| Metric | Value |
|---|---|
| CVEs | 334 |
| Critical | 26 |
| High | 132 |
| KEV | 0 |
| PoC | 3 |
| Unpatched C/H | 28 |
| Patch Rate | 85.6% |
| Avg EPSS | 0.0% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 26 |
| HIGH | 132 |
| MEDIUM | 162 |
| LOW | 13 |
Monthly CVE Trend
Affected Products (30)

| Product | CVEs |
|---|---|
| macOS | 370 |
| iOS | 210 |
| iPadOS | 79 |
| iPhone OS | 74 |
| Windows | 46 |
| Open Redirect | 32 |
| IOS XE | 31 |
| Android | 31 |
| Safari | 29 |
| visionOS | 26 |
| tvOS | 23 |
| watchOS | 23 |
| Python | 22 |
| Docker | 15 |
| Node.js | 14 |
| IOS XR | 13 |
| PHP | 10 |
| JWT Attack | 7 |
| Chrome | 7 |
| Linux Kernel | 7 |
| Ubuntu | 6 |
| Virtual Appliance Application | 5 |
| Virtual Appliance Host | 5 |
| Mobile Security Framework | 4 |
| Meeting Software Development Kit | 4 |
| Java | 4 |
| Workplace Desktop | 4 |
| PostgreSQL | 3 |
| Video Software Development Kit | 3 |
| Rooms | 3 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-47114 | Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file. | HIGH | 8.6 | 0.2% | 63 | PoC |
| CVE-2026-31852 | Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0. | CRITICAL | 10.0 | 0.1% | 50 | No patch |
| CVE-2026-39842 | Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-28858 | Insufficient bounds checking in Apple iOS and iPadOS 26.4 allows unauthenticated remote attackers to trigger buffer overflow conditions that corrupt kernel memory or cause system crashes without user interaction. This critical vulnerability affects all devices running the affected OS versions and has no available patch. An attacker can exploit this flaw over the network to achieve denial of service or potentially escalate privileges through kernel memory corruption. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-42090 | Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation. | CRITICAL | 9.6 | 0.2% | 48 | |
| CVE-2026-33976 | Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory. | CRITICAL | 9.6 | 0.1% | 48 | |
| CVE-2026-28373 | Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes to the filesystem through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file can enable attackers to overwrite critical system or application files, potentially leading to code execution or application compromise without requiring user interaction beyond opening the malicious export. | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-44211 | The `kanban` npm package (used by the `cline` CLI) starts a WebSocket server on `127.0.0.1:3484` with no Origin header validation. Any web | CRITICAL | 9.6 | – | 48 | No patch |
| CVE-2026-44670 | Remote code execution in SiYuan's Electron desktop application allows authenticated attackers (or browser extensions on localhost) to inject malicious JavaScript through unescaped Attribute View names, escalating from stored XSS to arbitrary system command execution. The Go kernel backend stores AV names without HTML escaping, then embeds them via string replacement into HTML templates pushed over WebSocket. Three TypeScript renderer paths (render.ts, Title.ts, transaction.ts) consume this data using innerHTML/outerHTML without sanitization. Because the Electron main window runs with nodeIntegration:true and contextIsolation:false, script injection grants full Node.js API access—enabling attackers to spawn child processes (calc.exe/xcalc demonstrated in PoC), exfiltrate SSH keys, install backdoors, or pivot to cloud credentials. Payloads persist in JSON files under data/storage/av/, replicate across all sync transports (S3/WebDAV/cloud), survive .sy.zip export-import, and trigger for any user role (Administrator/Editor/Reader/Visitor) opening a document bound to the poisoned database view. CVSS 9.4 (Network/Low/None/High Confidentiality-Integrity-Availability + Scope Changed) reflects worst-case remote network vector, though the primary realistic attack path is via installed browser extensions (chrome-extension:// Origin explicitly allowlisted in session.go:277) calling the /api/transactions endpoint as an auto-granted admin on default installations with no Access Authorization Code. GitHub advisory GHSA-2h64-c999-c9r6 confirms patch available in kernel commit 0.0.0-20260512140701-d7b77d945e0d. No public exploit code identified at time of analysis, but detailed reproduction steps with curl payloads and Electron DevTools inspection are published in the advisory. | CRITICAL | 9.4 | 0.1% | 47 | |
| CVE-2026-44588 | Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory. | CRITICAL | 9.4 | 0.1% | 47 | |
| CVE-2026-33439 | Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue | CRITICAL | 9.3 | 0.1% | 47 | |
| CVE-2026-30797 | Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform. | CRITICAL | 9.3 | 0.1% | 47 | No patch |
| CVE-2026-30790 | Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform. | CRITICAL | 9.3 | 0.0% | 47 | No patch |
| CVE-2026-30789 | Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform. | CRITICAL | 9.3 | 0.0% | 47 | No patch |
| CVE-2026-30793 | Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform. | CRITICAL | 9.3 | 0.0% | 47 | No patch |