NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Summary counts:
- NIS2 Relevant: 353
- DORA Relevant: 46
- Internet-Facing: 307
- Third-Party ICT: 46
- Unpatched: 217
- Exploited: 13

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.
Tags: NIS2 | Edge exposure | No patch available | Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Use of Hard-coded Credentials)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.8 | Priority: 49

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.
Tags: NIS2 | DORA | Edge exposure | ICT dependency | No patch available | IBM Cloud
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass, rce
- Third-party ICT: IBM Cloud
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: IBM Cloud (Cloud Providers)
- No remediation available
CVSS 3.1: 9.8 | EPSS: 0.4% | Priority: 49

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.
Tags: NIS2 | DORA | Edge exposure | ICT dependency | PostgreSQL
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-89: SQL Injection)
- Third-party ICT: PostgreSQL
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS 3.1: 9.8 | Priority: 49

Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
Tags: NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.8 | EPSS: 0.0% | Priority: 49

Authentication bypass in Fission (Kubernetes serverless framework) versions 1.22.0 and earlier allows unauthenticated remote callers reaching the public router (svc/router, port 8888) to invoke any Function object by guessing its metadata.name and namespace via the /fission-function/<ns>/<name> route, completely bypassing HTTPTrigger host, path, method, and method-allow-list restrictions. The flaw also enables function-name enumeration and crosses tenant boundaries in multi-tenant deployments; no public exploit identified at time of analysis, though the fix commits and root-cause analysis are public on GitHub.
Tags: NIS2 | Edge exposure | Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Management plane (Improper Access Control)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.8 | Priority: 49

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); the issue is not listed in CISA KEV at time of analysis.
Tags: NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.6 | Priority: 48

Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.
Tags: NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.6 | Priority: 48

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0), reflecting high confidentiality, integrity, and availability impact on both the vulnerable component and subsequent (downstream) systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Tags: NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-98: Improper Control of Filename (LFI/RFI))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.4 | EPSS: 0.4% | Priority: 47

Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.
Tags: NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-78: OS Command Injection)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.3 | EPSS: 0.8% | Priority: 47

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and high subsequent-system impact (SC:H/SI:H/SA:H) indicating consequences beyond the vulnerable component, successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Tags: NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: rce
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.4 | EPSS: 0.3% | Priority: 47

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.
Tags: NIS2 | Edge exposure | No patch available | Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.3 | EPSS: 0.1% | Priority: 47

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit was identified at time of analysis. An official vendor patch is available via MSRC.
Tags: NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-77: Command Injection)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.3 | EPSS: 0.0% | Priority: 47

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") e
Tags: NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.3 | EPSS: 0.0% | Priority: 47

Unauthenticated blind SQL injection in the RealMag777 TableOn (posts-table-filterable) WordPress plugin through version 1.0.5.1 lets remote attackers inject crafted SQL into backend queries without credentials or user interaction. Because the CVSS scope is marked changed (S:C) with high confidentiality impact, a successful attack can read data beyond the vulnerable component, including the WordPress database. No public exploit is identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no current sign of widespread exploitation despite the 9.3 base score.
Tags: NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.3 | EPSS: 0.0% | Priority: 47

Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no observed mass exploitation yet despite the high severity rating.
Tags: NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-89: SQL Injection)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.3 | EPSS: 0.0% | Priority: 47
