| Metric | Value |
|---|---|
| CVEs | 1955 |
| Critical | 107 |
| High | 884 |
| KEV | 16 |
| PoC | 136 |
| Unpatched C/H | 382 |
| Patch Rate | 56.3% |
| Avg EPSS | 0.4% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 107 |
| HIGH | 884 |
| MEDIUM | 819 |
| LOW | 126 |

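Affected Products (30)

| Product | Count |
|---|---|
| Android | 685 |
| Chrome | 369 |
| Linux Kernel | 88 |
| Ubuntu | 71 |
| PHP | 55 |
| Windows | 40 |
| Java | 29 |
| Edge Chromium | 25 |
| Docker | 24 |
| Python | 22 |
| Yocto | 21 |
| Openwrt | 20 |
| Debian Linux | 19 |
| macOS | 18 |
| iOS | 16 |
| Open Redirect | 13 |
| Rdk B | 12 |
| Node.js | 12 |
| N A | 8 |
| Software Development Kit | 8 |
| Chrome Os | 7 |
| AI / ML | 7 |
| Edge | 5 |
| Fedora | 5 |
| Kubernetes | 4 |
| Helm Charts | 4 |
| Mobile Security Framework | 4 |
| Zephyr | 4 |
| Xtool Anyscan | 4 |
| Gallery | 4 |
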
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2011-0611 | Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute arbitrary code via malicious SWF content, actively exploited in targeted attacks in April 2011. | HIGH | 8.8 | 93.6% | 218 | KEV, PoC |
| CVE-2011-0609 | Adobe Flash Player 10.2 and earlier across all platforms contain an unspecified vulnerability allowing remote code execution, exploited in the wild via Flash content embedded in Microsoft Office documents and web pages. | HIGH | 7.8 | 92.0% | 211 | KEV, PoC, No patch |
| CVE-2023-32117 | Missing authorization in the Integrate Google Drive WordPress plugin (versions up to and including 1.1.99) lets unauthenticated remote attackers bypass access control checks to reach functionality that should be restricted. EPSS is exceptionally high at 88.16% (99th percentile), indicating strong exploitation likelihood, though no public exploit was identified at time of analysis and the CVE is not on CISA KEV. | CRITICAL | 9.8 | 88.2% | 137 | No patch |
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 | KEV, PoC |
| CVE-2026-3909 | Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. | HIGH | 8.8 | 0.1% | 119 | KEV, PoC |
| CVE-2026-5281 | Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification. | HIGH | 8.8 | 0.0% | 119 | KEV, PoC |
| CVE-2025-5419 | Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling remote heap corruption through crafted HTML pages. KEV-listed with EPSS 3.0% and public PoC, this vulnerability provides both read and write primitives in V8's heap, making it highly reliable for exploitation. | HIGH | 8.8 | 3.0% | 117 | KEV, PoC |
| CVE-2026-2441 | Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. | HIGH | 8.8 | 0.1% | 114 | KEV, PoC |
| CVE-2025-6554 | Chrome's V8 engine contains a type confusion vulnerability (CVE-2025-6554, CVSS 8.1) enabling arbitrary read/write operations through crafted HTML pages. KEV-listed with public PoC, type confusion in V8 is the most reliable class of browser exploitation primitives, providing full memory read/write capability for code execution within the renderer sandbox. | HIGH | 8.1 | 0.5% | 111 | KEV, PoC |
| CVE-2025-13223 | Google Chrome V8 contains a type confusion vulnerability in the JavaScript engine, the second V8 type confusion zero-day in 2025, exploited in targeted attacks. | HIGH | 8.8 | 2.5% | 94 | KEV |
| CVE-2025-48572 | Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions. | HIGH | 7.8 | 0.2% | 89 | KEV, No patch |
| CVE-2025-27038 | Qualcomm Adreno GPU drivers in Chrome contain a use-after-free vulnerability (CVE-2025-27038, CVSS 7.5) enabling memory corruption during graphics rendering. KEV-listed, this vulnerability can be triggered through Chrome on Android devices with Qualcomm chipsets, providing a kernel-level exploitation path from web content. | HIGH | 7.5 | 1.1% | 89 | KEV, No patch |
| CVE-2025-48633 | CVE-2025-48633 is a security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available. | MEDIUM | 5.5 | 0.2% | 78 | KEV |
| CVE-2025-59834 | ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 1.2% | 70 | PoC |
| CVE-2024-12450 | In infiniflow/ragflow version 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 0.3% | 69 | PoC |