CVE 취약점 정보

NVD, CISA KEV, EPSS 정보를 바탕으로 우선 확인할 CVE 취약점을 정리합니다.

NVD API 데이터를 사용하며, NVD의 보증 또는 인증을 의미하지 않습니다.
페이지당 10개 · 서버 조회
검색 결과 9,6891 / 969 페이지
점검 대응높음KEV 미등록
CVE-2026-56741

jline jline3 취약점

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received via the Telnet NAWS option, and TelnetIO.handleNAWS() in TelnetIO.java:856-879 reads client-supplied width and height as 16-bit unsigned integers and passes values such as 65535x65535 to setTerminalGeometry(), allowing an unauthenticated remote attacker to repeatedly alternate values and trigger continuous expensive rendering work that causes CPU exhaustion and denial of service. This issue is fix...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응높음KEV 미등록
CVE-2026-56740

jline jline3 취약점

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응높음KEV 미등록
CVE-2026-56171

Microsoft Remote Desktop Web Client, Windows Admin Center 취약점

Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disclose information over a network.

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응높음KEV 미등록
CVE-2026-49485

hapifhir org.hl7.fhir.core 취약점

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation, and the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting CPU resources and causi...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응긴급KEV 미등록
CVE-2026-55518

avo-hq avo 취약점

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to 3.32.1 and 4.0.0.beta.51, Avo's association attach workflow checks attach_<association>? in the UI and GET /resources/:resource/:id/:related/new path, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating the association through Avo::AssociationsController#create. An authenticated low-privileged Avo user can bypass hidden or disabled attach controls and directly attach related records to a parent record by sending a crafted POST request, which...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응높음KEV 미등록
CVE-2026-54498

ViewComponent view_component 취약점

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data, and ViewComponent::Collection#render_in can amplify the issue by joining per-item results and marking the entire output html_safe, converting raw unsa...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응긴급KEV 미등록
CVE-2026-54466

faye websocket-driver-node 취약점

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server parse these bytes into an ever-growing integer in lib/websocket/driver/draft75.js; because JavaScript numbers are 64-bit floating point values, this number will eventually lose precision and lead to the subsequent payload bein...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응긴급KEV 미등록
CVE-2026-54159

PrestaShop ps_facetedsearch 취약점

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value of a slider filter, price or weight, is taken from the URL without sufficient validation and stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize() in src/Filters/Block.php. By crafting that value, an unauthenticated attacker can smuggle a malicious serialized PHP object into the cache, and when it is deserialized, a gadget chain write...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응높음KEV 미등록
CVE-2026-53727

premailer css_parser 취약점

css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued HTTP and HTTPS requests against any host, port, and URI without a scheme allowlist, host or IP filtering, or protection against link-local, loopback, or RFC-1918 addresses. Location: redirects were followed recursively back into the same function, which also serviced file:// URIs, so a single attacker-controlled HTTP redirect could upgrade the bug from SSRF to arbitrary local file disclosure. A...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점
점검 대응높음KEV 미등록
CVE-2026-50274

DataDog dd-trace-go 취약점

Datadog dd-trace-go is a Go client library for Datadog application performance monitoring, profiling, and security monitoring. Prior to 2.8.1, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits on the extract path. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial...

CVSS 위험도가 높아 영향 여부를 우선 점검할 취약점