NIS2 & DORA Compliance

Regulatory triage for vulnerability prioritization – classification based on existing CVE data

Regulatory Triage ICT Providers
NIS2 Relevant
434
DORA Relevant
65
Internet-Facing
369
Third-Party ICT
65
Unpatched
431
Exploited
68
Framework:
Period:
Sort:
CVE-2026-35519
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via newline injection in DNS host record configuration. The vulnerability exploits improper input sanitization in the dns.hostRecord parameter, enabling injection of malicious dnsmasq directives that execute at the system level. With CVSS 8.8 (network-accessible, low complexity, requires low-privilege authentication), this represents a critical risk for Pi-hole deployments where administrative access controls are weak. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.2%
EPSS
44
Priority
CVE-2026-35517
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges to execute arbitrary system commands by injecting newline-delimited dnsmasq configuration directives into the upstream DNS servers parameter (dns.upstreams). The vulnerability requires network access with authentication (CVSS:3.1 PR:L) but has low attack complexity and no user interaction required. No public exploit identified at time of analysis, though technical details are available in the GitHub Security Advisory.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.2%
EPSS
44
Priority
CVE-2026-4326
Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2025-65115
Remote code execution in Hitachi's JP1/IT Desktop Management suite allows authenticated network attackers to execute arbitrary code on Windows systems running Manager, Operations Director, and Client components. Affects multiple product generations spanning versions 9.x through 13.x across nine distinct product lines. CVSS score of 8.8 reflects network-accessible attack surface with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though CWE-73 (external control of file name or path) indicates potential for path traversal-based exploitation. Hitachi has released patches addressing versions 13-50-02, 13-11-04, 13-10-07, 13-01-07, 13-00-05, and 12-60-12 for actively supported products.
NIS2 DORA Edge exposure ICT dependency No patch available Microsoft Windows
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • Third-party ICT: Microsoft Windows
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Microsoft Windows (Operating Systems)
  • No remediation available
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-3357
Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.
NIS2 DORA Edge exposure ICT dependency IBM Cloud
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: IBM Cloud
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: IBM Cloud (Cloud Providers)
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-34197
Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(). CVSS 8.8 (High) with network attack vector and low complexity. EPSS score 0.06% (19th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though SSVC assessment confirms total technical impact with non-automatable exploitation.
NIS2 Edge exposure No patch available PoC
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Proof of concept available
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-20433
Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack scenario requires specialized radio equipment and victim proximity to malicious infrastructure. Patch ID MOLY01088681 addresses the missing bounds check in modem baseband code.
No patch available
Why flagged?
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-5465
Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. EPSS data not provided; no confirmed active exploitation (CISA KEV) at time of analysis, though public exploit code exists via disclosed source code references.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.1%
EPSS
44
Priority
CVE-2026-5144
Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.
No patch available Management plane
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-39891
Template injection in PraisonAI Python package enables remote code execution through unescaped user input in agent-centric tools. Authenticated attackers inject malicious Jinja2 template expressions via agent instructions to execute arbitrary system commands with process privileges. The create_agent_centric_tools() function passes unsanitized user input directly to template-rendering tools under auto-approval mode, causing expressions like {{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-94: Code Injection)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-35567
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with ManageGroups role to execute arbitrary SQL commands via the NewRole POST parameter in MemberRoleChange.php. The vulnerability requires low-privilege authentication (PR:L) but permits complete database compromise with high confidentiality, integrity, and availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack complexity is low (AC:L) and requires no user interaction.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-39937
Information disclosure in MediaWiki CentralAuth extension exposes sensitive authentication data to unauthorized parties through improper removal before storage or transfer. This affects non-release development branches with network-accessible attack vector requiring no authentication (CVSS:4.0 AV:N/PR:N). While no public exploit or active exploitation (not in CISA KEV) is identified at time of analysis, the CVSS 8.8 rating reflects high confidentiality impact and low complexity, making this a significant risk for organizations running development builds.
No patch available
Why flagged?
8.8
CVSS 4.0
0.0%
EPSS
44
Priority
CVE-2026-34184
Unauthorized access to directories in Hydrosystem Control System versions prior to 9.8.5 allows unauthenticated remote attackers to read arbitrary files and execute PHP scripts directly against the connected database. Missing authorization enforcement on specific directories enables direct file access and code execution without authentication, creating critical exposure for database manipulation and data exfiltration. No public exploit identified at time of analysis.
No patch available Management plane
Why flagged?
8.8
CVSS 4.0
0.0%
EPSS
44
Priority
CVE-2026-33510
DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with scope change indicating potential cross-domain impact.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: xss
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-35610
Privilege escalation in PolarLearn account-management module allows authenticated non-admin users to arbitrarily reset passwords and delete user accounts due to an inverted admin permission check in versions 0-PRERELEASE-14 and earlier. The inverted logic in setCustomPassword() and deleteUser() functions grants administrative capabilities to regular users while blocking legitimate administrators. With a CVSS score of 8.8 and network-based attack vector requiring only low-privilege authentication, this represents a critical account takeover risk. No public exploit identified at time of analysis, though the authentication bypass nature (per tags) makes exploitation straightforward once the flaw is understood.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Management plane (Improper Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-5866
Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.
NIS2 Edge exposure
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: rce
  • Moderate evidence (PoC / elevated EPSS)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-5910
Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-5909
Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-5908
Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-35182
Privilege escalation in Brave CMS 2.0.x before 2.0.6 allows authenticated users with low-privilege accounts to promote themselves to Super Admin by directly calling the unprotected role update endpoint. The vulnerability stems from a missing authorization middleware check on the /rights/update-role/{id} route, enabling complete takeover of the CMS by any user with valid credentials. No public exploit identified at time of analysis, but exploitation is trivial given the straightforward API endpoint access. With EPSS data unavailable and no KEV listing, risk primarily affects organizations using affected Brave CMS versions in multi-user environments.
NIS2 Edge exposure No patch available Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • No patch available
  • Management plane (Missing Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-5912
Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Why flagged?
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-39327
SQL injection in ChurchCRM 7.0.5 allows authenticated users with 'Manage Groups & Roles' permission to execute arbitrary SQL commands via the NewRole parameter in /MemberRoleChange.php endpoint. This network-accessible vulnerability requires low-complexity exploitation with no user interaction, enabling complete database compromise including data exfiltration and modification. EPSS data unavailable, no CISA KEV listing indicating no confirmed active exploitation at time of analysis, though CVSS 8.8 (High) reflects significant impact potential. Patched in version 7.1.0.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-39319
Second-order SQL injection in ChurchCRM FundRaiserEditor.php allows authenticated low-privilege users to extract and modify database contents remotely. All versions prior to 7.1.0 are affected. This network-accessible vulnerability requires minimal attack complexity and no user interaction, enabling authenticated attackers to achieve full database compromise (confidentiality, integrity, and availability impact). EPSS data not available; no public exploit identified at time of analysis, though vulnerability details are disclosed in GitHub security advisory.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-39318
SQL injection in ChurchCRM GroupPropsFormRowOps.php allows authenticated attackers to execute arbitrary SQL commands and extract, modify, or destroy database contents. The Field parameter accepts unsanitized user input that is inserted directly into SQL queries; while mysqli_real_escape_string() is applied, it fails to escape backtick characters, enabling attackers to break out of SQL identifier context. Affects all versions prior to 7.1.0. With network-accessible attack vector (AV:N), low complexity (AC:L), and requiring only low-privilege authentication (PR:L), this vulnerability poses significant risk to church management systems with authenticated user access. EPSS data not available; no CISA KEV status indicating confirmed active exploitation; exploit scenario is straightforward given the technical details disclosed in the GitHub advisory.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
CVE-2026-39334
SQL injection in ChurchCRM 7.0.5 /SettingsIndividual.php endpoint allows authenticated low-privilege users to extract, modify, or delete database contents remotely. The vulnerability exploits insufficient input validation on the type array parameter, enabling arbitrary SQL statement execution. ChurchCRM is an open-source church management system handling sensitive member data including personal information, donations, and pastoral records. Fixed in version 7.1.0. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.
NIS2 Edge exposure No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-89: SQL Injection)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
8.8
CVSS 3.1
0.0%
EPSS
44
Priority
Prev Page 8 of 25 (613 CVEs) Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy