
HashiCorp

Dev Platforms & CI/CD

Period: last 90 days

Open CVEs: 36
Exploited: 1
KEV: 1
Unpatched: 13
No workaround: 7
Internet-facing: 22

Why this provider is risky now

This provider has 36 open CVEs in the last 90 days: 1 is listed in CISA KEV (known exploited), 13 have no vendor patch, 22 affect internet-facing services, 11 impact the management/admin plane, 2 have a public PoC, and 7 have no workaround.

Top Risky CVEs

CVE-2026-45321
Act Now
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actions exploitation. The attackers combined a pull_request_target misconfiguration, Actions cache poisoning, and extraction of an OIDC token from runner memory to publish malicious code under the legitimate TanStack identity. Installing any affected version executes a 2.3 MB obfuscated payload that exfiltrates AWS/GCP/Kubernetes credentials, npm tokens, GitHub secrets, SSH keys, and HashiCorp Vault tokens over encrypted Session/Oxen messenger infrastructure. The payload propagates by republishing packages maintained by each victim with the same injection. Socket.dev and the TanStack team confirmed the incident via GHSA-g7cv-rxg3-hmpx. No EPSS or CISA KEV data was available for this supply-chain attack at the time of analysis, so check the KEV and "exploited" flags on this entry against the current CISA catalog before relying on them. CVSS 9.6 reflects the cross-scope credential theft impact (S:C/C:H/I:H), tempered by the need for a user-initiated package installation (UI:R).
**Within 24 hours:** Identify all internal and CI/CD usage of TanStack packages (query package-lock.json, yarn.lock, and pnpm-lock.yaml across all repos); audit npm, GitHub, AWS, and Vault access logs for anomalous activity from 2026-05-11 onward; revoke and rotate every developer AWS key, GCP service account key, Kubernetes token, npm token, GitHub personal access token, and SSH key reachable from affected machines. **Within 7 days:** Re-scan all development and production systems for the compromised TanStack versions using the artifact signatures published with GHSA-g7cv-rxg3-hmpx; forensically examine affected workstations for lateral-movement indicators; purge node_modules and lock files, then reinstall from clean upstream releases or verified commit hashes. **Within 30 days:** Enforce npm package verification (checksums and sigstore provenance attestations); migrate internal GitHub Actions workflows from pull_request_target to pull_request wherever they check out or execute pull-request code; deploy software composition analysis (SCA) tooling with real-time KEV/GHSA matching in the CI/CD pipeline.
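The pull_request_target misconfiguration named above is the combination of that trigger (which runs with the base repository's secrets and a write-capable token) and a checkout of the pull request's own head, so fork-supplied code such as package.json lifecycle scripts runs with those secrets. The following is an added example, not code from the dashboard, TanStack, or GitHub: a small auditor for the workflow files under .github/workflows that flags that combination, shown against two constructed workflows, the weak one and its hardened form using the plain pull_request trigger.

```python
"""Detect GitHub Actions workflows that run untrusted pull-request code under
pull_request_target.  Added example for the TanStack entry, not the dashboard's
or TanStack's code; the two workflows at the bottom are constructed."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Trigger written as a mapping key ("on:\n  pull_request_target:"), a scalar
# ("on: pull_request_target") or inside a flow list ("on: [push, pull_request_target]").
PRT_TRIGGER = re.compile(
    r"^[ \t]*pull_request_target[ \t]*:"
    r"|^[ \t]*on[ \t]*:[ \t]*(\[[^\]]*\b)?pull_request_target\b",
    re.M,
)
CHECKOUT = re.compile(r"^[ \t]*-?[ \t]*uses[ \t]*:[ \t]*actions/checkout", re.M)
# checkout refs that resolve to the PR's own (attacker-controlled) content
PR_HEAD_REF = re.compile(
    r"ref[ \t]*:[ \t]*(?:"
    r"\$\{\{[ \t]*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)[ \t]*\}\}"
    r"|['\"]?refs/pull/)"
)


@dataclass
class Finding:
    path: str
    severity: str   # "high" or "review"
    reason: str


def audit_workflow(path: str, text: str) -> List[Finding]:
    """Findings for one workflow file; empty list when there is nothing to flag."""
    if not PRT_TRIGGER.search(text):
        return []
    if CHECKOUT.search(text) and PR_HEAD_REF.search(text):
        return [Finding(path, "high",
                        "pull_request_target checks out the PR head: fork code runs "
                        "with base-repo secrets and a write-capable GITHUB_TOKEN")]
    # The trigger alone is legitimate (labelling, commenting) as long as no step
    # executes PR-supplied files; that still needs a human look.
    return [Finding(path, "review",
                    "pull_request_target present: confirm no step executes PR-supplied "
                    "scripts, package.json lifecycle hooks or config")]


def audit_repo(root: str) -> List[Finding]:
    """Walk .github/workflows under a checkout and audit every workflow file."""
    out: List[Finding] = []
    for p in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        out += audit_workflow(str(p), p.read_text())
    return out


# constructed samples: the weak pattern and its hardened form
INSECURE = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # fork's package.json scripts run with secrets
"""

HARDENED = """name: ci
on:
  pull_request:                  # read-only token, no secrets for fork PRs
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for f in audit_workflow("insecure.yml", INSECURE) + audit_workflow("hardened.yml", HARDENED):
        print(f.severity, f.path, f.reason)
```

Run audit_repo(".") from the root of each cloned repository; a "high" finding is the pattern to migrate, a "review" finding is a pull_request_target workflow that must be read by hand because the regexes cannot tell whether a later `run:` step touches PR-controlled files.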
Tags: ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp
  • Exploited in the wild (CISA KEV)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • Known exploited vulnerability (KEV)
CVSS 9.6 · EPSS 0.0% · Priority 118
CVE-2026-33722
This Week
Authenticated users of n8n versions prior to 1.123.23 (1.x line) and 2.6.4 (2.x line) can bypass the external-secrets permission check and retrieve plaintext secret values from a configured vault by referencing a secret by name inside a credential, even without list permission on secrets. Any authenticated user who knows or can guess a secret name can therefore read vault-stored credentials without admin or owner privileges. Public exploit code exists for this vulnerability.
Within 24 hours: Inventory all n8n deployments and identify instances with an external secrets vault configured; upgrade them to 1.123.23 or 2.6.4 (or later), or, unless the integration is business-critical, disable the external secrets integration until you can. Within 7 days: Audit n8n and vault access logs for secret retrievals by users who lack list permission; rotate every secret reachable through affected instances. Within 30 days: Restrict n8n's network path to the vault and scope its vault credentials to the minimum secret paths it needs; add monitoring on vault access patterns.
Tags: Edge exposure, ICT dependency, Management plane, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: HashiCorp
  • Proof of concept available
  • Management plane (Incorrect Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • Authentication / access control weakness
CVSS 7.3 · EPSS 0.0% · Priority 57
CVE-2026-9152
Monitor
Unpatched
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of i
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: HashiCorp
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
  • Authentication / access control weakness
CVSS 10.0 · EPSS 0.1% · Priority 50
CVE-2026-34976
Act Now
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encry
Within 24 hours: Identify all Dgraph instances running v24.x or v25.x prior to v25.3.1 using asset inventory and network scanning; isolate affected systems from production traffic if immediate patching is infeasible. Within 7 days: Apply vendor-released patch to upgrade all Dgraph instances to v25.3.1 or later (commit b15c87e9 minimum). Within 30 days: Conduct database integrity audit on all affected systems, rotate all credentials and encryption keys that may have been exposed, review access logs for exploitation indicators, and implement network segmentation to restrict admin API access to trusted internal networks only.
Tags: Edge exposure, ICT dependency, Management plane, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass, ssrf
  • Third-party ICT: HashiCorp, Docker
  • Management plane (Missing Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
CVSS 10.0 · EPSS 0.0% · Priority 50
CVE-2026-46412
Act Now
Unpatched
Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Exploitation during that window is confirmed: the versions were published with an attacker-controlled npm publish token. The maintainers republished the original 0.1.1 source tree as a clean 0.1.20. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and the scope change into the install environment.
Within 24 hours: Identify every system (developer workstations, CI/CD pipelines, build servers) that installed an affected version, using package-lock.json, yarn.lock, pnpm-lock.yaml, and CI logs; immediately rotate all AWS access keys, GitHub personal access tokens, npm publish tokens, and HashiCorp Vault credentials present on those hosts; quarantine affected systems for forensic analysis. Within 7 days: Upgrade all projects to @beproduct/nestjs-auth 0.1.20 or remove the dependency; run npm audit across the entire dependency tree; audit AWS CloudTrail, GitHub audit logs, and Vault access logs for unauthorized activity from 2026-05-11 onward. Within 30 days: Deploy Software Composition Analysis (SCA) tooling for continuous package monitoring; require provenance or signature verification of npm packages before install; complete the forensic investigation and incident report; evaluate replacing @beproduct/nestjs-auth with an alternative package.
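Both this entry and the TanStack entry above (CVE-2026-45321) start with the same job: find every lockfile in every repository that pins a package to a compromised version. The scanner below is an added example, not code from the dashboard or from either project. It parses the three lockfile formats named in the entries (package-lock.json v1/v2/v3, yarn v1 and berry, pnpm v5 and v6+/v9 keys) and matches entries against an advisory table; the 0.1.2 through 0.1.19 range for @beproduct/nestjs-auth comes from this entry, while the TanStack packages are left as a placeholder because their 84 affected versions must be taken from GHSA-g7cv-rxg3-hmpx. The three lockfiles embedded at the end are constructed.

```python
"""Find lockfile entries that pin a package to a version named in a supply-chain
advisory.  Added example serving the TanStack and @beproduct/nestjs-auth entries;
not the dashboard's or either project's code.  The sample lockfiles are constructed."""
import json
import re
from pathlib import Path
from typing import Callable, Dict, List, Set, Tuple

Version = Tuple[int, ...]
Hit = Tuple[str, str]          # (package name, installed version)


def parse_version(s: str) -> Version:
    """'v1.2.3-beta.1' -> (1, 2, 3): drops a leading 'v' and any prerelease/build suffix."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version {s!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def in_range(lo: str, hi: str) -> Callable[[str], bool]:
    lo_t, hi_t = parse_version(lo), parse_version(hi)
    return lambda v: lo_t <= parse_version(v) <= hi_t


# package name -> predicate over the installed version
ADVISORIES: Dict[str, Callable[[str], bool]] = {
    "@beproduct/nestjs-auth": in_range("0.1.2", "0.1.19"),   # from the entry above
    # TanStack: one entry per affected package with the exact version set taken from
    # GHSA-g7cv-rxg3-hmpx, e.g.  "@tanstack/<pkg>": lambda v: v in {"x.y.z", ...}
}


def from_package_lock(text: str) -> Set[Hit]:
    data = json.loads(text)
    hits: Set[Hit] = set()
    # lockfileVersion 2/3: "packages" keyed by node_modules path ("" is the root project)
    for path, meta in data.get("packages", {}).items():
        if path and "version" in meta:
            hits.add((path.rsplit("node_modules/", 1)[-1], meta["version"]))

    # lockfileVersion 1 (also still present in 2): nested "dependencies" tree
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if "version" in meta:
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))
    walk(data.get("dependencies", {}))
    return hits


YARN_HEADER = re.compile(r"^(\S.*):\s*$")                    # '"@s/n@^1.0", "@s/n@~1.2":'
YARN_VERSION = re.compile(r"^\s+version:?\s+\"?([^\"\s]+)\"?")  # v1 'version "x"', berry 'version: x'


def from_yarn_lock(text: str) -> Set[Hit]:
    hits: Set[Hit] = set()
    names: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        h = YARN_HEADER.match(line)
        if h:   # strip quotes and the '@range' / '@npm:range' suffix; keep the scope
            names = [spec.strip().strip("\"'").rsplit("@", 1)[0] for spec in h.group(1).split(",")]
            continue
        v = YARN_VERSION.match(line)
        if v:
            hits.update((n, v.group(1)) for n in names)
    return hits


# pnpm v5 ('/@s/n/1.2.3:') and v6+/v9 ("'@s/n@1.2.3':") package keys sit at exactly 2 spaces
PNPM_KEY = re.compile(
    r"^ {2}(?! )['\"]?/?(@?[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?)[@/](\d+\.\d+\.\d+[^'\"\s:(]*)")


def from_pnpm_lock(text: str) -> Set[Hit]:
    return {(m.group(1), m.group(2)) for m in map(PNPM_KEY.match, text.splitlines()) if m}


PARSERS = {"package-lock.json": from_package_lock, "npm-shrinkwrap.json": from_package_lock,
           "yarn.lock": from_yarn_lock, "pnpm-lock.yaml": from_pnpm_lock}


def scan_lockfile(path: str, text: str) -> List[Hit]:
    """Entries in one lockfile whose (name, version) is flagged by ADVISORIES."""
    parser = PARSERS.get(Path(path).name)
    if parser is None:
        return []
    return sorted((n, v) for n, v in parser(text) if n in ADVISORIES and ADVISORIES[n](v))


def scan_tree(root: str) -> List[Tuple[str, Hit]]:
    """Walk a directory holding checkouts of all repos and report every flagged entry."""
    out: List[Tuple[str, Hit]] = []
    for p in Path(root).rglob("*"):
        if p.name in PARSERS and "node_modules" not in p.parts:
            out += [(str(p), h) for h in scan_lockfile(str(p), p.read_text())]
    return out


# constructed samples: one affected pin, one clean pin, one affected pnpm pin
PACKAGE_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@beproduct/nestjs-auth": {"version": "0.1.7"},
    "node_modules/lodash": {"version": "4.17.21"}}})

YARN_LOCK = '''# yarn lockfile v1

"@beproduct/nestjs-auth@^0.1.0":
  version "0.1.20"
  resolved "https://registry.example.test/nestjs-auth-0.1.20.tgz"

lodash@^4.17.0:
  version "4.17.21"
'''

PNPM_LOCK = """lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@beproduct/nestjs-auth':
        specifier: ^0.1.0
        version: 0.1.2
packages:
  '@beproduct/nestjs-auth@0.1.2':
    resolution: {integrity: sha512-constructed}
  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}
snapshots:
  '@beproduct/nestjs-auth@0.1.2': {}
"""
```

Point scan_tree at the directory where all repositories are cloned; a lockfile hit means the host that last ran an install from that lockfile is in scope for the credential rotation above. Lockfiles only show what was resolved, so CI logs still need to be checked for installs done without a lockfile.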
Tags: ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS 10.0 · Priority 50
CVE-2026-2590
Act Now
Unpatched
Insecure password-saving enforcement in Devolutions Remote Desktop Manager 2025.3 (2025.3.30 and earlier are affected).
Within 24 hours: Identify all Remote Desktop Manager deployments at 2025.3.30 or earlier and restrict their use to authorized administrators. Within 7 days: Audit vault entries for unauthorized credential persistence and rotate all credentials stored in affected installations. Within 30 days: Upgrade to a patched version as soon as one is released; until then, apply compensating controls such as disabling connection entry creation and editing.
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Third-party ICT: HashiCorp
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS 9.8 · EPSS 0.1% · Priority 49
CVE-2026-7428
Act Now
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited
Tags: ICT dependency, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp, PostgreSQL
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS 9.2 · EPSS 0.0% · Priority 46
CVE-2026-47358
Act Now
Unpatched
Server-Side Request Forgery in Tenable Terrascan v1.18.3 and prior allows unauthenticated remote attackers to make the server fetch arbitrary URLs, including file:// URIs that disclose local files. The flaw is triggered when Terrascan runs in server mode and parses uploaded ARM or CloudFormation templates whose templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL fields point at attacker-controlled destinations. No public exploit was identified at the time of analysis, and because Terrascan was archived in August 2023, no patch will be released.
24 hours: Identify all Terrascan deployments (v1.18.3 and earlier) running in server mode and assess their network exposure. 7 days: Restrict inbound connections to Terrascan servers with network access controls; disable server mode where operationally feasible; where it must stay, filter uploaded templates in front of the server (for example at a reverse proxy) to reject link fields with file:// or other non-https schemes and hosts outside an allowlist. 30 days: Migrate to an actively maintained infrastructure-as-code scanner (for example Checkov, TFLint, or Snyk, as listed under CVE-2026-47357) and plan the decommissioning of Terrascan.
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: HashiCorp
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS 9.2 · EPSS 0.0% · Priority 46
CVE-2026-47357
Act Now
Unpatched
Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.
Within 24 hours: Inventory all systems running Terrascan versions 1.18.3 and prior, prioritizing those with network exposure. Within 7 days: Disable Terrascan server mode on all affected systems and implement network isolation for any remaining instances. Within 30 days: Decommission Terrascan entirely and migrate to actively maintained Infrastructure-as-Code scanning tools such as Checkov, TFLint, or Snyk.
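Since no Terrascan fix will ship, the only in-path control for the two SSRF entries above (CVE-2026-47358 and CVE-2026-47357) while server mode is still running is to vet uploaded templates before the server parses them. The code below is an added example, not Terrascan's own code: it walks a JSON ARM or CloudFormation template, finds the exact fields the entries name (templateLink.uri, parametersLink.uri, and TemplateURL), and rejects anything that is not https to an allowlisted host, which blocks file:// reads and requests to internal addresses alike. The allowlist host templates.example.internal and the three templates at the end are constructed.

```python
"""Vet an uploaded ARM or CloudFormation template before it reaches a Terrascan
server: reject link fields that use anything but https to an allowlisted host.
Added example, not Terrascan's code; the allowlist host and the sample templates
are constructed."""
import json
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Fields named in the two Terrascan entries: templateLink.uri and parametersLink.uri
# (ARM nested deployments) and TemplateURL (AWS::CloudFormation::Stack).
ARM_LINK_PARENTS = ("templateLink", "parametersLink")
ALLOWED_HOSTS = {"templates.example.internal"}   # assumption: your own template store


def iter_links(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, url) for every link-bearing string field at any depth.
    Non-string values (e.g. a CloudFormation {"Fn::Sub": ...}) are not URLs and
    are skipped here; their resolved value has to be vetted separately."""
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}" if path else key
            is_link = key == "TemplateURL" or (key == "uri" and path.endswith(ARM_LINK_PARENTS))
            if is_link and isinstance(val, str):
                yield child, val
            yield from iter_links(val, child)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from iter_links(val, f"{path}[{i}]")


def check_link(url: str) -> Optional[str]:
    """Rejection reason, or None when the link is acceptable.  Strict allowlist:
    file://, http://, scheme-less paths and ARM '[concat(...)]' expressions all fail."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as e:
        return f"unparseable URL ({e})"
    scheme = parts.scheme.lower()
    if scheme != "https":
        return f"scheme {scheme or '(none)'!r} not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} not in allowlist"
    return None


def vet_template(text: str) -> List[str]:
    """Parse a JSON template; return every rejection (an empty list means accept)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg}"]
    problems = []
    for path, url in iter_links(doc):
        reason = check_link(url)
        if reason:
            problems.append(f"{path}: {reason} ({url})")
    return problems


# constructed samples
MALICIOUS_ARM = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "resources": [{
        "type": "Microsoft.Resources/deployments", "name": "nested",
        "properties": {
            "mode": "Incremental",
            "templateLink": {"uri": "file:///root/.netrc"},
            "parametersLink": {"uri": "https://templates.example.internal/params.json"}}}]})

SSRF_CFN = json.dumps({"Resources": {"Child": {
    "Type": "AWS::CloudFormation::Stack",
    "Properties": {"TemplateURL": "http://169.254.169.254/latest/meta-data/"}}}})

CLEAN_CFN = json.dumps({"Resources": {"Child": {
    "Type": "AWS::CloudFormation::Stack",
    "Properties": {"TemplateURL": "https://templates.example.internal/child.json"}}}})

if __name__ == "__main__":
    for name, doc in (("arm", MALICIOUS_ARM), ("ssrf", SSRF_CFN), ("clean", CLEAN_CFN)):
        print(name, vet_template(doc) or "accepted")
```

Call vet_template on the request body at the proxy and return 400 on any non-empty result. The check deliberately rejects ARM template expressions and CloudFormation intrinsic functions in link fields rather than trying to evaluate them; templates that need them should be resolved to literal URLs before upload.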
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: HashiCorp
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS 9.2 · EPSS 0.0% · Priority 46
CVE-2026-46354
Act Now
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
Within 24 hours: Identify all Coder v2 instances and map their integrations with Git systems (GitHub/GitLab/Bitbucket) and OAuth providers; if Azure instance-identity enrolment is not in use, block the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint at the reverse proxy until patched, and isolate critical instances if necessary. Within 7 days: Apply the vendor-released patch to all Coder v2 instances. Within 30 days: Audit workspace agent token usage for anomalies and proactively rotate all Git SSH keys and OAuth tokens held by workspaces.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Third-party ICT: GitLab, HashiCorp
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: GitLab (Dev Platforms & CI/CD)
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
CVSS 9.1 · Priority 46

By Exposure

Internet-facing: 22
Mgmt / Admin Plane: 11
Identity / Auth: 9
Internal only: 14

By Exploitability

Known exploited: 1
Public PoC: 2
High EPSS (>30%): 0
Remote unauthenticated: 15
Local only: 2

By Remediation

Patch available: 23
No patch: 13
Workaround available: 18
No workaround: 7

Affected Services / Product Families

HashiCorp
36 CVEs
CVE-2026-2590 CRITICAL Unpatched
CVE-2026-32692 HIGH Patched
CVE-2026-32303 HIGH Patched
CVE-2026-32309 HIGH Patched
CVE-2026-32310 MEDIUM Unpatched
CVE-2026-32317 HIGH Patched
CVE-2026-32318 HIGH Patched
CVE-2026-33722 HIGH PoC Patched
CVE-2026-34976 CRITICAL Patched
CVE-2026-4660 HIGH Patched
(26 more not shown)
