| Metric | Value |
|---|---|
| CVEs | 18 |
| Critical | 7 |
| High | 5 |
| KEV | 1 |
| PoC | 1 |
| Unpatched C/H | 6 |
| Patch Rate | 44.4% |
| Avg EPSS | 0.0% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 7 |
| HIGH | 5 |
| MEDIUM | 3 |
| LOW | 0 |
Monthly CVE Trend
Affected Products (23)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-45321 | Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actions exploitation. Attackers combined pull_request_target misconfiguration, Actions cache poisoning, and OIDC token memory extraction to publish malicious code under the legitimate TanStack identity. Installing any affected version executes a 2.3 MB obfuscated payload that exfiltrates AWS/GCP/Kubernetes credentials, npm tokens, GitHub secrets, SSH keys, and HashiCorp Vault tokens over encrypted Session/Oxen messenger infrastructure. The payload propagates by republishing victim-maintained packages with identical injection. Socket.dev and the TanStack team confirmed the incident via GHSA-g7cv-rxg3-hmpx. No EPSS or CISA KEV data available for this recent supply-chain attack. CVSS 9.6 reflects the cross-scope credential theft impact (S:C/C:H/I:H), though exploitation requires user-initiated package installation (UI:R). | CRITICAL | 9.6 | 0.0% | 118 | KEV, PoC |
| CVE-2026-9152 | A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requirin | CRITICAL | 10.0 | 0.1% | 50 | No patch |
| CVE-2026-46412 | Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Confirmed actively exploited during that window via an attacker-controlled npm publish token; clean version 0.1.20 republishes the original 0.1.1 source tree. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and scope change into the install environment. | CRITICAL | 10.0 | – | 50 | No patch |
| CVE-2026-7428 | Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure | CRITICAL | 9.2 | 0.0% | 46 | |
| CVE-2026-47358 | Server-Side Request Forgery in Tenable Terrascan v1.18.3 and prior allows unauthenticated remote attackers to coerce the server into fetching arbitrary URLs, including file:// URIs that enable local file disclosure. The flaw is triggered when Terrascan runs in server mode and parses uploaded ARM or CloudFormation templates whose templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL fields point to attacker-controlled destinations. No public exploit identified at time of analysis, and because Terrascan was archived in August 2023, no patch will ever be released. | CRITICAL | 9.2 | 0.0% | 46 | No patch |
| CVE-2026-47357 | Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change. | CRITICAL | 9.2 | 0.0% | 46 | No patch |
| CVE-2026-46354 | Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published. | CRITICAL | 9.1 | – | 46 | |
| CVE-2026-42278 | Authentication bypass in UltraDAG Core blockchain allows remote unauthenticated attackers to drain all pocket-derived sub-addresses on smart accounts, completely bypassing vault delays and daily spending limits. The StateEngine fails to resolve pocket addresses to their parent account during policy enforcement, treating virtual pocket addresses as unrestricted accounts. Confirmed actively exploited (CISA KEV). Vendor-released patch: commit fb6ef59 resolves pocket-to-parent mapping before all policy checks. EPSS data unavailable but attack vector is network-accessible with no complexity (CVSS 4.0 AV:N/AC:L/PR:N), making this a critical priority for any UltraDAG deployment using smart account pockets. | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2026-7474 | HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerab | HIGH | 8.8 | 0.0% | 44 | |
| CVE-2026-43912 | Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uu | HIGH | 8.7 | 0.0% | 44 | |
| CVE-2026-42602 | A server-side authentication bypass in `azureauthextension` allows any party who holds a single valid Azure access token for *any scope t | HIGH | 8.1 | 0.0% | 41 | No patch |
| CVE-2026-43913 | Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entir | HIGH | 8.1 | 0.0% | 41 | |
| CVE-2026-8052 | HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through | MEDIUM | 6.0 | 0.0% | 30 | |
| CVE-2026-6959 | HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user throu | MEDIUM | 6.0 | 0.0% | 30 | |
| CVE-2026-8903 | Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and including 2.1 enables unauthenticated remote attackers to manipulate the plugin's firewall rules and 2FA configuration - potentially disabling protection entirely - by inducing an authenticated site administrator to click a crafted link. The vulnerable surface is the `ipv_save_changes` function in `admin-settings.php`, which lacks proper nonce validation. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) reflects very low automated exploitation probability, though the downstream security impact of silently disabling 2FA or firewall rules is disproportionate to the raw CVSS score of 4.3. | MEDIUM | 4.3 | 0.0% | 22 | No patch |