NIS2 & DORA Compliance

Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Regulatory Triage ICT Providers
NIS2 Relevant
433
DORA Relevant
65
Internet-Facing
368
Third-Party ICT
65
Unpatched
437
Exploited
67
Framework:
Period:
Sort:
CVE-2026-5608
Stack-based buffer overflow in Belkin F9K1122 router firmware 1.00.33 enables authenticated remote attackers to achieve full device compromise via crafted 'webpage' parameter in formWlanSetup function. Publicly available exploit code exists, and EPSS data suggests low-probability targeting despite critical CVSS 8.8 severity. Vendor non-responsive to disclosure; no patch released.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5613
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve code execution and full system compromise via the formReboot endpoint. The vulnerability has a publicly available exploit (GitHub POC) and requires only low-privileged authentication (EPSS risk assessment recommended but data not provided). Vendor did not respond to disclosure, indicating no patch is available.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5628
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formSetSystemSettings function within the /goform/formSetSystemSettings endpoint, exploitable via the 'webpage' parameter. Publicly available exploit code exists (GitHub POC), CVSS 8.8 indicating network-exploitable with low complexity requiring only low-privilege authentication. Vendor unresponsive to coordinated disclosure attempts.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5611
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware version 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formCrossBandSwitch function accessible via /goform/formCrossBandSwitch endpoint, where unsanitized input to the 'webpage' parameter triggers memory corruption. Publicly available exploit code exists (GitHub POC), elevating practical exploitation risk. CVSS 8.8 score reflects network attack vector with low complexity, requiring only low-privilege authentication. EPSS data not provided, but combination of public exploit and trivial attack complexity suggests elevated real-world risk. Vendor (Belkin) did not respond to coordinated disclosure attempts, and no vendor-released patch identified at time of analysis.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5614
Stack-based buffer overflow in Belkin F9K1015 v1.00.10 allows authenticated remote attackers to achieve code execution via the formSetPassword function. The vulnerability requires low-privilege credentials but no user interaction, carrying a CVSS score of 8.8 (High). Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation is confirmed (not in CISA KEV). The vendor did not respond to responsible disclosure attempts.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5605
Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the formWrlExtraSet function. The vulnerability resides in the /goform/WrlExtraSet endpoint where manipulation of the 'GO' parameter triggers memory corruption. With CVSS 8.8 (network-accessible, low complexity, requires low-privileged authentication), this represents a critical risk to affected devices. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no confirmed active exploitation (CISA KEV) has been reported at time of analysis.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5989
Stack-based buffer overflow in Tenda F451 wireless router firmware 1.0.0.7 allows authenticated remote attackers to execute arbitrary code via crafted page parameter to fromRouteStatic function in /goform/RouteStatic endpoint. Attack requires low-privilege authenticated access to web management interface with no user interaction. Publicly available exploit code exists. Exploitation yields complete compromise of router confidentiality, integrity, and availability.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5981
Buffer overflow in D-Link DIR-605L 2.13B01 wireless router enables remote authenticated attackers to execute arbitrary code via the formAdvFirewall function in POST request handler. Exploitation occurs through manipulation of the curTime parameter in /goform/formAdvFirewall endpoint. Publicly available exploit code exists. This end-of-life product receives no vendor security support, requiring immediate device replacement for affected deployments.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5685
Remote code execution in Tenda CX12L firmware version 16.03.53.12 allows authenticated attackers to overflow stack buffers via malicious 'page' parameter values sent to the addressNat endpoint (/goform/addressNat). The fromAddressNat function fails to validate input length, enabling memory corruption with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub POC), elevating practical exploitation risk despite requiring low-privilege authentication. EPSS data not available, but CVSS 7.4 reflects network-accessible attack vector with low complexity.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5982
Buffer overflow in D-Link DIR-605L 2.13B01 wireless router enables remote authenticated attackers to achieve arbitrary code execution via crafted POST requests to /goform/formAdvNetwork endpoint. Exploitation manipulates the curTime parameter in the formAdvNetwork function, triggering memory corruption. This end-of-life device receives no vendor support; publicly available exploit code exists. Affected hardware presents elevated risk in legacy network environments where administrative credentials may be compromised.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5979
Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated remote attackers to achieve code execution through malicious curTime parameter in formVirtualServ function via POST request to /goform/formVirtualServ endpoint. Affects end-of-life product with no vendor support. Publicly available exploit code exists. Attack requires low-privilege authentication but no user interaction, enabling remote compromise of device confidentiality and integrity.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.0%
EPSS
57
Priority
CVE-2026-5815
Stack-based buffer overflow in D-Link DIR-645 router (versions 1.01, 1.02, 1.03) via hedwigcgi_main function in /cgi-bin/hedwig.cgi allows authenticated remote attackers to achieve complete system compromise. Exploitation requires low-privilege credentials but no user interaction. Publicly available exploit code exists. Product is end-of-life with no vendor support, making remediation limited to device replacement or network isolation.
No patch available PoC
Why flagged?
7.4
CVSS 4.0
0.1%
EPSS
57
Priority
CVE-2026-5844
OS command injection in D-Link DIR-882 router (firmware 1.01B02) allows authenticated remote attackers to execute arbitrary system commands via malicious IPAddress parameter to prog.cgi HNAP1 SetNetworkSettings handler. Requires high privileges (PR:H) but achieves full system compromise (CVSS 7.3). Publicly available exploit code exists. Product discontinued; vendor no longer provides security updates.
NIS2 Edge exposure No patch available PoC
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Proof of concept available
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
7.3
CVSS 4.0
0.2%
EPSS
57
Priority
CVE-2025-13926
Session token exposure in Contemporary Controls BASControl20 3.1 building automation controller enables unauthenticated remote attackers to forge authenticated requests via network traffic interception. Exploitation requires attacker ability to sniff network traffic containing authentication credentials, which can then be replayed to execute arbitrary commands with full system privileges. Classified as CWE-807 (untrusted input reliance), this vulnerability permits complete compromise of controller confidentiality, integrity, and availability without user interaction. No public exploit identified at time of analysis.
No patch available
Why flagged?
9.3
CVSS 4.0
0.1%
EPSS
57
Priority
CVE-2025-14815
Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.
No patch available
Why flagged?
9.3
CVSS 4.0
0.0%
EPSS
56
Priority
CVE-2025-14816
SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.
No patch available
Why flagged?
9.3
CVSS 4.0
0.0%
EPSS
56
Priority
CVE-2026-4436
Unauthenticated remote attackers can manipulate Modbus register inputs in GPL Odorizers GPL750 industrial control systems (XL4, XL4 Prime, XL7, XL7 Prime variants across versions 1.0-20.0), causing incorrect odorant injection volumes into natural gas distribution pipelines. Authentication bypass (CWE-306) via network-accessible Modbus interface permits direct register value tampering without credential validation, enabling safety-critical process manipulation. No public exploit identified at time of analysis.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
8.6
CVSS 3.1
0.0%
EPSS
53
Priority
CVE-2026-4149
Remote code execution in Sonos Era 300 smart speakers (build 17.5/91.0-70070) allows unauthenticated network attackers to execute arbitrary kernel-level code via malformed SMB server responses. The vulnerability achieves maximum CVSS 10.0 severity due to network accessibility without authentication, low complexity, and kernel-level code execution with scope change. EPSS indicates 1.27% exploitation probability (80th percentile), suggesting moderate real-world risk. No active exploitation confirmed at time of analysis, though ZDI publication increases weaponization likelihood.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
10.0
CVSS 3.0
1.3%
EPSS
51
Priority
CVE-2026-39337
Remote code execution in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code through the unsanitized $dbPassword variable during setup wizard initialization, resulting in complete server compromise. This critical flaw (CVSS 10.0) exists as an incomplete fix for CVE-2025-62521 and requires no authentication or user interaction to exploit. The pre-authentication nature and maximum CVSS severity indicate immediate patching priority for all exposed ChurchCRM installations.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
10.0
CVSS 3.1
0.3%
EPSS
50
Priority
CVE-2025-54328
Stack-based buffer overflow in Samsung Exynos chipset SMS message processing allows remote attackers to execute arbitrary code or crash devices via malformed SMS RP-DATA messages. Affects 22 Exynos processor and modem variants across mobile, wearable, and IoT devices, requiring no user interaction. CVSS 10.0 with network-level attack vector (PR:N), scope change, and full system impact. EPSS and exploitation status not provided, but SSVC framework indicates automatable attack with total technical impact. No public exploit identified at time of analysis, though the vulnerability class (CWE-121 stack buffer overflow in SMS parsing) has high weaponization potential.
No patch available
Why flagged?
10.0
CVSS 3.1
0.1%
EPSS
50
Priority
CVE-2026-5059
Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via command injection in the allowed commands list handler. The vulnerability stems from improper validation of user-supplied strings before system call execution, enabling attackers to run code in the MCP server context with no authentication required. EPSS score of 1.01% (77th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
9.8
CVSS 3.0
1.0%
EPSS
50
Priority
CVE-2026-5058
Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via improper validation of the allowed commands list. The command injection flaw (CWE-78) enables system call execution without authentication barriers. With a CVSS score of 9.8 (critical severity) and EPSS probability of 1.01% (77th percentile), this represents a high-severity vulnerability with moderate real-world exploitation likelihood. No public exploit identified at time of analysis, and no active exploitation confirmed.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
9.8
CVSS 3.0
1.0%
EPSS
50
Priority
CVE-2026-40175
Remote code execution affects Axios HTTP client library versions prior to 1.15.0 via gadget chain escalation of prototype pollution vulnerabilities in third-party dependencies. Unauthenticated network attackers can exploit this chaining mechanism to achieve full remote code execution or cloud compromise through AWS IMDSv2 bypass. Critical severity (CVSS 10.0) with scope change indicates containment boundary violation. No public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-113: HTTP Response Splitting)
  • Moderate evidence (PoC / elevated EPSS)
10.0
CVSS 3.1
0.2%
EPSS
50
Priority
CVE-2026-39355
Authenticated users can hijack arbitrary team workspaces in Genealogy PHP application versions before 5.9.1 through broken access control, enabling complete takeover of genealogy data belonging to other users. The vulnerability requires only low-privilege authentication (PR:L) with network access (AV:N) and low attack complexity (AC:L), allowing any authenticated user to transfer ownership of non-personal teams to themselves. No public exploit code has been identified at time of analysis, though the straightforward access control flaw and detailed GitHub security advisory make exploitation highly feasible for authenticated attackers.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Management plane (Missing Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
9.9
CVSS 3.1
0.0%
EPSS
50
Priority
CVE-2026-5412
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.
NIS2 Edge exposure Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Management plane (Improper Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
9.9
CVSS 3.1
0.0%
EPSS
50
Priority
Prev Page 3 of 25 (619 CVEs) Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy