NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
NIS2 Relevant: 442
DORA Relevant: 65
Internet-Facing: 377
Third-Party ICT: 65
Unpatched: 444
Exploited: 71
Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and a local attack vector (AV:L). No public exploit code or CISA KEV listing was identified at time of analysis, though technical details are publicly documented in a researcher blog post.
Tags: NIS2, DORA, ICT dependency, Red Hat
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Red Hat
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
CVSS 3.1: 8.2 | EPSS: 0.0% | Priority: 41
CVSS 4.0: 8.2 | EPSS: 0.0% | Priority: 41
Arbitrary OS command execution in Vim prior to version 9.2.0276 occurs when users open maliciously crafted files containing modeline directives that bypass sandbox protections. The vulnerability exploits missing security flags on the complete, guitabtooltip, and printheader options, plus an unchecked mapset() function, enabling attackers to escape Vim's modeline sandbox and execute system commands. Publicly available exploit code exists. With EPSS data unavailable and no CISA KEV listing, real-world exploitation risk depends heavily on social engineering success, though the low attack complexity (CVSS AC:L) and no authentication requirement (PR:N) lower the barrier for opportunistic attacks against users who routinely open untrusted files.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.2 | EPSS: 0.0% | Priority: 41
Unauthenticated access to kcp root shard cache server exposes cluster topology, RBAC policies, and API configurations to network-reachable attackers. The cache server at /services/cache/* bypasses authentication and authorization middleware, allowing any attacker with network access to the root shard (CVSS:3.1/AV:N/AC:L/PR:N) to read replicated resources including ClusterRoles, LogicalClusters, Shards, APIExports, and admission control policies. A secondary race condition permits temporary privilege escalation via injected RBAC objects, though the sub-second window and self-healing replication controller make practical exploitation challenging. Vendor-released patches available in kcp v0.29.3 and v0.30.3. No public exploit identified at time of analysis, though the straightforward network-based attack vector (documented curl example in advisory) enables trivial exploitation once discovered.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Management plane (Missing Authentication for Critical Function)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.2 | EPSS: 0.1% | Priority: 41
LDAP filter injection in OPNsense firewall allows unauthenticated attackers to enumerate valid LDAP usernames and bypass group membership restrictions via the WebGUI login page. Affects OPNsense versions prior to 26.1.6. The vulnerability stems from failure to escape user-supplied input before insertion into LDAP search filters, enabling metacharacter injection. Attackers can authenticate as any LDAP user with known credentials, circumventing Extended Query group membership controls. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-90: LDAP Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.2 | EPSS: 0.2% | Priority: 41
Unauthenticated path traversal in Saltcorn no-code application builder enables remote attackers to write arbitrary JSON files and create directories anywhere on the server filesystem via /sync/offline_changes endpoint, and read JSON files plus list directory contents via /sync/upload_finished endpoint. Affects Saltcorn versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4. No public exploit identified at time of analysis. Exploitation requires no authentication (CVSS PR:N), permitting arbitrary file write with high integrity impact and limited confidentiality exposure.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.2 | EPSS: 0.1% | Priority: 41
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.2 | EPSS: 0.0% | Priority: 41
Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.1% | Priority: 41
Arbitrary file write via Zip Slip in PraisonAI allows remote attackers to overwrite system files and achieve code execution when users install malicious community templates. The vulnerability affects the PraisonAI Python package's template installation feature, which uses unsafe `zipfile.extractall()` without path traversal validation. A publicly available proof-of-concept demonstrates creating ZIP archives with directory traversal paths (e.g., `../../../../tmp/evil.sh`) that escape the intended extraction directory. With CVSS 8.1 (High) and requiring only user interaction (UI:R) but no authentication (PR:N), this poses significant risk to organizations using PraisonAI's community template ecosystem. EPSS data not available, but exploitation is straightforward given the documented PoC.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Out-of-bounds memory write in Google Chrome's WebML component (versions prior to 147.0.7727.55) allows remote attackers to corrupt memory via malicious HTML pages, enabling potential code execution or denial of service. Exploitation requires user interaction to visit a crafted webpage. CVSS 8.1 severity reflects unauthenticated network-based attack with high integrity and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.04%).
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-20: Improper Input Validation)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrary family records without proper authorization checks. Attackers with any valid API credentials can modify family verification status, trigger spam emails, activate/deactivate accounts, and force geocoding operations on any family record by manipulating the familyId parameter in API requests. Affects all ChurchCRM versions prior to 7.1.0. CVSS 8.1 (High) reflects the network-accessible attack vector with low complexity and high integrity/availability impact. No evidence of active exploitation (CISA KEV negative) or public exploit code at time of analysis, but the vulnerability is trivially exploitable given the low attack complexity and published security advisory.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Authorization Bypass via User-Controlled Key)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Reflected Cross-Site Scripting (XSS) in ChurchCRM login page allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious URLs containing unsanitized username parameters. ChurchCRM versions prior to 7.1.0 fail to encode the username parameter, enabling attackers to craft URLs that inject malicious scripts capable of stealing session cookies or displaying phishing forms. With CVSS 8.1 (AV:N/AC:L/PR:N/UI:R) and no public exploit identified at time of analysis, this represents a moderate-priority risk requiring user interaction but no authentication for exploitation.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.0: 8.1 | EPSS: 0.0% | Priority: 41
Time-based blind SQL injection in GLPI's Search engine allows remote unauthenticated attackers to extract sensitive database contents and potentially achieve code execution. GLPI versions 11.0.0 through 11.0.5 are vulnerable. The CVSS vector (PR:N) confirms no authentication is required, though attack complexity is rated high (AC:H). EPSS data is not available and there is no CISA KEV listing, so no active exploitation was confirmed at time of analysis, but the unauthenticated remote attack surface and SQL-injection nature present significant risk for this widely deployed IT asset management platform.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization in the batch update API endpoint. Any authenticated user within a shared Space can modify recipes marked private by other users, force-share private recipes, and tamper with metadata by exploiting the PUT /api/recipe/batch_update/ endpoint which bypasses authorization checks enforced on single-recipe endpoints. Affects all versions prior to 2.6.4. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication with no user interaction. No public exploit identified at time of analysis, though exploitation is straightforward for authenticated attackers.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Authorization Bypass via User-Controlled Key)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Time-based SQL injection in ChurchCRM versions before 7.1.0 allows authenticated remote attackers to extract sensitive database contents through the ConfirmReportEmail.php endpoint. The familyId parameter fails to properly sanitize user input in SQL query construction, enabling attackers with low-privilege accounts to exfiltrate high-value data including confidential church member information. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the vulnerability class (CWE-89) is well-understood and exploitation techniques are widely documented.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
SQL injection in ChurchCRM's PropertyTypeEditor.php allows authenticated users with the MenuOptions role permission to exfiltrate database contents including password hashes. The vulnerability stems from replacing the SQL-escaping function legacyFilterInput() with sanitizeText(), which only strips HTML, leaving the Name and Description fields in property type management vulnerable to time-based blind injection. CVSS 8.1 reflects high confidentiality and integrity impact with low attack complexity from network-accessible authenticated attackers. No public exploit identified at time of analysis, though exploitation requires only basic staff-level permissions rather than administrative access.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Cross-Site Request Forgery (CSRF) in RedwoodSDK 1.0.0-beta.50 through 1.0.5 allows unauthenticated remote attackers to execute state-changing server functions via crafted GET requests. The vulnerability stems from server functions exported from 'use server' files accepting GET requests despite being intended for POST-only invocation, enabling exploitation through cross-site navigation in cookie-authenticated applications where browsers automatically attach SameSite=Lax cookies to top-level GET requests. CVSS score 8.1 reflects high integrity and availability impact with low attack complexity requiring only user interaction. No public exploit identified at time of analysis, with EPSS data unavailable. Fixed in version 1.0.6.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-352: Cross-Site Request Forgery (CSRF))
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.1 | EPSS: 0.0% | Priority: 41
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.1 | EPSS: 0.2% | Priority: 40