601
CVEs
109
Critical
255
High
1
KEV
43
PoC
80
Unpatched C/H
76.7%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
109
HIGH
255
MEDIUM
207
LOW
22
Monthly CVE Trend
Affected Products (30)
Java
242
Debian Linux
209
Tomcat
185
Http Server
114
Fedora
101
Ubuntu Linux
77
Airflow
74
Struts
60
Superset
58
Traffic Server
52
Camel
49
PHP
47
Ofbiz
46
Cxf
45
Nifi
40
Instantis Enterprisetrack
40
Enterprise Linux Server
37
Enterprise Linux Workstation
36
Enterprise Linux Desktop
36
Openoffice
33
Open Redirect
33
Communications Session Report Manager
32
Solr
32
Inlong
32
Retail Xstore Point Of Service
32
Communications Element Manager
31
Activemq
30
Primavera Unifier
29
Communications Session Route Manager
29
Enterprise Linux Server Aus
28
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34197 | Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec( | HIGH | 8.8 | 0.1% | 129 |
KEV
PoC
|
| CVE-2012-10062 | A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 49.3%. | HIGH | 8.7 | 49.3% | 128 |
PoC
No patch
|
| CVE-2016-15057 | Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life. | CRITICAL | 9.9 | 37.9% | 122 |
PoC
No patch
|
| CVE-2026-27636 | Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration. | HIGH | 8.8 | 0.3% | 79 |
PoC
|
| CVE-2012-10022 | Kloxo versions 6.1.12 and earlier contain two setuid root binaries-lxsuexec and lxrestart-that allow local privilege escalation from uid 48. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 8.5 | 1.4% | 79 |
PoC
No patch
|
| CVE-2026-33453 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's cam | CRITICAL | 10.0 | 0.5% | 71 |
PoC
|
| CVE-2026-33439 | Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue | CRITICAL | 9.3 | 0.1% | 67 |
PoC
|
| CVE-2016-20026 | Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software. | CRITICAL | 9.3 | 0.1% | 67 |
PoC
No patch
|
| CVE-2026-39920 | Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure. | CRITICAL | 9.3 | 0.2% | 66 |
PoC
|
| CVE-2025-51991 | XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 8.8 | 1.9% | 66 |
PoC
No patch
|
| CVE-2026-23552 | Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available. | CRITICAL | 9.1 | 0.0% | 66 |
PoC
|
| CVE-2026-23697 | Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided. | HIGH | 8.7 | 0.8% | 64 |
PoC
No patch
|
| CVE-2026-25747 | Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40473 | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40858 | The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.O | HIGH | 8.8 | 0.1% | 64 |
PoC
|