
Redis

Databases & Data Platforms

Open CVEs: 46
Exploited: 1
KEV: 1
Unpatched: 6
No Workaround: 0
Internet-facing: 39

Why this provider is risky now

This provider has 46 open CVE(s) in the last 90 days. 1 listed in CISA KEV (known exploited). 6 have no vendor patch. 39 affect internet-facing services. 6 impact the management/identity plane.

1 KEV · 1 Exploited · 6 Unpatched · 6 Mgmt / Admin Plane · 2 Public PoC · 39 Internet-facing

Top Risky CVEs

CVE-2026-48172
Act Now
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is
ICT dependency Active exploitation KEV PoC Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Redis
  • Exploited in the wild (CISA KEV)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Redis (Databases & Data Platforms)
  • Known exploited vulnerability (KEV)
CVSS 10.0 · EPSS 0.0% · Priority 120
CVE-2026-42472
Act Now
Unpatched
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
Within 24 hours: Identify all systems running MixPHP Framework 2.x and document current versions; implement network-level restrictions to Redis ports and verify only trusted clients can connect. Within 7 days: Evaluate upgrading to MixPHP Framework 2.2.18 or later if available, or apply the RedisHandler deserialization fix from vendor; contact MixPHP maintainers for patch timeline confirmation. Within 30 days: Complete migration to patched version or implement permanent compensating controls; conduct code review of any custom serialization handlers.
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Redis
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Redis (Databases & Data Platforms)
  • No remediation available
CVSS 9.8 · EPSS 0.0% · Priority 49
CVE-2026-42088
Act Now
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
Within 24 hours: Identify all OpenC3 COSMOS deployments and document current versions. Within 7 days: Upgrade all instances to version 7.0.0 or later; verify upgrade completion and test Script Runner functionality. Within 30 days: Audit logs for unauthorized Script Runner executions, rotate all secrets stored in Redis/MinIO, review IAM policies to restrict low-privileged user access to Script Runner widget, and implement network segmentation to isolate container-to-container communication.
ICT dependency Management plane Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Docker, Redis
  • Management plane (Execution with Unnecessary Privileges)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: Redis (Databases & Data Platforms)
  • Authentication / access control weakness
CVSS 9.6 · EPSS 0.0% · Priority 48
CVE-2026-4860
This Month
Unpatched
A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.
Within 24 hours: Inventory all systems running wvp-GB28181-pro and immediately isolate affected instances from production networks or disable external API access; establish incident response readiness. Within 7 days: Implement network segmentation restricting API endpoint access to trusted sources only, deploy WAF rules blocking malicious deserialization payloads, and monitor logs for exploitation attempts. Within 30 days: Evaluate alternative vendors or forked versions with security patches; if continued use is necessary, establish a vendor communication escalation with legal/procurement to demand patch timeline or prepare migration strategy.
Edge exposure ICT dependency PoC
Why flagged?
CVSS 5.5 · EPSS 0.0% · Priority 48
CVE-2026-34977
Act Now
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Within 24 hours: Identify all Aperi'Solve instances and their versions (check docker images, deployment manifests). If running <3.2.1, immediately isolate from internet or restrict network access to trusted sources only. Within 7 days: Upgrade all instances to Aperi'Solve 3.2.1 or later per vendor release notes; test in non-production environment first. Within 30 days: Review access logs for successful JPEG uploads to exploited instances during exposure window; audit PostgreSQL and Redis database access; if Docker socket is mounted, conduct full host system security assessment.
Edge exposure ICT dependency Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Docker, PostgreSQL, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: PostgreSQL (Databases & Data Platforms)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 9.3 · EPSS 0.1% · Priority 47
CVE-2026-40872
Act Now
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
Within 24 hours: Inventory all mailcow Dockerized deployments and document current versions via `docker inspect` or internal asset management; restrict admin dashboard access to trusted networks using firewall/WAF rules. Within 7 days: Disable or restrict unauthenticated Autodiscover requests at the reverse proxy or network perimeter; implement input validation on Autodiscover endpoints if possible through mailcow configuration. Within 30 days: Upgrade to mailcow Dockerized version 2026-03b or later immediately upon release; conduct Redis data audit for injected payloads and purge Autodiscover log entries; review admin session logs for unauthorized activity during the interim period.
Edge exposure ICT dependency Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-79: Cross-site Scripting (XSS))
  • Third-party ICT: Docker, Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 9.3 · EPSS 0.0% · Priority 47
CVE-2026-45721
Act Now
Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua (including shell commands via run3() and os.execute) in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).
Within 24 hours: inventory all systems running Algernon web server and document versions in use; immediately isolate any Algernon 1.17.6 or earlier instances from production traffic or restrict network access to trusted sources only. Within 7 days: implement file integrity monitoring to detect unauthorized handler.lua file creation in parent directories of the server root; deploy network-based access controls and WAF rules to block suspicious requests to Algernon endpoints. Within 30 days: evaluate alternatives to Algernon or contact vendor for patch timeline; if continued use is necessary, architect defensive layers (authentication gateway, request filtering, strict filesystem permissions) to compensate for the absence of a vendor fix.
Edge exposure ICT dependency Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Third-party ICT: Canonical / Ubuntu, Redis
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 9.0 · EPSS 0.2% · Priority 45
CVE-2026-44552
This Week
Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into a shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads (containing chat content, user identity, and OAuth tokens) to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.
Within 24 hours: Identify all Open WebUI instances sharing Redis backends and document current deployment topology. Within 7 days: Upgrade all affected Open WebUI instances to version 0.9.0 or later; validate Redis cache isolation post-upgrade by restarting services and confirming tool_servers/terminal_servers keys use proper instance-specific prefixes. Within 30 days: Conduct audit of admin accounts across all instances, review Redis access controls to enforce least-privilege connectivity, and implement monitoring for unexpected cache key modifications.
ICT dependency Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Redis
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Redis (Databases & Data Platforms)
CVSS 8.7 · EPSS 0.0% · Priority 44
CVE-2026-33226
This Week
Unpatched
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
Within 24 hours: Inventory all Budibase deployments and document which have admin access to users with elevated privileges; restrict admin access to trusted personnel only and review recent admin activity logs for suspicious REST datasource queries. Within 7 days: Implement network segmentation to isolate Budibase instances from cloud metadata services (169.254.169.254), internal credential stores, and sensitive Kubernetes APIs; disable or restrict the REST datasource query preview feature if business operations allow. Within 30 days: Migrate to alternative low-code platforms or implement comprehensive API gateway controls with request inspection; monitor vendor for patch availability and deploy immediately upon release.
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: Docker, Redis
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: Redis (Databases & Data Platforms)
  • No remediation available
CVSS 8.7 · EPSS 0.0% · Priority 44
CVE-2026-33480
This Week
Unpatched
AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.
Within 24 hours: Identify all AVideo instances in production and disable the LiveLinks plugin or restrict access to plugin/LiveLinks/proxy.php via network controls. Within 7 days: Implement WAF rules blocking IPv4-mapped IPv6 addresses (::ffff:*) and audit cloud metadata service access logs for suspicious activity. Within 30 days: Evaluate migration to alternative video platforms, implement network segmentation to restrict metadata service access, and monitor vendor communications for patch availability.
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: Redis
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Redis (Databases & Data Platforms)
  • No remediation available
CVSS 8.6 · EPSS 0.0% · Priority 43

By Exposure

Internet-facing: 39
Mgmt / Admin Plane: 6
Identity / Auth: 3
Internal only: 5

By Exploitability

Known exploited: 1
Public PoC: 2
High EPSS (>30%): 0
Remote unauthenticated: 20
Local only: 1

By Remediation

Patch available: 40
No patch: 6
Workaround available: 28
No workaround: 0

Affected Services / Product Families

Redis: 46 CVE(s)
CVE-2026-1527 MEDIUM Patched
CVE-2026-32812 MEDIUM Patched
CVE-2026-33226 HIGH Unpatched
CVE-2026-33480 HIGH Unpatched
CVE-2026-1648 HIGH Unpatched
CVE-2026-4860 MEDIUM PoC Unpatched
CVE-2026-22744 HIGH Patched
CVE-2026-34163 HIGH Patched
CVE-2026-34936 HIGH Patched
CVE-2026-35537 LOW Patched
+ 36 more

Recommended Actions
