665
CVEs
38
Critical
249
High
1
KEV
18
PoC
63
Unpatched C/H
77.3%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
38
HIGH
249
MEDIUM
351
LOW
26
Monthly CVE Trend
Affected Products (30)
Iphone Os
2907
macOS
1894
Mac Os X
1833
Tvos
1491
Ipados
1334
Watchos
1302
Safari
922
Itunes
589
iOS
556
Ios Xe
464
Icloud
319
Ios Xr
159
Visionos
156
Chrome
132
Debian Linux
95
Webkitgtk
87
Fedora
79
Quicktime
72
Webkit
64
Ipad Os
63
Ubuntu Linux
60
Ios And Ipados
56
Jwt Attack
49
Open Redirect
44
Mac Os X Server
43
Firefox
42
Windows
40
Python
35
Enterprise Linux Workstation
34
Enterprise Linux Server
34
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-20700 | Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CVE-2026-20700, CVSS 7.8) that allows attackers with memory write capability to execute arbitrary code at the kernel level. KEV-listed with Apple confirming reports of sophisticated in-the-wild exploitation, this represents an active zero-day targeting the Apple ecosystem at its most fundamental security boundary. | HIGH | 7.8 | 0.4% | 109 |
KEV
PoC
No patch
|
| CVE-2026-33439 | Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue | CRITICAL | 9.3 | 0.1% | 67 |
PoC
|
| CVE-2026-24070 | Native Access on macOS allows local authenticated attackers to inject malicious libraries into the privileged XPC helper process due to overly permissive code signing entitlements, enabling arbitrary code execution with system-level privileges. The vulnerability stems from the application being signed with dyld environment variable and library validation bypass entitlements while communicating with a trusted helper that validates only the signing certificate. Public exploit code exists, and no patch is currently available. | HIGH | 8.8 | 0.0% | 64 |
PoC
No patch
|
| CVE-2026-48801 | Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation. | HIGH | 8.7 | 0.4% | 64 |
PoC
|
| CVE-2021-47973 | Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 8.7 | 0.0% | 64 |
PoC
No patch
|
| CVE-2021-47944 | memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 8.7 | 0.0% | 64 |
PoC
No patch
|
| CVE-2026-47114 | Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file. | HIGH | 8.6 | 0.2% | 63 |
PoC
|
| CVE-2026-30798 | Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-access agent by manipulating heartbeat synchronization traffic, abusing weak authenticity checks in the hbbs_http/sync.rs heartbeat loop to trigger the stop-service handler. Publicly available exploit code exists, but EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis being tracked as actively exploited (not in CISA KEV). | HIGH | 8.2 | 0.0% | 61 |
PoC
No patch
|
| CVE-2026-10557 | Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure. | CRITICAL | 9.3 | 0.0% | 56 |
|
| CVE-2026-52806 | Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation. | CRITICAL | 9.9 | 1.0% | 51 |
|
| CVE-2026-31852 | Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0. | CRITICAL | 10.0 | 0.1% | 50 |
No patch
|
| CVE-2026-39842 | Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c | CRITICAL | 9.9 | 0.1% | 50 |
|
| CVE-2026-23950 | Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction. | MEDIUM | 5.9 | 0.0% | 50 |
PoC
|
| CVE-2026-2634 | Address bar spoofing in Firefox before 148 allows malicious scripts to desynchronize the displayed URL from actual web content before receiving a response, enabling phishing attacks. | CRITICAL | 9.8 | 0.1% | 49 |
No patch
|
| CVE-2026-28858 | Insufficient bounds checking in Apple iOS and iPadOS 26.4 allows unauthenticated remote attackers to trigger buffer overflow conditions that corrupt kernel memory or cause system crashes without user interaction. This critical vulnerability affects all devices running the affected OS versions and has no available patch. An attacker can exploit this flaw over the network to achieve denial of service or potentially escalate privileges through kernel memory corruption. | CRITICAL | 9.8 | 0.0% | 49 |
|