NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
- NIS2 Relevant: 441
- DORA Relevant: 65
- Internet-Facing: 376
- Third-Party ICT: 65
- Unpatched: 442
- Exploited: 71
Remote code execution in Rapid7 Velociraptor server (versions <0.76.2, primarily Linux) allows authenticated attackers to write arbitrary messages to privileged internal queues via crafted client monitoring messages with malicious queue names. Improper input validation in the server's client monitoring message handler fails to sanitize queue names supplied by rogue clients, enabling queue injection attacks that escalate to RCE. Affects self-hosted instances only; Rapid7 Hosted Velociraptor instances are not vulnerable. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-20: Improper Input Validation)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.5 | EPSS: 0.2% | Priority: 42
CVSS 3.1: 8.5 | EPSS: 0.0% | Priority: 42
Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, Oracle Database
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Oracle Database
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Oracle Database (Databases & Data Platforms)
CVSS 3.1: 8.5 | EPSS: 0.0% | Priority: 42
Improper access control in GitLab CE/EE 16.9.6-18.10.2 enables authenticated attackers to invoke unauthorized server-side methods via websocket connections, achieving high-severity information disclosure with changed scope. Affects continuous integration/deployment platforms running vulnerable GitLab instances. Exploitation requires low-privilege authentication but no user interaction, enabling lateral information access across security boundaries.
Tags: DORA, ICT dependency, No patch available, GitLab
Why flagged?
DORA Relevant
- HIGH severity
- ICT provider: GitLab (Dev Platforms & CI/CD)
- No remediation available
CVSS 3.1: 8.5 | EPSS: 0.0% | Priority: 42
Stored cross-site scripting (XSS) in Checkmk dashboard functionality allows authenticated users with dashboard creation privileges to inject malicious scripts through unsanitized dashlet title links, achieving high confidentiality and integrity impact (CVSS 8.5) when victims click crafted links on shared dashboards. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and beta 2.5.0 before b3. SSVC framework indicates no active exploitation and non-automatable attack requiring user interaction, but classifies technical impact as total. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
Command injection in Unix-like Artifacts Collector (UAC) pre-3.3.0-rc1 enables arbitrary code execution through unsanitized placeholder substitution in the _run_command() pipeline. Attackers inject shell metacharacters via %line%, %user%, or %user_home% placeholders processed by foreach iterators and system file parsers, exploiting direct eval() execution without input validation. Exploitation requires local access with user interaction but no authentication, executing commands at UAC process privilege level. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
SQL injection in WordPress Media Library Assistant plugin through version 3.34 allows authenticated attackers with low-level privileges to extract sensitive database contents and potentially disrupt availability. The vulnerability has a CVSS score of 8.5 (High) with scope change, indicating that authenticated attackers can access data beyond their permission level. EPSS data not available; no public exploit identified at time of analysis. The absence of a CISA KEV listing indicates this is not confirmed as actively exploited in the wild.
Tags: NIS2, Edge exposure, No patch available, PoC
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- Proof of concept available
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.5 | EPSS: 0.0% | Priority: 42
DLL and shared-library hijacking in ufrisk MemProcFS versions prior to 5.17 enables local arbitrary code execution through six distinct attack surfaces. Unsafe library-loading patterns (including unqualified LoadLibraryU and dlopen calls for vmmpyc, libMSCompression, and plugin DLLs) allow attackers to plant malicious libraries in the working directory or manipulate LD_LIBRARY_PATH. Exploitation requires user interaction (CVSS UI:P) but no authentication (PR:N), achieving high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
OS command injection in parseusbs <1.9 enables arbitrary code execution on forensic examiner systems through maliciously crafted .lnk filenames. The parseUSBs.py module passes LNK file paths unsanitized into os.popen() shell commands, allowing attackers to embed shell metacharacters in filenames that execute during USB artifact parsing. Exploitation requires no authentication (PR:N) but necessitates user interaction (UI:P) when the examiner processes USB artifacts containing weaponized .lnk files. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
OS command injection in TP-Link Archer AX53 v1.0 dnsmasq module allows authenticated adjacent attackers to execute arbitrary code through maliciously crafted configuration files. Successful exploitation enables device configuration modification, sensitive data access, and complete system compromise. Affects TP-Link Archer AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213. Requires high-privilege adjacent network access (CVSS:4.0 AV:A/PR:H). No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.5 | EPSS: 0.4% | Priority: 42
Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.
Tags: NIS2, DORA, ICT dependency, No patch available, Management plane, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Juniper
- No patch available
- Management plane (Execution with Unnecessary Privileges)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
- Authentication / access control weakness
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
Local privilege escalation in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated users with low privileges to gain high-privileged direct access to Flexible PIC Concentrators (FPCs), enabling potential full compromise of affected line cards. Impacts PTX10004, PTX10008, PTX10016 with JNP10K-LC1201 or JNP10K-LC1202 line cards across multiple firmware branches. Missing authentication on critical FPC management functions permits unauthorized privilege elevation. No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Management plane, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: Juniper
- No patch available
- Management plane (Missing Authentication for Critical Function)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
- Authentication / access control weakness
CVSS 4.0: 8.5 | EPSS: 0.0% | Priority: 42
OS command injection in TP-Link Archer AX53 v1.0 OpenVPN module allows authenticated adjacent attackers to execute arbitrary system commands through maliciously crafted configuration files. Exploitation requires high-privilege adjacency access but enables complete device compromise including configuration modification, credential disclosure, and persistent backdoor installation. Affects AX53 v1.0 firmware prior to 1.7.1 Build 20260213. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.5 | EPSS: 0.3% | Priority: 42
CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: code-injection
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.5 | EPSS: 0.0% | Priority: 42
Stored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious JavaScript through the modal item preview function. When processing item content exceeding 800 characters, the application returns attacker-controlled content without explicit text/plain content-type headers, enabling browser interpretation as HTML. Successful exploitation executes arbitrary JavaScript in victim browsers viewing crafted items, compromising confidentiality and integrity across system and user contexts. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.5 | EPSS: 0.1% | Priority: 42
Service Account token disclosure in the Red Hat OpenShift AI odh-dashboard component exposes Kubernetes credentials through an unprotected NodeJS endpoint. Low-privilege authenticated attackers can retrieve service account tokens, enabling unauthorized access to Kubernetes cluster resources. Affects Red Hat OpenShift AI 2.16 and multiple RHOAI versions. Cross-scope impact allows privilege escalation beyond dashboard component boundaries. No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Red Hat
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Red Hat
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- No remediation available
CVSS 3.1: 8.5 | EPSS: 0.1% | Priority: 42
CVSS 3.1: 8.5 | Priority: 42
Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Management plane, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: Juniper
- No patch available
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
- Authentication / access control weakness
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
DLL hijacking in JPCERT's Emocheck malware detection tool allows local code execution when a malicious DLL is placed in the application directory. An unauthenticated attacker with local access can achieve arbitrary code execution at user privilege level by exploiting insecure library loading (CWE-427). The user must invoke the Emocheck executable with the crafted DLL present. No public exploit identified at time of analysis. CVSS 7.8 indicates high severity requiring user interaction and local access.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Sensitive information disclosure in IBM Tivoli Netcool Impact versions 7.1.0.0 through 7.1.0.37 allows local attackers with no authentication required to extract credentials and configuration secrets from application log files. With CVSS 8.4 and High impact to confidentiality, integrity, and availability, the CWE-532 flaw enables privilege escalation through exposed secrets. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) suggests straightforward exploitation once local access is obtained.
Tags: NIS2, DORA, ICT dependency, IBM Cloud
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: IBM Cloud
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: IBM Cloud (Cloud Providers)
CVSS 3.1: 8.4 | EPSS: 0.0% | Priority: 42
Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Management plane (Incorrect Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Command injection in Juniper Networks Junos OS and Junos OS Evolved CLI processing allows high-privileged local attackers to execute arbitrary shell commands as root through crafted 'set system' arguments, enabling complete system compromise. Affects all versions before multiple fixed releases across both operating systems. Authentication required (high-privileged local access). No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42