NIS2 & DORA Compliance
Regulatory triage for vulnerability prioritization – classification based on existing CVE data
NIS2 Relevant: 432
DORA Relevant: 65
Internet-Facing: 367
Third-Party ICT: 65
Unpatched: 434
Exploited: 71
DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying the originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects a network-accessible attack requiring no privileges or user interaction.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
Path traversal in Emmett Python web framework versions 2.5.0 through 2.8.0 allows unauthenticated remote attackers to read arbitrary files from the server filesystem via malicious requests to the RSGI static handler endpoint. Attackers can bypass directory restrictions by inserting ../ sequences in /__emmett__ asset paths (e.g., /__emmett__/../rsgi/handlers.py) to access sensitive files including source code, configuration files, and credentials. With CVSS 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe confidentiality and availability risks. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
Backup import in Canonical LXD before 6.8 bypasses project security restrictions, enabling privilege escalation to full host compromise. An authenticated remote attacker with instance-creation permission in a restricted project crafts malicious backup archives containing conflicting configuration files: backup/index.yaml passes validation, while backup/container/backup.yaml (never validated) carries forbidden directives like security.privileged=true or raw.lxc commands. Exploiting this dual-file validation gap allows unrestricted container creation that breaks isolation boundaries. No public exploit identified at time of analysis.
NIS2 | DORA | Edge exposure | ICT dependency | Canonical / Ubuntu
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-20: Improper Input Validation)
- Third-party ICT: Canonical / Ubuntu
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
CVSS 3.1: 9.1 | EPSS: 0.0% | Priority: 46
Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.0% | Priority: 46
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
NIS2 | Edge exposure | Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-287: Improper Authentication)
- Management plane (Improper Authentication)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.1 | EPSS: 0.0% | Priority: 46
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. Fixed in version 1.12.1. No public exploit identified at time of analysis, though technical details are disclosed via Huntr bounty platform.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: path-traversal
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.0: 9.1 | EPSS: 0.0% | Priority: 46
Server-Side Request Forgery in ERPNext 16.0.1 and Frappe Framework 16.1.1 enables unauthenticated attackers to force servers to make arbitrary HTTP requests to internal services through insufficiently sanitized HTML in Print Format PDF generation. Attackers inject HTML elements like <iframe> referencing external resources, which the PDF rendering engine automatically fetches server-side, exposing cloud metadata endpoints and internal network resources. No public exploit identified at time of analysis. CVSS 9.1 severity reflects network-accessible attack vector requiring no authentication or user interaction.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.0% | Priority: 46
Shell command injection in Emissary workflow engine below version 8.39.0 allows high-privileged attackers with repository write access to execute arbitrary commands via GitHub Actions workflow_dispatch inputs. Attackers exploit unsanitized ${{ }} expression syntax in workflow files to inject malicious shell commands, enabling repository poisoning and supply chain attacks affecting downstream users. CVSS 9.1 (Critical) with Changed scope indicates potential to compromise beyond the vulnerable component. No public exploit code or CISA KEV listing identified at time of analysis, though exploitation requires only repository write access with low attack complexity.
NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-77: Command Injection)
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.0% | Priority: 46
Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, which is verifiable through the 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.
NIS2 | DORA | Edge exposure | ICT dependency | No patch available | Juniper
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Juniper
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Juniper (Network & Security)
- No remediation available
CVSS 4.0: 9.1 | EPSS: 0.0% | Priority: 46
OS command injection in Chamilo LMS 1.x (prior to 1.11.38) and 2.0.0-RC.x (prior to RC.3) allows authenticated teacher-role users to execute arbitrary system commands via unsanitized file path parameters. The move() function in fileManage.lib.php concatenates user-controlled move_to POST values directly into exec() shell commands without proper escaping. Any authenticated user can exploit this by creating a course (enabled by default), uploading a directory with shell metacharacters via Course Backup Import, then moving a document to trigger command execution as www-data. No public exploit identified at time of analysis.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-78: OS Command Injection)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.1 | EPSS: 0.2% | Priority: 46
Server-Side Template Injection in OpenCTI platform versions before 6.9.5 allows authenticated administrators with 'Manage customization' capability to execute arbitrary JavaScript during notifier template processing. The vulnerability stems from improper EJS template sanitization in safeEjs.ts, enabling attackers to achieve remote code execution with platform process privileges. CVSS 9.1 reflects cross-scope impact with high confidentiality, integrity, and availability consequences. No public exploit identified at time of analysis.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: ssti
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
Arbitrary Python file overwrite in text-generation-webui versions prior to 4.1.1 enables authenticated high-privilege users to achieve remote code execution by overwriting critical application files like download-model.py through malicious extension settings saved in .py format, then triggering execution via the Model download interface. No public exploit identified at time of analysis; EPSS data are not available for this recent CVE, and the exploitation methodology is straightforward for authenticated attackers.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.1 | EPSS: 0.1% | Priority: 46
Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.1 | EPSS: 0.3% | Priority: 46
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
NIS2 | DORA | Edge exposure | ICT dependency | Docker | PostgreSQL
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Docker, PostgreSQL
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS 3.1: 9.1 | Priority: 46
Remote code execution in SiYuan Electron desktop client (prior to version 3.6.4) allows authenticated attackers to execute arbitrary code on victim systems through maliciously crafted notes synced across workspaces. The vulnerability chains a stored XSS flaw in table caption rendering with insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled), elevating DOM-based script injection to full Node.js API access. No public exploit identified at time of analysis, though the attack vector is well-documented in the GitHub security advisory. CVSS 9.0 reflects the scope change and high impact across confidentiality, integrity, and availability.
NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 9.0 | EPSS: 0.1% | Priority: 45
Path traversal in PraisonAI Action Orchestrator (v<4.5.113) allows arbitrary file write via directory traversal sequences in action target paths. Attackers can exploit this through malicious ActionStep payloads containing '../' sequences to overwrite critical system files (SSH keys, shell profiles) or plant executables, achieving local privilege escalation or remote code execution. CVSS 9.0 (Critical). Vendor-released patch available in v4.5.113. No public exploit identified at time of analysis, though detailed proof-of-concept demonstrates trivial exploitation via crafted ActionStep objects targeting paths like '../../../tmp/pwned.txt'.
NIS2 | Edge exposure
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Moderate evidence (PoC / elevated EPSS)
CVSS 3.1: 9.0 | EPSS: 0.0% | Priority: 45
Local privilege escalation in Nix package manager daemon (versions prior to 2.34.5/2.33.4/2.32.7/2.31.4/2.30.4/2.29.3/2.28.6) allows unprivileged users to gain root access in multi-user Linux installations. Incomplete fix for CVE-2024-27297 permits symlink attacks during fixed-output derivation registration, enabling arbitrary file overwrites as root. Attackers exploit sandboxed build registration by placing symlinks in temporary output paths, causing the daemon to follow symlinks and overwrite sensitive system files with controlled content. Affects default configurations where all users can submit builds. No public exploit identified at time of analysis.
NIS2 | DORA | ICT dependency | No patch available | Apple
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Apple
- No patch available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Apple (Operating Systems)
- No remediation available
CVSS 3.1: 9.0 | EPSS: 0.0% | Priority: 45
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrate administrator session cookies through stored XSS in social media profile fields. Attackers chain JavaScript payloads across the Facebook, LinkedIn, and X fields using onfocus event handlers to bypass 50-character limits, automatically executing when any user (including administrators) views the malicious profile. No public exploit code or confirmed active exploitation identified at time of analysis, and EPSS data are unavailable. CVSS 8.9 reflects high impact but requires authenticated access and user interaction.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.9 | EPSS: 0.0% | Priority: 45
Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-22: Path Traversal)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.8 | EPSS: 0.3% | Priority: 44
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DHCP hosts configuration parameter. Exploitation requires low-complexity network access with low-level authentication (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vulnerability's straightforward injection mechanism and the popularity of Pi-hole as a DNS/DHCP solution elevate practical risk for environments with multiple administrative users or compromised credentials.
NIS2 | Edge exposure | No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
CVSS 3.1: 8.8 | EPSS: 0.3% | Priority: 44