125
CVEs
8
Critical
35
High
0
KEV
6
PoC
3
Unpatched C/H
92.8%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
8
HIGH
35
MEDIUM
80
LOW
1
Monthly CVE Trend
Affected Products (30)
Iphone Os
2907
macOS
1894
Mac Os X
1833
Tvos
1491
Ipados
1334
Watchos
1302
Safari
922
Itunes
589
iOS
556
Ios Xe
464
Icloud
319
Ios Xr
159
Visionos
156
Chrome
132
Debian Linux
95
Webkitgtk
87
Fedora
79
Quicktime
72
Webkit
64
Ipad Os
63
Ubuntu Linux
60
Ios And Ipados
56
Jwt Attack
49
Open Redirect
44
Mac Os X Server
43
Firefox
42
Windows
40
Python
35
Enterprise Linux Workstation
34
Enterprise Linux Server
34
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-48801 | Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation. | HIGH | 8.7 | 0.4% | 64 |
PoC
|
| CVE-2026-52806 | Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation. | CRITICAL | 9.9 | 1.0% | 51 |
|
| CVE-2026-14802 | OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched. | MEDIUM | 5.5 | 1.3% | 49 |
PoC
No patch
|
| CVE-2026-33646 | Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory. | CRITICAL | 9.6 | 0.7% | 49 |
|
| CVE-2026-13843 | Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromi | CRITICAL | 9.6 | 0.2% | 48 |
|
| CVE-2026-53649 | Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical). | CRITICAL | 9.6 | – | 48 |
|
| CVE-2026-55666 | Authentication bypass leading to account takeover in Rocket.Chat affects the Apple Sign-In OAuth flow prior to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The handleIdentityToken function in the Apple login handler falls back to trusting an attacker-supplied email value when the Apple-issued JWT omits an email claim, so a remote unauthenticated attacker can forge an email-less Apple JWT and log in as any victim by their email address. No public exploit is identified at time of analysis, but the CVSS 4.0 base score of 9.3 (critical) and trivial exploitation conditions make this a high priority for any instance with Apple login enabled. | CRITICAL | 9.3 | 0.3% | 47 |
|
| CVE-2026-55954 | Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided. | CRITICAL | 9.1 | 0.4% | 46 |
|
| CVE-2026-39868 | Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app. | CRITICAL | 9.1 | 0.2% | 46 |
|
| CVE-2026-52811 | Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists. | CRITICAL | 9.0 | 0.5% | 45 |
|
| CVE-2026-43715 | Memory corruption in Apple's WebKit browser engine (Safari and the system WebView on iOS, iPadOS, and macOS before 26.5.2) allows a remote attacker to corrupt process memory when a victim loads maliciously crafted web content. The flaw is a use-after-free (CWE-416) and carries a CVSS 8.8 with required user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Apple reported and patched it in coordinated releases on 2026 advisories. | HIGH | 8.8 | 0.4% | 44 |
|
| CVE-2026-43705 | Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a victim to maliciously crafted web content, affecting Safari, iOS/iPadOS, and macOS before version 26.5.2. The flaw (CWE-843) is network-reachable but requires user interaction (visiting a page), and no public exploit has been identified at time of analysis. Apple has shipped patches across Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2. | HIGH | 8.8 | 0.3% | 44 |
|
| CVE-2026-14067 | Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML | HIGH | 8.8 | 0.3% | 44 |
|
| CVE-2026-13915 | Heap corruption in Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a user through specific in-page UI gestures on a crafted HTML page trigger a use-after-free (CWE-416), potentially leading to arbitrary code execution in the renderer. Rated Medium by the Chromium security team but scored CVSS 8.8 due to full confidentiality/integrity/availability impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.21% (11th percentile), consistent with a freshly patched browser bug that has no known weaponization. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-13918 | Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a | HIGH | 8.8 | 0.2% | 44 |
|