33
CVEs
3
Critical
15
High
0
KEV
5
PoC
10
Unpatched C/H
36.4%
Patch Rate
1.6%
Avg EPSS
Severity Breakdown
CRITICAL
3
HIGH
15
MEDIUM
14
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
8
PHP
4
Virtual Appliance Application
4
Virtual Appliance Host
4
Debian Linux
3
Autopass License Server
3
W1A29A Firmware
2
4Ra86E Firmware
2
W1Y43A Firmware
2
4Ra81E Firmware
2
W1A56A Firmware
2
499N1A Firmware
2
4Ra81Fr Firmware
2
4Ra80A Firmware
2
74T92E Firmware
2
W1A28A Firmware
2
W1A48A Firmware
2
4Ra85V Firmware
2
5Hh52A Firmware
2
499Q6F Firmware
2
W1A66A Firmware
2
499Q6A Firmware
2
499Q3F Firmware
2
4Ra88F Firmware
2
499Q8F Firmware
2
499N5A Firmware
2
499Q3A Firmware
2
7Kw66A Firmware
2
499Q8E Firmware
2
499Q7F Firmware
2
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2024-51978 | Certain devices expose serial numbers via HTTP/HTTPS/IPP and SNMP that can be used to generate the default administrator password. An unauthenticated attacker who discovers the serial number can calculate the admin password and gain full administrative control of the device without brute force. | CRITICAL | 9.8 | 48.3% | 117 |
PoC
No patch
|
| CVE-2026-8631 | Heap-based integer overflow in the hpcups component of HP Linux Imaging and Printing Software (HPLIP) allows attackers to achieve arbitrary code execution and/or privilege escalation by submitting crafted print data. The CVSS 4.0 base score of 9.3 reflects network-reachable exploitation against the printing subsystem with no authentication or user interaction required, though no public exploit identified at time of analysis and the issue has not been added to CISA KEV. | CRITICAL | 9.3 | 0.0% | 47 |
|
| CVE-2026-4682 | Certain HP DeskJet All in One devices may be vulnerable to remote code execution caused by a buffer overflow when specially crafted Web Services for D | HIGH | 8.7 | 0.0% | 44 |
No patch
|
| CVE-2026-8632 | Local privilege escalation in HP Linux Imaging and Printing Software (HPLIP) allows authenticated low-privileged users to execute arbitrary OS commands via command injection, potentially gaining elevated privileges on affected Linux hosts. The CVSS 4.0 score of 8.5 reflects high impact to confidentiality, integrity, and availability with low attack complexity, and no public exploit identified at time of analysis. The vulnerability is reported directly by HP PSIRT under advisory hpsbpi04118. | HIGH | 8.5 | 0.1% | 43 |
|
| CVE-2024-51768 | CVE-2024-51768 is a remote code execution vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17, stemming from unsafe deserialization in the embedded HSQLDB database library. An authenticated attacker with local network access can execute arbitrary code with the privileges of the APLS service, potentially leading to complete system compromise. The vulnerability has a CVSS score of 8.0 and represents a significant risk to organizations using affected APLS versions, particularly given the authentication requirement is modest (PR:L) and the attack complexity is low. | HIGH | 8.0 | 0.4% | 40 |
|
| CVE-2025-43026 | Local privilege escalation vulnerability in HP Support Assistant versions before 9.44.18.0 that allows a local attacker with limited user privileges to write arbitrary files and escalate to higher privilege levels without user interaction. The vulnerability carries a CVSS score of 7.8 (high severity) and exploits improper file permission handling in the support application; while KEV status and active exploitation data are not provided in the source material, the low attack complexity and local attack vector suggest this is a realistic threat for systems running vulnerable versions. | HIGH | 7.8 | 0.0% | 39 |
No patch
|
| CVE-2024-51982 | CVE-2024-51982 is a denial-of-service vulnerability affecting network-connected printers and multifunction devices that expose the Printer Job Language (PJL) interface on TCP port 9100. An unauthenticated remote attacker can send a malformed PJL command with an invalid FORMLINES variable to crash the device repeatedly, causing service disruption without authentication or user interaction. The CVSS 7.5 score reflects the high availability impact, and while specific KEV/POC data was not provided in the source material, the straightforward nature of the exploit (malformed input causing crash) suggests practical exploitability. | HIGH | 7.5 | 0.6% | 38 |
No patch
|
| CVE-2024-51769 | CVE-2024-51769 is an information disclosure vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17 that allows unauthenticated network attackers to access sensitive information without requiring user interaction. The vulnerability has a CVSS 3.1 score of 7.5 with a high confidentiality impact (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), making it a significant risk for organizations relying on APLS for license management across their HPE infrastructure. | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2024-51770 | CVE-2024-51770 is an information disclosure vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17 that allows unauthenticated remote attackers to access sensitive information over the network. The vulnerability has a CVSS score of 7.5 with high confidentiality impact, enabling attackers to extract confidential data without requiring authentication, special privileges, or user interaction. The network-accessible nature of this information disclosure makes it a significant risk for organizations running vulnerable APLS versions. | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2025-37165 | router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor is affected by information exposure (CVSS 7.5). | HIGH | 7.5 | 0.0% | 38 |
No patch
|
| CVE-2024-5477 | A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information. Rated high severity (CVSS 7.3), this vulnerability is no authentication required. No vendor patch available. | HIGH | 7.3 | 0.0% | 37 |
No patch
|
| CVE-2026-4667 | HP System Optimizer might potentially be vulnerable to escalation of privilege. HP is releasing an update to mitigate this potential vulnerability. | HIGH | 7.3 | 0.0% | 37 |
|
| CVE-2025-37091 | Command injection remote code execution vulnerability in HPE StoreOnce Software that allows authenticated attackers with high privileges to execute arbitrary commands on affected systems. The vulnerability has a CVSS score of 7.2 (high severity) and requires authenticated access but no user interaction. Given the command injection nature (CWE-77) and network attack vector, this poses significant risk to organizations running vulnerable HPE StoreOnce deployments, particularly if KEV status or active exploitation is confirmed. | HIGH | 7.2 | 0.4% | 36 |
|
| CVE-2025-71101 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2026-3291 | Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mob | MEDIUM | 6.9 | 0.0% | 35 |
No patch
|