73
CVEs
12
Critical
35
High
0
KEV
12
PoC
16
Unpatched C/H
63.0%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
12
HIGH
35
MEDIUM
19
LOW
5
Monthly CVE Trend
Affected Products (30)
Docker
12
Kubernetes
10
PHP
8
Command Injection
6
Nginx Ui
4
Modsecurity
3
Nginx Plus
3
Request Smuggling
2
Nginx Open Source
2
Java
2
OpenSSL
2
Heap Overflow
2
Ubuntu
2
Tinyweb
2
Python
2
Integer Overflow
1
Nginx Instance Manager
1
Cpp Httplib
1
Nginx Unit
1
Kan
1
Virtual Appliance Application
1
Open Security Issue Management
1
Race Condition
1
Frappe
1
Virtual Appliance Host
1
Null Pointer Dereference
1
Roxy Wi
1
Github
1
Termix
1
Lua Nginx Module
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-27944 | Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available. | CRITICAL | 9.8 | 1.0% | 70 |
PoC
|
| CVE-2025-34203 | Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1002 and Application versions prior to 20.0.2614 (VA and SaaS deployments) contain multiple Docker containers that. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.1% | 67 |
PoC
No patch
|
| CVE-2025-59951 | Docker default credentials in Termix server management. PoC and patch available. | CRITICAL | 9.1 | 0.1% | 66 |
PoC
|
| CVE-2024-33452 | An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available. | HIGH | 7.7 | 0.7% | 59 |
PoC
No patch
|
| CVE-2025-46728 | cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | HIGH | 7.5 | 1.0% | 59 |
PoC
|
| CVE-2025-48866 | ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms. | HIGH | 7.5 | 0.4% | 58 |
PoC
|
| CVE-2026-22265 | Authenticated command injection in Roxy-WI versions prior to 8.2.8.2 enables attackers to execute arbitrary system commands through improper sanitization of the grep parameter in log viewing functionality. Public exploit code exists for this vulnerability, affecting users managing HAProxy, Nginx, Apache, and Keepalived servers through the web interface. A patch is available in version 8.2.8.2 and later. | HIGH | 7.5 | 0.2% | 58 |
PoC
|
| CVE-2025-5961 | The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers. | HIGH | 7.2 | 1.3% | 57 |
PoC
|
| CVE-2026-33494 | Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though no current EPSS score or KEV listing indicates limited evidence of active exploitation at this time. | CRITICAL | 10.0 | 0.0% | 50 |
|
| CVE-2026-33502 | An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit. | CRITICAL | 9.3 | 3.0% | 50 |
|
| CVE-2026-23837 | MyTube self-hosted video downloader has an authorization bypass (CVSS 9.8) that allows unauthenticated access to administrative functions in versions 1.7.65 and prior. | CRITICAL | 9.8 | 0.3% | 49 |
|
| CVE-2026-33032 | Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though detailed proof-of-concept HTTP request provided in advisory. | CRITICAL | 9.8 | 0.1% | 49 |
No patch
|
| CVE-2026-33026 | Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw. | CRITICAL | 9.4 | 0.0% | 47 |
No patch
|
| CVE-2026-34759 | Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. Attackers can purchase phone numbers on victim Twilio accounts and delete configured alerting numbers by exploiting unprotected /notification/ endpoints, using leaked projectId values from public Status Page APIs. No public exploit identified at time of analysis, though attack complexity is rated high (CVSS AC:H) and proof-of-concept details are available in the GitHub security advisory. | CRITICAL | 9.2 | 0.1% | 46 |
No patch
|
| CVE-2026-33419 | MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects. | CRITICAL | 9.1 | 0.1% | 46 |
No patch
|