NIS2 & DORA Compliance

Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Regulatory Triage ICT Providers
NIS2 Relevant
452
DORA Relevant
65
Internet-Facing
387
Third-Party ICT
65
Unpatched
441
Exploited
73
Framework:
Period:
Sort:
CVE-2025-47391
Local privilege escalation in Qualcomm Snapdragon allows authenticated users to execute arbitrary code through memory corruption when processing frame requests. This CWE-121 stack-based buffer overflow enables complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with CVSS 7.8 indicating high severity requiring low attack complexity and low privileges. Qualcomm's April 2026 security bulletin addresses this vulnerability.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-21371
Memory corruption in Qualcomm Snapdragon components allows local authenticated attackers to execute arbitrary code with high privileges. A buffer overflow vulnerability (CWE-126) occurs during output buffer retrieval due to insufficient size validation, enabling complete system compromise with high confidentiality, integrity, and availability impact. EPSS risk data not available; no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. The local attack vector (AV:L) and low complexity (AC:L) make this exploitable by malicious apps or local users on affected Snapdragon-powered devices.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-21376
Local privilege escalation in Qualcomm Snapdragon camera sensor drivers allows authenticated attackers with low privileges to execute arbitrary code with elevated permissions through unchecked output buffer access during IOCTL operations. This out-of-bounds read vulnerability (CWE-126) achieves complete system compromise (confidentiality, integrity, and availability impact all rated High in CVSS). No public exploit identified at time of analysis, though the local attack vector and low complexity suggest proof-of-concept development is feasible for researchers with device access.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-21372
Local privilege escalation in Qualcomm Snapdragon components allows authenticated local attackers to corrupt kernel memory through malformed IOCTL requests. Exploitation requires low-privilege local access but no user interaction (CVSS 7.8, AV:L/PR:L). The vulnerability enables attackers to achieve high impact across confidentiality, integrity, and availability through unsafe memcpy operations that fail to validate buffer sizes. No public exploit identified at time of analysis, though the straightforward attack complexity (AC:L) suggests exploitation development is feasible for adversaries with local access.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2025-47389
Local privilege escalation in Qualcomm Snapdragon components enables authenticated users to achieve arbitrary code execution with elevated privileges through memory corruption triggered by integer overflow during attestation report generation. The vulnerability requires low attack complexity and low-level authentication (CVSS:3.1/AV:L/AC:L/PR:L), allowing complete compromise of confidentiality, integrity, and availability on affected devices. With CVSS 7.8 (High severity) and local attack vector, this represents a significant risk on multi-user Android devices where malicious apps could exploit the flaw to break out of sandboxing. No public exploit identified at time of analysis, though the buffer overflow class (CWE-120) is well-understood by exploit developers.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-21374
Memory corruption in Qualcomm Snapdragon auxiliary sensor I/O control processing allows authenticated local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from insufficient buffer size validation (CWE-126: Buffer Over-read) when handling sensor control commands. With CVSS 7.8 and local attack vector requiring low privileges, this represents a moderate real-world risk for privilege escalation attacks on Android and IoT devices using affected Snapdragon chipsets. No public exploit code or CISA KEV listing identified at time of analysis, though the April 2026 bulletin date suggests recent disclosure.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-5726
Stack-based buffer overflow in Delta Electronics ASDA-Soft allows local attackers with no privileges to execute arbitrary code by tricking users into opening a malicious file. The vulnerability achieves complete system compromise (confidentiality, integrity, availability all rated High in CVSS) through user interaction with crafted input. No public exploit identified at time of analysis, though the low attack complexity and lack of required privileges increase realistic exploitation risk once details emerge.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-39853
Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. Attackers craft malicious signed files with oversized digest fields triggering memcpy overflow when users verify files via osslsigncode verify command, corrupting stack state and enabling code execution with high confidentiality, integrity, and availability impact.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-27806
Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. CVSS 7.8 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though exploitation requires only a specially crafted password containing closing brace characters. Impacts organizations using Fleet's macOS disk encryption management.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Moderate evidence (PoC / elevated EPSS)
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-40156
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-94: Code Injection)
  • Moderate evidence (PoC / elevated EPSS)
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-28261
Local privilege escalation in Dell Elastic Cloud Storage (≤3.8.1.7) and ObjectScale (<4.1.0.3, =4.2.0.0) allows authenticated users with low privileges to extract credentials from log files and escalate to compromised account privileges. CVSS 7.8 (High). No public exploit identified at time of analysis. EPSS data not available, but local access requirement and low attack complexity suggest moderate exploitation likelihood in multi-tenant or shared administrative environments.
NIS2 DORA ICT dependency No patch available Elastic Dell
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Elastic, Dell
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Elastic (Databases & Data Platforms)
  • ICT provider: Dell (Hardware & Firmware)
  • No remediation available
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-30232
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connections with arbitrary URLs, enabling attacks against internal networks and cloud metadata endpoints. The vulnerability stems from unvalidated URL fetching via request-promise library, permitting attackers to probe internal infrastructure, access cloud instance metadata (AWS, Azure, GCP), and potentially retrieve sensitive credentials or configuration data. No public exploit identified at time of analysis. CVSS 7.8 with network attack vector and no authentication requirement in subsequent chain exploitation.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.8
CVSS 4.0
0.0%
EPSS
39
Priority
CVE-2026-34734
Heap use-after-free in HDF5 h5dump utility allows local attackers to achieve arbitrary code execution when processing malicious HDF5 files. Affects HDF5 versions 1.14.1-2 and earlier from HDFGroup. Attacker must convince user to open crafted file (user interaction required, CVSS UI:R). Unauthenticated attack vector enables high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Vulnerability stems from premature deallocation in H5D__typeinfo_term followed by unsafe reference in H5T__conv_struct memmove operation.
No patch available
Why flagged?
7.8
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-33092
Local privilege escalation in Acronis True Image for macOS enables authenticated low-privileged users to gain elevated system privileges through improper environment variable handling. Affects Acronis True Image OEM (macOS) versions prior to build 42571 and Acronis True Image (macOS) prior to build 42902. Attackers with existing local access can achieve complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis. Exploitation requires low attack complexity with no user interaction.
NIS2 DORA ICT dependency No patch available Apple
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Apple
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Apple (Operating Systems)
  • No remediation available
7.8
CVSS 3.0
0.0%
EPSS
39
Priority
CVE-2026-5709
Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated users to execute arbitrary commands on cluster-manager EC2 instances through unsanitized input in the FileBrowser API. Vendor-released patch available (version 2026.03). No public exploit identified at time of analysis, though CVSS 7.7 reflects high impact if exploited by low-privileged authenticated users with network access.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Strong evidence (KEV / high EPSS / multi-source)
7.7
CVSS 4.0
0.1%
EPSS
39
Priority
CVE-2026-39361
Server-Side Request Forgery (SSRF) in OpenObserve up to 0.70.3 allows authenticated attackers to bypass IPv6 address validation and access internal network resources, including cloud metadata services. The vulnerability enables retrieval of AWS IMDSv1 credentials at 169.254.169.254, GCP metadata endpoints, and Azure IMDS on cloud deployments, or probing of internal services in self-hosted environments. CVSS score of 7.7 reflects high confidentiality impact with changed scope. No public exploit identified at time of analysis, though exploitation requires only low-complexity authenticated network access.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.7
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-35533
Local trust-control bypass in mise (Rust task runner) versions ≤2026.3.17 allows attackers to inject malicious configuration through `.mise.toml` files, leading to arbitrary code execution. By setting `trusted_config_paths = ["/"]` in a project-local config file, attackers bypass the trust verification mechanism that should prevent execution of dangerous directives like `[env] _.source`, hooks, templates, and tasks. Exploitation requires victim interaction (cloning/opening a malicious repository), but no authentication. EPSS data not available; no confirmed active exploitation or public exploit code beyond the GitHub advisory's proof-of-concept. Attack complexity is high due to the requirement for victim action and specific execution context (mise hook-env invocation).
NIS2 DORA Edge exposure ICT dependency No patch available Management plane Docker
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Docker
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • No remediation available
  • Authentication / access control weakness
7.7
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-34853
Permission bypass in Huawei HarmonyOS and EMUI LBS (Location-Based Services) module enables highly-privileged local attackers with user interaction to achieve full compromise across security contexts (confidentiality, integrity, availability impact). CVSS 7.7 HIGH severity. No public exploit identified at time of analysis. Attack requires local access, high privileges (administrator/root), user interaction, but succeeds with low complexity once prerequisites met. Scope change (S:C) indicates container escape or privilege boundary violation beyond the vulnerable component.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.7
CVSS 3.1
0.0%
EPSS
39
Priority
CVE-2026-40150
Server-side request forgery in PraisonAIAgents multi-agent system allows authenticated attackers to force internal network reconnaissance and data exfiltration through unvalidated URL crawling. The web_crawl() function in versions prior to 1.5.128 accepts arbitrary URLs from AI agents without scheme allowlisting, hostname blocking, or private network checks, enabling access to cloud metadata endpoints (AWS/Azure/GCP), internal services, and local filesystems via file:// URIs. Exploitation requires low-privileged authenticated access with network reachability and no user interaction. No public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Moderate evidence (PoC / elevated EPSS)
7.7
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-39843
Server-Side Request Forgery (SSRF) in Makeplane Plane (versions 0.28.0 to before 1.3.0) allows authenticated attackers with low privileges to perform full-read SSRF attacks against internal network resources. The vulnerability exists because incomplete remediation of a previous SSRF issue (GHSA-jcc6-f9v6-f7jw) left the favicon fetch path vulnerable to redirect-based attacks. When an attacker supplies an HTML page containing a link tag with an href redirecting to a private IP address via the 'Add link' feature, the fetch_and_encode_favicon() function follows redirects without validation, enabling unauthorized access to internal resources. Requires authenticated access; no public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.7
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-33461
Authorization bypass in Elastic Kibana allows authenticated users with limited Fleet privileges to retrieve sensitive configuration data including private keys and authentication tokens through an internal API endpoint. The vulnerability affects network-accessible instances and bypasses intended privilege boundaries by returning full configuration objects without proper authorization checks. CVSS score of 7.7 reflects high confidentiality impact with scope change. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.
NIS2 DORA Edge exposure ICT dependency No patch available Management plane Elastic
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Elastic
  • No patch available
  • Management plane (Incorrect Authorization)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Elastic (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
7.7
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-4498
Authenticated Kibana users with Fleet management privileges can read Elasticsearch index data beyond their intended RBAC permissions through debug route handlers in the Fleet plugin. This scope bypass affects Elastic Kibana deployments where users hold Fleet sub-feature privileges (agent policies, settings management). The vulnerability requires low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), enabling cross-scope data confidentiality breach (S:C/C:H). No public exploit identified at time of analysis. EPSS data not available, but the specific privilege escalation vector and remote exploitability warrant prioritization in Kibana Fleet deployments.
NIS2 DORA ICT dependency No patch available Management plane Elastic
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Elastic
  • No patch available
  • Management plane (Execution with Unnecessary Privileges)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Elastic (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
7.7
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-35666
Allowlist bypass in OpenClaw before 2026.3.22 permits authenticated attackers to execute arbitrary commands by wrapping disallowed executables with /usr/bin/time. The vulnerability exploits incomplete validation in system.run approvals, which fail to detect time wrapper prefixes, allowing reuse of approval state for inner prohibited commands. Remote exploitation requires low-privilege authentication (PR:L) with network access, enabling full system compromise through command injection. No public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Strong evidence (KEV / high EPSS / multi-source)
7.7
CVSS 4.0
0.0%
EPSS
38
Priority
CVE-2026-31941
Server-Side Request Forgery in Chamilo LMS Social Wall feature enables authenticated attackers to force the server to make arbitrary HTTP requests to internal resources. The read_url_with_open_graph endpoint accepts user-controlled URLs via social_wall_new_msg_main POST parameter without validating internal versus external targets, allowing internal port scanning, access to cloud instance metadata (AWS/GCP/Azure), and reconnaissance of private network services. Affects Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3. Attack requires low-privilege authenticated access; no public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.7
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-40180
Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-22: Path Traversal)
  • Moderate evidence (PoC / elevated EPSS)
7.7
CVSS 4.0
0.0%
EPSS
38
Priority
Prev Page 17 of 26 (637 CVEs) Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy