Summary

- CVEs: 772
- Critical: 52
- High: 399
- KEV: 3
- PoC: 28
- Unpatched C/H: 95
- Patch Rate: 76.0%
- Avg EPSS: 0.0%
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 52 |
| HIGH | 399 |
| MEDIUM | 263 |
| LOW | 55 |
Monthly CVE Trend
Affected Products (30)

| Product | CVEs |
|---|---|
| Android | 685 |
| Chrome | 369 |
| Linux Kernel | 88 |
| Ubuntu | 71 |
| PHP | 55 |
| Windows | 40 |
| Java | 29 |
| Edge Chromium | 25 |
| Docker | 24 |
| Python | 22 |
| Yocto | 21 |
| Openwrt | 20 |
| Debian Linux | 19 |
| macOS | 18 |
| iOS | 16 |
| Open Redirect | 13 |
| Rdk B | 12 |
| Node.js | 12 |
| N A | 8 |
| Software Development Kit | 8 |
| Chrome Os | 7 |
| AI / ML | 7 |
| Edge | 5 |
| Fedora | 5 |
| Kubernetes | 4 |
| Helm Charts | 4 |
| Mobile Security Framework | 4 |
| Zephyr | 4 |
| Xtool Anyscan | 4 |
| Gallery | 4 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 | KEV, PoC |
| CVE-2026-3909 | Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. | HIGH | 8.8 | 0.1% | 119 | KEV, PoC |
| CVE-2026-5281 | Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification. | HIGH | 8.8 | 0.0% | 119 | KEV, PoC |
| CVE-2026-4092 | Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations. | HIGH | 8.7 | 1.0% | 65 | PoC |
| CVE-2026-23233 | F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available. | HIGH | 7.8 | 0.0% | 59 | PoC |
| CVE-2026-2031 | Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication. | CRITICAL | 10.0 | 0.3% | 50 | |
| CVE-2026-40281 | Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links, all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q. | CRITICAL | 10.0 | 0.1% | 50 | |
| CVE-2026-32731 | Path traversal in the ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments. | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-40453 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' | CRITICAL | 9.9 | 0.1% | 50 | |
| CVE-2026-3535 | Remote code execution in the DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects a network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized. | CRITICAL | 9.8 | 0.3% | 49 | No patch |
| CVE-2026-3136 | Improper authorization in the Google Cloud Build GitHub Trigger allowing unauthenticated build execution. EPSS 0.19%. | CRITICAL | 9.8 | 0.2% | 49 | No patch |
| CVE-2026-0110 | Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling. | CRITICAL | 9.8 | 0.2% | 49 | No patch |
| CVE-2026-0111 | Modem OOB write in cell broadcast utilities enabling privilege escalation. | CRITICAL | 9.8 | 0.2% | 49 | No patch |
| CVE-2026-0113 | Modem has a third OOB write in cell broadcast utilities. | CRITICAL | 9.8 | 0.2% | 49 | No patch |
| CVE-2026-0114 | Modem has a fourth OOB write due to an incorrect bounds check. | CRITICAL | 9.8 | 0.2% | 49 | No patch |