NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
NIS2 Relevant: 434
DORA Relevant: 65
Internet-Facing: 369
Third-Party ICT: 65
Unpatched: 438
Exploited: 68
Session authentication bypass in Rack::Session::Cookie 2.0.0 through 2.1.1 allows unauthenticated remote attackers to forge valid session cookies and gain unauthorized access. When configured with secrets, the implementation incorrectly falls back to a default decoder on decryption failures rather than rejecting malformed cookies, enabling attackers to manipulate session state without any secret knowledge. CVSS 9.3 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit or active exploitation (CISA KEV) identified at time of analysis, though the simplicity of the attack vector (AC:L, PR:N) suggests exploitation is straightforward once the vulnerability is understood.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-287: Improper Authentication)
- Management plane (Improper Authentication)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.3 | EPSS: 0.0% | Priority: 47
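The decoder fallback described above, modelled as an added example in Python (this is not Rack's Ruby code; the cookie layout `body--hextag`, the JSON payload and the secret are constructed assumptions): a verifier that drops to the unsigned decoder when the HMAC check fails, beside one that rejects on any failure.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def encode_body(payload: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def decode_body(body: str) -> dict:
    # The "default decoder": trusts whatever it is handed, no integrity check.
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def tag_for(body: str, secret: bytes) -> str:
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(payload: dict, secret: bytes = SECRET) -> str:
    body = encode_body(payload)
    return f"{body}--{tag_for(body, secret)}"


def forge_cookie(payload: dict) -> str:
    # Attacker side: no secret, just a chosen body and a bogus tag.
    return f"{encode_body(payload)}--0000"


def verify_with_fallback(cookie: str, secret: bytes = SECRET) -> dict:
    """Vulnerable pattern: when the signature does not verify, fall back to
    the unsigned decoder instead of rejecting the cookie."""
    body, sep, tag = cookie.rpartition("--")
    if sep and hmac.compare_digest(tag.encode(), tag_for(body, secret).encode()):
        return decode_body(body)
    # BUG: attacker-controlled body is accepted without any secret knowledge.
    try:
        return decode_body(body if sep else cookie)
    except Exception:
        return {}


def verify_strict(cookie: str, secret: bytes = SECRET) -> dict:
    """Hardened: any parse or signature failure yields an empty session."""
    body, sep, tag = cookie.rpartition("--")
    if not sep or not hmac.compare_digest(tag.encode(), tag_for(body, secret).encode()):
        return {}
    try:
        return decode_body(body)
    except Exception:
        return {}


if __name__ == "__main__":
    forged = forge_cookie({"user_id": 1, "admin": True})
    print("fallback verifier:", verify_with_fallback(forged))  # attacker's session accepted
    print("strict verifier:  ", verify_strict(forged))        # {}
```

The forged cookie, built with no secret, comes back as a live session from the fallback verifier and as an empty session from the strict one. The check a reviewer wants on any session decoder is that every failure path ends in "no session", never in a decode of attacker-supplied bytes.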
Local privilege escalation to root in IBM Verify / IBM Security Verify Access 10.0 through 11.0.2 allows a local user holding no privileges (PR:N) to gain full control of the system via a component that runs with excessive process privileges (CWE-250). The CVSS 3.1 score of 9.3 reflects a local attack vector offset by the absence of any privilege requirement and complete compromise with scope change. A patch is available per the vendor advisory. No public exploit identified at time of analysis, though the local vector and low complexity (AC:L) suggest exploitation is straightforward once local access is obtained.
Tags: NIS2, DORA, ICT dependency, Management plane, IBM Cloud
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: IBM Cloud
- Management plane (Execution with Unnecessary Privileges)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: IBM Cloud (Cloud Providers)
- Authentication / access control weakness
CVSS 3.1: 9.3 | EPSS: 0.0% | Priority: 47
Authentication bypass in Ajenti admin panel versions prior to 0.112 allows unauthenticated remote attackers to completely circumvent password authentication when two-factor authentication (2FA) is enabled. Attackers can gain full administrative access to the Ajenti server management interface without valid credentials, compromising confidentiality and integrity of managed systems. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-287: Improper Authentication)
- Management plane (Improper Authentication)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.3 | EPSS: 0.1% | Priority: 46
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, Management plane, Docker
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: Docker
- Management plane (Missing Authentication for Critical Function)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- Authentication / access control weakness
CVSS 4.0: 9.3 | EPSS: 2.7% | Priority: 46
Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Missing Authorization)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.3 | EPSS: 0.1% | Priority: 46
Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: path-traversal
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.3 | EPSS: 0.1% | Priority: 46
Remote code execution in Workbench for Salesforce (forceworkbench) prior to version 65.0.0 allows unauthenticated remote attackers to execute arbitrary code by injecting malicious payloads into timezone conversion cookie parameters. The vulnerability stems from unsafe processing of attacker-controlled cookie values (CWE-94: Code Injection). CVSS 9.3 (Critical) with network attack vector, low complexity, and no privileges required, though user interaction is needed. Publicly available exploit code exists via GitHub pull request #869, significantly elevating immediate risk despite no confirmed active exploitation (not in CISA KEV).
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.3 | EPSS: 0.5% | Priority: 46
Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: rce
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.3 | EPSS: 0.2% | Priority: 46
Reflected cross-site scripting (XSS) in the Zadarma telephony API endpoint of Rukovoditel CRM 3.6.4 allows remote attackers to run arbitrary JavaScript in the browser of any user who follows a crafted link, with no authentication required. The 'zd_echo' GET parameter is reflected into the response without sanitization. The 9.3 (Critical) rating reflects network access with no privileges required (PR:N) and impact that reaches beyond the vulnerable component (changed scope, S:C), which enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though a proof of concept is trivial given the code-level disclosure. EPSS data not available.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.3 | EPSS: 0.0% | Priority: 46
Hostname normalization bypass in Axios (JavaScript HTTP client) versions prior to 1.15.0 allows a remote attacker who can influence a request's target hostname to circumvent NO_PROXY rules and force the request through the configured proxy. Malformed loopback forms such as "localhost." (trailing dot) and bracketed IPv6 literals ("[::1]") do not match the NO_PROXY entries that should exempt them, so requests meant for local services are routed via the proxy, enabling Server-Side Request Forgery (SSRF) against internal services reachable from it. Publicly available exploit code exists. Affects Axios deployments in Node.js and browser environments that rely on NO_PROXY configuration.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: ssrf
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.3 | EPSS: 0.0% | Priority: 46
Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Juniper
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 9.3 | EPSS: 0.0% | Priority: 46
Command injection in PraisonAIAgents memory hooks executor allows authenticated local attackers to execute arbitrary shell commands through unsanitized user input passed to subprocess.run() with shell=True. Affects versions prior to 1.5.128. Two attack vectors exist: direct exploitation via hook configuration (pre_run_command/post_run_command) and automated exploitation through .praisonai/hooks.json lifecycle hooks (BEFORE_TOOL/AFTER_TOOL). Agent prompt injection enables persistent compromise by overwriting hooks.json, executing payloads silently at every lifecycle event without user interaction. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-78: OS Command Injection)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.3 | EPSS: 0.0% | Priority: 46
Path traversal in PraisonAI's praisonai-agents package allows unauthenticated remote attackers to read or write arbitrary files on affected systems. The vulnerability stems from a critical logic flaw where path validation checks for '..' sequences after normalization has already collapsed them, rendering the security check completely ineffective. Attackers can trivially bypass protections using standard path traversal sequences (e.g., '/tmp/../etc/passwd') to access sensitive files including system credentials, SSH keys, or write malicious content. Publicly available exploit code exists demonstrating trivial exploitation. While no CVSS score is officially assigned, the vendor assessment indicates CVSS 4.0 score of 9.2 (Critical), and this represents a high-priority remediation given the ease of exploitation and severe impact.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.2 | EPSS: 0.1% | Priority: 46
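Added example in Python, not PraisonAI's code (the base directory is an assumption): the check-after-normalize ordering described above, beside a containment test that resolves the candidate against the base directory first and only then decides.

```python
import posixpath

# Assumed workspace the agent is allowed to touch (constructed for the demo).
BASE_DIR = "/srv/agent-workspace"


def path_allowed_vulnerable(user_path: str) -> bool:
    """Vulnerable order of operations: normalize first, then look for '..'.
    normpath has already collapsed the traversal, so the check sees nothing."""
    normalized = posixpath.normpath(user_path)
    return ".." not in normalized.split("/")


def path_allowed_fixed(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Resolve the candidate against the base directory, then require the
    result to stay inside it. Note that an absolute user path replaces the
    base in join(), which is exactly why the containment test is needed.
    The trailing '/' in the prefix test keeps '/srv/agent-workspace-evil'
    from passing as a child of '/srv/agent-workspace'."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    return candidate == base or candidate.startswith(base + "/")


def resolve_or_reject(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Return the resolved path for a file operation, or refuse."""
    if not path_allowed_fixed(user_path, base_dir):
        raise PermissionError(f"path escapes {base_dir}: {user_path!r}")
    return posixpath.normpath(posixpath.join(base_dir, user_path))


if __name__ == "__main__":
    for p in ("/tmp/../etc/passwd", "../../etc/passwd", "notes/../data.txt"):
        print(f"{p:22} vulnerable={path_allowed_vulnerable(p)!s:5} fixed={path_allowed_fixed(p)}")
```

The first probe is the one the entry cites: the vulnerable check passes it because `normpath` has already turned it into `/etc/passwd`. On a real filesystem, additionally resolve with `os.path.realpath` before the containment test so a symlink inside the workspace cannot point outside it; `posixpath` is used here so the example behaves identically on any platform.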
Authentication bypass in PolarLearn ≤0-PRERELEASE-15 allows unauthenticated remote attackers to gain authenticated session access as banned users without password verification. The flaw enables complete account takeover and unauthorized data access through a session generation vulnerability in the /api/v1/auth/sign-in endpoint. CVSS 9.2 (Critical) reflects network-based attack with low complexity and no authentication required. No public exploit identified at time of analysis, but exploitation is straightforward given the authentication bypass mechanism.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-287: Improper Authentication)
- No patch available
- Management plane (Improper Authentication)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 4.0: 9.2 | EPSS: 0.0% | Priority: 46
Authentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through insecurely configured API endpoints. The vulnerability stems from insecure default resource initialization (CWE-1188), enabling complete circumvention of authentication mechanisms. Attackers can exploit this over the network with low attack complexity to achieve high confidentiality, integrity, and availability impact across vulnerable and subsequent systems. No public exploit identified at time of analysis.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 9.2 | EPSS: 0.1% | Priority: 46
Remote code execution in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload malicious files via path traversal in the backup restore functionality, overwriting Apache .htaccess files to execute arbitrary code. The vulnerability exploits unsanitized user input in RestoreJob.php, enabling attackers with high-privilege access to bypass intended upload restrictions. No public exploit identified at time of analysis, though CVSS 9.1 reflects the critical impact of complete system compromise through changed security scope.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.2% | Priority: 46
Privilege escalation in Canonical LXD 4.12-6.7 allows authenticated remote attackers with VM instance editing rights to bypass project restrictions via incomplete denylist validation. Attackers inject AppArmor rules and QEMU chardev configurations through unblocked raw.apparmor and raw.qemu.conf keys, bridging the LXD Unix socket into guest VMs. Successful exploitation enables escalation to LXD cluster administrator and subsequently to host root access. No public exploit identified at time of analysis. Authenticated remote exploitation (PR:H) with cross-scope impact on confidentiality, integrity, and availability.
Tags: NIS2, DORA, ICT dependency, Canonical / Ubuntu
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Canonical / Ubuntu
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
Authentication bypass in ChurchCRM API middleware enables unauthenticated remote attackers to access all protected endpoints by manipulating URL paths with 'api/public' strings, exposing complete church member databases and system configurations. Affects ChurchCRM versions prior to 7.1.0 with critical CVSS 9.1 rating. EPSS exploitation probability data unavailable; no public exploit code confirmed at time of analysis, though the trivial attack complexity (path manipulation) significantly increases exploitation risk for internet-exposed installations.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
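Added example, not ChurchCRM's middleware (the public prefix is assumed): a Python model of the substring exemption described above, next to a version that strips the query string and fragment, normalizes dot segments and duplicate slashes, and matches the public prefix only at the start of the route.

```python
import posixpath

# Assumed route table for the demo: only these prefixes are public (constructed).
PUBLIC_PREFIXES = ("/api/public/",)


def requires_auth_vulnerable(path: str) -> bool:
    # BUG: a substring test anywhere in the raw request path; a query string
    # or a trailing path component containing "api/public" disables auth.
    return "api/public" not in path


def route_of(path: str) -> str:
    """Canonical route: drop query and fragment, collapse '.'/'..' segments and
    repeated slashes, and force exactly one leading slash (posixpath keeps a
    leading '//', so it is stripped explicitly)."""
    route = path.split("?", 1)[0].split("#", 1)[0]
    return posixpath.normpath("/" + route.lstrip("/"))


def requires_auth_fixed(path: str) -> bool:
    route = route_of(path)
    for prefix in PUBLIC_PREFIXES:
        # The prefix ends in '/', so "/api/publicity/..." does not qualify.
        if route == prefix.rstrip("/") or route.startswith(prefix):
            return False
    return True


if __name__ == "__main__":
    probes = (
        "/api/private/members",
        "/api/private/members?x=api/public",
        "/api/private/members/api/public",
        "/api/public/version",
        "/api/publicity/x",
    )
    for p in probes:
        print(f"{p:38} vulnerable={requires_auth_vulnerable(p)!s:5} fixed={requires_auth_fixed(p)}")
```

Decide public-versus-protected on the canonical route, not on the raw request line, and make the exemption a prefix match on path segments. The same normalization should feed the authorization layer, so that the route the access check sees is the route the handler dispatches on.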
Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing Type field validation in doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, Canonical / Ubuntu
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Canonical / Ubuntu
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
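Added example in Python, not the product's code (the query and response records are constructed stand-ins for parsed UDP datagrams): an acceptance check that matches on transaction ID alone, beside one that also requires the response to arrive from the upstream server and port that were queried, on the local port that sent the query, and to answer the same name and type.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Addr = Tuple[str, int]


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    upstream: Addr      # resolver the question was forwarded to
    local_port: int     # ephemeral source port used for that query
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    src: Addr           # where the UDP datagram claims to come from
    dst_port: int       # local socket port that received it
    qname: str
    qtype: str
    rdata: str


def accept_vulnerable(pending: Dict[int, PendingQuery], r: Response) -> bool:
    # BUG: a datagram is cached as soon as its transaction ID matches a
    # pending query; anyone who can reach the port can race the real answer.
    return r.txid in pending


def accept_fixed(pending: Dict[int, PendingQuery], r: Response) -> bool:
    q = pending.get(r.txid)
    if q is None:
        return False
    same_name = r.qname.lower().rstrip(".") == q.qname.lower().rstrip(".")
    return (
        r.src == q.upstream              # came from the server we asked
        and r.dst_port == q.local_port   # to the port we asked from
        and same_name and r.qtype == q.qtype  # answers our question, not another
    )


def build_demo():
    """Constructed traffic: one outstanding query, the genuine answer, and a
    forged answer with the right txid but from an unrelated source."""
    pending = {0x1A2B: PendingQuery(0x1A2B, ("192.0.2.53", 53), 40123, "bank.example", "A")}
    legit = Response(0x1A2B, ("192.0.2.53", 53), 40123, "bank.example", "A", "192.0.2.10")
    forged = Response(0x1A2B, ("198.51.100.7", 53), 40123, "bank.example", "A", "203.0.113.66")
    return pending, legit, forged


if __name__ == "__main__":
    pending, legit, forged = build_demo()
    print("txid-only accepts forged answer:", accept_vulnerable(pending, forged))  # True
    print("full match accepts forged answer:", accept_fixed(pending, forged))      # False
```

Source address and port are themselves spoofable in UDP, so this check raises the bar rather than removing the risk: the remaining defenses are a random transaction ID and a random source port per query (a Kaminsky-style attacker must guess both) and, independently, refusing to cache answers whose question section does not match the outstanding query.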