Summary (last 7 days):
- Open CVEs: 4
- Exploited: 0
- KEV: 0
- Unpatched: 1
- No Workaround: 0
- Internet-facing: 4
Why this provider is risky now
This provider has 4 open CVE(s) in the last 7 days. 1 has no vendor patch. 4 affect internet-facing services. 1 impacts the management/identity plane.
Unpatched: 1 | Mgmt / Admin Plane: 1 | Internet-facing: 4
Top Risky CVEs
CVE-2026-34457 (Act Now)
Authentication bypass in OAuth2 Proxy versions before 7.15.2 allows remote unauthenticated attackers to access protected resources when deployed with nginx auth_request integration and health check features enabled. Attackers can spoof health check User-Agent headers to bypass OAuth2 authentication entirely, gaining unauthorized access to upstream applications. CVSS 9.1 (Critical) reflects a network-accessible, low-complexity attack requiring no privileges or user interaction. No active exploitation confirmed (not in CISA KEV), but the trivial attack complexity and authentication bypass impact warrant immediate patching in affected deployments using nginx auth_request with the --ping-user-agent or --gcp-healthchecks flags.
- Within 24 hours: Identify all deployments of OAuth2 Proxy and determine which instances use nginx auth_request with health check features (--ping-user-agent or --gcp-healthchecks flags enabled).
- Within 7 days: Upgrade all affected OAuth2 Proxy instances to version 7.15.2 or later.
- Within 30 days: Conduct an access log review for the past 90 days to identify any suspicious health check User-Agent patterns that may indicate exploitation attempts.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS: 9.1 | EPSS: 0.1% | Priority: 46
CVE-2026-40575 (Act Now)
### Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
* OAuth2 Proxy is configured with `--reverse-proxy`
*
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS: 9.1 | Priority: 46
CVE-2026-40487 (This Week)
File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects a network attack vector with low complexity, requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.
- Within 24 hours: Identify all Postiz deployments and confirm current version numbers.
- Within 7 days: Upgrade all Postiz instances to version 2.21.6 or later per the vendor patch release. Verify patch deployment across all affected systems.
- Within 30 days: Conduct an audit of file upload logs since deployment to identify any suspicious uploads with mismatched Content-Type headers; reset session tokens for all users as a precautionary measure.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: F5 (Network & Security)
CVSS: 8.9 | EPSS: 0.0% | Priority: 45
Decidim GraphQL API exposes all commentable resources platform-wide without permission checks, enabling unauthorized access to comments and associated data across public and private participation spaces. Affects decidim-api and decidim-comments Ruby gems with default configurations exposing the /api endpoint publicly. No vendor patch available - only workarounds via authentication enforcement or IP allowlisting. CVSS 7.5 (High) reflects network-accessible confidentiality breach, though real-world impact depends heavily on whether the Decidim instance hosts non-public participation spaces.
- Within 24 hours: Identify all Decidim instances in your environment and determine which host non-public participation spaces; document data sensitivity levels.
- Within 7 days: Implement IP allowlisting or network segmentation to restrict /api endpoint access to trusted networks only, or enforce API authentication via reverse proxy/WAF rules; test that legitimate API consumers remain functional.
- Within 30 days: Contact Decidim maintainers for a patch timeline; evaluate whether the instance can be reconfigured to public-only participation or if migration to a patched version is feasible; maintain blocklist rules pending vendor remediation.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- No patch available
- Management plane (Missing Authorization)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: F5 (Network & Security)
- No remediation available
- Authentication / access control weakness
CVSS: 7.5 | Priority: 38
By Exposure
- Internet-facing: 4
- Mgmt / Admin Plane: 1
- Identity / Auth: 1
- Internal only: 0
By Exploitability
- Known exploited: 0
- Public PoC: 0
- High EPSS (>30%): 0
- Remote unauthenticated: 3
- Local only: 0
By Remediation
- Patch available: 3
- No patch: 1
- Workaround available: 3
- No workaround: 0