NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
NIS2 Relevant: 371 | DORA Relevant: 68 | Internet-Facing: 303 | Third-Party ICT: 68 | Unpatched: 233 | Exploited: 15
Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP-handling component and run code in the context of the service, fully compromising confidentiality, integrity and availability (CVSS 8.8). No public exploit had been identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS data was supplied to the analysis.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, IBM Cloud
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: IBM Cloud
- No patch available
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit, no KEV listing and no EPSS input, so verify this tier before acting on it
DORA Relevant
- HIGH severity
- ICT provider: IBM Cloud (Cloud Providers)
- No remediation available
CVSS 3.1: 8.8 | EPSS: 0.1% | Priority: 44
SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-89: SQL Injection)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 8.8 | Priority: 44
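To make the filter-interpolation bug concrete, here is an added Python model of the pattern the description outlines; it is not Pimcore's code. SQLite's date(x, 'unixepoch') stands in for MySQL's UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(x))), the table names, rows and the allow-list are constructed for the demo, and the payload deliberately contains no "--" at all, which is why a str_replace('--', '') filter never fires.

```python
import sqlite3

# Date columns the grid filter may legitimately target (constructed allow-list).
ALLOWED_DATE_COLUMNS = {"creationDate", "modificationDate"}

# Closes the date() call the handler opened, bolts on a UNION against a table
# the translations-view permission should never reach, then reopens a date()
# call so the handler's trailing ", 'unixepoch') = ?" still parses.
# No "--" anywhere, so a str_replace('--', '') filter has nothing to remove.
PAYLOAD = ("creationDate, 'unixepoch') = '' "
           "UNION SELECT password_hash FROM users WHERE date(0")


def build_db():
    """Constructed in-memory schema: the translations grid plus a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE translations(tr_key TEXT, value TEXT, creationDate INTEGER);
        CREATE TABLE users(name TEXT, password_hash TEXT);
        INSERT INTO translations VALUES ('greeting', 'Hello', 1704067200);
        INSERT INTO users VALUES ('admin', 'constructed-hash-for-demo');
    """)
    return db


def vulnerable_query(db, prop, day):
    """The pattern the description outlines: the filter's 'property' name is
    interpolated into the date expression after only stripping '--'. The
    date value is bound as a parameter, which does nothing for the name."""
    prop = prop.replace("--", "")
    sql = f"SELECT tr_key FROM translations WHERE date({prop}, 'unixepoch') = ?"
    return [row[0] for row in db.execute(sql, (day,))]


def safe_query(db, prop, day):
    """Fix: column names cannot be parameterised, so accept only allow-listed
    identifiers and keep the value as a bound parameter."""
    if prop not in ALLOWED_DATE_COLUMNS:
        raise ValueError(f"unknown date column: {prop!r}")
    sql = f"SELECT tr_key FROM translations WHERE date({prop}, 'unixepoch') = ?"
    return [row[0] for row in db.execute(sql, (day,))]


if __name__ == "__main__":
    db = build_db()
    print("normal filter :", vulnerable_query(db, "creationDate", "2024-01-01"))
    print("injected      :", vulnerable_query(db, PAYLOAD, "1970-01-01"))
    try:
        safe_query(db, PAYLOAD, "1970-01-01")
    except ValueError as exc:
        print("hardened      : rejected,", exc)
```

The injected query returns the users table's hash with the date parameter set to 1970-01-01, because date(0, 'unixepoch') evaluates to that day; stripping comment markers is irrelevant when the attacker can simply keep the rest of the statement syntactically valid.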
Authentication bypass in phpMyFAQ before 4.1.3 lets any unauthenticated remote attacker reset arbitrary user passwords - including SuperAdmin - by sending a PUT request to /api/user/password/update with only a valid username/email pair, with no token, rate limit, or out-of-band confirmation. The vendor-issued GHSA-w9xh-5f39-vq89 advisory and VulnCheck disclosure document the flaw, and publicly available exploit code exists in the form of a PoC curl invocation; no CISA KEV listing or EPSS score is provided in the input.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Management plane (Improper Restriction of Auth Attempts)
- Moderate evidence (PoC / elevated EPSS)
CVSS 4.0: 8.8 | Priority: 44
Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields, including administrator passwords and email addresses, by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover, either by replacing the password directly or by redirecting the account email and triggering a password reset; no public exploit was identified at time of analysis. Exploitation requires the form's Roles setting to be left empty, which narrows the exploitable population but is a common default state.
Tags: NIS2, Edge exposure, No patch available, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass (the flaw described is an authorization bypass, CWE-862; no authentication is evaded)
- No patch available
- Management plane (Missing Authorization)
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit and EPSS is 0.1%, so verify this tier before acting on it
CVSS 3.1: 8.8 | EPSS: 0.1% | Priority: 44
Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass (the description's attacker is on the adjacent BLE link, so this is not Internet-reachable exposure)
- Strong evidence (KEV / high EPSS / multi-source); the description reports no public exploit and EPSS is 0.0%, so this tier is not backed by exploitation evidence on the card
CVSS 3.1: 8.8 | EPSS: 0.0% | Priority: 44
Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client.
Tags: DORA, Edge exposure, ICT dependency, No patch available, Ivanti
Why flagged?
DORA Relevant
- HIGH severity
- ICT provider: Ivanti (Network & Security)
- No remediation available; this conflicts with the description, which limits affected versions to those prior to 22.8R6, so check Ivanti's advisory for the fixed release before relying on this flag
CVSS 3.1: 8.8 | EPSS: 0.1% | Priority: 44
Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.
Tags: NIS2, Edge exposure
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit, so verify this tier before acting on it
CVSS 4.0: 8.8 | Priority: 44
{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.
Tags: NIS2, DORA, Edge exposure, ICT dependency, Management plane, Docker
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Docker
- Management plane (Missing Authorization)
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit, so verify this tier before acting on it
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- Authentication / access control weakness
CVSS 3.1: 8.8 | Priority: 44
Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-434: Unrestricted Upload of File)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source); the description reports no public exploit and no KEV listing, and EPSS is 0.1%, so this tier is not backed by exploitation evidence on the card
CVSS 3.1: 8.8 | EPSS: 0.1% | Priority: 44
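The substring-versus-suffix distinction behind the double-extension bypass, as an added Python model; the plugin itself is PHP and this is not its code. The allow-list and the sample filenames are constructed for the demo, and substring_check() models the strpos()-style test the description attributes to gutenbee_file_and_ext_json.

```python
# Extensions the upload endpoint is meant to accept (constructed allow-list).
ALLOWED_EXTENSIONS = {"json"}


def substring_check(filename):
    """Model of the permissive check: a strpos()-style test that passes
    whenever 'json' occurs anywhere in the name, so 'shell.json.php' is
    accepted even though the server will treat it as PHP."""
    return "json" in filename.lower()


def strict_check(filename):
    """Hardened check: no path separators or NULs, exactly one extension,
    and that extension must be allow-listed. The *last* suffix is what a web
    server uses to choose a handler, so a second extension is rejected."""
    if any(c in filename for c in "/\\\x00"):
        return False
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1] in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {name: (substring_verdict, strict_verdict)} for a batch of names."""
    return {n: (substring_check(n), strict_check(n)) for n in filenames}


# Constructed probe set: benign uploads plus the double-extension trick.
SAMPLES = ["data.json", "shell.json.php", "jsonshell.phtml",
           "../escape.json", "export.JSON"]

if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLES).items():
        print(f"{name:18} substring={loose!s:5} strict={strict}")
```

Storing uploads under a server-generated name with the allow-listed extension removes the dependency on the client-supplied name entirely; the check above is the minimum when the original name must be kept.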
Remote code execution in vLLM 0.14.1 occurs because `trust_remote_code=True` is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit `--trust-remote-code=False` safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process, despite UI:R requiring an operator to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, indicating the regression pattern is already well understood.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal); this CWE label does not match the described flaw, which is code execution from a trusted remote model repository, so do not filter on the CWE when prioritising
- No patch available
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit, so verify this tier before acting on it
CVSS 3.0: 8.8 | Priority: 44
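Because the loader can silently override the operator's flag, the useful control sits outside the loader: inspect the checkout before it is ever handed to the inference process. The following is an added Python example, not vLLM's or transformers' code. It relies on one documented convention, that a Hugging Face checkout advertises custom model classes through an "auto_map" entry in config.json, and everything else (the demo directory layout, the module and class names) is constructed.

```python
import json
import os
import tempfile


def audit_model_dir(model_dir):
    """Return the reasons a checkout would run repository-supplied code.
    Two signals are checked: an "auto_map" entry in config.json, which is
    how a Hugging Face checkout points at custom model classes, and loose
    Python modules sitting next to the weights. An empty list means only
    built-in architectures are involved."""
    findings = []
    with open(os.path.join(model_dir, "config.json"), encoding="utf-8") as fh:
        config = json.load(fh)
    auto_map = config.get("auto_map") or {}
    if auto_map:
        findings.append("config.json auto_map -> " + ", ".join(sorted(auto_map.values())))
    py_files = sorted(n for n in os.listdir(model_dir) if n.endswith(".py"))
    if py_files:
        findings.append("python modules in checkout: " + ", ".join(py_files))
    return findings


def policy_allows_load(model_dir, trust_remote_code):
    """Deployment-side gate. It decides from the checkout's contents, not from
    whatever value the loader later passes to transformers, so a loader that
    hard-codes trust_remote_code=True cannot widen it."""
    return bool(trust_remote_code) or not audit_model_dir(model_dir)


def make_demo_checkout(with_remote_code):
    """Constructed model directory for the demo (no real weights)."""
    model_dir = tempfile.mkdtemp(prefix="model-")
    config = {"model_type": "demo", "architectures": ["DemoForCausalLM"]}
    if with_remote_code:
        # Hypothetical module/class names; the key layout mirrors real configs.
        config["auto_map"] = {"AutoModelForCausalLM": "modeling_demo.DemoForCausalLM"}
        with open(os.path.join(model_dir, "modeling_demo.py"), "w", encoding="utf-8") as fh:
            fh.write("# constructed stand-in for attacker-controlled model code\n")
    with open(os.path.join(model_dir, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    return model_dir


if __name__ == "__main__":
    for flag in (True, False):
        d = make_demo_checkout(flag)
        print(d, audit_model_dir(d), "load allowed:", policy_allows_load(d, False))
```

Run the audit in the job that fetches or mirrors models, and fail the job when findings are non-empty and the operator has not opted in; that keeps the decision independent of any loader regression.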
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-434: Unrestricted Upload of File); this CWE label does not match the described flaw, which is attacker-chosen callback execution through call_user_func(), not a file upload
- No patch available
- Strong evidence (KEV / high EPSS / multi-source); the description reports no public exploit and EPSS is 0.2%, so this tier is not backed by exploitation evidence on the card
CVSS 3.1: 8.8 | EPSS: 0.2% | Priority: 44
Account takeover in Oracle Payroll (Self Service Manager component) of Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the Payroll module over HTTP. The CVSS 3.1 base score of 8.8 reflects high impacts to confidentiality, integrity, and availability, and Oracle has issued a fix in the May 2026 Critical Patch Update. No public exploit identified at time of analysis.
Tags: DORA, ICT dependency, No patch available, Oracle Database
Why flagged?
DORA Relevant
- HIGH severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available; this conflicts with the description, which states that the May 2026 Critical Patch Update contains the fix, so treat the CPU as the remediation
CVSS 3.1: 8.8 | Priority: 44
Arbitrary file write leading to remote code execution in Dulwich (pure-Python Git implementation) versions >= 0.10.0 and < 1.2.5 allows attackers controlling a Git repository to plant files inside a Windows victim's .git directory - most notably .git/hooks/pre-commit.exe - which executes on the next commit. The flaw stems from the NTFS path-element validator accepting Windows-hostile bytes (\, :, and git~<n> 8.3 short-name aliases) plus broken handling of core.protectNTFS/core.protectHFS configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the technique is closely modeled on the well-documented Git CVE-2019-1353/1354 class.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available; this conflicts with the description's affected range (>= 0.10.0 and < 1.2.5), which implies 1.2.5 carries the fix
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit and no KEV listing, so verify this tier before acting on it
CVSS 3.1: 8.8 | Priority: 44
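The per-element checks a Windows-safe tree-path validator needs, as an added Python example modelled on the conditions the description lists (backslash, colon, and git~<n> short-name aliases); it is not Dulwich's validator. The reserved device-name set is the documented Windows one, and the sample tree paths are constructed.

```python
import re

# Windows reserved device names (documented set, reproduced here, not Dulwich's list).
_RESERVED = {"con", "prn", "aux", "nul",
             *(f"com{i}" for i in range(1, 10)), *(f"lpt{i}" for i in range(1, 10))}
# 8.3 short-name aliases NTFS may assign to ".git": GIT~1, GIT~2, ...
_SHORT_GIT = re.compile(r"^git~[1-9][0-9]*$")


def ntfs_hostile_element(element):
    """Return why this single tree-entry name is unsafe to check out on NTFS,
    or None if it is fine."""
    if element in ("", ".", ".."):
        return "empty or dot-relative element"
    if "\\" in element:
        return "backslash is a path separator on Windows"
    if ":" in element:
        return "colon selects a drive or an NTFS alternate data stream"
    # NTFS silently drops trailing dots and spaces, so ".git." becomes ".git".
    stripped = element.rstrip(" .").lower()
    if stripped == ".git":
        return "names .git after NTFS trailing dot/space stripping"
    if _SHORT_GIT.match(stripped):
        return "8.3 short-name alias for .git"
    if stripped.split(".")[0] in _RESERVED:
        return "reserved device name"
    return None


def check_tree_path(path):
    """Validate a slash-separated tree path element by element; return
    (offending_element, reason) or None when every element is acceptable."""
    for element in path.split("/"):
        reason = ntfs_hostile_element(element)
        if reason:
            return (element, reason)
    return None


# Constructed tree paths an attacker-controlled repository might contain.
SAMPLES = [
    "src/main.py",
    ".git\\hooks\\pre-commit.exe",
    "git~1/hooks/pre-commit.exe",
    ".git./hooks/pre-commit.exe",
    "notes:$DATA",
    "COM1.txt",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:32} -> {check_tree_path(p)}")
```

Apply the check to every entry of every tree before writing anything to disk, and apply it unconditionally rather than only when core.protectNTFS is set, since the description notes that the configuration handling itself was part of the flaw.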
Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded secret - a password or cryptographic key - that the product uses for inbound authentication, outbound communication, or encryption of internal data. Because the credential is the same across every deployment, an attacker who already holds low-level access (CVSS PR:L) can leverage it to gain full confidentiality, integrity, and availability impact (C:H/I:H/A:H) over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Tags: NIS2, DORA, Edge exposure, ICT dependency, No patch available, Management plane, IBM Cloud
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: IBM Cloud
- No patch available
- Management plane (Use of Hard-coded Credentials)
- Moderate evidence (PoC / elevated EPSS); the description reports no public exploit and no KEV listing, and EPSS is 0.0%, so verify this tier before acting on it
DORA Relevant
- HIGH severity
- ICT provider: IBM Cloud (Cloud Providers)
- No remediation available
- Authentication / access control weakness
CVSS 3.1: 8.8 | EPSS: 0.0% | Priority: 44
Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).
Tags: DORA, Edge exposure, ICT dependency, Management plane, Docker
Why flagged?
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- Authentication / access control weakness
CVSS 3.1: 8.8 | EPSS: 0.0% | Priority: 44
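The Binds-versus-Mounts gap in policy form, as an added Python example; this is not Docker's ECI proxy code. It assumes only the documented Engine API shapes (HostConfig.Binds as "src:dst[:opts]" strings and HostConfig.Mounts as objects with Type, Source and Target), and the socket path set and container-create bodies are constructed.

```python
import posixpath

# Host paths that expose the Engine API when bind-mounted (constructed set;
# extend it for your host layout).
ENGINE_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def _norm(path):
    # Collapse '..', duplicate slashes and the POSIX double-leading-slash quirk.
    return posixpath.normpath("/" + path.lstrip("/")) if path.startswith("/") else path


def socket_mounts_binds_only(host_config):
    """Model of the flawed inspection: only HostConfig.Binds ("src:dst[:opts]"
    strings) is examined."""
    hits = []
    for bind in host_config.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _norm(src) in ENGINE_SOCKETS:
            hits.append(src)
    return hits


def socket_mounts(host_config):
    """Both ways the Engine API accepts a host path: Binds strings and the
    structured HostConfig.Mounts list (Type "bind" with a Source)."""
    hits = socket_mounts_binds_only(host_config)
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind" and _norm(mount.get("Source", "")) in ENGINE_SOCKETS:
            hits.append(mount["Source"])
    return hits


def allow_create(body, inspect=socket_mounts):
    """Policy decision for a POST /containers/create body."""
    return not inspect(body.get("HostConfig") or {})


# Constructed container-create bodies. The second is the shape a client
# produces when it routes the mount through Mounts instead of Binds.
VIA_BINDS = {"Image": "alpine",
             "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
VIA_MOUNTS = {"Image": "alpine",
              "HostConfig": {"Mounts": [{"Type": "bind",
                                         "Source": "/var/run/../run/docker.sock",
                                         "Target": "/var/run/docker.sock"}]}}

if __name__ == "__main__":
    for name, body in (("Binds", VIA_BINDS), ("Mounts", VIA_MOUNTS)):
        print(f"{name:6} binds-only allows: {allow_create(body, socket_mounts_binds_only)}  "
              f"full check allows: {allow_create(body)}")
```

Any proxy that enforces mount policy on the Engine API has to normalise and inspect every field that can carry a host path; checking one serialisation of the same request is exactly the gap the description reports.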
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Tags: NIS2, Edge exposure, Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source); the description reports no public exploit and no KEV listing, so this tier is not backed by exploitation evidence on the card
CVSS 4.0: 8.8 | Priority: 44
Full product takeover of Oracle Flow Manufacturing (versions 12.2.9 through 12.2.15) is achievable by a low-privileged remote attacker via SQL-based network access, per Oracle's advisory. The flaw scores CVSS 8.8 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. As a component of Oracle E-Business Suite, exploitation provides an attacker with control over a business-critical manufacturing execution system.
Tags: DORA, ICT dependency, No patch available, Oracle Database
Why flagged?
DORA Relevant
- HIGH severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
CVSS 3.1: 8.8 | Priority: 44
OS command injection in the @pensar/apex Node.js agent package (versions 0.0.58 and earlier) lets a remote, unauthenticated attacker run arbitrary operating-system commands by smuggling shell metacharacters into the smart_enumerate tool's url or extensions inputs. The vulnerable createSmartEnumerateTool() routine in src/core/agent/tools.ts builds a shell command string by concatenating those untrusted values and passes it to Node.js child_process.exec(), which spawns a shell that interprets the injected characters, executing them with the privileges of the agent process. CVSS is 8.8 (network vector, low complexity, no privileges, but user/agent interaction required); the source data shows no CISA KEV listing and no EPSS score, and a referenced researcher gist may contain proof-of-concept detail though exploit code is not confirmed in the structured input.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: command-injection
- No patch available
- Moderate evidence (PoC / elevated EPSS); the description confirms no exploit code in the structured input (a referenced researcher gist may hold PoC detail) and EPSS is 0.1%, so verify this tier before acting on it
CVSS 3.1: 8.8 | EPSS: 0.1% | Priority: 44
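The string-concatenation sink and its argv-based replacement, as an added Python example; the package itself is TypeScript and this is not its code. "enum-tool" is a hypothetical stand-in for whatever smart_enumerate shells out to, the allow-list patterns are constructed, and the child process is Python so the demo runs without the real tool installed.

```python
import json
import re
import subprocess
import sys

TOOL = "enum-tool"   # hypothetical stand-in for the binary smart_enumerate invokes
# Allow-list patterns for the two user-supplied values.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/-]*)?$")
EXT_RE = re.compile(r"^\.?[A-Za-z0-9]{1,16}$")

# Constructed attacker input: a plausible URL with a second command appended.
HOSTILE_URL = "http://example.test/; id"


def vulnerable_command(url, extensions):
    """The pattern the description attributes to createSmartEnumerateTool():
    one string assembled by concatenation and handed to a shell
    (child_process.exec in Node, shell=True in Python). The ';' ends the
    tool's command and starts the attacker's."""
    return f"{TOOL} -u {url}/FUZZ -e {','.join(extensions)}"


def build_argv(url, extensions):
    """Hardened: validate each value, then pass an argv list so no shell ever
    parses the values."""
    if not URL_RE.match(url):
        raise ValueError(f"rejected url: {url!r}")
    bad = [e for e in extensions if not EXT_RE.match(e)]
    if bad:
        raise ValueError(f"rejected extensions: {bad!r}")
    return [TOOL, "-u", f"{url}/FUZZ", "-e", ",".join(extensions)]


def argv_seen_by_child(args):
    """Spawn a child without a shell and return the argv it actually received.
    Even unvalidated metacharacters arrive as literal text this way."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *args],
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("shell string:", vulnerable_command(HOSTILE_URL, ["php"]))
    print("child argv  :", argv_seen_by_child([HOSTILE_URL, "$(whoami)"]))
    try:
        build_argv(HOSTILE_URL, ["php"])
    except ValueError as exc:
        print("validated   :", exc)
```

Validation and argv passing are both needed: the allow-list keeps junk out of the tool's own option parser, and the argv form guarantees that nothing the validator misses is ever interpreted by a shell. In Node the equivalent is child_process.execFile (or spawn) with an argument array instead of exec with a string.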
Account takeover in Oracle Payroll (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker with HTTPS network access to fully compromise the Payroll application. The CVSS 8.8 vector indicates low complexity and no user interaction, meaning any authenticated EBS user can pivot to full confidentiality, integrity, and availability impact on Payroll. No public exploit identified at time of analysis, but the issue was disclosed in Oracle's Critical Patch Update advisory and warrants prompt patching given the sensitivity of payroll data.
Tags: DORA, ICT dependency, No patch available, Oracle Database
Why flagged?
DORA Relevant
- HIGH severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available; this conflicts with the description, which points to Oracle's Critical Patch Update advisory and calls for prompt patching, so treat the CPU as the remediation
CVSS 3.1: 8.8 | Priority: 44
Unauthorized file disclosure in Taipy 4.1.1 lets remote unauthenticated attackers read files outside an extension library's intended directory through the GUI ElementLibrary.get_resource() resource handler. The containment check used str.startswith() without a trailing separator, so a crafted request with traversal segments can resolve into a prefix-matching sibling directory on disk while still passing the flawed check. Impact is confined to confidentiality (file read), with no public exploit identified at time of analysis and no CISA KEV listing.
Tags: NIS2, Edge exposure, No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source); the description reports no public exploit and no KEV listing, and EPSS is 0.2%, so this tier is not backed by exploitation evidence on the card
CVSS 4.0: 8.7 | EPSS: 0.2% | Priority: 44
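The separator-less prefix check and its component-wise replacement, as an added Python example; it is not Taipy's get_resource() code. The base directory, the prefix-sharing sibling and the file table are constructed, and posixpath is used so the demo touches no real filesystem.

```python
import posixpath

# Constructed extension library directory and a sibling that shares its name
# as a prefix, which is exactly what a bare startswith() confuses with the base.
BASE = "/srv/taipy/extensions/mylib"
FILES = {
    "/srv/taipy/extensions/mylib/css/style.css": "body{}",
    "/srv/taipy/extensions/mylib_private/secret.txt": "do-not-serve",
}


def resolve(base, requested):
    return posixpath.normpath(posixpath.join(base, requested))


def vulnerable_contained(base, requested):
    """The check the description attributes to Taipy: a plain prefix test.
    '/srv/.../mylib_private/...' starts with '/srv/.../mylib', so it passes."""
    return resolve(base, requested).startswith(base)


def hardened_contained(base, requested):
    """commonpath compares whole path components, so the sibling directory no
    longer matches. On a real filesystem apply os.path.realpath to both sides
    first so a symlink inside the base cannot re-open the hole."""
    resolved = resolve(base, requested)
    return posixpath.commonpath([base, resolved]) == base


def get_resource(requested, check=hardened_contained):
    """Handler model: serve a file from the constructed FILES table only if the
    chosen containment check accepts the resolved path."""
    if not check(BASE, requested):
        raise PermissionError(requested)
    return FILES[resolve(BASE, requested)]


if __name__ == "__main__":
    for req in ("css/style.css", "../mylib_private/secret.txt", "../../../etc/passwd"):
        print(f"{req:30} startswith={vulnerable_contained(BASE, req)!s:5} "
              f"commonpath={hardened_contained(BASE, req)}")
```

Note that a plain "../../../etc/passwd" is rejected by both checks, which is why this class of bug survives casual testing: only a sibling whose name extends the base directory's name slips through.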