838
CVEs
89
Critical
483
High
7
KEV
26
PoC
93
Unpatched C/H
83.5%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
89
HIGH
483
MEDIUM
241
LOW
17
Monthly CVE Trend
Affected Products (30)
Windows
1243
Windows Server 2025
712
Windows Server 2022
706
Windows Server 2022 23h2
705
Windows Server 2019
680
Windows 11 23h2
654
Windows 11 24h2
641
Windows 10 22h2
628
Windows 10 21h2
626
Windows 10 1809
600
Windows Server 2016
596
Windows 10 1607
516
Windows 11 22h2
496
Windows Server 2012
480
Windows 10 1507
377
Windows Server 2008
364
Windows 11 25h2
169
365 Apps
132
Office Long Term Servicing Channel
132
Office
119
Python
54
PHP
52
Excel
52
Chrome
49
Office Online Server
48
Sharepoint Server
43
macOS
42
Windows 11 21H2
34
Windows 11 26h1
33
Android
31
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-42897 | Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed. | HIGH | 8.1 | 0.2% | 131 |
KEV
PoC
|
| CVE-2026-33825 | Privilege escalation in Microsoft Defender Antimalware Platform versions before 4.18.26030.3011 allows authenticated local attackers to gain elevated system privileges through insufficiently granular access controls. CVSS 7.8 (High) reflects local attack vector requiring low privileges. EPSS score of 0.04% (12th percentile) indicates low probability of widespread exploitation. Microsoft has released a patched version (4.18.26030.3011) addressing the access control deficiency. | HIGH | 7.8 | 0.0% | 129 |
KEV
PoC
|
| CVE-2026-41091 | Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by abusing improper link resolution (CWE-59) before file access. The flaw scores CVSS 7.8 with high impact to confidentiality, integrity, and availability, and no public exploit is identified at time of analysis. Microsoft has released a patch via MSRC, and there is no current CISA KEV listing or EPSS signal indicating active mass exploitation. | HIGH | 7.8 | 12.1% | 126 |
KEV
PoC
|
| CVE-2026-8398 | Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window. | CRITICAL | 9.3 | 0.0% | 117 |
KEV
PoC
|
| CVE-2026-32201 | Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication, allowing attackers to forge communications and deceive users. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, making it a critical operational priority despite the moderate CVSS score of 6.5. | MEDIUM | 6.5 | 1.2% | 109 |
KEV
PoC
|
| CVE-2026-45498 | Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack complexity and no user interaction required. The CVSS 4.0 score reflects limited impact - confidentiality and integrity are unaffected, and availability impact is rated Low. Vendor patch is available via Microsoft Security Response Center; no public exploit identified at time of analysis and no CISA KEV listing. | MEDIUM | 4.0 | 2.3% | 92 |
KEV
PoC
|
| CVE-2026-32202 | Windows Shell protection mechanism failure (CVE-2026-32202) allows remote attackers to perform spoofing attacks over a network without authentication, requiring only user interaction. This low-severity vulnerability affects multiple Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025. While not actively exploited in the wild, vendor patches are available across all affected versions, and the low CVSS score (4.3) reflects limited confidentiality impact and no availability impact despite the network-accessible attack vector. | MEDIUM | 4.3 | 0.1% | 92 |
KEV
PoC
|
| CVE-2026-6722 | Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments. | CRITICAL | 9.5 | 0.3% | 68 |
PoC
|
| CVE-2026-39912 | Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover including admin privileges. When login_with_mail_link_enable is active, attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Tokens extracted from these URLs are exchanged at token2Login for valid bearer tokens granting complete account access. Publicly available exploit code exists. CVSS 9.1 critical severity reflects network-accessible attack with no user interaction required. | CRITICAL | 9.1 | 0.1% | 66 |
PoC
|
| CVE-2026-2673 | OpenSSL and Microsoft products using the 'DEFAULT' keyword in TLS 1.3 key exchange group configurations may negotiate weaker cryptographic groups than intended, allowing network-based attackers to potentially downgrade the security of encrypted connections without authentication or user interaction. This affects servers that combine default group lists with custom configurations, particularly impacting hybrid post-quantum key exchange implementations where clients defer group selection. A patch is available to remediate this high-severity confidentiality risk. | MEDIUM | 6.5 | 0.0% | 63 |
PoC
|
| CVE-2017-20218 | Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions. | HIGH | 8.5 | 0.0% | 63 |
PoC
No patch
|
| CVE-2026-45369 | Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl. | HIGH | 8.3 | 0.0% | 62 |
PoC
|
| CVE-2026-25172 | Remote code execution in Windows Routing and Remote Access Service (RRAS) across Windows Server 2012, 2022, and 2022 23h2 stems from an integer overflow vulnerability that authenticated network attackers can exploit with user interaction. Public exploit code exists for this vulnerability, enabling attackers to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available. | HIGH | 8.0 | 0.1% | 60 |
PoC
|
| CVE-2026-25173 | Remote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow vulnerability exploitable by authenticated network attackers. Public exploit code exists for this vulnerability, enabling authenticated users to execute arbitrary code with high integrity and confidentiality impact. No patch is currently available, making this a critical exposure for affected Windows environments. | HIGH | 8.0 | 0.1% | 60 |
PoC
|
| CVE-2026-26111 | Remote code execution in Windows RRAS across Server 2016, 2022, and 2025 via an integer overflow vulnerability allows authenticated attackers to execute arbitrary code over the network with high privileges. Public exploit code exists for this vulnerability, and no patch is currently available. Authenticated users with network access can trigger the vulnerability through a simple interaction to gain complete system compromise. | HIGH | 8.0 | 0.1% | 60 |
PoC
|