
Redis

Databases & Data Platforms

  • Open CVEs: 27
  • Exploited: 1
  • KEV: 1
  • Unpatched: 1
  • No Workaround: 0
  • Internet-facing: 21

Why this provider is risky now

This provider has 27 open CVE(s) in the last 30 days. 1 is listed in CISA KEV (known exploited). 1 has no vendor patch. 21 affect internet-facing services. 4 impact the management/identity plane.

KEV: 1 · Exploited: 1 · Unpatched: 1 · Mgmt / Admin Plane: 4 · Public PoC: 1 · Internet-facing: 21

Top Risky CVEs

CVE-2026-48172 [Act Now]
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is
Tags: ICT dependency · Active exploitation · KEV · PoC · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Redis
  • Exploited in the wild (CISA KEV)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Redis (Databases & Data Platforms)
  • Known exploited vulnerability (KEV)
CVSS 10.0 · EPSS 0.0% · Priority 120
CVE-2026-42472 [Act Now] [Unpatched]
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
Within 24 hours: Identify all systems running MixPHP Framework 2.x and document current versions; implement network-level restrictions to Redis ports and verify only trusted clients can connect. Within 7 days: Evaluate upgrading to MixPHP Framework 2.2.18 or later if available, or apply the RedisHandler deserialization fix from vendor; contact MixPHP maintainers for patch timeline confirmation. Within 30 days: Complete migration to patched version or implement permanent compensating controls; conduct code review of any custom serialization handlers.
Tags: Edge exposure · ICT dependency · No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Redis
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Redis (Databases & Data Platforms)
  • No remediation available
CVSS 9.8 · EPSS 0.0% · Priority 49
CVE-2026-42088 [Act Now]
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
Within 24 hours: Identify all OpenC3 COSMOS deployments and document current versions. Within 7 days: Upgrade all instances to version 7.0.0 or later; verify upgrade completion and test Script Runner functionality. Within 30 days: Audit logs for unauthorized Script Runner executions, rotate all secrets stored in Redis/MinIO, review IAM policies to restrict low-privileged user access to Script Runner widget, and implement network segmentation to isolate container-to-container communication.
Tags: ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Docker, Redis
  • Management plane (Execution with Unnecessary Privileges)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: Redis (Databases & Data Platforms)
  • Authentication / access control weakness
CVSS 9.6 · EPSS 0.0% · Priority 48
CVE-2026-45721 [Act Now]
Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).
Within 24 hours: Inventory all systems running Algernon web server and document versions in use; immediately isolate any Algernon 1.17.6 or earlier instances from production traffic or restrict network access to trusted sources only. Within 7 days: Implement file integrity monitoring to detect unauthorized handler.lua file creation in parent directories of the server root; deploy network-based access controls and WAF rules to block suspicious requests to Algernon endpoints. Within 30 days: Evaluate alternatives to Algernon or contact vendor for patch timeline; if continued use is necessary, architect defensive layers (authentication gateway, request filtering, strict filesystem permissions) to compensate for the absence of a vendor fix.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Third-party ICT: Canonical / Ubuntu, Redis
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 9.0 · EPSS 0.2% · Priority 45
CVE-2026-44552 [This Week]
Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads (containing chat content, user identity, and OAuth tokens) to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.
Within 24 hours: Identify all Open WebUI instances sharing Redis backends and document current deployment topology. Within 7 days: Upgrade all affected Open WebUI instances to version 0.9.0 or later; validate Redis cache isolation post-upgrade by restarting services and confirming tool_servers/terminal_servers keys use proper instance-specific prefixes. Within 30 days: Conduct audit of admin accounts across all instances, review Redis access controls to enforce least-privilege connectivity, and implement monitoring for unexpected cache key modifications.
Tags: ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 8.7 · EPSS 0.0% · Priority 44
CVE-2026-25588 [This Week]
Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.
Within 24 hours: Identify all RedisTimeSeries deployments and document current versions; restrict RESTORE command permissions to essential service accounts only and review access logs for suspicious activity. Within 7 days: Upgrade RedisTimeSeries to version 1.12.14 or later if available from vendor repositories, or implement network segmentation to isolate affected instances from untrusted networks. Within 30 days: Conduct security audit of Redis authentication controls, rotate credentials for accounts with RESTORE permissions, and establish monitoring for RESTORE command usage.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • Third-party ICT: SUSE, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 · EPSS 0.3% · Priority 39
CVE-2026-25589 [This Week]
Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.
Within 24 hours: Inventory all RedisBloom deployments and identify versions prior to 2.8.20; document which systems have authenticated user access. Within 7 days: Upgrade RedisBloom to version 2.8.20 or later on all affected instances; prioritize systems accessible to multiple users or in shared environments. Within 30 days: Audit Redis authentication logs for suspicious RESTORE command activity; implement principle of least privilege by restricting RESTORE command access to administrative accounts only.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • Third-party ICT: SUSE, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 · EPSS 0.3% · Priority 39
CVE-2026-23479 [This Week]
Use-after-free in Redis 7.2.0 through 8.6.2 allows authenticated attackers to achieve remote code execution by exploiting error handling in the unblock client flow. When a blocked client is evicted during command re-execution, the server fails to handle the error return from processCommandAndResetClient, triggering memory corruption. Redis has released version 8.6.3 with a security fix. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the critical RCE impact.
Within 24 hours: Inventory all Redis deployments and identify instances running versions 7.2.0-8.6.2; verify the current version with 'redis-cli info server'. Within 7 days: Upgrade to Redis 8.6.3 or later across all affected instances, prioritizing production systems; test upgrades in staging first. Within 30 days: Complete upgrade of all remaining Redis instances and validate functionality; review and restrict Redis network access to authenticated users only via firewall rules.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • Third-party ICT: Red Hat, SUSE, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 · EPSS 0.1% · Priority 39
CVE-2026-25243 [This Week]
Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.
Within 24 hours: Inventory all Redis instances and document current versions, RESTORE command privileges, and network access controls. Within 7 days: Apply Redis version 8.6.4 or later to all affected instances; if upgrade cannot be completed, restrict RESTORE command privileges to administrative accounts only and enforce network segmentation. Within 30 days: Conduct access audit of all accounts with RESTORE privileges, implement least-privilege controls, and enable Redis command logging and monitoring for RESTORE usage.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • Third-party ICT: Red Hat, SUSE, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 · EPSS 0.1% · Priority 39
CVE-2026-45061 [This Week]
Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.
Within 24 hours: Inventory all Budibase self-hosted instances and their current versions. Within 7 days: Upgrade all instances to Budibase version 3.35.10 or later per GitHub security advisory GHSA-xh5j-727m-w6gg. Within 30 days: Conduct access log review for instances running versions earlier than 3.35.10 to identify any suspicious plugin URL uploads or requests to 169.254.169.254, internal CouchDB/Redis endpoints, or private IP ranges from Global Builder accounts; restrict Global Builder role assignment to trusted users only.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: Docker, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 · EPSS 0.0% · Priority 39

By Exposure

  • Internet-facing: 21
  • Mgmt / Admin Plane: 4
  • Identity / Auth: 2
  • Internal only: 4

By Exploitability

  • Known exploited: 1
  • Public PoC: 1
  • High EPSS (>30%): 0
  • Remote unauthenticated: 9
  • Local only: 1

By Remediation

  • Patch available: 26
  • No patch: 1
  • Workaround available: 14
  • No workaround: 0

Affected Services / Product Families

Redis (27 CVEs)
  • CVE-2026-42472 CRITICAL Unpatched
  • CVE-2026-42088 CRITICAL Patched
  • CVE-2026-23479 HIGH Patched
  • CVE-2026-23631 MEDIUM Patched
  • CVE-2026-25243 HIGH Patched
  • CVE-2026-25588 HIGH Patched
  • CVE-2026-25589 HIGH Patched
  • CVE-2026-43879 MEDIUM Patched
  • CVE-2026-42586 MEDIUM Patched
  • CVE-2026-44589 LOW Patched
  • plus 17 more not listed here

Recommended Actions
