Open CVEs: 49
Exploited: 0
KEV: 0
Unpatched: 9
No Workaround: 0
Internet-facing: 36
Why this provider is risky now
This provider has 49 open CVE(s) in the last 90 days. 9 have no vendor patch. 36 affect internet-facing services. 7 impact the management/identity plane.
Unpatched: 9; Mgmt / Admin Plane: 7; Public PoC: 3; Internet-facing: 36
Top Risky CVEs
CVE-2026-27944
Act Now
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
Within 24 hours: Identify all systems running Nginx UI versions up to 2.3.3 and isolate them from untrusted networks; disable Nginx UI administrative interfaces if not actively required. Within 7 days: Implement network-level access controls restricting UI access to authorized administrators only; deploy WAF rules blocking exploitation patterns if available from the vendor. Within 30 days: Upgrade to a patched version when released by the vendor, or replace Nginx UI with an alternative solution if no patch timeline is provided.
Tags: Edge exposure, ICT dependency, Management plane, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: F5, SUSE
- Proof of concept available
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
- ICT provider: SUSE (Infrastructure & Virtualization)
- Authentication / access control weakness
CVSS 9.8, EPSS 1.0%, Priority 70
Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit was identified at the time of analysis, though a detailed proof-of-concept HTTP request is provided in the advisory.
Within 24 hours: Immediately identify all nginx-ui deployments in your environment and isolate affected instances from untrusted networks; implement network-level access controls to restrict /mcp_message endpoint to trusted administrative IPs only. Within 7 days: Monitor vendor (nginx-ui maintainers) for patch release; subscribe to security advisories for update notifications; conduct forensic review of nginx configuration change logs for unauthorized modifications since deployment date. Within 30 days: Apply vendor-released patch immediately upon availability; validate patch installation across all instances; restore nginx configurations from clean backups if compromise is suspected; implement permanent network segmentation and WAF rules blocking unauthenticated /mcp_message requests.
Tags: Edge exposure, ICT dependency, No patch available, Management plane, PoC
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: F5, SUSE
- Proof of concept available
- No patch available
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
- ICT provider: SUSE (Infrastructure & Virtualization)
- No remediation available
- Authentication / access control weakness
CVSS 9.8, EPSS 0.1%, Priority 69
CVE-2026-33494
Act Now
Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though the absence of an EPSS score or KEV listing indicates limited evidence of active exploitation at this time.
Within 24 hours: Identify all Ory Oathkeeper instances in production and assess exposure; apply vendor patch immediately to all affected systems. Within 7 days: Verify patch deployment across all environments; audit access logs for suspicious path traversal patterns (e.g., requests containing '/../'). Within 30 days: Conduct post-incident review; implement WAF rules to block path traversal attempts as defense-in-depth; document remediation timeline and system inventory.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: path-traversal
- Third-party ICT: F5, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 10.0, EPSS 0.0%, Priority 50
CVE-2026-33502
Act Now
An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.
Within 24 hours: Inventory all AVideo installations with Live plugin enabled and assess network exposure. Within 7 days: Implement network segmentation to restrict AVideo server outbound connections and deploy WAF rules to block malicious test.php requests. Within 30 days: Disable the Live plugin on all non-critical instances, plan migration to alternative solutions, and establish vendor communication for patch timeline.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS 9.3, EPSS 3.0%, Priority 50
CVE-2026-33026
Act Now
Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw.
Within 24 hours: Identify all nginx-ui instances running v2.3.3 or earlier across your infrastructure using asset inventory and vulnerability scanning. Within 7 days: Upgrade all affected deployments to nginx-ui v2.3.4 or later per vendor advisory. Within 30 days: Audit backup integrity logs and configuration history for signs of unauthorized modification; rotate all nginx credentials and cryptographic keys used in backup operations post-patch.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Docker, F5, SUSE
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: F5 (Network & Security)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.4, EPSS 0.0%, Priority 47
CVE-2026-34759
Act Now
Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. Attackers can purchase phone numbers on victim Twilio accounts and delete configured alerting numbers by exploiting unprotected /notification/ endpoints, using leaked projectId values from public Status Page APIs. No public exploit identified at time of analysis, though attack complexity is rated high (CVSS AC:H) and proof-of-concept details are available in the GitHub security advisory.
Within 24 hours: Identify all OneUptime instances and document current versions via application settings or API diagnostics. Within 7 days: Upgrade all affected OneUptime deployments to version 10.0.42 or later, testing notification workflows post-upgrade. Within 30 days: Audit Twilio account activity logs for unauthorized phone number purchases or deletions since OneUptime deployment, and review Status Page API access controls to limit projectId exposure.
Tags: Edge exposure, ICT dependency, Management plane, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Management plane (Missing Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
- Authentication / access control weakness
CVSS 9.2, EPSS 0.1%, Priority 46
CVE-2026-34457
Act Now
Authentication bypass in OAuth2 Proxy versions before 7.15.2 allows remote unauthenticated attackers to access protected resources when deployed with nginx auth_request integration and health check features enabled. Attackers can spoof health check User-Agent headers to bypass OAuth2 authentication entirely, gaining unauthorized access to upstream applications. CVSS 9.1 (Critical) reflects a network-accessible, low-complexity attack requiring no privileges or user interaction. No active exploitation is confirmed (not in CISA KEV), but the trivial attack complexity and authentication bypass impact warrant immediate patching in affected deployments using nginx auth_request with the --ping-user-agent or --gcp-healthchecks flags.
Within 24 hours: Identify all deployments of OAuth2 Proxy and determine which instances use nginx auth_request with health check features (--ping-user-agent or --gcp-healthchecks flags enabled). Within 7 days: Upgrade all affected OAuth2 Proxy instances to version 7.15.2 or later. Within 30 days: Conduct access log review for the past 90 days to identify any suspicious health check User-Agent patterns that may indicate exploitation attempts.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS 9.1, EPSS 0.1%, Priority 46
CVE-2026-33419
Act Now
MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.
Within 24 hours: Identify all MinIO instances with LDAP enabled and disable the AssumeRoleWithLDAPIdentity endpoint if not actively used; enable network segmentation to restrict access to the STS endpoint. Within 7 days: Implement WAF rules to rate-limit authentication attempts and block patterns consistent with credential enumeration; review audit logs for unauthorized access attempts. Within 30 days: Migrate to alternative authentication methods (e.g., IAM roles, temporary credentials from trusted identity providers) and evaluate MinIO alternatives if the vendor does not release a patch timeline.
Tags: ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Docker, F5, SUSE, Apple
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: F5 (Network & Security)
- ICT provider: SUSE (Infrastructure & Virtualization)
- ICT provider: Apple (Operating Systems)
CVSS 9.1, EPSS 0.1%, Priority 46
CVE-2026-33186
Act Now
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data.
Within 24 hours: Inventory all gRPC-Go deployments and identify services using path-based authorization controls; implement network segmentation to restrict gRPC service exposure. Within 7 days: Deploy WAF rules to detect and block malformed HTTP/2 :path pseudo-headers lacking leading slashes; enable enhanced logging and monitoring for authorization anomalies. Within 30 days: Evaluate vendor patches as they become available; consider migrating to alternative authentication mechanisms (mTLS, token-based) independent of path validation; conduct security audit of all accessed gRPC services.
Tags: Edge exposure, ICT dependency, Management plane, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5, Red Hat, SUSE, Canonical / Ubuntu
- Management plane (Improper Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
- Authentication / access control weakness
CVSS 9.1, EPSS 0.0%, Priority 46
CVE-2026-40575
Act Now
### Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
* OAuth2 Proxy is configured with `--reverse-proxy`
*
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS 9.1, Priority 46
By Exposure: Internet-facing 36; Mgmt / Admin Plane 7; Identity / Auth 6; Internal only 13
By Exploitability: Known exploited 0; Public PoC 3; High EPSS (>30%) 0; Remote unauthenticated 26; Local only 5
By Remediation: Patch available 40; No patch 9; Workaround available 42; No workaround 0
Affected Services / Product Families: Nginx (49 CVEs)