285
CVEs
50
Critical
124
High
1
KEV
17
PoC
30
Unpatched C/H
82.5%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
50
HIGH
124
MEDIUM
90
LOW
7
Monthly CVE Trend
Affected Products (30)
Java
48
Tomcat
37
Http Server
15
PHP
14
Ubuntu
11
Superset
11
Kubernetes
9
Cloudstack
7
Iotdb
7
Openoffice
7
Python
7
Traffic Server
7
Node.js
7
PostgreSQL
6
Camel
6
Windows
6
Airflow
5
Nuttx
5
Docker
5
LDAP
5
Ranger
5
Kylin
5
TLS
4
Cassandra
4
Inlong
4
Ofbiz
4
Apache Airflow
4
Hertzbeat
4
Solr
4
Kvrocks
4
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34197 | Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec( | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2016-15057 | Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life. | CRITICAL | 9.9 | 37.9% | 87 |
No patch
|
| CVE-2016-20026 | Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software. | CRITICAL | 9.3 | 0.1% | 67 |
PoC
No patch
|
| CVE-2026-39920 | Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure. | CRITICAL | 9.3 | 0.2% | 66 |
PoC
|
| CVE-2026-23552 | Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available. | CRITICAL | 9.1 | 0.0% | 66 |
PoC
|
| CVE-2026-27636 | Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration. | HIGH | 8.8 | 0.3% | 64 |
PoC
|
| CVE-2026-25747 | Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2020-36939 | Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. [CVSS 7.5 HIGH] | HIGH | 7.5 | 0.7% | 58 |
PoC
No patch
|
| CVE-2026-22265 | Authenticated command injection in Roxy-WI versions prior to 8.2.8.2 enables attackers to execute arbitrary system commands through improper sanitization of the grep parameter in log viewing functionality. Public exploit code exists for this vulnerability, affecting users managing HAProxy, Nginx, Apache, and Keepalived servers through the web interface. A patch is available in version 8.2.8.2 and later. | HIGH | 7.5 | 0.2% | 58 |
PoC
|
| CVE-2025-64775 | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | HIGH | 7.5 | 0.1% | 58 |
PoC
|
| CVE-2026-27161 | Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. Public exploit code exists for this vulnerability, and no patch is currently available. | HIGH | 7.5 | 0.1% | 58 |
PoC
No patch
|
| CVE-2026-33109 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential. | CRITICAL | 9.9 | 0.1% | 55 |
|
| CVE-2026-33453 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's cam | CRITICAL | 10.0 | 0.5% | 51 |
|
| CVE-2026-33844 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code when a user interacts with a malicious payload. CVSS 9.0 (Critical) with scope change indicates container/tenant escape potential. Microsoft released a patch (MSRC update guide), and CVSS temporal metrics confirm remediation available with complete confidence, though no confirmed active exploitation or public POC identified at time of analysis. | CRITICAL | 9.0 | 0.1% | 50 |
|
| CVE-2026-21962 | Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer. | CRITICAL | 10.0 | 0.0% | 50 |
|