31
CVEs
7
Critical
17
High
0
KEV
0
PoC
9
Unpatched C/H
61.3%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
7
HIGH
17
MEDIUM
6
LOW
1
Monthly CVE Trend
Affected Products (30)
Docker
12
Kubernetes
10
PHP
8
Command Injection
6
Nginx Ui
4
Modsecurity
3
Nginx Plus
3
Request Smuggling
2
Nginx Open Source
2
Java
2
OpenSSL
2
Heap Overflow
2
Ubuntu
2
Tinyweb
2
Python
2
Integer Overflow
1
Nginx Instance Manager
1
Cpp Httplib
1
Nginx Unit
1
Kan
1
Virtual Appliance Application
1
Open Security Issue Management
1
Race Condition
1
Frappe
1
Virtual Appliance Host
1
Null Pointer Dereference
1
Roxy Wi
1
Github
1
Termix
1
Lua Nginx Module
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-33494 | Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though no current EPSS score or KEV listing indicates limited evidence of active exploitation at this time. | CRITICAL | 10.0 | 0.0% | 50 |
|
| CVE-2026-33502 | An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit. | CRITICAL | 9.3 | 3.0% | 50 |
|
| CVE-2026-33032 | Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though detailed proof-of-concept HTTP request provided in advisory. | CRITICAL | 9.8 | 0.1% | 49 |
No patch
|
| CVE-2026-33026 | Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw. | CRITICAL | 9.4 | 0.0% | 47 |
No patch
|
| CVE-2026-34759 | Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. Attackers can purchase phone numbers on victim Twilio accounts and delete configured alerting numbers by exploiting unprotected /notification/ endpoints, using leaked projectId values from public Status Page APIs. No public exploit identified at time of analysis, though attack complexity is rated high (CVSS AC:H) and proof-of-concept details are available in the GitHub security advisory. | CRITICAL | 9.2 | 0.1% | 46 |
No patch
|
| CVE-2026-33419 | MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects. | CRITICAL | 9.1 | 0.1% | 46 |
No patch
|
| CVE-2026-33186 | An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data. | CRITICAL | 9.1 | 0.0% | 46 |
|
| CVE-2026-27811 | Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability. | HIGH | 8.8 | 0.2% | 44 |
No patch
|
| CVE-2026-4342 | A configuration injection vulnerability in Kubernetes ingress-nginx controller allows authenticated attackers to inject arbitrary nginx configuration through specially crafted Ingress annotations, leading to remote code execution with controller privileges and exposure of all cluster Secrets. The vulnerability has a high CVSS score of 8.8 and affects the ingress-nginx controller's annotation parsing mechanism. No active exploitation (not in KEV) or public POC has been reported, though the attack requires only low privileges and network access. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-27654 | Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-33030 | Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4. | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2026-26061 | Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class. | HIGH | 8.7 | 0.1% | 44 |
|
| CVE-2026-27651 | NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authentication is configured with retry-enabled backend servers. This denial of service vulnerability affects NGINX Plus and NGINX Open Source with no patch currently available, allowing unauthenticated remote attackers to terminate worker processes and degrade service availability. | HIGH | 8.7 | 0.0% | 44 |
|
| CVE-2026-33661 | The yansongda/pay PHP library contains an authentication bypass vulnerability that allows attackers to forge WeChat Pay payment notifications by including a 'Host: localhost' header in HTTP requests. The verify_wechat_sign() function unconditionally skips RSA signature verification when it detects localhost as the hostname, enabling attackers to send fake payment success callbacks that applications may process as legitimate transactions. A proof-of-concept exploit exists demonstrating the attack, though the vendor notes most production environments with properly configured reverse proxies, WAFs, or CDNs will reject forged Host headers, significantly reducing real-world exploitability. | HIGH | 8.6 | 0.1% | 43 |
|
| CVE-2026-32255 | Kan, an open-source project management tool, contains a Server-Side Request Forgery (SSRF) vulnerability in its unauthenticated /api/download/attatchment endpoint in versions 0.5.4 and below. Attackers can exploit this to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254), or private network resources without any authentication. With a CVSS score of 8.6 (High) reflecting network-based attack vector, low complexity, and no privileges required, this poses significant risk for confidentiality breaches in affected deployments. | HIGH | 8.6 | 0.1% | 43 |
No patch
|