Summary
- CVEs: 53
- Critical: 5
- High: 27
- KEV (known exploited): 0
- PoC (public exploit available): 2
- Unpatched Critical/High: 11
- Patch Rate: 73.6%
- Avg EPSS: 0.1%
Severity Breakdown
- CRITICAL: 5
- HIGH: 27
- MEDIUM: 20
- LOW: 1
Monthly CVE Trend
Affected Products (30), with CVE count per tag (the tag cloud mixes product tags with weakness-class tags such as Deserialization and Request Smuggling):

Java (29), Tomcat (28), Deserialization (24), Http Server (15), PHP (12), Superset (11), Ubuntu (11), Apache Tomcat (10), Openoffice (7), Traffic Server (7), Cloudstack (7), Iotdb (7), Camel (6), Integer Overflow (6), Command Injection (6), Windows (6), Request Smuggling (5), Ranger (5), Airflow (5), Nuttx (5), Kubernetes (5), Kylin (5), Docker (4), Ofbiz (4), Use After Free (4), Zeppelin (4), Solr (4), Kvrocks (4), Apache Airflow (4), Hertzbeat (4)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2016-20026 | Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software. | CRITICAL | 9.8 | 0.1% | 69 | PoC; No patch |
| CVE-2026-33502 | An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit. | CRITICAL | 9.3 | 3.0% | 50 | |
| CVE-2026-33439 | Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQueue→TemplatesImpl gadget chain with libraries bundled in OpenAM's WAR file. Vendor-released patch available in version 16.0.6 (GitHub commit 014007c). No public exploit code identified at time of analysis, but a detailed technical writeup with gadget chain specifics has been published. | CRITICAL | 9.3 | 0.1% | 47 | |
| CVE-2026-35573 | Remote code execution in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload malicious files via path traversal in the backup restore functionality, overwriting Apache .htaccess files to execute arbitrary code. The vulnerability exploits unsanitized user input in RestoreJob.php, enabling attackers with high-privilege access to bypass intended upload restrictions. No public exploit identified at time of analysis, though CVSS 9.1 reflects the critical impact of complete system compromise through changed security scope. | CRITICAL | 9.1 | 0.2% | 46 | No patch |
| CVE-2026-29145 | Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23 through 2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects the CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%). | CRITICAL | 9.1 | 0.0% | 46 | |
| CVE-2026-3533 | The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting via malicious SVG and other file types on any server configuration. | HIGH | 8.8 | 0.2% | 44 | No patch |
| CVE-2026-27811 | Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability. | HIGH | 8.8 | 0.2% | 44 | No patch |
| CVE-2025-54920 | This issue affects Apache Spark before 3.5.7 and before 4.0.1. | HIGH | 8.8 | 0.2% | 44 | |
| CVE-2026-34197 | Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0 through 6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(). CVSS 8.8 (High) with network attack vector and low complexity. EPSS score 0.06% (19th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though SSVC assessment confirms total technical impact with non-automatable exploitation. | HIGH | 8.8 | 0.1% | 44 | PoC; No patch |
| CVE-2026-27314 | Apache Cassandra 5.0 through 5.0.6 in mTLS environments using MutualTlsAuthenticator allows authenticated users with only CREATE permission to escalate privileges to superuser via certificate identity manipulation through the ADD IDENTITY command. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with SSVC indicating non-automatable exploitation but total technical impact. Apache released patch version 5.0.7+ addressing this privilege escalation flaw (CWE-267: Privilege Defined With Unsafe Actions). | HIGH | 8.8 | 0.0% | 44 | |
| CVE-2026-34728 | Path traversal and CSRF vulnerability in phpMyFAQ's MediaBrowserController enables remote deletion of critical server files. An authenticated admin account can be driven via CSRF to delete arbitrary files including database configurations, .htaccess files, and application code. The GitHub advisory confirms the vulnerability with a POC demonstration. The attack requires low-privilege authentication (PR:L) and user interaction (UI:R), and achieves high integrity and availability impact with scope change (S:C). No public exploit identified at time of analysis beyond the advisory's POC; patch availability not confirmed from available data. | HIGH | 8.7 | 0.2% | 44 | |
| CVE-2026-28367 | Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High, AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8 through 10. No public exploit identified at time of analysis, though the attack vector is network-accessible and requires no authentication. | HIGH | 8.7 | 0.0% | 44 | No patch |
| CVE-2026-35554 | Buffer use-after-free in the Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and combined confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams. | HIGH | 8.7 | 0.0% | 44 | No patch |
| CVE-2026-33038 | A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit. | HIGH | 8.1 | 0.1% | 41 | |
| CVE-2026-30911 | Security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available. | HIGH | 8.1 | 0.0% | 41 | |
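The table above is only useful if it drives an ordering of work. The following script is an added example, not part of the dashboard or of any of the listed projects: it parses a markdown table in the layout used above (CVE, Summary, Severity, CVSS, EPSS, Priority, Signals) and ranks the rows by an assumed triage order (KEV first, then public PoC, then unpatched, then CVSS, then EPSS). The dashboard's own "Priority" formula is not given on the page, so this ordering is an assumption, as is the `needs_immediate_action` gate; the embedded sample rows are copied from the table with their summaries abbreviated.

```python
"""Triage helper for a CVE dashboard table (added example, not the dashboard's code)."""
import re
from dataclasses import dataclass

# Sample rows copied from the "Top Risky CVEs" table above, summaries abbreviated.
SAMPLE_TABLE = """\
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2016-20026 | Hardcoded credentials in ZKTeco ZKBioSecurity 3.0 bundled Tomcat | CRITICAL | 9.8 | 0.1% | 69 | PoC; No patch |
| CVE-2026-33502 | Unauthenticated SSRF in AVideo Live plugin test.php | CRITICAL | 9.3 | 3.0% | 50 | |
| CVE-2026-29145 | Apache Tomcat CLIENT_CERT authentication bypass | CRITICAL | 9.1 | 0.0% | 46 | |
| CVE-2026-34197 | Apache ActiveMQ Classic RCE via Jolokia addNetworkConnector | HIGH | 8.8 | 0.1% | 44 | PoC; No patch |
| CVE-2026-28367 | Undertow HTTP request smuggling via malformed header terminator | HIGH | 8.7 | 0.0% | 44 | No patch |
"""

# Accepted Signals-column tokens, normalised to internal names.
SIGNAL_TOKENS = {"kev": "kev", "poc": "poc", "no patch": "no_patch", "unpatched": "no_patch"}


@dataclass(frozen=True)
class Finding:
    cve: str
    summary: str
    severity: str
    cvss: float
    epss: float            # probability in [0, 1], e.g. "3.0%" -> 0.03
    priority: int
    signals: frozenset     # subset of {"kev", "poc", "no_patch"}


def parse_epss(text):
    """'3.0%' -> 0.03. Rejects anything that is not a percentage."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*%\s*", text)
    if not m:
        raise ValueError(f"bad EPSS value: {text!r}")
    return float(m.group(1)) / 100.0


def parse_signals(text):
    """'PoC; No patch' -> frozenset({'poc', 'no_patch'}); unknown tokens are an error."""
    tokens = set()
    for raw in re.split(r"[;,]", text):
        key = raw.strip().lower()
        if not key:
            continue
        if key not in SIGNAL_TOKENS:
            raise ValueError(f"unknown signal: {raw!r}")
        tokens.add(SIGNAL_TOKENS[key])
    return frozenset(tokens)


def parse_table(markdown):
    """Parse a 7-column markdown table into Finding objects, skipping header rows."""
    findings = []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "CVE" or set(cells[0]) <= {"-"}:
            continue  # header and separator rows
        if len(cells) != 7:
            raise ValueError(f"expected 7 columns, got {len(cells)}: {line!r}")
        cve, summary, severity, cvss, epss, priority, signals = cells
        if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve):
            raise ValueError(f"bad CVE id: {cve!r}")
        findings.append(Finding(cve, summary, severity.upper(), float(cvss),
                                parse_epss(epss), int(priority), parse_signals(signals)))
    return findings


def triage_key(f):
    """Assumed ordering (lower sorts first): KEV, then PoC, then unpatched, then CVSS, then EPSS.
    This is not the dashboard's Priority formula, which the page does not state."""
    return ("kev" not in f.signals, "poc" not in f.signals, "no_patch" not in f.signals,
            -f.cvss, -f.epss)


def rank(findings):
    return sorted(findings, key=triage_key)


def needs_immediate_action(f):
    """Assumed SLA gate: anything in KEV, anything with a public PoC and no patch,
    or anything critical (CVSS >= 9.0) that is unpatched."""
    if "kev" in f.signals:
        return True
    if "poc" in f.signals and "no_patch" in f.signals:
        return True
    return f.cvss >= 9.0 and "no_patch" in f.signals


if __name__ == "__main__":
    for f in rank(parse_table(SAMPLE_TABLE)):
        flag = "ACT NOW" if needs_immediate_action(f) else "schedule"
        print(f"{f.cve:15} {f.severity:8} CVSS {f.cvss:<4} EPSS {f.epss:.3f} "
              f"{sorted(f.signals)} {flag}")
```

Feed it the full table instead of the sample and the rows with "PoC; No patch" (CVE-2016-20026, CVE-2026-34197) come out on top regardless of their CVSS, which is the point: a public exploit against an unpatched product is worth more attention than a higher base score with no exploit and a fix available. Swap the tuple in `triage_key` if your organisation weights EPSS above CVSS.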