511
CVEs
101
Critical
210
High
1
KEV
27
PoC
62
Unpatched C/H
78.3%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
101
HIGH
210
MEDIUM
173
LOW
20
Monthly CVE Trend
Affected Products (30)
Java
242
Debian Linux
209
Tomcat
185
Http Server
114
Fedora
101
Ubuntu Linux
77
Airflow
74
Struts
60
Superset
58
Traffic Server
52
Camel
49
PHP
47
Ofbiz
46
Cxf
45
Nifi
40
Instantis Enterprisetrack
40
Enterprise Linux Server
37
Enterprise Linux Workstation
36
Enterprise Linux Desktop
36
Openoffice
33
Open Redirect
33
Communications Session Report Manager
32
Solr
32
Inlong
32
Retail Xstore Point Of Service
32
Communications Element Manager
31
Activemq
30
Primavera Unifier
29
Communications Session Route Manager
29
Enterprise Linux Server Aus
28
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34197 | Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec( | HIGH | 8.8 | 0.1% | 129 |
KEV
PoC
|
| CVE-2016-15057 | Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life. | CRITICAL | 9.9 | 37.9% | 122 |
PoC
No patch
|
| CVE-2026-27636 | Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration. | HIGH | 8.8 | 0.3% | 79 |
PoC
|
| CVE-2026-33453 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's cam | CRITICAL | 10.0 | 0.5% | 71 |
PoC
|
| CVE-2026-33439 | Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue | CRITICAL | 9.3 | 0.1% | 67 |
PoC
|
| CVE-2016-20026 | Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software. | CRITICAL | 9.3 | 0.1% | 67 |
PoC
No patch
|
| CVE-2026-39920 | Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure. | CRITICAL | 9.3 | 0.2% | 66 |
PoC
|
| CVE-2026-23552 | Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available. | CRITICAL | 9.1 | 0.0% | 66 |
PoC
|
| CVE-2026-23697 | Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided. | HIGH | 8.7 | 0.8% | 64 |
PoC
No patch
|
| CVE-2026-25747 | Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40473 | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40858 | The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.O | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-23918 | Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential. | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40466 | Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath. | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2019-25671 | VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 8.7 | 0.4% | 64 |
PoC
No patch
|