NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
- NIS2 Relevant: 439
- DORA Relevant: 65
- Internet-Facing: 374
- Third-Party ICT: 65
- Unpatched: 439
- Exploited: 70
Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.2% | Priority: 44
Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers to access sensitive internal entity data through an exposed "getting started" endpoint. The vulnerability bypasses authentication controls, enabling unauthorized access to confidential system information after setup has completed. The attack vector is network-based with low complexity and requires no user interaction. No public exploit identified at time of analysis. CVSS 8.7 reflects high confidentiality impact.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.1% | Priority: 44
Man-in-the-middle attackers can truncate AES-GCM authentication tags in wolfSSL's PKCS7 AuthEnvelopedData processing from 16 bytes to 1 byte, degrading cryptographic integrity verification from 2⁻¹²⁸ to 2⁻⁸ probability. Affects wolfSSL versions through 5.9.0 due to missing lower bounds validation in wc_PKCS7_DecodeAuthEnvelopedData(). Unauthenticated network-based attack enables high-severity integrity bypass without user interaction. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-20: Improper Input Validation)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.1% | Priority: 44
Information disclosure in HAX CMS versions prior to 25.0.0 exposes authentication tokens and user activity via unauthenticated access to the /server-status endpoint. Remote attackers can retrieve active user tokens, monitor real-time interactions, harvest client IP addresses, and map internal infrastructure without authentication (CVSS:4.0 AV:N/AC:L/PR:N). EPSS data is not available, and the absence of a CISA KEV listing indicates no confirmed active exploitation at time of analysis. Publicly available exploit code exists per the GitHub security advisory.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.1% | Priority: 44
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis; EPSS data is not available, though technical details are publicly documented in GitHub issue #604. Authentication requirements are not confirmed from available data, but the CVSS vector indicates a network-accessible attack requiring no privileges.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: request-smuggling
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
SQL injection in MATCHA INVOICE 2.6.6 and earlier allows authenticated users with low-level privileges to extract or modify database contents via network access. With CVSS 8.8 (High severity), low attack complexity, and no user interaction required, authenticated attackers can achieve full confidentiality, integrity, and availability impact on the application database. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
Reflected XSS in ChurchCRM GeoPage.php enables authenticated attackers to execute arbitrary JavaScript in victims' browsers and hijack administrator sessions without user interaction. The vulnerability affects all versions prior to 7.1.0 and leverages autofocus to automatically trigger malicious payloads when authenticated users are socially engineered into submitting a crafted form. Session cookie theft leads to complete account takeover including administrative privileges. No public exploit identified at time of analysis, though technical details are available in the GitHub security advisory.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.7 | EPSS: 0.0% | Priority: 44
Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.7 | EPSS: 0.0% | Priority: 44
Reflected cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 allows authenticated attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs targeting the FindFundRaiser.php endpoint. The vulnerability stems from improper output encoding of DateStart and DateEnd parameters in HTML attributes. CVSS 8.7 reflects the changed scope (S:C) enabling potential session hijacking and account compromise across the church management platform. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though exploitation probability remains moderate given the authenticated requirement and user interaction dependency.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.7 | EPSS: 0.0% | Priority: 44
SQL injection in EcclesiaCRM v2/templates/query/queryview.php allows authenticated remote attackers to execute arbitrary SQL commands via unsanitized 'custom' and 'value' parameters. All versions prior to 8.0.0 are affected. CVSS 8.7 (High) with network vector, low complexity, and low privileges required. Publicly available exploit code exists (detailed PoC published in referenced Gist). EPSS data not provided, but the combination of public PoC, clear attack path, and critical CWE-89 classification elevates real-world exploitation risk. No confirmed active exploitation (CISA KEV) at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
SQL injection in Hydrosystem Control System versions before 9.8.5 allows authenticated attackers to execute arbitrary SQL commands via unprotected input parameters across multiple scripts. Exploitation requires low-privilege authentication but no user interaction, enabling attackers to compromise database confidentiality and integrity with potential for full database control. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: deserialization
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.7 | EPSS: 0.0% | Priority: 44
TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
Unauthenticated root access in Egate Atom 3x Projector enables complete device compromise via an exposed Android Debug Bridge service on the local network. An attacker on the same network segment can execute arbitrary commands with full system privileges without credentials, due to missing authentication controls and network exposure of the ADB service. No public exploit identified at time of analysis. Critical impact includes data exfiltration, malware installation, and persistent backdoor deployment.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- No patch available
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
IP address spoofing in Bulwark Webmail versions prior to 1.4.11 allows unauthenticated remote attackers to bypass IP-based rate limiting and forge audit log entries by manipulating the X-Forwarded-For HTTP header. The vulnerability enables brute-force attacks against admin login interfaces and allows malicious actors to mask their true origin in security logs. CVSS 8.7 reflects high integrity impact (VI:H) with network-accessible attack vector requiring no privileges (AV:N, PR:N). No public exploit identified at time of analysis, though exploitation is straightforward given the trust-boundary violation in HTTP header processing.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
NTLM credential theft in SiYuan personal knowledge management system (prior to 3.6.4) allows remote attackers to capture Windows user password hashes without authentication or user interaction. Misconfigured Mermaid.js rendering with securityLevel:loose permits unsanitized <img> tags within SVG foreignObject blocks. Protocol-relative URLs in malicious Mermaid diagrams trigger automatic SMB authentication on Windows, transmitting NTLMv2 hashes to attacker-controlled servers when victims open compromised notes. The Electron client processes the SVG via innerHTML without secondary sanitization, enabling SSRF to UNC paths.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.7 | EPSS: 0.1% | Priority: 44
Remote code execution in Zammad open-source helpdesk system versions prior to 7.0.1 through server-side template injection in AI Agent configuration. Attackers with high-privilege administrative access who can control or influence type_enrichment_data parameters can execute arbitrary code on the server. Exploitation requires authenticated administrative credentials and user interaction. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-94: Code Injection)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash the srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains the DoS by forcing continuous process restarts. Affects a wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. The vulnerability is limited to ICMPv6 traffic; IPv4 and standard IPv6 packets cannot trigger it. No public exploit identified at time of analysis.
Tags: NIS2, DORA, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44
Memory leak in the Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering a jdhcpd crash. The service remains unavailable until the process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.
Tags: NIS2, DORA, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 8.7 | EPSS: 0.0% | Priority: 44