NIS2 & DORA Compliance

Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Regulatory Triage ICT Providers
NIS2 Relevant
441
DORA Relevant
61
Internet-Facing
380
Third-Party ICT
61
Unpatched
420
Exploited
73
Framework:
Period:
Sort:
CVE-2026-5959
Remote authentication bypass in GL.iNet GL-RM1, GL-RM10, GL-RM10RC, and GL-RM1PE versions up to 1.8.1 allows authenticated remote attackers with high privileges to manipulate the Factory Reset Handler component, resulting in improper authentication controls. The vulnerability requires high attack complexity and is difficult to exploit but enables unauthorized access to sensitive device functionality. A vendor-released patch addressing this issue is available in version 1.8.2.
NIS2 Edge exposure Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-287: Improper Authentication)
  • Management plane (Improper Authentication)
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 4.0
0.1%
EPSS
38
Priority
CVE-2026-35523
Authentication bypass in Strawberry GraphQL WebSocket subscriptions (versions <0.312.3) allows unauthenticated remote attackers to access protected GraphQL subscription endpoints by exploiting the legacy graphql-ws subprotocol handler. Attackers can skip the on_ws_connect authentication hook by connecting with graphql-ws and sending subscription start messages without completing the connection_init handshake. No public exploit identified at time of analysis, though exploitation is straightforward given the protocol-level nature of the bypass. CVSS 7.5 reflects network-accessible unauthenticated attack with high confidentiality impact.
NIS2 Edge exposure Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Management plane (Missing Authentication for Critical Function)
  • Moderate evidence (PoC / elevated EPSS)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-3360
Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Management plane (Missing Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-39312
Remote unauthenticated denial-of-service in SoftEther VPN Developer Edition 5.2.5188 and earlier allows attackers to crash the vpnserver process and terminate all active VPN sessions by sending a single malformed EAP-TLS packet over raw L2TP (UDP port 1701). This pre-authentication vulnerability requires no privileges or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), enabling trivial service disruption. No public exploit identified at time of analysis, though the attack mechanism is well-documented in vendor advisory GHSA-q5g3-qhc6-pr3h.
No patch available
Why flagged?
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-3396
Time-based SQL injection in WCAPF (WooCommerce Ajax Product Filter) WordPress plugin versions up to 4.2.3 allows unauthenticated remote attackers to extract sensitive database information via the 'post-author' parameter. The vulnerability stems from inadequate input sanitization and SQL query preparation, enabling attackers to append malicious SQL commands to existing queries. EPSS data not provided, but the unauthenticated network-accessible attack vector and public disclosure via Wordfence Threat Intelligence create immediate exploitation risk for WordPress sites using this e-commerce filtering plugin. No active exploitation confirmed (not in CISA KEV), though publicly available proof-of-concept code exists in security advisories.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-1584
NULL pointer dereference in GnuTLS TLS handshake processing enables unauthenticated remote attackers to crash servers via malformed ClientHello messages containing invalid Pre-Shared Key binder values. Vulnerability affects Red Hat Enterprise Linux 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. Attack requires network access only with low complexity and no user interaction. CVSS 7.5 (High) reflects severe availability impact. No public exploit identified at time of analysis.
No patch available
Why flagged?
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2025-5804
Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-98: Improper Control of Filename (LFI/RFI))
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-4156
Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.0
0.1%
EPSS
38
Priority
CVE-2026-6067
Heap buffer overflow in Netwide Assembler (NASM) 3.02rc5 obj_directive() function enables arbitrary code execution and denial of service when processing maliciously crafted .asm files. Missing bounds validation allows attackers to corrupt heap memory through specially constructed assembly source files. Publicly available exploit code exists. Impacts NASM users assembling untrusted input files, particularly automated build systems and development environments processing external assembly code.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-39613
Local file inclusion in kutethemes Boutique WordPress theme versions ≤2.3.3 allows authenticated attackers with low privileges to include arbitrary PHP files, leading to high-severity impacts including information disclosure, code execution, and system compromise. Exploitation requires network access with high attack complexity. No public exploit identified at time of analysis. Authenticated attack vector (PR:L) limits exposure to users with existing credentials.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-98: Improper Control of Filename (LFI/RFI))
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-39611
Local File Inclusion vulnerability in KuteShop WordPress theme versions ≤4.2.9 enables authenticated attackers with low privileges to include arbitrary PHP files through improper filename control in require/include statements. Exploitation requires high attack complexity and yields complete confidentiality, integrity, and availability compromise within the application context. No public exploit identified at time of analysis. EPSS 0.05% indicates low observed exploitation activity.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-98: Improper Control of Filename (LFI/RFI))
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-39623
Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity (0.05%).
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-98: Improper Control of Filename (LFI/RFI))
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-39684
Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. Authenticated access (PR:L) is required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.05%).
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-98: Improper Control of Filename (LFI/RFI))
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
7.5
CVSS 3.1
0.1%
EPSS
38
Priority
CVE-2026-35526
Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-35611
Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or # operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-6069
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
No patch available
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-39376
Unbounded recursion in FastFeedParser (Python RSS/Atom parser) allows remote attackers to crash applications via malicious HTML meta-refresh redirect chains. Affecting all versions prior to 0.5.10, attackers can trigger denial-of-service by serving infinite meta-refresh redirects when parse() fetches attacker-controlled URLs, exhausting the Python call stack with no recursion depth limit. EPSS data not available, no public exploit identified at time of analysis, but exploit development is trivial given the straightforward attack vector requiring only HTTP server control.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: ssrf
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-29181
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger severe CPU and memory amplification via crafted HTTP baggage headers. The vulnerability allows unauthenticated attackers to send multiple baggage header lines that bypass the 8192-byte per-value parse limit by triggering repeated parsing operations - achieving 77x memory amplification (10.3MB vs 133KB per request) in vendor-provided proof-of-concept testing. Vendor-released patch available in v1.41.0. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code exists (vendor-provided PoC demonstrating 77x amplification).
NIS2 DORA ICT dependency Canonical / Ubuntu
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Canonical / Ubuntu
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-24174
Remote denial of service in NVIDIA Triton Inference Server (all versions prior to r26.02) allows unauthenticated attackers to crash the server via malformed requests. The vulnerability has a CVSS score of 7.5 with network-accessible attack vector and low complexity, requiring no privileges or user interaction. EPSS data not provided; no public exploit identified at time of analysis. The issue stems from improper conversion between numeric types (CWE-681), enabling trivial service disruption for ML inference workloads.
No patch available
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-24146
NVIDIA Triton Inference Server crashes when processing inference requests with insufficient input validation combined with large output counts, enabling remote denial of service without authentication (CVSS 7.5, EPSS data not available). The vulnerability affects all versions prior to r26.02, with no public exploit identified at time of analysis. Unauthenticated remote attackers can exploit this flaw with low complexity (AV:N/AC:L/PR:N) to completely disrupt machine learning inference services.
No patch available
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-24173
Integer overflow in NVIDIA Triton Inference Server allows unauthenticated remote attackers to crash the server through malformed requests, causing denial of service. All versions prior to r26.02 are affected. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS and KEV data not provided; no public exploit identified at time of analysis. Organizations running Triton Inference Server for ML model deployment should prioritize patching to prevent service disruption.
No patch available
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-24175
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
No patch available
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-31940
Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-384: Session Fixation)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-3902
Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Strong evidence (KEV / high EPSS / multi-source)
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
CVE-2026-40116
Unauthenticated resource exhaustion in PraisonAI versions prior to 4.5.128 allows remote attackers to drain OpenAI API credits and exhaust server resources. The /media-stream WebSocket endpoint in the call module accepts connections without authentication or Twilio signature validation, enabling unlimited concurrent sessions to OpenAI's Realtime API using the server's credentials. No public exploit identified at time of analysis. Affects PraisonAI deployments exposing the call module's WebSocket interface.
Why flagged?
7.5
CVSS 3.1
0.0%
EPSS
38
Priority
Prev Page 18 of 25 (611 CVEs) Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy