8628
CVEs
274
Critical
2646
High
18
KEV
567
PoC
212
Unpatched C/H
93.2%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
274
HIGH
2646
MEDIUM
5634
LOW
71
Monthly CVE Trend
Affected Products (30)
Linux Kernel
3898
Ubuntu
753
Chrome
721
Debian Linux
421
Python
158
Java
90
Node.js
85
Imagemagick
69
Kubernetes
68
MySQL
65
Mysql Server
62
AI / ML
50
Enterprise Linux
49
Jboss Enterprise Application Platform
41
Thunderbird
40
Freerdp
35
Windows
33
Tomcat
32
Virtuoso
30
Openshift
27
iOS
24
Vllm
24
Enterprise Linux Server
24
Satellite
23
OpenSSL
23
Enterprise Linux Workstation
22
PHP
22
Docker
22
macOS
21
Enterprise Mrg
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2010-1871 | JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to achieve arbitrary code execution via crafted URL parameters when the Java Security Manager is misconfigured. | HIGH | 8.8 | 93.7% | 233 |
KEV
PoC
No patch
|
| CVE-2025-24813 | A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2. | CRITICAL | 9.8 | 94.2% | 228 |
KEV
PoC
|
| CVE-2025-49113 | Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes. | CRITICAL | 9.9 | 90.4% | 225 |
KEV
PoC
|
| CVE-2025-55182 | React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request. | CRITICAL | 10.0 | 71.1% | 216 |
KEV
PoC
|
| CVE-2017-12149 | In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.3% | 213 |
KEV
PoC
No patch
|
| CVE-2025-31125 | Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available. | MEDIUM | 5.3 | 83.3% | 180 |
KEV
PoC
|
| CVE-2013-2068 | Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 78.5%. | CRITICAL | 9.4 | 78.5% | 160 |
PoC
No patch
|
| CVE-2025-1974 | A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access to achieve arbitrary code execution in the controller context. Dubbed 'IngressNightmare', this flaw exposes cluster Secrets including TLS certificates and service account tokens accessible to the ingress controller. | CRITICAL | 9.8 | 90.3% | 159 |
PoC
|
| CVE-2025-29927 | Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer. | CRITICAL | 9.1 | 93.0% | 158 |
PoC
|
| CVE-2025-32463 | Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot option, which loads /etc/nsswitch.conf from the user-controlled chroot directory instead of the host system. KEV-listed with EPSS 26.5% and public PoC, this vulnerability allows any user with sudo --chroot access to achieve root privileges by placing a malicious nsswitch configuration and library in their chroot. | CRITICAL | 9.3 | 26.5% | 158 |
KEV
PoC
|
| CVE-2025-1094 | PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain. | HIGH | 8.1 | 79.7% | 155 |
PoC
|
| CVE-2025-1302 | The jsonpath-plus npm package before version 10.3.0 contains a remote code execution vulnerability due to improper input sanitization in the eval='safe' mode. Despite being labeled 'safe', the evaluation mode allows attackers to escape the sandbox and execute arbitrary JavaScript, affecting any application processing untrusted JSONPath expressions. | HIGH | 8.9 | 88.9% | 153 |
PoC
|
| CVE-2017-7504 | HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 90.3% and no vendor patch available. | CRITICAL | 9.8 | 90.3% | 139 |
No patch
|
| CVE-2025-30208 | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 89.0%. | MEDIUM | 5.3 | 89.0% | 135 |
PoC
|
| CVE-2013-2186 | The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 87.1%. | HIGH | 7.5 | 87.1% | 125 |
|