| Metric | Value |
|---|---|
| CVEs | 218 |
| Critical | 44 |
| High | 87 |
| KEV | 1 |
| PoC | 6 |
| Unpatched C/H | 19 |
| Patch Rate | 84.4% |
| Avg EPSS | 0.1% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 44 |
| HIGH | 87 |
| MEDIUM | 71 |
| LOW | 3 |
Monthly CVE Trend
Affected Products (30)

| Product | CVEs |
|---|---|
| Java | 48 |
| Tomcat | 37 |
| Http Server | 15 |
| PHP | 14 |
| Ubuntu | 11 |
| Superset | 11 |
| Kubernetes | 9 |
| Cloudstack | 7 |
| Iotdb | 7 |
| Openoffice | 7 |
| Python | 7 |
| Traffic Server | 7 |
| Node.js | 7 |
| PostgreSQL | 6 |
| Camel | 6 |
| Windows | 6 |
| Airflow | 5 |
| Nuttx | 5 |
| Docker | 5 |
| LDAP | 5 |
| Ranger | 5 |
| Kylin | 5 |
| TLS | 4 |
| Cassandra | 4 |
| Inlong | 4 |
| Ofbiz | 4 |
| Apache Airflow | 4 |
| Hertzbeat | 4 |
| Solr | 4 |
| Kvrocks | 4 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34197 | Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec( | HIGH | 8.8 | 0.1% | 114 | KEV, PoC |
| CVE-2016-20026 | Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software. | CRITICAL | 9.3 | 0.1% | 67 | PoC, No patch |
| CVE-2026-39920 | Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits an exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided, but exploitation prerequisites are minimal given default credential exposure. | CRITICAL | 9.3 | 0.2% | 66 | PoC |
| CVE-2026-33109 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects a network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential. | CRITICAL | 9.9 | 0.1% | 55 | |
| CVE-2026-33453 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's cam | CRITICAL | 10.0 | 0.5% | 51 | |
| CVE-2026-33844 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code when a user interacts with a malicious payload. CVSS 9.0 (Critical) with scope change indicates container/tenant escape potential. Microsoft released a patch (MSRC update guide), and CVSS temporal metrics confirm remediation available with complete confidence, though no confirmed active exploitation or public PoC was identified at time of analysis. | CRITICAL | 9.0 | 0.1% | 50 | |
| CVE-2026-40453 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-33502 | An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit. | CRITICAL | 9.3 | 3.0% | 50 | |
| CVE-2025-59059 | RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%. | CRITICAL | 9.8 | 0.4% | 49 | |
| CVE-2026-40860 | JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessag | CRITICAL | 9.8 | 0.3% | 49 | |
| CVE-2026-42027 | Apache OpenNLP's model loading mechanism executes arbitrary static initializers through crafted manifest entries, enabling attackers to trigger side effects in any classpath class before type validation occurs. Affects OpenNLP versions before 2.5.9 and 3.0.0-M3. While not direct RCE, exploitation becomes viable when third-party models from untrusted sources (community repositories, model-sharing platforms) are loaded in environments containing classes with JNDI lookups, network I/O, or filesystem operations in static initializers. The EPSS score of 0.29% suggests low widespread exploitation probability despite CVSS 9.8, though the attack surface grows with model-sharing ecosystem adoption. No public exploit identified at time of analysis; vendor-released patches available. | CRITICAL | 9.8 | 0.3% | 49 | |
| CVE-2026-24713 | Input validation vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Second critical CVE affecting the IoT database. | CRITICAL | 9.8 | 0.1% | 49 | |
| CVE-2026-24015 | Vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Critical severity issue in the IoT time-series database platform. | CRITICAL | 9.8 | 0.1% | 49 | |
| CVE-2026-45434 | Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none', meaning no public exploit was identified at time of analysis despite the severe technical impact. | CRITICAL | 9.8 | 0.1% | 49 | |
| CVE-2026-41635 | Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction. Applications using IoBuffer.getObject() are affected. Vendor-released patches available in versions 2.0.28, 2.1.11, and 2.2.6. | CRITICAL | 9.8 | 0.0% | 49 | |