NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
NIS2 Relevant: 442
DORA Relevant: 65
Internet-Facing: 377
Third-Party ICT: 65
Unpatched: 443
Exploited: 71
OS command injection in parseusbs (versions prior to 1.9) allows local attackers to execute arbitrary commands through unsanitized volume path arguments passed to the -v flag. The vulnerability stems from passing user-controlled input directly to os.popen() with shell=True during volume enumeration via ls command, enabling shell metacharacter injection. Exploitation requires user interaction to execute parseusbs with a malicious -v argument. No public exploit identified at time of analysis, though proof-of-concept exists in commit history.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Path traversal in Helm 4.0.0 through 4.1.3 allows malicious plugin installation to write arbitrary files to any filesystem location. When users install or update a specially crafted Helm plugin containing directory traversal sequences (/../) in the version field of plugin.yaml, the package manager writes plugin contents outside intended directories. Exploitation requires user interaction to install or update the malicious plugin. No public exploit identified at time of analysis. Impacts Kubernetes environments using Helm for package management, enabling potential system compromise through arbitrary file write.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Command injection in Juniper Networks Junos OS and Junos OS Evolved CLI processing allows high-privileged local attackers to execute arbitrary shell commands as root through crafted 'set system' arguments, enabling complete system compromise. Affects all versions before multiple fixed releases across both operating systems. Authentication required (high-privileged local access). No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: command-injection
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Stack-based buffer overflow in Dynabook Bluetooth ACPI drivers (tosrfec.sys, drfec.sys) allows local administrators to execute arbitrary code by manipulating specific registry values. This CVSS 8.4 vulnerability requires high privileges (administrative access) but enables complete system compromise with low attack complexity. No public exploit identified at time of analysis, though the attack surface is limited to users who already possess elevated credentials.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.4 | Priority: 42
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Environment variable injection in PraisonAI deploy.py (versions prior to 4.5.128) allows authenticated local attackers to inject arbitrary environment variables into Google Cloud Run services during deployment. The vulnerability stems from improper validation of comma-separated gcloud CLI arguments, enabling attackers to manipulate openai_model, openai_key, or openai_base parameters with embedded commas, causing gcloud to parse injected content as additional KEY=VALUE pairs. This grants high-level access to confidential service configuration and permits unauthorized modifications. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: code-injection
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.4 | EPSS: 0.0% | Priority: 42
Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.4 | EPSS: 0.0% | Priority: 42
Server-side request forgery in Zammad webhook implementation allows authenticated administrators to retrieve confidential cloud provider metadata by exploiting insufficient validation of loopback and link-local addresses. Affects versions before 7.0.1 and 6.5.4. Attackers with privileged access can configure malicious webhook URLs targeting internal infrastructure endpoints, bypassing intended URL scheme restrictions. No public exploit identified at time of analysis. CVSS 8.3 reflects high confidentiality and availability impacts on vulnerable and subsequent systems.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.3 | EPSS: 0.0% | Priority: 42
Authorization bypass in Erlang OTP's inets HTTP server allows unauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch where mod_auth validates access against DocumentRoot-relative paths while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. With CVSS 8.3 (AV:N/AC:L/PR:N), the attack requires no authentication and low complexity but depends on specific ScriptAlias configurations (AT:P). SSVC assessment confirms the vulnerability is automatable with partial technical impact. No public exploit identified at time of analysis, though SSVC indicates exploitation status 'none'. Vendor-released patches available for affected OTP versions 17.0 through 28.4.1.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass, path-traversal
- Management plane (Incorrect Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.3 | EPSS: 0.0% | Priority: 42
Authentication bypass in OpenClaw versions prior to 2026.3.23 enables attackers to forge Plivo V2 signature-verified requests without credentials. The vulnerability stems from replay key derivation using full URLs with query parameters rather than canonicalized base URLs, allowing unauthenticated remote attackers to manipulate query strings on signed requests and generate new valid verification keys. This permits bypassing webhook authentication controls and injecting malicious requests into Plivo-integrated telephony workflows. No public exploit or active exploitation confirmed at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.3 | EPSS: 0.0% | Priority: 42
CVSS 3.1: 8.3 | EPSS: 0.0% | Priority: 42
Path traversal in Chamilo LMS main/exercise/savescores.php enables authenticated attackers to delete arbitrary files on the server. Vulnerable versions prior to 1.11.38 fail to sanitize the 'test' parameter from $_REQUEST, allowing directory traversal sequences to escape intended paths and target critical system or application files. Attackers with low-level authenticated access can exploit this remotely without user interaction, resulting in high integrity and availability impact through targeted file deletion.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.3 | EPSS: 0.0% | Priority: 42
Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. Affects Junos OS versions across all branches prior to 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, and 25.2R1-S2/25.2R2. No public exploit identified at time of analysis. Network-positioned attacker with high complexity required (CVSS AC:H).
Tags: NIS2, DORA, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 8.3 | EPSS: 0.0% | Priority: 42
CVSS 4.0: 8.3 | EPSS: 0.2% | Priority: 42
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Authorization Bypass via User-Controlled Key)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.3 | EPSS: 0.1% | Priority: 42
CVSS 4.0: 8.2 | EPSS: 0.1% | Priority: 41
CVSS 3.1: 8.2 | EPSS: 0.1% | Priority: 41
Path traversal via symlink in LiquidJS npm package allows authenticated template contributors to read arbitrary filesystem content outside configured template roots. The vulnerability affects applications where untrusted users can influence template directories (uploaded themes, extracted archives, repository-controlled templates). LiquidJS validates template paths using string-based directory containment checks but fails to resolve canonical filesystem paths before file access, enabling symlinks placed within allowed partials/layouts directories to reference external files. Publicly available exploit code exists. No EPSS score available, but impact is limited to information disclosure in specific deployment scenarios requiring attacker filesystem access.
Tags: NIS2, DORA, ICT dependency, Canonical / Ubuntu
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Canonical / Ubuntu
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
CVSS 4.0: 8.2 | EPSS: 0.1% | Priority: 41
Authorization bypass in File Browser allows unauthenticated access to shared files after permissions revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. This CWE-863 authorization flaw enables persistent unauthorized data access with high confidentiality impact (CVSS 8.2), though no public exploit or active exploitation (not in CISA KEV) has been identified at time of analysis.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Management plane (Incorrect Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 8.2 | EPSS: 0.1% | Priority: 41
Command injection in CoolerControl/coolercontrold versions prior to 4.0.0 allows high-privileged local attackers to escalate privileges to root by injecting malicious bash commands into alert names. The vulnerability affects the alerts functionality where user-controlled input is passed unsanitized to shell execution contexts. With CVSS 8.2 and local attack vector requiring high privileges, exploitation demands existing administrative access but enables full system compromise. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.2 | EPSS: 0.1% | Priority: 41
CVSS 4.0: 8.2 | EPSS: 0.0% | Priority: 41
CVSS 4.0: 8.2 | EPSS: 0.0% | Priority: 41
Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported via huntr.com bug bounty). EPSS data not provided, but the low attack complexity (AC:L) and network attack vector (AV:N) combined with high confidentiality impact (C:H) and scope change indicate significant exploitation risk for applications exposing this deserialization functionality to untrusted input.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.0: 8.2 | EPSS: 0.0% | Priority: 41