Skip to main content

NIS2 & DORA Compliance

Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Regulatory Triage ICT Providers
NIS2 Relevant
367
DORA Relevant
67
Internet-Facing
300
Third-Party ICT
67
Unpatched
234
Exploited
15
Framework:
Period:
Sort:
CVE-2026-46621
Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Moderate evidence (PoC / elevated EPSS)
9.1
CVSS 3.1
46
Priority
CVE-2026-46819
Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit identified at time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.
DORA Edge exposure ICT dependency No patch available Oracle Database
Why flagged?
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
9.1
CVSS 3.1
46
Priority
CVE-2026-44449
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers to execute arbitrary OS commands on the host. When the primary toSmbPath(fullPath) routine throws, a fallback path concatenates the unvalidated basename into an smbclient -c script, where ';' acts as a subcommand separator and '!cmd' triggers a local shell escape. No public exploit identified at time of analysis, and the issue is not currently in CISA KEV.
Why flagged?
9.1
CVSS 3.1
0.1%
EPSS
46
Priority
CVE-2026-44632
Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Moderate evidence (PoC / elevated EPSS)
9.1
CVSS 3.1
46
Priority
CVE-2026-33000
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Moderate evidence (PoC / elevated EPSS)
9.1
CVSS 3.1
0.1%
EPSS
46
Priority
CVE-2026-46833
Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit identified at time of analysis. Reported and tracked in Oracle's May 2026 Critical Patch Update advisory.
DORA ICT dependency No patch available Oracle Database
Why flagged?
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
9.0
CVSS 3.1
45
Priority
CVE-2026-32999
Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a Scope:Changed CVSS:3.1 score of 9.0, successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Moderate evidence (PoC / elevated EPSS)
9.0
CVSS 3.1
0.0%
EPSS
45
Priority
CVE-2026-48150
Privilege escalation in Budibase before 3.39.0 lets a workspace-scoped builder promote themselves or any other user to global administrator with a single POST to /api/public/v1/roles/assign. The builderOrAdmin middleware admits app-level builders (builder.apps set, builder.global unset) and the controller blindly spreads the request body into the SDK, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. The flaw turns a tenant-confined Enterprise feature into full tenant-wide takeover; no public exploit is identified at time of analysis, but the technique is fully described in the GitHub advisory.
Why flagged?
9.0
CVSS 3.1
0.0%
EPSS
45
Priority
CVE-2026-45659
Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.5%
EPSS
45
Priority
CVE-2026-8832
Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-94: Code Injection)
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
8.8
CVSS 3.1
0.4%
EPSS
44
Priority
CVE-2026-9207
OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-35430
Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
NIS2 Edge exposure Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Management plane (Authorization Bypass via User-Controlled Key)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-46414
Authenticated role spoofing in Microsoft UFO's WebSocket control plane (version 3.0.1-4-ge2626659) lets any client holding the shared server token impersonate the higher-privilege "constellation" role and hijack tasks belonging to other connected devices. The server trusts the client_type and target_id values carried in each TASK message instead of binding them to the role established when the WebSocket connection registered, and it also permits duplicate client_id registration that overwrites a live peer's stored socket and role. Rated CVSS 8.8 (high) with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-47161
Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.7
CVSS 4.0
0.5%
EPSS
44
Priority
CVE-2026-8787
Privilege escalation in the Firebase Support & Chat Management WordPress plugin (all versions up to and including 3.1.1) lets any authenticated Subscriber-level user take over any other account, including Administrator. The plugin's acb_firebase_auth AJAX handler logs the request in as whatever WordPress account matches the attacker-supplied user_email parameter, never verifying the accompanying Firebase ID token. No public exploit was identified at time of analysis and the EPSS probability is very low (0.04%, 13th percentile), but the bug is trivially exploitable wherever the plugin is active and a low-privilege account can be obtained.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-48920
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.
NIS2 DORA ICT dependency No patch available Jenkins
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Jenkins
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Jenkins (Dev Platforms & CI/CD)
  • No remediation available
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-38807
Privilege escalation in kvf-admin v1.0.0 allows authenticated remote attackers to elevate their privileges by abusing insecure permission checks within the UserController.java component. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Management plane (Authorization Bypass via User-Controlled Key)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-6898
Privilege escalation in the Wishlist Member WordPress plugin (versions ≤3.30.1) allows authenticated Subscriber-level users to overwrite the plugin's REST API Secret Key and abuse it to create administrator accounts, leading to full site takeover. The flaw stems from a missing capability check on the generate_api_key hook handler. No public exploit identified at time of analysis, though Wordfence has published a threat-intel advisory.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-44988
Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.
No patch available
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-6895
Privilege escalation in the WishList Member WordPress plugin versions up to 3.30.1 allows authenticated low-privilege users to obtain the REST API Secret Key via the unprotected 'export_settings' AJAX endpoint and leverage it to register arbitrary administrator accounts. The CVSS 8.8 (High) rating reflects full confidentiality, integrity, and availability impact, and while no public exploit is identified at time of analysis, the discovery by Wordfence - a major WordPress security vendor - typically precedes broader exploitation against the large WordPress plugin ecosystem.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-6897
Privilege escalation in the Wishlist Member WordPress plugin (versions through 3.30.1) allows any authenticated user with Subscriber-level access or higher to update arbitrary plugin options, including the REST API Secret Key, leading to full site takeover. The flaw stems from a missing capability check in the Team_Accounts::save_settings function, and although no public exploit identified at time of analysis, the low authentication bar and chained admin-account creation path make it a high-priority risk on any WordPress site that permits public registration.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-6419
Privilege escalation in the WishList Member WordPress plugin (versions through 3.30.1) allows authenticated subscriber-level attackers to extract the plugin's plaintext REST API Secret Key and use it to create administrator accounts, resulting in full site takeover. The flaw is reachable via a single AJAX call (ajax_get_screen) that lacks capability and nonce checks. No public exploit identified at time of analysis, but the attack path is fully described in the Wordfence advisory and requires only low-privileged authenticated access.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-41075
Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-44713
Local privilege escalation via OS command injection in pam_usb before 0.8.7 lets a low-privileged local user execute arbitrary commands as root. The flaw lives in src/tmux.c, which reads the attacker-controllable $TMUX environment variable and interpolates its socket-path component, unsanitised, inside a double-quoted string passed to popen(); a value containing a double-quote breaks out of the quoting and injects shell syntax that runs in the root-context PAM stack. No public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied, but the CVSS 8.8 (scope-changed) rating reflects straightforward, low-complexity root compromise.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-9009
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-434: Unrestricted Upload of File)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.2%
EPSS
44
Priority
Prev Page 5 of 17 (416 CVEs) Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy