Summary Metrics

| Metric | Value |
|---|---|
| CVEs | 351 |
| Critical | 40 |
| High | 198 |
| KEV | 4 |
| PoC | 13 |
| Unpatched C/H | 26 |
| Patch Rate | 86.0% |
| Avg EPSS | 0.1% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 40 |
| HIGH | 198 |
| MEDIUM | 97 |
| LOW | 9 |
Monthly CVE Trend (chart; data not reproduced in text)
Affected Products (30)

| Product | CVE Count |
|---|---|
| Windows | 1243 |
| Windows Server 2025 | 712 |
| Windows Server 2022 | 706 |
| Windows Server 2022 23h2 | 705 |
| Windows Server 2019 | 680 |
| Windows 11 23h2 | 654 |
| Windows 11 24h2 | 641 |
| Windows 10 22h2 | 628 |
| Windows 10 21h2 | 626 |
| Windows 10 1809 | 600 |
| Windows Server 2016 | 596 |
| Windows 10 1607 | 516 |
| Windows 11 22h2 | 496 |
| Windows Server 2012 | 480 |
| Windows 10 1507 | 377 |
| Windows Server 2008 | 364 |
| Windows 11 25h2 | 169 |
| 365 Apps | 132 |
| Office Long Term Servicing Channel | 132 |
| Office | 119 |
| Python | 54 |
| PHP | 52 |
| Excel | 52 |
| Chrome | 49 |
| Office Online Server | 48 |
| Sharepoint Server | 43 |
| macOS | 42 |
| Windows 11 21H2 | 34 |
| Windows 11 26h1 | 33 |
| Android | 31 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-42897 | Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed. | HIGH | 8.1 | 0.2% | 131 | KEV, PoC |
| CVE-2026-41091 | Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by abusing improper link resolution (CWE-59) before file access. The flaw scores CVSS 7.8 with high impact to confidentiality, integrity, and availability, and no public exploit is identified at time of analysis. Microsoft has released a patch via MSRC, and there is no current CISA KEV listing or EPSS signal indicating active mass exploitation. | HIGH | 7.8 | 12.1% | 126 | KEV, PoC |
| CVE-2026-8398 | Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window. | CRITICAL | 9.3 | 0.0% | 117 | KEV, PoC |
| CVE-2026-45498 | Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack complexity and no user interaction required. The CVSS 4.0 score reflects limited impact: confidentiality and integrity are unaffected, and availability impact is rated Low. Vendor patch is available via Microsoft Security Response Center; no public exploit identified at time of analysis and no CISA KEV listing. | MEDIUM | 4.0 | 2.3% | 92 | KEV, PoC |
| CVE-2026-6722 | Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments. | CRITICAL | 9.5 | 0.3% | 68 | PoC |
| CVE-2026-45369 | Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl. | HIGH | 8.3 | 0.0% | 62 | PoC |
| CVE-2026-7461 | Command injection in Amazon ECS Agent on Windows allows authenticated attackers with task definition permissions to execute arbitrary shell commands with SYSTEM privileges on the underlying host. The vulnerability exists in the FSx Windows File Server volume mounting component (versions prior to 1.103.0), where username field input is not properly sanitized before being passed to OS commands. This affects AWS customers running Windows-based ECS container workloads with FSx volumes; exploitation requires IAM permissions to register ECS task definitions or write to credential stores (Secrets Manager/SSM Parameter Store) used by FSx configurations. Vendor-released patch: version 1.103.0. EPSS and KEV data not provided; no public exploit identified at time of analysis. | HIGH | 7.5 | 0.0% | 58 | PoC |
| CVE-2026-42151 | Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Versions prior to 3.5.3 and 3.11.3 incorrectly type the client_secret field as a plain string instead of Prometheus's redacted Secret type, allowing remote unauthenticated attackers to retrieve sensitive Azure credentials from any exposed Prometheus instance configured for Azure AD remote write. The vulnerability has low exploitation complexity (CVSS AV:N/AC:L/PR:N) with 7.5 severity. Vendor-confirmed patches available in versions 3.5.3 and 3.11.3 (GitHub releases confirmed). EPSS data not provided; no CISA KEV listing indicating targeted exploitation campaigns at time of analysis. | HIGH | 7.5 | 0.0% | 58 | PoC |
| CVE-2026-42826 | Unauthorized information disclosure in Azure DevOps allows remote unauthenticated attackers to access sensitive data via network requests and potentially compromise the system with high confidentiality, integrity, and availability impact. The vulnerability carries a maximum CVSS 10.0 score with scope change, indicating cross-boundary impact. Microsoft has released an official patch, and no active exploitation has been reported via CISA KEV at the time of analysis. | CRITICAL | 10.0 | 0.1% | 55 | |
| CVE-2026-42898 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a | CRITICAL | 9.9 | 0.1% | 55 | |
| CVE-2026-33109 | Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential. | CRITICAL | 9.9 | 0.1% | 55 | |
| CVE-2026-42823 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. | CRITICAL | 9.9 | 0.1% | 55 | |
| CVE-2026-41089 | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. | CRITICAL | 9.8 | 0.1% | 54 | |
| CVE-2026-41096 | Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network. | CRITICAL | 9.8 | 0.1% | 54 | |
| CVE-2026-35428 | Command injection in Azure Cloud Shell enables remote attackers to execute arbitrary commands and spoof user sessions when victims interact with malicious content. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), allowing network-based attackers to achieve high impact across confidentiality, integrity, and availability with scope change (S:C), indicating potential container escape or cross-tenant impact. Microsoft has released a patch per MSRC advisory. EPSS data not available, no CISA KEV listing identified, suggesting targeted rather than widespread exploitation at time of analysis. | CRITICAL | 9.6 | 0.1% | 53 | |