384
CVEs
84
Critical
150
High
0
KEV
13
PoC
45
Unpatched C/H
77.3%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
84
HIGH
150
MEDIUM
129
LOW
15
Monthly CVE Trend
Affected Products (30)
Java
242
Debian Linux
209
Tomcat
185
Http Server
114
Fedora
101
Ubuntu Linux
77
Airflow
74
Struts
60
Superset
58
Traffic Server
52
Camel
49
PHP
47
Ofbiz
46
Cxf
45
Instantis Enterprisetrack
40
Nifi
40
Enterprise Linux Server
37
Enterprise Linux Workstation
36
Enterprise Linux Desktop
36
Openoffice
33
Open Redirect
33
Communications Session Report Manager
32
Retail Xstore Point Of Service
32
Solr
32
Inlong
32
Communications Element Manager
31
Activemq
30
Communications Session Route Manager
29
Primavera Unifier
29
Enterprise Linux Server Aus
28
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-33453 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's cam | CRITICAL | 10.0 | 0.5% | 71 |
PoC
|
| CVE-2026-39920 | Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure. | CRITICAL | 9.3 | 0.2% | 66 |
PoC
|
| CVE-2026-23697 | Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided. | HIGH | 8.7 | 0.8% | 64 |
PoC
No patch
|
| CVE-2026-40473 | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40858 | The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.O | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-23918 | Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential. | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-40466 | Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath. | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-23698 | Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archive through the ModuleManager import feature and drop executable PHP files directly into the web-root modules/ directory, yielding a persistent web shell. Because Apache resolves and executes those PHP files before Vtiger's routing layer runs, the resulting shell bypasses the application's authentication entirely and survives independently of the attacker's login session. Publicly available exploit code exists (VulnCheck / Jiva Security), though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV. | HIGH | 8.6 | 0.9% | 64 |
PoC
No patch
|
| CVE-2026-34059 | Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67. | HIGH | 7.5 | 0.1% | 58 |
PoC
|
| CVE-2026-49975 | Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list. | HIGH | 7.5 | 0.0% | 58 |
PoC
|
| CVE-2026-33109 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential. | CRITICAL | 9.9 | 0.1% | 55 |
|
| CVE-2018-25324 | Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 6.9 | 0.0% | 55 |
PoC
No patch
|
| CVE-2026-50229 | Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter. | MEDIUM | 6.1 | 0.2% | 51 |
PoC
|
| CVE-2026-49257 | Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. No public exploit identified at time of analysis, but the trivial reachability and presence of write/DDL tooling make exploitation straightforward once the port is found. | CRITICAL | 10.0 | 0.5% | 50 |
|
| CVE-2026-33844 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code when a user interacts with a malicious payload. CVSS 9.0 (Critical) with scope change indicates container/tenant escape potential. Microsoft released a patch (MSRC update guide), and CVSS temporal metrics confirm remediation available with complete confidence, though no confirmed active exploitation or public POC identified at time of analysis. | CRITICAL | 9.0 | 0.1% | 50 |
|