HP

Vendor security scorecard – 13 CVEs in the selected period

Summary metrics for the selected period:

Risk score: 30
CVEs: 13
Critical: 1
High: 5
KEV: 0
PoC: 0
Unpatched C/H (Critical/High): 2
Patch rate: 53.8%
Avg EPSS: 0.0%

Severity Breakdown

CRITICAL: 1
HIGH: 5
MEDIUM: 6
LOW: 0

Monthly CVE Trend (chart not reproduced in text)

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals. The summary follows on the indented line.

CVE-2026-8631 | CRITICAL | CVSS 9.3 | EPSS 0.0% | Priority 47
  Heap-based integer overflow in the hpcups component of HP Linux Imaging and Printing Software (HPLIP) allows attackers to achieve arbitrary code execution and/or privilege escalation by submitting crafted print data. The CVSS 4.0 base score of 9.3 reflects network-reachable exploitation against the printing subsystem with no authentication or user interaction required, though no public exploit was identified at the time of analysis and the issue has not been added to CISA KEV.

CVE-2026-4682 | HIGH | CVSS 8.7 | EPSS 0.0% | Priority 44 | No patch
  Certain HP DeskJet All in One devices may be vulnerable to remote code execution caused by a buffer overflow when specially crafted Web Services for D

CVE-2026-8632 | HIGH | CVSS 8.5 | EPSS 0.1% | Priority 43
  Local privilege escalation in HP Linux Imaging and Printing Software (HPLIP) allows authenticated low-privileged users to execute arbitrary OS commands via command injection, potentially gaining elevated privileges on affected Linux hosts. The CVSS 4.0 score of 8.5 reflects high impact to confidentiality, integrity, and availability with low attack complexity, and no public exploit was identified at the time of analysis. The vulnerability is reported directly by HP PSIRT under advisory hpsbpi04118.

CVE-2025-37165 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38 | No patch
  Router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor is affected by information exposure (CVSS 7.5).

CVE-2026-4667 | HIGH | CVSS 7.3 | EPSS 0.0% | Priority 37
  HP System Optimizer might potentially be vulnerable to escalation of privilege. HP is releasing an update to mitigate this potential vulnerability.

CVE-2025-71101 | HIGH | CVSS 7.1 | EPSS 0.0% | Priority 36
  In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing. The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities.

CVE-2026-3291 | MEDIUM | CVSS 6.9 | EPSS 0.0% | Priority 35 | No patch
  Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mob

CVE-2026-1902 | MEDIUM | CVSS 6.4 | EPSS 0.0% | Priority 32 | No patch
  Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.

CVE-2025-71121 | MEDIUM | CVSS 5.5 | EPSS 0.1% | Priority 28
  In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinity on ASP chip. The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations.

CVE-2026-23131 | MEDIUM | CVSS 5.5 | EPSS 0.0% | Priority 28
  The HP BIOS configuration driver in the Linux kernel fails to validate attribute names before kobject registration, causing kernel warnings and potential denial of service when HP BIOS returns empty name strings. A local user with standard privileges can trigger this vulnerability to crash or destabilize the system by supplying malformed BIOS attribute data. No patch is currently available for this medium-severity flaw affecting Linux systems with HP BIOS configuration support.

CVE-2026-1997 | MEDIUM | CVSS 5.3 | EPSS 0.0% | Priority 27 | No patch
  HP OfficeJet Pro printers (D9l18a, D9l20a, D9l21a, D9l63a firmware) are vulnerable to information disclosure through CORS misconfiguration when administrators enable the feature on the Embedded Web Server. An unauthenticated remote attacker can exploit this to access sensitive device resources from untrusted web origins. CORS remains disabled by default as a mitigation, but organizations that have explicitly enabled it should apply patches when available.

CVE-2026-6180 | MEDIUM | CVSS 4.1 | EPSS 0.0% | Priority 21
  Race condition in PaperCut MF badge-swipe processing from HP multifunction devices allows unauthorized user login when custom badge-ID post-processing scripts transform truncated badge strings into valid credentials of different users. The vulnerability requires specific network conditions (dropped packets, out-of-order sequence counters, failed sequence reset notifications) and custom script configuration, affecting physical device authentication in networked printing environments. No public exploit was identified at the time of analysis.

CVE-2026-42626 | – | CVSS 5.9 | EPSS 0.0% | Priority – | No patch
  HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 (JetDirect/RAW printing). An unauth