| Metric | Value |
|---|---|
| CVEs | 998 |
| Critical | 61 |
| High | 508 |
| KEV | 6 |
| PoC | 34 |
| Unpatched Critical/High | 144 |
| Patch Rate | 70.9% |
| Avg EPSS | 0.0% |
Severity Breakdown
| Severity | Count |
|---|---|
| CRITICAL | 61 |
| HIGH | 508 |
| MEDIUM | 350 |
| LOW | 64 |
Monthly CVE Trend (chart; monthly counts not captured in this extract)
Affected Products (30)
| Product | CVEs |
|---|---|
| Android | 685 |
| Chrome | 369 |
| Linux Kernel | 88 |
| Ubuntu | 71 |
| PHP | 55 |
| Windows | 40 |
| Java | 29 |
| Edge Chromium | 25 |
| Docker | 24 |
| Python | 22 |
| Yocto | 21 |
| OpenWrt | 20 |
| Debian Linux | 19 |
| macOS | 18 |
| iOS | 16 |
| Open Redirect | 13 |
| RDK-B | 12 |
| Node.js | 12 |
| N/A | 8 |
| Software Development Kit | 8 |
| Chrome OS | 7 |
| AI / ML | 7 |
| Edge | 5 |
| Fedora | 5 |
| Kubernetes | 4 |
| Helm Charts | 4 |
| Mobile Security Framework | 4 |
| Zephyr | 4 |
| Xtool Anyscan | 4 |
| Gallery | 4 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVSS 8.8) that lets a remote attacker execute arbitrary code within the browser sandbox via a crafted HTML page. KEV-listed with a public PoC; it affects all Chromium-based browsers and enables drive-by exploitation from any web page carrying malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 | KEV, PoC |
| CVE-2026-3909 | Chrome's Skia graphics library contains an out-of-bounds write (CVSS 8.8) that lets a remote attacker corrupt memory via a crafted HTML page. KEV-listed with a public PoC and patches available; because Skia is the core rendering engine, all Chromium-based browsers are affected. | HIGH | 8.8 | 0.1% | 119 | KEV, PoC |
| CVE-2026-5281 | A use-after-free in Chrome's Dawn graphics component, fixed in 146.0.7680.178, lets an attacker who has already compromised the renderer process execute arbitrary code via a crafted HTML page. The prior-renderer-compromise precondition means this bug is a second stage chained after an initial renderer exploit rather than a standalone entry point; Chromium rates it High. | HIGH | 8.8 | 0.0% | 119 | KEV, PoC |
| CVE-2026-2441 | Chrome's CSS engine contains a use-after-free (CVSS 8.8) that lets a remote attacker execute arbitrary code within the browser sandbox via a crafted HTML page. KEV-listed with a public PoC; drive-by exploitation is possible when a user visits a malicious or compromised site. | HIGH | 8.8 | 0.1% | 114 | KEV, PoC |
| CVE-2025-48572 | Android contains a missing-authentication flaw (CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, giving local privilege escalation without user interaction. KEV-listed; a malicious app can perform privileged operations silently in the background, bypassing Android's activity launch restrictions. | HIGH | 7.8 | 0.2% | 89 | KEV, No patch |
| CVE-2025-48633 | Security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available. | MEDIUM | 5.5 | 0.2% | 78 | KEV |
| CVE-2026-4092 | Clasp versions below 3.2.0 allow unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects whose specially crafted filenames exploit a path traversal weakness. Public exploit code exists and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations. | HIGH | 8.7 | 1.0% | 65 | PoC |
| CVE-2026-23233 | F2FS swapfile memory corruption in Linux kernel 6.6+ allows a local attacker with user privileges to cause data corruption through improper physical block mapping when a fragmented swapfile is smaller than the F2FS section size. Public exploit code exists; triggering it can produce dm-verity corruption errors or F2FS node corruption, leading to system crashes and data loss. No patch is currently available. | HIGH | 7.8 | 0.0% | 59 | PoC |
| CVE-2025-63896 | An issue in the Bluetooth Human Interface Device (HID) handling of the JXL 9 Inch Car Android Double Din Player (Android v12.0) allows an attacker to inject arbitrary keystrokes via a spoofed Bluetooth HID device. | HIGH | 7.6 | 0.0% | 58 | PoC, No patch |
| CVE-2025-36911 | Android (affected version range not given) contains a vulnerability that allows remote (proximal/adjacent) attackers to obtain information disclosure of a user's conversations and lo (CVSS 7.1). | HIGH | 7.1 | 0.0% | 56 | PoC, No patch |
| CVE-2026-2031 | Remote code execution in Google Cloud Application Integration: internal API endpoints were inadvertently exposed to external networks with improper access controls, allowing unauthenticated attackers to reach them and execute arbitrary code. With a CVSS 4.0 score of 10.0, this is a critical risk allowing both information disclosure and full system compromise without authentication. | CRITICAL | 10.0 | 0.3% | 50 | |
| CVE-2026-40281 | Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. It bypasses an incomplete fix in v8.30.1 that sanitized only metadata keys and left values unvalidated, enabling injection of ExifTool pseudo-tags such as -FileName, -Directory, -SymLink and -HardLink through the /forms/pdfengines/metadata/write endpoint. An attacker can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks as read/write primitives, and persist data via hard links, all without authentication against default configurations. Vendor-released patch: version 8.31.0. The CVSS 10.0 rating reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L) and scope change (S:C), which covers container escape scenarios. No public exploit was identified at time of analysis, although complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q. | CRITICAL | 10.0 | 0.1% | 50 | |
| CVE-2025-64231 | Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpr | CRITICAL | 9.9 | 0.1% | 50 | No patch |
| CVE-2026-32731 | Path traversal in the ApostropheCMS import-export module allows authenticated users with content-modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can overwrite arbitrary files on the system (CVSS 9.9, critical). No patch is currently available; Node.js environments are affected. | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-40453 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' | CRITICAL | 9.9 | 0.1% | 50 | |
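The Gotenberg row above describes the mechanism of CVE-2026-40281 only in prose: a newline embedded in a metadata value turns into an extra ExifTool argument, and a fix that checks only keys does not stop it. The following is an added example, not Gotenberg's or ExifTool's own code. It assumes the PDF engine drives ExifTool in -stay_open mode, where ExifTool reads its arguments from an args file one argument per line (documented ExifTool behaviour); the function names, the pseudo-tag list and the sample metadata are illustrative.

```python
# Added example (not Gotenberg's or ExifTool's code): models the argument
# injection in CVE-2026-40281 and the difference between the incomplete
# keys-only fix and a check that covers values too.
# Assumption: arguments reach ExifTool one per line via an args file
# (-stay_open mode). Names below are illustrative.
import re

# ExifTool pseudo-tags that act on the filesystem instead of the file's metadata.
FILESYSTEM_PSEUDO_TAGS = {"filename", "directory", "symlink", "hardlink", "testname"}


def build_exiftool_args(metadata: dict, target: str) -> list:
    """Vulnerable construction: emit '-Key=Value' per entry, then the target path,
    joined by newlines exactly as an args-file writer would. Returning the split
    lines shows what ExifTool actually parses: a newline inside a *value* becomes
    a brand-new argument."""
    text = "\n".join(f"-{k}={v}" for k, v in metadata.items()) + f"\n{target}\n"
    return [line for line in text.split("\n") if line]


def injected_pseudo_tags(args: list) -> list:
    """List every argument that assigns a filesystem pseudo-tag."""
    hits = []
    for arg in args:
        m = re.match(r"^-([A-Za-z0-9:_-]+)=", arg)
        if m and m.group(1).split(":")[-1].lower() in FILESYSTEM_PSEUDO_TAGS:
            hits.append(arg)
    return hits


def _check_key(k: str) -> None:
    # Plain tag name, optionally group-qualified (e.g. XMP-dc:Title); no control chars.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9:_-]*", k):
        raise ValueError(f"malformed metadata key: {k!r}")
    if k.split(":")[-1].lower() in FILESYSTEM_PSEUDO_TAGS:
        raise ValueError(f"refusing filesystem pseudo-tag as key: {k!r}")


def validate_keys_only(metadata: dict) -> None:
    """The incomplete fix the advisory text describes: keys are checked, values are not."""
    for k in metadata:
        _check_key(k)


def validate_metadata(metadata: dict) -> None:
    """Complete check: keys must be well-formed non-pseudo tags, and neither keys
    nor values may contain line terminators or NUL, so no value can start a new
    argument line."""
    for k, v in metadata.items():
        _check_key(k)
        if re.search(r"[\r\n\x00]", v):
            raise ValueError(f"control character in value for {k!r}: {v!r}")


def raises_value_error(fn, *args) -> bool:
    """Small helper so callers can check rejection as a return value."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a benign-looking Author whose value smuggles -FileName.
    evil = {"Author": "alice\n-FileName=/etc/passwd"}
    args = build_exiftool_args(evil, "/tmp/in.pdf")
    print("args as ExifTool sees them:", args)
    print("injected pseudo-tags:", injected_pseudo_tags(args))
    print("keys-only fix rejects it:", raises_value_error(validate_keys_only, evil))
    print("full validation rejects it:", raises_value_error(validate_metadata, evil))
```

The keys-only validator never sees the `-FileName=` line because it lives inside a value; only the check that rejects `\r`, `\n` and NUL in values (or, better, a transport that never splits on newlines) closes the hole.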
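Two rows above share one root cause: CVE-2026-4092 (Clasp, crafted filenames in an uploaded Apps Script project) and CVE-2026-32731 (ApostropheCMS, archive entries carrying directory traversal sequences). The following is an added example, not Clasp's or ApostropheCMS's code, showing the check that closes that class: resolve every entry or upload name against the destination directory and refuse anything that escapes it. The base directory, the function names and the sample zip archive are constructed for illustration.

```python
# Added example (not Clasp's or ApostropheCMS's code): a traversal-safe
# destination check for archive entries and uploaded filenames, exercised
# against a constructed zip archive. Base directory and names are illustrative.
import io
import os
import posixpath
import re
import zipfile


def safe_dest(base_dir: str, name: str) -> str:
    """Return the absolute path 'name' would be written to under base_dir, or raise
    ValueError if the name is empty, contains NUL, is absolute, or traverses out
    of base_dir (lexically or after symlink resolution)."""
    if not name or "\x00" in name:
        raise ValueError(f"empty or NUL-containing name: {name!r}")
    name = name.replace("\\", "/")  # treat Windows separators as separators too
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise ValueError(f"absolute path not allowed: {name!r}")
    norm = posixpath.normpath(name)  # collapses a/./b and a/x/../b lexically
    if norm == ".." or norm.startswith("../"):
        raise ValueError(f"traversal out of base: {name!r}")
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, norm))
    if os.path.commonpath([base, dest]) != base:  # belt and braces after symlinks
        raise ValueError(f"resolved outside base: {name!r} -> {dest}")
    return dest


def vet_archive(zip_bytes: bytes, base_dir: str) -> tuple:
    """Split archive entries into (accepted, rejected) names without writing anything.
    A real extractor would call safe_dest() per entry and write only to its result."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_dest(base_dir, info.filename)
                accepted.append(info.filename)
            except ValueError:
                rejected.append(info.filename)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign project file and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/Code.gs", "function main() {}")
        zf.writestr("../../etc/cron.d/backdoor", "* * * * * root /tmp/x")
        zf.writestr("project/../../.ssh/authorized_keys", "ssh-ed25519 AAAA")
        zf.writestr("..\\..\\win.ini", "[boot]")
    return buf.getvalue()


def raises_value_error(fn, *args) -> bool:
    """Small helper so callers can check rejection as a return value."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok, bad = vet_archive(build_sample_archive(), "/srv/export")
    print("accepted:", ok)
    print("rejected:", bad)
```

The lexical check on the normalised name catches the `../` forms an attacker puts in an archive or a pushed filename; the `realpath` plus `commonpath` comparison additionally catches escapes through a symlink that already exists under the base directory, which a purely string-based check would miss.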