| Metric | Value |
|---|---|
| CVEs | 169 |
| Critical | 24 |
| High | 76 |
| KEV (known exploited) | 0 |
| PoC (public exploit) | 2 |
| Unpatched (Critical/High) | 64 |
| Patch Rate | 46.7% |
| Avg EPSS | 0.1% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 24 |
| HIGH | 76 |
| MEDIUM | 60 |
| LOW | 6 |
Monthly CVE Trend (chart; no data points captured in this extract)
Affected Products (30)

| Product or weakness class | CVE count |
|---|---|
| Windows | 1267 |
| Windows Server 2025 | 720 |
| Windows Server 2022 | 714 |
| Windows Server 2022 23h2 | 713 |
| Windows Server 2019 | 687 |
| Windows 11 23h2 | 662 |
| Windows 11 24h2 | 649 |
| Windows 10 22h2 | 636 |
| Windows 10 21h2 | 634 |
| Windows 10 1809 | 607 |
| Windows Server 2016 | 602 |
| Windows 10 1607 | 522 |
| Windows 11 22h2 | 497 |
| Windows Server 2012 | 486 |
| Windows 10 1507 | 378 |
| Windows Server 2008 | 367 |
| Memory Corruption | 195 |
| Use After Free | 187 |
| Windows 11 25h2 | 177 |
| Heap Overflow | 164 |
| Office Long Term Servicing Channel | 137 |
| 365 Apps | 137 |
| Office | 130 |
| Race Condition | 84 |
| Excel | 52 |
| Chrome | 51 |
| Office Online Server | 49 |
| Command Injection | 47 |
| Sharepoint Server | 43 |
| macOS | 42 |
Top Risky CVEs

| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-39912 | Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover, including admin accounts. When login_with_mail_link_enable is active, an attacker POSTs a known email address to the loginWithMailLink endpoint and receives the full login URL in the HTTP response rather than only by email. The token extracted from that URL is exchanged at token2Login for a valid bearer token granting complete account access. Public exploit code exists. CVSS 9.1 reflects a network-reachable attack with no privileges or user interaction required. | CRITICAL | 9.1 | 0.1% | 66 | PoC |
| CVE-2017-20218 | Serviio PRO 1.8 and earlier contain an unquoted service path combined with insecure directory permissions, allowing a local authenticated user to plant an executable that the service launches as SYSTEM. Multiple public proof-of-concept exploits exist and no vendor patch is available; quoting the service ImagePath and restricting write access to the install directory removes the condition. CVSS 7.8. | HIGH | 7.8 | 0.0% | 59 | PoC, No patch |
| CVE-2026-30302 | CodeRider-Kilo's command auto-approval module validates commands with a Unix-style shell-quote parser but runs them through Windows CMD, which uses ^ as its escape character. A payload such as `git log ^" & malicious_command ^"` is read by the validator as a single quoted argument to an allowlisted git log command, while CMD resolves ^" to a literal quote and treats the unquoted & as a command separator, so the trailing command executes. The result is a bypass of the Git command whitelist and arbitrary remote code execution. No public exploit code or active exploitation confirmed at time of analysis. | CRITICAL | 10.0 | 0.4% | 50 | No patch |
| CVE-2026-32169 | Azure Cloud Shell contains a server-side request forgery vulnerability that allows an unauthenticated remote attacker to elevate privileges over the network without user interaction. CVSS 10.0; no patch is currently available. | CRITICAL | 10.0 | 0.1% | 50 | No patch |
| CVE-2026-32186 | Microsoft Bing contains an SSRF vulnerability that allows elevation of privilege through improperly validated requests: the application can be induced to issue unintended requests to internal or external resources, bypassing access controls. Reported as affecting all versions; a vendor-released patch is available. | CRITICAL | 10.0 | 0.1% | 50 | none |
| CVE-2026-33054 | Path traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems. | CRITICAL | 10.0 | 0.1% | 50 | none |
| CVE-2026-32213 | Azure AI Foundry improper authorization permits unauthenticated remote attackers to escalate privileges, with high impact to confidentiality, integrity, and availability. The CVSS 10.0 vector is network-based, low complexity, no privileges or user interaction, with scope change (impact extends beyond the vulnerable component). Not listed in KEV and no public exploit identified at time of analysis, but an authorization bypass in a hosted AI platform warrants treating it as severe. | CRITICAL | 10.0 | 0.1% | 50 | No patch |
| CVE-2026-33105 | Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over the network, with critical impact across confidentiality, integrity, and availability. CVSS 10.0: network-accessible, no authentication, low complexity, scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis; the authentication-bypass nature and maximum severity still warrant immediate priority. | CRITICAL | 10.0 | 0.1% | 50 | No patch |
| CVE-2026-33107 | Server-side request forgery in Azure Databricks enables unauthenticated remote attackers to achieve full privilege escalation with critical impact across confidentiality, integrity, and availability. CVSS 10.0 with network attack vector, low complexity, and scope change, so impact extends beyond the Databricks component itself. No public exploit or active exploitation confirmed at time of analysis; the low attack complexity suggests exploitation is straightforward once the attack surface is identified. | CRITICAL | 10.0 | 0.1% | 50 | No patch |
| CVE-2026-4606 | GV Edge Recording Manager (ERM) v2.3.1 runs its Windows service under the LocalSystem account and spawns child processes, including file dialogs opened during operations such as data import, with those SYSTEM privileges; any local user can use such a dialog to escalate and gain full control of the operating system. This is a local privilege escalation, so the listed CVSS 10.0 is inconsistent with a local attack vector and should be checked against the vendor advisory; real-world risk remains high given the ease of exploitation. | CRITICAL | 10.0 | 0.0% | 50 | No patch |
| CVE-2026-34838 | Remote code execution in Group-Office enterprise CRM via insecure deserialization allows an authenticated attacker to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across the product branches; upgrading to those releases is the remediation despite the unpatched flag in the Signals column. CVSS 9.9, network attack vector, requiring only low-privileged authentication. No public exploit identified at time of analysis, though the GitHub Security Advisory gives enough technical detail to build one. Authenticated remote access, low complexity, and direct RCE make this a patching priority for exposed installations. | CRITICAL | 9.9 | 0.5% | 50 | No patch |
| CVE-2026-26137 | Microsoft 365 Copilot Business Chat contains an SSRF vulnerability that allows an authenticated user to escalate privileges across network boundaries: an attacker with valid credentials can reach or manipulate resources beyond their intended authorization. No patch is currently available, which makes this a significant risk for organizations using the service. | CRITICAL | 9.9 | 0.1% | 50 | No patch |
| CVE-2026-30303 | Command injection in the command auto-approval module of Axon Code (CVSS 9.8). Critical severity with potential for significant impact on affected systems. | CRITICAL | 9.8 | 0.3% | 49 | No patch |
| CVE-2026-32191 | OS command injection in Microsoft Bing Images allows unauthenticated remote attackers to execute arbitrary commands, with high impact to confidentiality, integrity, and availability. CVSS 9.8 with no user interaction required. Bing Images is a Microsoft-hosted service, so remediation is on Microsoft's side rather than through customer patching. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2026-32194 | Command injection in Microsoft Bing Images, stemming from improper neutralization of special characters in user-supplied input, allows unauthenticated remote attackers to execute arbitrary commands without user interaction. CVSS 9.8 with no privileges required. | CRITICAL | 9.8 | 0.1% | 49 | none |
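The CVE-2026-39912 row describes a magic-link login that hands the login URL back to the HTTP caller. The following is an added illustration of that flaw and its fix, written for this page; it is not V2Board or Xboard code. The method names loginWithMailLink and token2Login mirror the endpoint names in the advisory, while the URL shape, the response body layout, the token lifetime and the account list are assumptions.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime of a mail-link token


class MailLinkLogin:
    """Toy model of a mail-link login flow (not the real panel's code)."""

    def __init__(self, users):
        self.users = set(users)   # constructed list of known account emails
        self.pending = {}         # link token -> (email, expiry timestamp)
        self.outbox = []          # (email, url) pairs "delivered" by mail
        self.sessions = {}        # bearer token -> email

    def _issue_link(self, email):
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, time.time() + TOKEN_TTL_SECONDS)
        return f"https://panel.example/#/login?verify={token}"  # hypothetical URL shape

    def login_with_mail_link_leaky(self, email):
        """Vulnerable pattern: the login URL is also placed in the HTTP response,
        so anyone who knows the email address gets the victim's login link."""
        if email not in self.users:
            return {"status": "error", "data": None}
        url = self._issue_link(email)
        self.outbox.append((email, url))
        return {"status": "success", "data": url}   # <-- the leak

    def login_with_mail_link_fixed(self, email):
        """Fixed pattern: the link travels only to the mailbox, and the response
        is identical whether or not the address exists (no enumeration)."""
        if email in self.users:
            self.outbox.append((email, self._issue_link(email)))
        return {"status": "success", "data": True}

    def token2login(self, token):
        """Exchange a link token for a bearer token. Single-use and time-bound."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        email, expiry = entry
        if time.time() > expiry:
            return None
        bearer = secrets.token_urlsafe(32)
        self.sessions[bearer] = email
        return bearer


def _token_from_url(url):
    return url.split("verify=")[-1]


def attacker_takeover(service, handler, victim_email):
    """The attacker only sees HTTP responses, never the victim's mailbox.
    Returns a bearer token on success, None if the response carried no link."""
    resp = handler(victim_email)
    if not isinstance(resp.get("data"), str):
        return None
    return service.token2login(_token_from_url(resp["data"]))


def legitimate_login(service, email):
    """The real user reads the link from their mailbox and redeems it."""
    service.login_with_mail_link_fixed(email)
    mail_to, url = service.outbox[-1]
    assert mail_to == email
    return service.token2login(_token_from_url(url))


if __name__ == "__main__":
    svc = MailLinkLogin(["admin@example.com"])
    print("leaky handler, attacker session:",
          attacker_takeover(svc, svc.login_with_mail_link_leaky, "admin@example.com"))
    print("fixed handler, attacker session:",
          attacker_takeover(svc, svc.login_with_mail_link_fixed, "admin@example.com"))
```

The check to run against any magic-link implementation is the one attacker_takeover encodes: request a link for an address you do not control and confirm the response body contains nothing that token2login would accept. The fixed handler also returns the same body for unknown addresses, so the endpoint cannot be used to enumerate accounts.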
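The CVE-2017-20218 row is an unquoted service path. When a service ImagePath containing spaces is not quoted, Windows resolves the executable by trying each space-delimited prefix in turn, appending .exe where the prefix has no extension, so a writable location earlier in the path lets a local user plant a binary that the service starts as SYSTEM. The following added example enumerates those candidate paths from ImagePath strings; it is written for this page, not taken from Serviio or any scanner. The service names and paths in SERVICES are constructed and are not Serviio's real install layout.

```python
def _has_extension(path):
    """True if the last path component carries an extension (has a dot)."""
    last = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." in last


def unquoted_search_paths(image_path):
    """Return the executables Windows tries, in order, for an unquoted ImagePath.

    CreateProcess splits an unquoted command line at each space and tests the
    prefix as a program name, appending .exe when the prefix has no extension.
    Quoted paths and paths without spaces return [].
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    tokens = path.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            tried.append(prefix)
            break                     # the intended binary; the rest are arguments
        tried.append(prefix if _has_extension(prefix) else prefix + ".exe")
    return tried


def hijack_points(image_path):
    """Candidates tried before the intended binary: each is a planting spot if
    its parent directory is writable. If no token ends in .exe the search is
    ambiguous and every candidate counts."""
    tried = unquoted_search_paths(image_path)
    if tried and tried[-1].lower().endswith(".exe") and " " not in tried[-1].rsplit("\\", 1)[-1]:
        return tried[:-1]
    return tried


def audit(services):
    """Map service name -> hijack candidates, omitting services with none."""
    result = {}
    for name, image_path in services.items():
        points = hijack_points(image_path)
        if points:
            result[name] = points
    return result


# Constructed sample of ImagePath values, as you would collect from
# `sc qc <name>` or the registry; not a real host's data.
SERVICES = {
    "ServiioService": r"C:\Program Files\Serviio Media Server\bin\ServiioService.exe -start",
    "wuauserv": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    "QuotedApp": r'"C:\Program Files\Quoted App\svc.exe" -run',
}

if __name__ == "__main__":
    for name, points in audit(SERVICES).items():
        print(name)
        for p in points:
            print("   would be tried first:", p)
```

Finding a candidate is only half the condition the advisory describes; the other half is a directory ACL that lets a low-privileged user create the file (for example C:\Program Files\Serviio.exe requires write access to C:\Program Files). On a real host, check each candidate's parent directory with icacls before treating it as exploitable, and fix by quoting the ImagePath.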
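The CVE-2026-30302 row comes down to validating a command with one parser and executing it with another. The added example below, written for this page and not taken from CodeRider-Kilo, reproduces the mismatch: shlex stands in for the Unix-style shell-quote parser, a small tokenizer implements the two cmd.exe rules that matter (^ escapes the next character, so ^" is a literal quote that opens no quoted span; an unquoted & or | separates commands), and the allowlist of git subcommands is a hypothetical policy, not the project's real one.

```python
import shlex

# Hypothetical allowlist of (program, subcommand) prefixes; not the project's own.
ALLOWED = {("git", "log"), ("git", "status"), ("git", "diff")}
UNIX_SEPARATORS = {"&", "&&", "|", "||", ";"}


def unix_style_commands(cmdline):
    """What a validator built on a POSIX shell-quote parser sees.

    shlex treats ^ as an ordinary character and "..." as a quoted span, so a
    separator inside quotes never ends a command.
    """
    commands, current = [], []
    for tok in shlex.split(cmdline):
        if tok in UNIX_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def cmd_exe_commands(cmdline):
    """Split the way cmd.exe does: ^ outside quotes escapes the next character
    (a ^" is a literal quote and does not toggle quoting); an unquoted & or |
    is a command separator; ^ inside double quotes is literal. Arguments
    inside each command are then whitespace-split, which is enough to read
    the leading program and subcommand words.
    """
    commands, current, in_quotes = [], [], False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "^" and not in_quotes:
            if i + 1 < n:
                current.append(cmdline[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in "&|" and not in_quotes:
            text = "".join(current).strip()
            if text:
                commands.append(text.split())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    text = "".join(current).strip()
    if text:
        commands.append(text.split())
    return commands


def approved(commands):
    """Every command on the line must begin with an allowlisted prefix."""
    return bool(commands) and all(tuple(c[:2]) in ALLOWED for c in commands)


def validator_decision(cmdline):
    """The vulnerable module's view: allowlist checked against shlex tokens."""
    return approved(unix_style_commands(cmdline))


def hardened_decision(cmdline):
    """Check with the same splitting rules as the interpreter that will run it."""
    return approved(cmd_exe_commands(cmdline))


PAYLOAD = 'git log ^" & malicious_command ^"'   # the shape quoted in the advisory

if __name__ == "__main__":
    print("validator sees:", unix_style_commands(PAYLOAD), "->", validator_decision(PAYLOAD))
    print("cmd.exe runs:  ", cmd_exe_commands(PAYLOAD), "->", hardened_decision(PAYLOAD))
```

The general lesson goes beyond the caret: any auto-approval gate must tokenize with the exact rules of the shell that will execute the string, or avoid the shell entirely and invoke the program with an argument vector. The hardened_decision path here still only models cmd.exe's separators and escapes; percent-expansion and the program's own argument parsing are further differences a production gate would have to account for.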