
Apache

Vendor security scorecard – 484 CVEs in the selected period

Risk score: 2231
CVEs: 484
Critical: 82
High: 202
KEV (CISA Known Exploited Vulnerabilities): 5
PoC (public exploit code): 44
Unpatched Critical/High: 53
Patch rate: 79.8%
Average EPSS: 1.4%

Severity Breakdown

CRITICAL: 82
HIGH: 202
MEDIUM: 173
LOW: 12

Monthly CVE Trend

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals

CVE-2016-3088 | CRITICAL | CVSS 9.8 | EPSS 94.3% | Priority 223 | Signals: KEV, PoC
Remote code execution in Apache ActiveMQ 5.x before 5.14.0 allows unauthenticated attackers to upload and execute arbitrary files on the message broker server by chaining HTTP PUT and MOVE requests against the Fileserver web application. This vulnerability is confirmed actively exploited (CISA KEV) with an EPSS score of 94.29%, publicly available exploit code exists, and a vendor-released patch is available in ActiveMQ 5.14.0.

CVE-2015-7450 | CRITICAL | CVSS 9.8 | EPSS 93.5% | Priority 222 | Signals: KEV, PoC, No patch
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenticated network attackers to execute arbitrary commands by sending malicious serialized Java objects that exploit the Apache Commons Collections InvokerTransformer class. This vulnerability is confirmed actively exploited in the wild per CISA KEV, with public exploit code available (Exploit-DB 41613) and an exceptionally high EPSS score of 93.49%, indicating near-certain exploitation probability. Affected products include Sterling B2B Integrator 5.2, Sterling Integrator 5.1, and Tivoli Common Reporting versions 2.1 through 3.1.2.1.

CVE-2017-3066 | CRITICAL | CVSS 9.8 | EPSS 93.4% | Priority 222 | Signals: KEV, PoC
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization flaws in the bundled Apache BlazeDS library. This critical vulnerability affects ColdFusion 10 (all updates through 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3). CISA confirms active exploitation in the wild with publicly available exploit code (Exploit-DB 43993), and an EPSS score of 93.36% (100th percentile) indicates extremely high real-world exploitation likelihood. The network-accessible attack vector, requiring no authentication or user interaction, makes this a top-priority remediation target for any organization running affected ColdFusion versions.

CVE-2025-24813 | CRITICAL | CVSS 9.8 | EPSS 94.2% | Priority 213 | Signals: KEV, PoC
A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With an EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2.

CVE-2026-34197 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 114 | Signals: KEV, PoC
Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods such as Runtime.exec(

CVE-2025-27636 | MEDIUM | CVSS 5.6 | EPSS 47.8% | Priority 96 | Signals: PoC
Bypass/Injection vulnerability in Apache Camel components under particular conditions. Affected versions: from 4.10.0 through 4.10.1, from 4.8.0 through 4.8.4, and from 3.10.0 through 3.22.3. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable with no authentication required. Public exploit code is available and the EPSS exploitation probability is 47.8%.

CVE-2016-15057 | CRITICAL | CVSS 9.9 | EPSS 37.9% | Priority 87 | Signals: No patch
Command injection in Apache Continuum (unsupported). An EPSS of 37.9% indicates active exploitation of this legacy CI/CD system. No patch is available; the product is end-of-life.

CVE-2025-31650 | HIGH | CVSS 7.5 | EPSS 20.3% | Priority 78 | Signals: PoC
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and the EPSS exploitation probability is 20.3%.

CVE-2025-30065 | CRITICAL | CVSS 10.0 | EPSS 0.5% | Priority 71 | Signals: PoC
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.

CVE-2024-13869 | HIGH | CVSS 7.2 | EPSS 10.7% | Priority 67 | Signals: PoC
The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and the EPSS exploitation probability is 10.7%.

CVE-2016-20026 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 67 | Signals: PoC, No patch
Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.

CVE-2026-39920 | CRITICAL | CVSS 9.3 | EPSS 0.2% | Priority 66 | Signals: PoC
Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits an exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data is not provided, but exploitation prerequisites are minimal given the default credential exposure.

CVE-2026-23552 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 66 | Signals: PoC
Cross-realm token acceptance bypass in the Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available.

CVE-2026-27636 | HIGH | CVSS 8.8 | EPSS 0.3% | Priority 64 | Signals: PoC
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.

CVE-2026-25747 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 64 | Signals: PoC
Deserialization of Untrusted Data vulnerability in the Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions.
