| Metric | Value |
|---|---|
| CVEs | 137 |
| Critical | 7 |
| High | 72 |
| KEV | 0 |
| PoC | 2 |
| Unpatched C/H | 0 |
| Patch Rate | 100.0% |
| Avg EPSS | 0.1% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 7 |
| HIGH | 72 |
| MEDIUM | 24 |
| LOW | 4 |

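Affected Products (30)

| Product | Count |
|---|---|
| Ubuntu | 992 |
| Linux Kernel | 769 |
| Debian Linux | 146 |
| Chrome | 55 |
| Python | 22 |
| Windows | 14 |
| Htslib | 10 |
| PHP | 10 |
| MongoDB | 9 |
| Docker | 8 |
| Android | 8 |
| Juju | 7 |
| Lxd | 7 |
| Mattermost Server | 6 |
| Streaming Media | 5 |
| Http Server | 5 |
| Nextcloud | 5 |
| Django | 5 |
| Redis | 5 |
| Open Redirect | 4 |
| Suricata | 4 |
| Freshrss | 4 |
| Node.js | 4 |
| Enterprise Linux | 4 |
| OpenSSL | 4 |
| Rlottie | 4 |
| Java | 4 |
| Mbed Tls | 4 |
| Nextcloud Server | 4 |
| PostgreSQL | 4 |
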
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-41640 | SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133. | HIGH | 7.5 | 4.2% | 62 | PoC |
| CVE-2026-34156 | Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated low-privilege attackers to escape Node.js vm sandbox and execute arbitrary commands as root inside Docker containers. The vulnerability exploits exposed WritableWorkerStdio stream objects in the sandbox console to traverse the prototype chain, access the host-realm Function constructor, load unrestricted Node.js modules (child_process), and spawn system commands. Confirmed exploited with reverse shell access, database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD), and arbitrary filesystem operations. EPSS data not available; public exploit code exists with detailed proof-of-concept demonstrating root shell access in nocobase/nocobase:latest Docker image. Critical 10.0 CVSS score reflects network-exploitable, low-complexity attack with complete confidentiality, integrity, and availability impact plus scope change (container escape implications). | CRITICAL | 9.9 | 5.2% | 55 | PoC |
| CVE-2026-23428 | Use-after-free in Linux kernel ksmbd SMB server allows local or remote attackers to read freed memory and potentially achieve denial of service or code execution via compound SMB2 requests that reuse a tree connection after it has been disconnected and its associated share_conf structure freed. The vulnerability exists because smb2_get_ksmbd_tcon() bypasses state validation checks when reusing connections in compound requests, enabling subsequent commands to dereference already-freed share_conf pointers. No CVE severity metrics are available, but KASAN confirms memory corruption is triggered in smb2_write operations during tree disconnect sequences. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-23427 | Use-after-free in Linux kernel's ksmbd SMB server allows remote attackers to crash the kernel or potentially execute code via malicious SMB2 DURABLE_REQ_V2 replay operations. The vulnerability occurs when parse_durable_handle_context() unconditionally reassigns file handle connection pointers during replay operations, causing stale pointer dereferences when the reassigned connection is subsequently freed. A KASAN report confirms the use-after-free in spin_lock operations during file descriptor closure, triggered during SMB2 connection handling in the ksmbd-io workqueue. No public exploit code or active exploitation has been confirmed at time of analysis. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-5289 | Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor. | CRITICAL | 9.6 | 0.0% | 48 | |
| CVE-2026-5290 | Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later. | CRITICAL | 9.6 | 0.0% | 48 | |
| CVE-2026-5288 | Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium. | CRITICAL | 9.6 | 0.0% | 48 | |
| CVE-2026-43407 | Integer overflow in Linux kernel's libceph authentication handler enables remote memory corruption and potential system crash against unpatched systems. A malicious Ceph monitor can send a specially crafted CEPH_MSG_AUTH_REPLY message with payload_len exceeding INT_MAX, causing ceph_handle_auth_reply() to underflow a pointer and trigger out-of-bounds memory access. This allows remote unauthenticated attackers to potentially read sensitive kernel memory (high confidentiality impact) or crash the kernel (high availability impact) on systems using Ceph storage. CVSS 9.1 (Critical) reflects network attack vector with no authentication or user interaction required. EPSS score of 0.02% (7th percentile) suggests low observed exploitation likelihood. Vendor patches available for all affected kernel series (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0), but no active exploitation confirmed via CISA KEV. | CRITICAL | 9.1 | 0.0% | 46 | |
| CVE-2026-32748 | Squid proxy versions prior to 7.5 contain use-after-free and premature resource release vulnerabilities in ICP (Internet Cache Protocol) traffic handling that enable reliable, repeatable denial of service attacks. Remote attackers can exploit these memory safety bugs to crash the Squid service by sending specially crafted ICP packets, affecting deployments that have explicitly enabled ICP support via non-zero icp_port configuration. While no CVSS score or EPSS value is currently published, the vulnerability is confirmed by vendor advisory and includes a public patch commit, indicating moderate to high real-world risk for affected deployments. | HIGH | 8.7 | 1.8% | 45 | |
| CVE-2026-4680 | Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later. | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-31962 | HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project. | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-31963 | HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository. | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-4678 | Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users. | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-4674 | Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity. | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-4676 | Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw. | HIGH | 8.8 | 0.1% | 44 | |