
Red Hat

Infrastructure & Virtualization

Summary (last 30 days):
  • Open CVEs: 832
  • Exploited: 1
  • KEV: 1
  • Unpatched: 11
  • No Workaround: 8
  • Internet-facing: 175

Why this provider is risky now

This provider has 832 open CVE(s) in the last 30 days. 1 listed in CISA KEV (known exploited). 11 have no vendor patch. 175 affect internet-facing services. 23 impact the management/identity plane.

Risk indicators: 1 KEV, 1 Exploited, 11 Unpatched, 23 Mgmt / Admin Plane, 17 Public PoC, 8 No Workaround, 175 Internet-facing.

Top Risky CVEs

CVE-2026-42208
Act Now
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. The vulnerability is exploitable via crafted Authorization headers sent to any LLM API route (e.g., POST /chat/completions), triggering the injection through the proxy's error-handling path. Vendor-released patch available in version 1.83.7. No active exploitation confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N) and SQL injection PoCs are widely known. Discovered by Tencent YunDing Security Lab.
  • Within 24 hours: Identify all LiteLLM proxy instances running versions 1.81.16 through 1.83.6 using asset inventory and network scans.
  • Within 7 days: Upgrade all affected instances to version 1.83.7 or later per vendor advisory; test in a non-production environment first.
  • Within 30 days: Audit database access logs for suspicious Authorization header patterns; rotate all LLM API credentials stored in affected instances; review access controls to LiteLLM proxy endpoints.
Tags: Edge exposure, ICT dependency, Active exploitation, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-89: SQL Injection)
  • Third-party ICT: Red Hat
  • Exploited in the wild (CISA KEV)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • Known exploited vulnerability (KEV)
CVSS 9.3 | EPSS 0.1% | Priority 117
CVE-2026-24118
Act Now
Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. The vulnerability exploits prototype chain traversal through Buffer.apply and __lookupGetter__ to access the host Function constructor, bypassing VM2's context isolation. Publicly available exploit code exists, and vendor-released patch version 3.11.0 addresses the issue. This is a complete sandbox escape requiring no authentication or user interaction, making it critical for environments executing untrusted code within VM2 contexts.
  • Within 24 hours: Audit all systems and applications using VM2 ≤3.10.4 (check package-lock.json and npm ls vm2). Immediately isolate or restrict network access to systems running vulnerable versions.
  • Within 7 days: Upgrade VM2 to version 3.11.0 or later on all production and development systems; test in a non-production environment first.
  • Within 30 days: Implement Software Composition Analysis (SCA) tooling to detect vulnerable npm dependencies in CI/CD pipelines and enforce minimum version policies for VM2.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Third-party ICT: Red Hat
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-26956
Act Now
Full sandbox escape with arbitrary code execution allows remote attackers to break out of vm2's Node.js sandbox environment (version 3.10.4) and execute commands on the host system. Attacker-controlled code running inside VM.run() can obtain the host process object and execute arbitrary host commands without any cooperation from the host application. EPSS data not available, but this represents complete failure of the sandbox security boundary. Patch released in version 3.10.5 addresses eleven distinct escape vectors including Function constructor leakage, proxy unwrapping, util.inspect exposure, and WebAssembly exception handling.
  • Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools).
  • Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate in a staging environment.
  • Within 30 days: Audit logs for suspicious code execution patterns in vm2 sandboxes and confirm full deployment across production, development, and CI/CD environments.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Third-party ICT: Red Hat
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-24120
Act Now
Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. CVSS 9.8 (Critical) with EPSS data unavailable, but the existence of a detailed security advisory and comprehensive patch from GitHub indicates active vendor awareness and rapid response. Patched in version 3.10.5 with eleven distinct fixes addressing various bypass techniques.
  • Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope.
  • Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; if upgrade is not immediately possible, implement network-level restrictions to prevent untrusted external input from reaching vm2-dependent services.
  • Within 30 days: Conduct a code review of all vm2 usage patterns to evaluate whether sandboxing requirements can be met through alternative approaches or vendor products with active security maintenance.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Third-party ICT: Red Hat
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-31072
Act Now
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).
  • Within 24 hours: Audit all systems running APScheduler versions ≤3.10.x or ≤4.0.0a5 to determine exposure and data sources.
  • Within 7 days: For systems processing untrusted serialized input, immediately implement controls: disable JSONSerializer and CBORSerializer deserialization, restrict network access to APScheduler instances, or containerize with execution constraints.
  • Within 30 days: Establish an upgrade plan and prepare to deploy the patched APScheduler version once the vendor releases a fix.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Red Hat, SUSE
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.8 | EPSS 0.1% | Priority 69
CVE-2026-42945
Act Now
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.
  • Within 24 hours: Identify all NGINX Plus and Open Source instances in your environment and audit rewrite directive configurations, particularly those using PCRE captures with question marks in replacement strings.
  • Within 7 days: Apply the vendor-released patch from F5 to all affected NGINX instances; test patches in staging environments first.
  • Within 30 days: Complete full production rollout and validate that rewrite module functionality operates correctly post-patch; document all NGINX configurations for future reference.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Third-party ICT: F5, Red Hat, SUSE
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: F5 (Network & Security)
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.2 | EPSS 0.2% | Priority 66
CVE-2026-32177
This Week
Local privilege escalation in Microsoft .NET Framework (versions 3.5 through 10.0) and Visual Studio 2017 occurs through heap-based buffer overflow exploitation requiring user interaction with a malicious file. Attackers without initial privileges can achieve high-level code execution and data access by convincing a user to open a specially crafted document or application. Microsoft has released patches across all affected .NET versions per MSRC advisory, indicating this is a vendor-confirmed issue requiring immediate remediation for systems where users process untrusted .NET content.
  • Within 24 hours: Identify all systems running .NET Framework versions 3.5-10.0 and Visual Studio 2017 using asset inventory or SCCM.
  • Within 7 days: Apply Microsoft-released patches across all affected .NET Framework versions and Visual Studio 2017 per the MSRC advisory; prioritize developer workstations and servers processing untrusted .NET content.
  • Within 30 days: Verify patch deployment via vulnerability scanning; document exceptions for systems requiring extended timelines.
Tags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Red Hat
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 7.3 | EPSS 0.1% | Priority 62
CVE-2026-6321
This Week
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.
  • Within 24 hours: Identify all applications and services using the fast-uri library and document current versions.
  • Within 7 days: Upgrade fast-uri to version 3.1.1 or later across all affected systems; validate the upgrade in non-production environments first.
  • Within 30 days: Conduct access control testing to verify the path normalization bypass is eliminated; review authorization logs for suspicious path-traversal patterns in the preceding 90 days.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-22: Path Traversal)
  • Third-party ICT: Red Hat, SUSE
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 7.5 | EPSS 0.0% | Priority 58
CVE-2026-46333
This Week
Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.
  • Within 24 hours: Identify all Linux systems in your environment and determine which kernel versions are vulnerable to CVE-2026-46333.
  • Within 7 days: Prioritize patching of systems containing sensitive data or critical services; apply vendor-released kernel patches and stage reboots.
  • Within 30 days: Complete patching of all systems, review system logs for suspicious privilege escalation attempts, and validate ptrace security controls post-patch.
Tags: ICT dependency, Management plane, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Red Hat, SUSE, Linux
  • Proof of concept available
  • Management plane (Improper Privilege Management)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • ICT provider: Linux (Operating Systems)
  • Authentication / access control weakness
CVSS 7.1 | EPSS 0.0% | Priority 56
CVE-2026-45829
Act Now
Unpatched
{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.
  • Within 24 hours: Inventory all ChromaDB Python deployments (1.0.0+) and assess external accessibility of the /api/v2/tenants endpoint.
  • Within 7 days: Immediately disable the trust_remote_code parameter in the ChromaDB configuration and implement network-level restrictions limiting collection endpoint access to authorized internal systems only.
  • Within 30 days: Monitor HiddenLayer and ChromaDB advisory channels for a vendor-released patch and deploy it immediately upon availability; evaluate alternative vector database solutions if the patch timeline is uncertain.
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Third-party ICT: Red Hat
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • No remediation available
CVSS 10.0 | EPSS 0.1% | Priority 50

By Exposure

  • Internet-facing: 175
  • Mgmt / Admin Plane: 23
  • Identity / Auth: 10
  • Internal only: 646

By Exploitability

  • Known exploited: 1
  • Public PoC: 17
  • High EPSS (>30%): 0
  • Remote unauthenticated: 358
  • Local only: 414

By Remediation

  • Patch available: 821
  • No patch: 11
  • Workaround available: 288
  • No workaround: 8

Affected Services / Product Families

Red Hat
832 CVE(s)
CVE-2026-31694 HIGH Patched
CVE-2026-31695 HIGH Patched
CVE-2026-31696 HIGH Patched
CVE-2026-31697 HIGH Patched
CVE-2026-31698 HIGH Patched
CVE-2026-31699 HIGH Patched
CVE-2026-31700 HIGH Patched
CVE-2026-31701 MEDIUM Patched
CVE-2026-31702 HIGH Patched
CVE-2026-31703 HIGH Patched
+ 822 more

Recommended Actions
