18
CVEs
2
Critical
10
High
0
KEV
4
PoC
1
Unpatched C/H
94.4%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
2
HIGH
10
MEDIUM
4
LOW
0
Monthly CVE Trend
Affected Products (30)
Ubuntu
991
Linux Kernel
766
Debian Linux
173
Chrome
68
Python
27
Ubuntu Linux
19
PHP
17
Docker
14
Windows
14
Htslib
10
MongoDB
9
Android
9
Lxd
7
Juju
7
Mattermost Server
6
PostgreSQL
6
OpenSSL
6
Redis
6
Streaming Media
5
Django
5
Dpkg
5
Nextcloud
5
Node.js
5
Http Server
5
Open Redirect
4
Rlottie
4
Freshrss
4
Nextcloud Server
4
Java
4
Tomcat
4
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-55229 | Server-side request forgery in Gotenberg v8.33.0 and earlier allows remote unauthenticated attackers to coerce the server into making arbitrary outbound HTTP(S) requests and to disclose local image files by uploading a crafted DOCX to the /forms/libreoffice/convert endpoint. The flaw stems from LibreOffice automatically resolving external and local resources referenced in <img> tags during conversion, exposing internal networks and on-disk image files. Publicly available exploit code exists via the vendor's GHSA-2mrg-35hw-x3x9 advisory, though no CISA KEV listing or EPSS data is available at time of analysis. | HIGH | 7.5 | 0.4% | 58 |
PoC
|
| CVE-2026-48751 | Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. Publicly available exploit code exists (full PoC published in the vendor GHSA advisory); there is no public evidence of active exploitation. | CRITICAL | 9.9 | – | 50 |
PoC
|
| CVE-2026-47846 | Authentication bypass in Bitnami Cassandra container images (4.0.x, 4.1.x, 5.0.x lines) allows remote attackers to access the database as superuser using the built-in cassandra:cassandra credentials, even when operators configure a custom administrator via CASSANDRA_USER. The container init script provisions the new superuser but, in certain scenarios, fails to drop the default account, leaving an unintended privileged login path. No public exploit identified at time of analysis, but the trivially guessable default credentials make discovery and abuse straightforward once the CQL port is reachable. | CRITICAL | 9.8 | 0.3% | 49 |
|
| CVE-2026-12565 | Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images. | MEDIUM | 5.3 | 0.2% | 47 |
PoC
|
| CVE-2026-1609 | Access-control bypass in Keycloak (fixed in 26.5.3) lets a disabled user account still obtain valid tokens through the JWT authorization grant preview feature. When that feature is enabled, Keycloak omits the account-enabled check during JWT authorization grant processing, so a low-privileged remote attacker who can present a valid assertion token from an external identity provider can mint a JWT for an account an administrator has explicitly disabled, regaining access to protected resources. No public exploit identified at time of analysis and it is not listed in CISA KEV. | HIGH | 8.1 | – | 40 |
|
| CVE-2026-52910 | Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream. | HIGH | 7.8 | 0.2% | 39 |
|
| CVE-2026-53005 | Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV. | HIGH | 7.8 | 0.2% | 39 |
|
| CVE-2026-46606 | Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory. | HIGH | 7.8 | 0.2% | 39 |
|
| CVE-2026-3842 | Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis, but multiple distributions (Red Hat, Ubuntu, SUSE, Debian) have shipped fixes. | HIGH | 7.8 | – | 39 |
No patch
|
| CVE-2026-50158 | Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1). | HIGH | 7.7 | – | 38 |
|
| CVE-2026-48863 | Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated package and repository processing by supplying a crafted Ed25519 signature. The flaw is a stack-based buffer overflow (CWE-121) triggered when the EdDSA 's' MPI is copied into a fixed 64-byte stack buffer using an attacker-controlled mismatched length. It affects the libsolv dependency solver embedded in Red Hat Enterprise Linux 7/8/9/10, OpenShift, Satellite, RHUI, openSUSE/SUSE, Ubuntu and Debian; no public exploit identified at time of analysis and it is not in CISA KEV. | HIGH | 7.5 | – | 38 |
|
| CVE-2026-54695 | Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis. | MEDIUM | 6.5 | 0.3% | 33 |
|
| CVE-2026-52961 | In the Linux kernel, the following vulnerability has been resolved: ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size The generi | MEDIUM | 5.5 | 0.2% | 28 |
|
| CVE-2026-47847 | Hardcoded default credentials in Bitnami MariaDB Galera container images and Helm chart expose all default deployments to unauthenticated replication status enumeration over the network. The health-check user `monitor` with password `monitor` is granted REPLICATION CLIENT privileges from any host (`%`), meaning any network-accessible cluster running affected images (10.6.x through 12.3.x) or Helm chart prior to 18.3.0 can be accessed using these publicly known credentials. The Helm chart structurally prevented operators from overriding these credentials at deploy time, making the exposure pervasive across all standard chart-based deployments; no public exploit has been identified and the vulnerability is not in CISA KEV at time of analysis. | MEDIUM | 5.3 | 0.2% | 26 |
|
| CVE-2026-53111 | In the Linux kernel, the following vulnerability has been resolved: bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap | – | 0.2% | 0 |
|