21 Open CVEs
0 Exploited
0 KEV
7 Unpatched
1 No Workaround
20 Internet-facing
Why this provider is risky now
This provider has 21 open CVE(s) in the last 14 days. 7 have no vendor patch. 20 affect internet-facing services. 5 impact the management/identity plane.
7 Unpatched
5 Mgmt / Admin Plane
1 Public PoC
1 No Workaround
20 Internet-facing
Top Risky CVEs
Remote code execution via OS command injection in suvarchal docker-mcp-server through 0.1.0 allows unauthenticated attackers to execute arbitrary commands by manipulating the stop_container, remove_container, or pull_image HTTP interface functions. Publicly available exploit code exists, and while the vendor was notified early through GitHub issue #3, no patch has been released as of the analysis date.
Edge exposure, ICT dependency, PoC
Why flagged?
CVSS 6.9 | EPSS 1.0% | Priority 56
CVE-2026-34976
Act Now
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encry
Within 24 hours: Identify all Dgraph instances running v24.x or v25.x prior to v25.3.1 using asset inventory and network scanning; isolate affected systems from production traffic if immediate patching is infeasible. Within 7 days: Apply vendor-released patch to upgrade all Dgraph instances to v25.3.1 or later (commit b15c87e9 minimum). Within 30 days: Conduct database integrity audit on all affected systems, rotate all credentials and encryption keys that may have been exposed, review access logs for exploitation indicators, and implement network segmentation to restrict admin API access to trusted internal networks only.
Edge exposure, ICT dependency, Management plane, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass, ssrf
- Third-party ICT: HashiCorp, Docker
- Management plane (Missing Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: HashiCorp (Dev Platforms & CI/CD)
- ICT provider: Docker (Dev Platforms & CI/CD)
- Authentication / access control weakness
CVSS 10.0 | EPSS 0.0% | Priority 50
CVE-2026-39842
Act Now
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c
Within 24 hours: Inventory all OpenRemote deployments and document current versions; restrict write:rules role to only trusted superuser accounts and disable rules engine if possible. Within 7 days: Test upgrade path to OpenRemote 1.20.3 or later in a non-production environment; implement network segmentation to limit rules engine access. Within 30 days: Complete upgrade of all production OpenRemote instances to version 1.20.3 or later; audit logs for any rules created by non-superuser accounts since deployment; validate tenant isolation is functioning post-patch.
Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- Third-party ICT: Docker, PostgreSQL, Apple
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
- ICT provider: Apple (Operating Systems)
CVSS 10.0 | EPSS 0.1% | Priority 50
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
Within 24 hours: Inventory all Kestra deployments and identify instances running versions prior to 1.3.7; disable or restrict network access to the /api/v1/main/flows/search endpoint. Within 7 days: Upgrade to Kestra 1.3.7 or later immediately upon availability confirmation; validate upgrade in non-production environment first. Within 30 days: Conduct forensic review of access logs for the search endpoint dating back 90 days; rotate all database credentials and review container escape indicators; implement network segmentation to limit container-to-host communication.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-89: SQL Injection)
- Third-party ICT: Docker, PostgreSQL
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
- No remediation available
CVSS 9.9 | EPSS 0.1% | Priority 50
Server-Side Request Forgery in Sonicverse Radio Audio Streaming Stack dashboard API client allows authenticated operators to perform arbitrary HTTP requests from the backend server to internal or external targets. Affects Docker Compose deployments installed via the provided install.sh script, including one-liner installations. Attacker can exploit insufficient URL validation in apps/dashboard/lib/api.ts to access internal services, exfiltrate sensitive data from cloud metadata endpoints, or pivot to restricted network segments. CVSS 9.9 critical severity with changed scope indicates potential for significant cross-boundary impact. No public exploit identified at time of analysis.
Within 24 hours: Identify all Sonicverse Radio deployments using Docker Compose with the standard install.sh script and restrict network access to the dashboard API to trusted operators only via firewall/WAF rules. Within 7 days: Implement compensating controls: isolate affected Docker containers from access to internal services, cloud metadata endpoints (169.254.169.254), and inter-service communication; audit logs for suspicious HTTP requests originating from the dashboard API. Within 30 days: Monitor Sonicverse Radio vendor advisories for a patch release; prepare an upgrade plan to the patched version immediately upon availability; consider alternative audio streaming solutions if the patch timeline becomes unacceptable for your risk tolerance.
Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Docker
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- No remediation available
CVSS 9.9 | EPSS 0.0% | Priority 50
CVE-2026-39987
Act Now
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.
Within 24 hours: Identify all Marimo deployments running version 0.20.4 or earlier using asset inventory and network discovery tools. Within 7 days: Upgrade all affected instances to Marimo 0.20.5 or later (vendor-released patch available). Temporarily disable or restrict network access to the `/terminal/ws` endpoint on affected systems if upgrade cannot be completed immediately. Within 30 days: Conduct application logs review for unauthorized WebSocket connections to `/terminal/ws` endpoint and verify no malicious commands were executed in historical access logs.
Edge exposure, ICT dependency, Management plane, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: Docker
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- Authentication / access control weakness
CVSS 9.3 | EPSS 2.7% | Priority 49
CVE-2026-33439
Act Now
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue
Within 24 hours: Identify all OpenAM deployments and document version numbers; verify if any are running 16.0.5 or earlier. Within 7 days: Apply vendor-released patch to OpenAM 16.0.6 or later (GitHub commit 014007c or subsequent stable release); test in staging environment first. Within 30 days: Conduct post-patch verification; review authentication logs for suspicious jato.clientSession parameter activity; implement network-level monitoring for JATO ViewBean endpoints.
Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-502: Deserialization of Untrusted Data)
- Third-party ICT: Docker, Oracle Database, Apple
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: Oracle Database (Databases & Data Platforms)
- ICT provider: Apple (Operating Systems)
CVSS 9.3 | EPSS 0.1% | Priority 47
CVE-2026-34977
Act Now
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Within 24 hours: Identify all Aperi'Solve instances and their versions (check docker images, deployment manifests). If running <3.2.1, immediately isolate from internet or restrict network access to trusted sources only. Within 7 days: Upgrade all instances to Aperi'Solve 3.2.1 or later per vendor release notes; test in non-production environment first. Within 30 days: Review access logs for successful JPEG uploads to exploited instances during exposure window; audit PostgreSQL and Redis database access; if Docker socket is mounted, conduct full host system security assessment.
Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-78: OS Command Injection)
- Third-party ICT: Docker, PostgreSQL, Redis
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
- ICT provider: Redis (Databases & Data Platforms)
CVSS 9.3 | EPSS 0.1% | Priority 47
CVE-2026-40313
Act Now
GitHub Actions credential leakage in PraisonAI through the ArtiPACKED attack exposes GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN in workflow artifacts. Versions 4.5.139 and below persist credentials in .git/config via actions/checkout without disabling persist-credentials, allowing any user with read access to public repository artifacts to extract tokens and compromise the supply chain. CVSS 9.1 (Critical) with a network-accessible, unauthenticated attack vector. EPSS data not provided; no confirmed active exploitation (KEV status not indicated), but the attack technique is publicly documented by Palo Alto Unit42 and widely reported. Vendor-released patch available in version 4.5.140.
Within 24 hours: Audit all PraisonAI deployments and identify instances running version 4.5.139 or below; immediately rotate all GitHub tokens and Actions runtime tokens. Within 7 days: Upgrade all affected PraisonAI instances to version 4.5.140 or later and verify persist-credentials is disabled in actions/checkout configurations. Within 30 days: Implement credential scanning in CI/CD pipelines, audit artifact retention policies, and review access logs for unauthorized token extraction from public repositories.
ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Docker
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 9.1 | EPSS 0.0% | Priority 46
CVE-2026-40258
Act Now
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
Within 24 hours: Identify all gramps-web-api instances in production and document their deployment architecture (SQLite vs. Postgres, storage backend). Within 7 days: Apply the vendor-released patch to all instances; prioritize systems using SQLite multi-tree or volume-mounted configurations. Within 30 days: Restrict media archive import functionality to trusted sources and implement file integrity monitoring on configuration directories; audit recent archive imports for unauthorized file modifications.
Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Docker, PostgreSQL
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS 9.1 | Priority 46
By Exposure
20 Internet-facing
5 Mgmt / Admin Plane
3 Identity / Auth
1 Internal only
By Exploitability
0 Known exploited
1 Public PoC
0 High EPSS (>30%)
11 Remote unauthenticated
3 Local only
By Remediation
14 Patch available
7 No patch
18 Workaround available
1 No workaround
Affected Services / Product Families
Docker: 21 CVE(s) (+ 11 more)