Mozilla

Vendor security scorecard – 52 CVEs in the selected period

Headline metrics for the selected period:

- Risk score: 222
- CVEs: 52
- Critical: 9
- High: 31
- KEV (known exploited): 0
- PoC available: 1
- Unpatched Critical/High: 1
- Patch rate: 96.2%
- Average EPSS: 0.0%

Severity Breakdown

- CRITICAL: 9
- HIGH: 31
- MEDIUM: 11
- LOW: 1

Monthly CVE Trend

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals. The summary for each entry follows on the next line.

CVE-2026-8956 | CRITICAL | 9.8 | 0.0% | 49 | –
  Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

CVE-2026-8401 | CRITICAL | 9.8 | 0.0% | 49 | –
  Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3.

CVE-2026-8091 | CRITICAL | 9.8 | 0.0% | 49 | –
  Remote code execution in Firefox ESR allows unauthenticated network attackers to achieve complete system compromise via malformed audio/video content. Mozilla has released patches in Firefox ESR 140.10.2 and Firefox ESR 115.35.2. Despite a critical CVSS 9.8 score and an SSVC rating of 'total' technical impact with automatable exploitation, EPSS assigns only a 0.01% exploitation probability (1st percentile), and no public exploit or active exploitation has been identified. The severity stems from the unauthenticated network attack vector against a boundary condition flaw in media playback, a user-facing feature in a widely deployed browser component.

CVE-2026-8094 | CRITICAL | 9.8 | 0.0% | 49 | –
  Remote code execution in Firefox ESR's WebRTC component allows unauthenticated network attackers to achieve arbitrary code execution with complete system compromise. The vulnerability affects Firefox ESR versions prior to 140.10.2 and carries a critical CVSS score of 9.8 with a network attack vector requiring no authentication or user interaction. Despite the critical severity, the EPSS probability remains exceptionally low at 0.01% (0th percentile) with no evidence of active exploitation, suggesting limited awareness or exploitation complexity despite the automatable nature assessed under the CISA SSVC framework.

CVE-2026-8959 | CRITICAL | 9.6 | 0.1% | 48 | –
  Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

CVE-2026-44211 | CRITICAL | 9.6 | – | 48 | No patch
  Summary: The `kanban` npm package (used by the `cline` CLI) starts a WebSocket server on `127.0.0.1:3484` with no Origin header validation. Any web

CVE-2026-8953 | CRITICAL | 9.6 | 0.0% | 48 | –
  Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Fir

CVE-2026-8950 | CRITICAL | 9.3 | 0.0% | 47 | –
  Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

CVE-2026-8948 | CRITICAL | 9.1 | 0.0% | 46 | –
  Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

CVE-2026-42611 | HIGH | 8.9 | 0.0% | 45 | –
  Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from the list of dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms the exploit details; a patch is available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with a network attack vector, low complexity, and a scope change reflecting cross-context session hijacking.

CVE-2026-8975 | HIGH | 8.8 | 0.1% | 44 | –
  Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit had been identified at the time of analysis, and the EPSS score (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.

CVE-2026-8974 | HIGH | 8.8 | 0.0% | 44 | –
  Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption; no public exploit had been identified at the time of analysis, and the EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.

CVE-2026-8970 | HIGH | 8.8 | 0.0% | 44 | –
  Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit had been identified at the time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.

CVE-2026-8973 | HIGH | 8.8 | 0.0% | 44 | –
  Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page; Mozilla acknowledges that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit had been identified at the time of analysis and EPSS remains low (0.04%), but SSVC rates the technical impact as total and automatable.

CVE-2026-8955 | HIGH | 8.8 | 0.0% | 44 | –
  Privilege escalation in Mozilla Firefox's DOM Workers component allows remote attackers to elevate privileges within the browser when a victim interacts with a malicious web page. Affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with high impact to confidentiality, integrity, and availability. No public exploit had been identified at the time of analysis, and EPSS rates the exploitation probability at only 0.03% (9th percentile).
