319
CVEs
24
Critical
83
High
6
KEV
28
PoC
17
Unpatched C/H
82.4%
Patch Rate
4.2%
Avg EPSS
Severity Breakdown
CRITICAL
24
HIGH
83
MEDIUM
199
LOW
13
Monthly CVE Trend
Affected Products (30)
Debian Linux
43
PHP
30
Fedora
19
Open Redirect
11
Peoplesoft Enterprise Peopletools
10
Application Express
10
Open Social
8
Miniorange 2fa
6
Jd Edwards Enterpriseone Tools
6
Ckeditor
6
Weblogic Server
6
Communications Operations Monitor
5
H300E Firmware
5
Banking Platform
5
H500s Firmware
5
H410c Firmware
5
Agile Plm
5
H500E Firmware
5
Rest Data Services
5
H410s Firmware
5
H700E Firmware
5
Artificial Intelligence
5
Policy Automation
5
H700s Firmware
5
Communications Interactive Session Recorder
5
H300s Firmware
5
Hospitality Materials Control
4
Two Factor Authentication
4
Banking Digital Experience
4
Symfony
4
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2014-3704 | The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.9%. | HIGH | 7.5 | 93.9% | 166 |
PoC
|
| CVE-2016-5385 | PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 81.3%. | HIGH | 8.1 | 81.3% | 142 |
PoC
|
| CVE-2014-9016 | The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.8%. | MEDIUM | 5.0 | 79.8% | 125 |
PoC
|
| CVE-2014-5266 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.3%. | MEDIUM | 5.0 | 76.3% | 121 |
PoC
No patch
|
| CVE-2012-4554 | The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 55.1%. | MEDIUM | 5.0 | 55.1% | 100 |
PoC
|
| CVE-2018-7600 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 100.0% | 84 |
KEV
PoC
|
| CVE-2019-6340 | Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available. | HIGH | 8.1 | 91.9% | 76 |
KEV
PoC
|
| CVE-2020-28949 | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.8 | 84.6% | 74 |
KEV
PoC
|
| CVE-2018-7602 | A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 99.2% | 69 |
KEV
PoC
|
| CVE-2019-10910 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 5.9% | 69 |
PoC
|
| CVE-2020-28948 | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.8 | 47.5% | 59 |
PoC
|
| CVE-2026-0750 | Commerce Paybox versions up to 7.X-1.5. is affected by improper verification of cryptographic signature (CVSS 7.5). | HIGH | 7.5 | 0.0% | 58 |
PoC
No patch
|
| CVE-2020-11022 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available. | MEDIUM | 6.9 | 2.1% | 57 |
PoC
|
| CVE-2026-24478 | AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity. | HIGH | 7.2 | 0.2% | 56 |
PoC
No patch
|
| CVE-2015-6659 | SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 14.5%. | HIGH | 7.5 | 14.5% | 52 |
|