Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

TWCERT/CC

#cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e
PolicyEmail

Short Name

twcert

Program Role

CNA

Top Level Root

MITRE Corporation

Security Advisories

View Advisories (Chinese)
View Advisories (English)

Domain

cert.org.tw

Country

Taiwan

Scope

Vulnerability assignment related to its vulnerability coordination role.
Reported CVEsVendorsProductsReports
885Vulnerabilities found

CVE-2026-15804
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.30% / 22.16%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 07:31
Updated-15 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MetaGuru|HCM - SQL Injection

The HCM developed by MetaGuru has a SQL Injection vulnerability. Authenticated remote attackers can inject SQL commands via specific parameters, thereby compromising the confidentiality, integrity, and availability of database data.

Action-Not Available
Vendor-MetaGuru
Product-HCM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9492
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.5||HIGH
EPSS-0.11% / 1.46%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 03:41
Updated-14 Jul, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GIGABYTE|Gigabyte Control Center - Improper Access Control

The MBStorage DRAM lighting control module within Gigabyte Control Center (GCC) developed by GIGABYTE Technology has an Improper Access Control vulnerability. Authenticated local attackers can send specific IOCTL commands through the driver MyPortIO_x64.sys bundled with the module, thereby arbitrarily reading and writing physical memory and obtaining kernel-level privileges.

Action-Not Available
Vendor-GIGABYTE
Product-MBStorage
CWE ID-CWE-782
Exposed IOCTL with Insufficient Access Control
CVE-2026-15553
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.9||MEDIUM
EPSS-0.25% / 16.38%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 03:10
Updated-14 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ragic|Enterprise Cloud Database - Arbitrary File Upload

Enterprise Cloud Database developed by Ragic has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload malicious files and make them available for users to download.

Action-Not Available
Vendor-Ragic Corporation
Product-Enterprise Cloud Database
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-15552
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 10.56%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 02:45
Updated-14 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ragic|Enterprise Cloud Database - Stored Cross-Site Scripting

Enterprise Cloud Database developed by Ragic has a Stored Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.

Action-Not Available
Vendor-Ragic Corporation
Product-Enterprise Cloud Database
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-14809
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.44% / 35.45%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 07:21
Updated-06 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PROG MIS|Prog Management System - SQL Injection

Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

Action-Not Available
Vendor-PROG MIS
Product-Prog Management System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-14808
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.51% / 39.92%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 07:18
Updated-06 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PROG MIS|Prog Management System - Exposure of Sensitive Information

Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain the database account and password.

Action-Not Available
Vendor-PROG MIS
Product-Prog Management System
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2026-14807
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.46% / 37.26%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 07:09
Updated-06 Jul, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PROG MIS|ERP App - Use of Hard-coded Credentials

ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.

Action-Not Available
Vendor-PROG MIS
Product-ERP App
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-14162
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.47% / 37.80%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 10:57
Updated-30 Jun, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech|Hospital Quering Management - Missing Authentication

Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-Hospital Quering Management
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-14161
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.44% / 35.45%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 10:52
Updated-30 Jun, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech|Hospital Queuing Management - Sensitive Data Exposure

Hospital Quening Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-Hospital Queuing Management
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-12581
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.7||HIGH
EPSS-0.30% / 21.87%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 09:30
Updated-22 Jun, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digiwin|EasyFlow .NET - Session Fixation

EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in.

Action-Not Available
Vendor-Digiwin
Product-EasyFlow .NET
CWE ID-CWE-384
Session Fixation
CVE-2026-12580
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.43%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 09:26
Updated-22 Jun, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digiwin|EasyFlow .NET - Stored Cross-Site Scripting

EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.

Action-Not Available
Vendor-Digiwin
Product-EasyFlow .NET
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-11849
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.35% / 27.26%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:47
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IEI Integration Corp|iRM-IEI Remote Management - Hard-coded Credentials

The  iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.

Action-Not Available
Vendor-IEI Integration Corp
Product-iRM-TSi410X
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-11848
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.9||HIGH
EPSS-0.30% / 21.62%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:44
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IEI Integration Corp| iRM-IEI Remote Management - Missing Authentication

The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information.

Action-Not Available
Vendor-IEI Integration Corp
Product-iRM-TSi410X
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-11847
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.79%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:37
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Deletion

The  iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.

Action-Not Available
Vendor-IEI Integration Corp
Product-iVEC TANK-XM811
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-11846
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.2||HIGH
EPSS-0.40% / 32.42%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:31
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Deletion

The  iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories,  resulting in data destruction or service disruption.

Action-Not Available
Vendor-IEI Integration Corp
Product-iVEC TANK-XM811
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-11845
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.6||HIGH
EPSS-0.95% / 57.34%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:27
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - OS Command Injection

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device.

Action-Not Available
Vendor-IEI Integration Corp
Product-iVEC TANK-XM811
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-11844
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.01%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:12
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Read

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope.

Action-Not Available
Vendor-IEI Integration Corp
Product-iVEC TANK-XM811
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-12060
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 23.38%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 06:43
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hepta Platforms|Heptabase - Exposed Dangerous

Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.

Action-Not Available
Vendor-Hepta Platforms
Product-Heptabase
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2026-12059
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.45% / 36.36%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 06:30
Updated-12 Jun, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cellopoint|CelloOS - Improper Access Control

The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope.

Action-Not Available
Vendor-Cellopoint
Product-CelloOS
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2026-10597
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.9||MEDIUM
EPSS-0.24% / 15.58%
||
7 Day CHG~0.00%
Published-04 Jun, 2026 | 02:19
Updated-04 Jun, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ITPison|OMICARD EDM - Insecure Direct Object Reference

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address.

Action-Not Available
Vendor-ITPison
Product-OMICARD EDM
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-10075
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 30.98%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 12:53
Updated-29 May, 2026 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Interinfo|DreamMaker - Path Traversal

DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary path by exploiting an Absolute Path Traversal vulnerability.

Action-Not Available
Vendor-Interinfo
Product-DreamMaker
CWE ID-CWE-36
Absolute Path Traversal
CVE-2026-10074
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 26.99%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 12:45
Updated-29 May, 2026 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Interinfo|DreamMaker - Arbitrary File Read

DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files.

Action-Not Available
Vendor-Interinfo
Product-DreamMaker
CWE ID-CWE-23
Relative Path Traversal
CVE-2026-10073
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.35% / 27.62%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 12:39
Updated-29 May, 2026 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Interinfo|DreamMaker - Arbitrary File Read

DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files.

Action-Not Available
Vendor-Interinfo
Product-DreamMaker
CWE ID-CWE-23
Relative Path Traversal
CVE-2026-10072
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.6||HIGH
EPSS-0.46% / 36.75%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 12:36
Updated-29 May, 2026 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Interinfo|DreamMaker - Arbitrary File Upload

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Action-Not Available
Vendor-Interinfo
Product-DreamMaker
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-10071
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.51% / 40.00%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 12:32
Updated-29 May, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Interinfo|DreamMaker - Arbitrary File Upload

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Action-Not Available
Vendor-Interinfo
Product-DreamMaker
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-10058
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 7.33%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 08:37
Updated-29 May, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.

Action-Not Available
Vendor-ITP Technology
Product-ITS Intelligent SCADA System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-10057
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 7.33%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 08:34
Updated-29 May, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.

Action-Not Available
Vendor-ITP Technology
Product-ITS Intelligent SCADA System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9493
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.1||HIGH
EPSS-0.26% / 17.42%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 05:54
Updated-29 May, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BankPro E-Service Technology|Service Center - Insecure Direct Object Reference

Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details.

Action-Not Available
Vendor-BankPro E-Service Technology
Product-Service Center
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-9003
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.54% / 41.77%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 02:39
Updated-20 May, 2026 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TONNET|E-LAN Hybrid Recording System - SQL Injection

E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

Action-Not Available
Vendor-TONNET
Product-TPR7308
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7491
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.6||HIGH
EPSS-0.26% / 17.42%
||
7 Day CHG~0.00%
Published-02 May, 2026 | 09:14
Updated-05 May, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zyosoft|School App - Insecure Direct Object Reference

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.

Action-Not Available
Vendor-Zyosoft
Product-School App
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-7490
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.6||HIGH
EPSS-0.46% / 37.38%
||
7 Day CHG~0.00%
Published-02 May, 2026 | 09:06
Updated-12 May, 2026 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sunnet|CTMS and CPAS - Arbitrary File Upload

CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Action-Not Available
Vendor-sun.netSunnet
Product-ehrd_ctmsehrd_cpasCPASCTMS
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-7489
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.33% / 24.73%
||
7 Day CHG~0.00%
Published-02 May, 2026 | 09:02
Updated-05 May, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sunnet|CTMS - SQL Injection

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-Sunnet
Product-CTMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7280
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.4||HIGH
EPSS-0.12% / 2.12%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 09:46
Updated-28 Apr, 2026 | 12:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eMPIA Technology|AVACAST - Unquoted Service Path

AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a specific directory, resulting in arbitrary code execution with system privileges when the AVACAST service starts.

Action-Not Available
Vendor-eMPIA Technology
Product-AVACAST
CWE ID-CWE-428
Unquoted Search Path or Element
CVE-2026-7279
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.5||HIGH
EPSS-0.11% / 1.80%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 09:39
Updated-28 Apr, 2026 | 12:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eMPIA Technology|AVACAST - DLL Hijacking

AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL.

Action-Not Available
Vendor-eMPIA Technology
Product-AVACAST
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2026-6947
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.45% / 36.62%
||
7 Day CHG~0.00%
Published-24 Apr, 2026 | 03:46
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link|DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass

DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device.

Action-Not Available
Vendor-D-Link Corporation
Product-DWM-222W
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2026-6887
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.36% / 28.09%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 09:30
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BorG Technology Corporation|Borg SPM 2007 - SQL Injection

Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-BorG Technology Corporation
Product-Borg SPM 2007
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-6886
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.45% / 36.46%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 09:25
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BorG Technology Corporation|Borg SPM 2007 - Authentication Bypass

Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user.

Action-Not Available
Vendor-BorG Technology Corporation
Product-Borg SPM 2007
CWE ID-CWE-1390
Weak Authentication
CVE-2026-6885
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.50% / 39.36%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 09:05
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BorG Technology Corporation|Borg SPM 2007 - Arbitrary File Upload

Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Action-Not Available
Vendor-BorG Technology Corporation
Product-Borg SPM 2007
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6835
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 10.93%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 03:40
Updated-29 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aEnrich|a+HCM - Arbitrary File Upload

The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in a XSS-like effect.

Action-Not Available
Vendor-Yukai Digital Technology (aEnrich)
Product-a+HCM
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-6834
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.1||HIGH
EPSS-0.26% / 17.42%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 03:36
Updated-29 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aEnrich|a+HRD - Missing Authorization

The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method.

Action-Not Available
Vendor-Yukai Digital Technology (aEnrich)
Product-a+HRD
CWE ID-CWE-862
Missing Authorization
CVE-2026-6833
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.1||HIGH
EPSS-0.28% / 19.78%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 03:32
Updated-29 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aEnrich|a+HRD - SQL Injection

The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.

Action-Not Available
Vendor-Yukai Digital Technology (aEnrich)
Product-a+HRD
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-5965
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-1.74% / 75.13%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 03:32
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NewSoft|NewSoftOA - OS Command Injection

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Action-Not Available
Vendor-NewSoft
Product-NewSoftOA
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-5967
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.37% / 29.44%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 07:44
Updated-12 May, 2026 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TeamT5|ThreatSonar Anti-Ransomware - Privilege Escalation

ThreatSonar Anti-Ransomware developed by TeamT5 has an Privilege Escalation vulnerability. Authenticated remote attackers with shell access can inject OS commands and execute them with root privileges.

Action-Not Available
Vendor-teamt5TeamT5
Product-threatsonar_anti-ransomwareThreatSonar Anti-Ransomware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-5966
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.2||HIGH
EPSS-0.41% / 33.17%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 07:40
Updated-12 May, 2026 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TeamT5|ThreatSonar Anti-Ransomware - Arbitrary File Deletion

ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system.

Action-Not Available
Vendor-teamt5TeamT5
Product-threatsonar_anti-ransomwareThreatSonar Anti-Ransomware
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-23
Relative Path Traversal
CVE-2026-5964
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.37% / 28.83%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 07:36
Updated-12 May, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digiwin|EasyFlow .NET - SQL Injection

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-digiwinDigiwin
Product-easyflow_.netEasyFlow .NET
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-5963
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.37% / 28.83%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 07:32
Updated-12 May, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digiwin|EasyFlow .NET - SQL Injection

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-digiwinDigiwin
Product-easyflow_.netEasyFlow .NET
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-6351
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.59% / 44.35%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 02:39
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openfind|MailGates/MailAudit - CRLF Injection

MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.

Action-Not Available
Vendor-Openfind
Product-MailAuditMailGates
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-6350
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.77% / 51.36%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 02:30
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openfind|MailGates/MailAudit - Stack-based Buffer Overflow

MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.

Action-Not Available
Vendor-Openfind
Product-MailAuditMailGates
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2026-6349
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-2.14% / 80.03%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 02:24
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HGiga|iSherlock - OS Command Injection

The  iSherlock developed by HGiga  has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Action-Not Available
Vendor-HGiga
Product-iSherlock-audit-5.5iSherlock-base-5.5iSherlock-audit-4.5iSherlock-base-4.5
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-6348
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.18% / 7.67%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 01:53
Updated-19 May, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simopro Technology|WinMatrix - Missing Authentication

WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.

Action-Not Available
Vendor-Simopro Technology
Product-WinMatrix
CWE ID-CWE-306
Missing Authentication for Critical Function
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 17
  • 18
  • Next