2549
CVEs
523
Critical
972
High
42
KEV
382
PoC
368
Unpatched C/H
75.0%
Patch Rate
9.5%
Avg EPSS
Severity Breakdown
CRITICAL
523
HIGH
972
MEDIUM
982
LOW
64
Monthly CVE Trend
Affected Products (30)
Java
242
Debian Linux
209
Tomcat
185
Http Server
114
Fedora
101
Ubuntu Linux
77
Airflow
74
Struts
60
Superset
58
Traffic Server
52
Camel
49
PHP
47
Ofbiz
46
Cxf
45
Nifi
40
Instantis Enterprisetrack
40
Enterprise Linux Server
37
Enterprise Linux Workstation
36
Enterprise Linux Desktop
36
Openoffice
33
Open Redirect
33
Communications Session Report Manager
32
Solr
32
Inlong
32
Retail Xstore Point Of Service
32
Communications Element Manager
31
Activemq
30
Primavera Unifier
29
Communications Session Route Manager
29
Enterprise Linux Server Aus
28
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2016-3088 | Remote code execution in Apache ActiveMQ 5.x before 5.14.0 allows unauthenticated attackers to upload and execute arbitrary files on the message broker server by chaining HTTP PUT and MOVE requests against the Fileserver web application. This vulnerability is confirmed actively exploited (CISA KEV) with EPSS score of 94.29%, publicly available exploit code exists, and vendor-released patch is available in ActiveMQ 5.14.0. | CRITICAL | 9.8 | 94.3% | 238 |
KEV
PoC
|
| CVE-2015-7450 | Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenticated network attackers to execute arbitrary commands by sending malicious serialized Java objects exploiting the Apache Commons Collections InvokerTransformer class. This vulnerability is confirmed actively exploited in the wild per CISA KEV, with public exploit code available (Exploit-DB 41613) and an exceptionally high EPSS score of 93.49%, indicating near-certain exploitation probability. Affected products include Sterling B2B Integrator 5.2, Sterling Integrator 5.1, and Tivoli Common Reporting versions 2.1 through 3.1.2.1. | CRITICAL | 9.8 | 93.5% | 237 |
KEV
PoC
No patch
|
| CVE-2013-2251 | Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.3% | 228 |
KEV
PoC
|
| CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.3% | 228 |
KEV
PoC
|
| CVE-2017-9791 | The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.2% | 228 |
KEV
PoC
|
| CVE-2025-24813 | A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2. | CRITICAL | 9.8 | 94.2% | 228 |
KEV
PoC
|
| CVE-2016-4437 | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.2% | 228 |
KEV
PoC
|
| CVE-2014-6271 | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.2% | 228 |
KEV
PoC
|
| CVE-2015-4852 | The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 92.9% | 227 |
KEV
PoC
|
| CVE-2017-3066 | Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization flaws in the bundled Apache BlazeDS library. This critical vulnerability affects ColdFusion 10 (all updates through 22), ColdFusion 11 (through Update 11), and ColdFusion 2016 (through Update 3). CISA confirms active exploitation in the wild with publicly available exploit code (Exploit-DB 43993), and EPSS scoring at 93.36% (100th percentile) indicates extremely high real-world exploitation likelihood. The network-accessible attack vector requiring no authentication or user interaction makes this a top-priority remediation target for any organization running affected ColdFusion versions. | CRITICAL | 9.8 | 93.4% | 222 |
KEV
PoC
|
| CVE-2012-0391 | The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 88.3% | 222 |
KEV
PoC
|
| CVE-2017-12617 | When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available. | HIGH | 8.1 | 94.4% | 220 |
KEV
PoC
|
| CVE-2017-9805 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available. | HIGH | 8.1 | 94.3% | 220 |
KEV
PoC
|
| CVE-2014-6278 | GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | HIGH | 8.8 | 90.1% | 219 |
KEV
PoC
|
| CVE-2016-8735 | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 93.8% | 213 |
KEV
PoC
|