| Metric | Value |
|---|---|
| CVEs | 61 |
| Critical | 10 |
| High | 24 |
| KEV | 0 |
| PoC | 3 |
| Unpatched C/H | 1 |
| Patch Rate | 95.1% |
| Avg EPSS | 0.0% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 10 |
| HIGH | 24 |
| MEDIUM | 19 |
| LOW | 3 |
Monthly CVE Trend (chart; data not present in the extracted text)

Affected Products (19) (list; data not present in the extracted text)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-33309 | An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory. | CRITICAL | 9.9 | 0.1% | 70 | PoC |
| CVE-2026-32731 | Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments. | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-40453 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-44257 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.g | CRITICAL | 9.3 | 0.2% | 47 | |
| CVE-2026-41583 | Consensus failure in Zebra nodes before 4.3.1 allows remote attackers to trigger network partitioning by submitting V4 or V5 transactions with invalid sighash hash types. After a refactoring removed critical validation logic from C++ FFI code, Zebra failed to enforce consensus rules restricting hash type values in transparent transaction signatures, creating divergence from zcashd nodes. Attackers can exploit this remotely without authentication (CVSS:4.0 AV:N/AC:L/PR:N) to partition the Zcash network and enable potential double-spend attacks. No public exploit identified at time of analysis, but GitHub advisory (GHSA-8m29-fpq5-89jj) confirms the attack mechanism and vendor-released patches are available. | CRITICAL | 9.3 | 0.0% | 46 | |
| CVE-2026-34177 | Privilege escalation in Canonical LXD 4.12-6.7 allows authenticated remote attackers with VM instance editing rights to bypass project restrictions via incomplete denylist validation. Attackers inject AppArmor rules and QEMU chardev configurations through unblocked raw.apparmor and raw.qemu.conf keys, bridging the LXD Unix socket into guest VMs. Successful exploitation enables escalation to LXD cluster administrator and subsequently to host root access. No public exploit identified at time of analysis. Authenticated remote exploitation (PR:H) with cross-scope impact on confidentiality, integrity, and availability. | CRITICAL | 9.1 | 0.1% | 46 | |
| CVE-2026-34179 | Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing Type field validation in the doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. | CRITICAL | 9.1 | 0.1% | 46 | |
| CVE-2026-34178 | Backup import in Canonical LXD before 6.8 bypasses project security restrictions, enabling privilege escalation to full host compromise. An authenticated remote attacker with instance-creation permission in a restricted project crafts malicious backup archives containing conflicting configuration files: backup/index.yaml passes validation, while backup/container/backup.yaml (never validated) carries forbidden directives like security.privileged=true or raw.lxc commands. Exploiting this dual-file validation gap allows unrestricted container creation that breaks isolation boundaries. No public exploit identified at time of analysis. | CRITICAL | 9.1 | 0.0% | 46 | |
| CVE-2026-33186 | An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data. | CRITICAL | 9.1 | 0.0% | 46 | PoC |
| CVE-2026-45721 | Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua, including shell commands via run3() and os.execute, in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6). | CRITICAL | 9.0 | 0.2% | 45 | |
| CVE-2026-43249 | Double-free memory corruption in the Linux kernel's Xen 9P filesystem driver (9p/xen) allows adjacent network attackers to crash the kernel or potentially execute arbitrary code. The xenwatch thread racing with back-end state changes triggers a use-after-free during teardown in xen_9pfs_front_free(), causing general protection faults. Vendor patches available for mainline 7.0 and stable branches 6.19.6, 6.18.16, and 6.12.75. EPSS score of 0.02% (5th percentile) suggests low exploitation probability in the wild; no public exploit or CISA KEV listing at time of analysis. | HIGH | 8.8 | 0.0% | 44 | |
| CVE-2026-46366 | {id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7. | HIGH | 8.7 | 0.1% | 44 | |
| CVE-2026-22665 | Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hijack profile URLs by creating case-variant usernames (e.g., 'Alice' vs 'alice'). Inconsistent case-handling between write and read operations allows bypass of uniqueness validation, letting attackers inject malicious content on canonical victim profiles. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS:4.0 AC:L) requiring only low-privilege access (PR:L). VulnCheck disclosed this vulnerability with vendor patch released via GitHub commit. | HIGH | 8.6 | 0.0% | 43 | |
| CVE-2026-49238 | Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files on the host filesystem by bypassing the host-side sshfs_server path containment. The flaw lives in the validate_path function (CWE-22 path traversal), which uses naive string prefix matching and accepts dot-dot sequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, though the technical write-up in the GHSA advisory provides enough detail to make exploitation reproducible. | HIGH | 8.4 | – | 42 | |
| CVE-2026-35525 | Path traversal via symlink in the LiquidJS npm package allows authenticated template contributors to read arbitrary filesystem content outside configured template roots. The vulnerability affects applications where untrusted users can influence template directories (uploaded themes, extracted archives, repository-controlled templates). LiquidJS validates template paths using string-based directory containment checks but fails to resolve canonical filesystem paths before file access, enabling symlinks placed within allowed partials/layouts directories to reference external files. Publicly available exploit code exists. No EPSS score available, but impact is limited to information disclosure in specific deployment scenarios requiring attacker filesystem access. | HIGH | 8.2 | 0.1% | 41 | |