Skip to main content

NIS2 & DORA Compliance

Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Regulatory Triage ICT Providers
NIS2 Relevant
343
DORA Relevant
45
Internet-Facing
298
Third-Party ICT
45
Unpatched
209
Exploited
13
Framework:
Period:
Sort:
CVE-2026-40411
Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Strong evidence (KEV / high EPSS / multi-source)
9.9
CVSS 3.1
0.1%
EPSS
50
Priority
CVE-2026-42757
Path traversal in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions up to and including 4.08.253 and allows authenticated low-privilege users to manipulate file paths outside the intended plugin directory. The linked Patchstack advisory characterizes the concrete impact as arbitrary file deletion, which can corrupt the WordPress installation or enable further compromise. EPSS probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, despite the 9.9 CVSS score.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-22: Path Traversal)
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
9.9
CVSS 3.1
0.0%
EPSS
50
Priority
CVE-2026-42748
Arbitrary file upload in the WPify Woo Czech WordPress/WooCommerce plugin (versions through 5.4.1) lets a low-privileged authenticated user upload a dangerous file type - i.e., a PHP web shell - to the web server, leading to remote code execution. The CVSS 3.1 vector (PR:L, S:C, C:H/I:H/A:H) reflects a scope-changing critical-severity flaw scored 9.9 that compromises the entire host once exploited. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS score is very low (0.04%, 13th percentile), indicating little observed exploitation pressure despite the high CVSS.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-434: Unrestricted Upload of File)
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
9.9
CVSS 3.1
0.0%
EPSS
50
Priority
CVE-2026-46425
Privilege escalation via missing authorization in Budibase before 3.38.2 lets any authenticated user — including low-privilege BASIC accounts and workspace-scoped builders — reach the worker's SCIM API and perform full CRUD on every user and group in the tenant. The SCIM router only enforced an Enterprise feature flag and SCIM context, never a role/admin check, so identity-management operations meant for administrators were exposed to all sessions. Fixed in 3.38.2; no public exploit identified at time of analysis, but the trivial nature of the flaw (a single missing middleware) makes it easy to weaponize once known.
NIS2 Edge exposure Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Management plane (Missing Authorization)
  • Moderate evidence (PoC / elevated EPSS)
9.9
CVSS 3.1
0.0%
EPSS
50
Priority
CVE-2026-44450
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Moderate evidence (PoC / elevated EPSS)
9.9
CVSS 3.1
0.1%
EPSS
50
Priority
CVE-2026-42756
Path traversal in the QuickWebP WordPress plugin (versions up to and including 3.2.7) allows authenticated low-privilege users to manipulate file paths and delete arbitrary files on the server, per the Patchstack advisory titling this an arbitrary file deletion flaw. With a CVSS of 9.9 and a changed scope, deletion of sensitive files such as wp-config.php can cascade into full site compromise. There is no public exploit identified at time of analysis.
Edge exposure No patch available
Why flagged?
9.9
CVSS 3.1
0.0%
EPSS
50
Priority
CVE-2026-45102
Sandbox escape in OneUptime before 10.0.98 lets an authenticated user break out of the Node.js vm-module isolation that the platform relies on to safely run untrusted logic, gaining code execution in the host context. The vm module was never intended as a security boundary and can be escaped using error objects and infinite recursion, yielding full confidentiality, integrity, and availability impact (CVSS 9.9, scope-changed). No public exploit is identified at time of analysis, but the escape technique is well-documented for the Node.js vm module generally.
Why flagged?
9.9
CVSS 3.1
0.1%
EPSS
50
Priority
CVE-2026-46716
Cross-tenant remote code execution in Nezha Monitoring dashboard (versions >= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97) allows any authenticated RoleMember user to execute arbitrary shell commands as root on every monitored agent host in the deployment. The flaw stems from cron API endpoints being gated by commonHandler instead of adminHandler, combined with a vacuous-true permission check when the Servers list is empty, enabling fanout to all tenants' servers. No public exploit identified at time of analysis, but a complete proof-of-concept is included in the GitHub Security Advisory.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Moderate evidence (PoC / elevated EPSS)
9.9
CVSS 3.1
50
Priority
CVE-2026-44887
Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Strong evidence (KEV / high EPSS / multi-source)
9.8
CVSS 3.1
0.2%
EPSS
49
Priority
CVE-2026-44888
Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Strong evidence (KEV / high EPSS / multi-source)
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-8362
Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in WOSDefaultHttpModule.dll, which fails to bounds-check overly long URL paths beginning with /woshome. Because the flaw is reachable over the network with no authentication and no user interaction (CVSS 9.8), an attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code in the context of the web module. No public exploit has been identified at the time of analysis, and the issue was reported by Tenable (TRA-2026-45).
Why flagged?
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-42758
Privilege escalation in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions through 4.08.252 and allows remote attackers to obtain elevated privileges due to incorrect privilege assignment. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed exploitation activity despite the critical severity.
No patch available
Why flagged?
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-32253
Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-287: Improper Authentication)
  • No patch available
  • Management plane (Improper Authentication)
  • Moderate evidence (PoC / elevated EPSS)
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-8376
Heap-based buffer overflow in Perl interpreters up to and including 5.43.10 on 32-bit builds lets a caller that compiles an attacker-controlled regular expression corrupt heap memory at regex compile time, with potential for code execution. The flaw stems from an integer overflow in Perl_study_chunk when optimizing a repeated fixed substring, and is rated CVSS 9.8 by NVD. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; the issue is limited to 32-bit Perl builds and applications that feed untrusted input into regex compilation.
Why flagged?
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-48902
Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated with plain HTTP URLs instead of HTTPS when the 'Force SSL' configuration flag is not explicitly enabled. Affected installations span Joomla! 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0, exposing reset tokens to network interception. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile) despite the 9.8 CVSS rating.
No patch available
Why flagged?
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-48691
Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.
No patch available
Why flagged?
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-48687
OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
NIS2 DORA Edge exposure ICT dependency No patch available Juniper
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Juniper
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Juniper (Network & Security)
  • No remediation available
9.8
CVSS 3.1
0.1%
EPSS
49
Priority
CVE-2026-9642
Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-46614
Authentication bypass in Fission (Kubernetes serverless framework) versions 1.22.0 and earlier allows unauthenticated remote callers reaching the public router (svc/router, port 8888) to invoke any Function object by guessing its metadata.name and namespace via the /fission-function/<ns>/<name> route, completely bypassing HTTPTrigger host, path, method, and method-allow-list restrictions. The flaw also enables function-name enumeration and crosses tenant boundaries in multi-tenant deployments; no public exploit identified at time of analysis, though the fix commits and root-cause analysis are public on GitHub.
NIS2 Edge exposure Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Management plane (Improper Access Control)
  • Moderate evidence (PoC / elevated EPSS)
9.8
CVSS 3.1
49
Priority
CVE-2026-6960
Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-434: Unrestricted Upload of File)
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
9.8
CVSS 3.1
0.1%
EPSS
49
Priority
CVE-2026-8175
Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.
NIS2 DORA Edge exposure ICT dependency No patch available IBM Cloud
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass, rce
  • Third-party ICT: IBM Cloud
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: IBM Cloud (Cloud Providers)
  • No remediation available
9.8
CVSS 3.1
0.4%
EPSS
49
Priority
CVE-2026-48689
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
CVE-2026-8760
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Edge exposure No patch available Management plane
Why flagged?
9.8
CVSS 3.1
0.3%
EPSS
49
Priority
CVE-2025-12686
Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.
Edge exposure
Why flagged?
9.8
CVSS 3.1
0.2%
EPSS
49
Priority
CVE-2026-42731
Privilege escalation in the miniOrange OTP Verification WordPress plugin (all versions up to and including 5.4.9) lets remote unauthenticated attackers gain elevated privileges due to incorrect privilege assignment (CWE-266). With a CVSS 9.8 vector indicating network reach, no authentication, and no user interaction, a successful attack can fully compromise the confidentiality, integrity, and availability of the affected WordPress site. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
No patch available
Why flagged?
9.8
CVSS 3.1
0.0%
EPSS
49
Priority
Prev Page 2 of 16 (398 CVEs) Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy