5103
CVEs
213
Critical
1709
High
14
KEV
559
PoC
102
Unpatched C/H
96.1%
Patch Rate
0.4%
Avg EPSS
Severity Breakdown
CRITICAL
213
HIGH
1709
MEDIUM
3173
LOW
3
Monthly CVE Trend
Affected Products (30)
Linux Kernel
2756
Ubuntu
776
Null Pointer Dereference
595
Debian Linux
561
Memory Corruption
521
Use After Free
425
Firefox
185
Thunderbird
183
Race Condition
124
Python
122
Integer Overflow
94
Chrome
88
Node.js
76
AI / ML
73
MySQL
64
Mysql Server
62
Java
61
Imagemagick
56
Heap Overflow
55
Kubernetes
55
Freerdp
45
Windows
44
Stack Overflow
34
Deserialization
34
Command Injection
32
Enterprise Linux
32
Virtuoso
30
OpenSSL
28
macOS
25
Tls
25
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-24813 | A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2. | CRITICAL | 9.8 | 94.2% | 213 |
KEV
PoC
|
| CVE-2025-49113 | Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes. | CRITICAL | 9.9 | 90.4% | 210 |
KEV
PoC
|
| CVE-2025-55182 | React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request. | CRITICAL | 10.0 | 71.1% | 201 |
KEV
PoC
|
| CVE-2025-27363 | A critical out-of-bounds write vulnerability in FreeType versions 2.13.0 and below affects font rendering across virtually all Linux distributions, Android devices, and applications embedding FreeType. The integer signedness error in TrueType GX/variable font parsing leads to heap buffer overflow, enabling arbitrary code execution when processing malicious fonts. KEV-listed with EPSS 76%, this vulnerability has been actively exploited. | HIGH | 8.1 | 76.2% | 167 |
KEV
|
| CVE-2025-29927 | Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer. | CRITICAL | 9.1 | 93.0% | 158 |
PoC
|
| CVE-2025-32463 | Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot option, which loads /etc/nsswitch.conf from the user-controlled chroot directory instead of the host system. KEV-listed with EPSS 26.5% and public PoC, this vulnerability allows any user with sudo --chroot access to achieve root privileges by placing a malicious nsswitch configuration and library in their chroot. | CRITICAL | 9.3 | 26.5% | 143 |
KEV
PoC
|
| CVE-2025-1302 | The jsonpath-plus npm package before version 10.3.0 contains a remote code execution vulnerability due to improper input sanitization in the eval='safe' mode. Despite being labeled 'safe', the evaluation mode allows attackers to escape the sandbox and execute arbitrary JavaScript, affecting any application processing untrusted JSONPath expressions. | HIGH | 8.9 | 88.9% | 133 |
|
| CVE-2025-1094 | PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain. | HIGH | 8.1 | 79.7% | 120 |
PoC
|
| CVE-2026-2441 | Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2025-31277 | WebKit memory corruption in Safari 18.6 and multiple Apple platforms allows remote code execution when processing maliciously crafted web content, exploited in the wild as a zero-day. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2025-1098 | Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress annotations. Attackers can inject arbitrary NGINX configuration directives that lead to code execution in the ingress controller context, exposing cluster Secrets. This is a companion vulnerability to CVE-2025-1974 (IngressNightmare). | HIGH | 8.8 | 49.9% | 114 |
PoC
|
| CVE-2025-6554 | Chrome's V8 engine contains a type confusion vulnerability (CVE-2025-6554, CVSS 8.1) enabling arbitrary read/write operations through crafted HTML pages. KEV-listed with public PoC, type confusion in V8 is the most reliable class of browser exploitation primitives, providing full memory read/write capability for code execution within the renderer sandbox. | HIGH | 8.1 | 0.5% | 111 |
KEV
PoC
|
| CVE-2025-26794 | Exim mail server version 4.98 before 4.98.1 contains a remote SQL injection vulnerability when SQLite hints and ETRN serialization features are enabled. The vulnerability allows remote attackers to inject SQL through crafted SMTP commands, potentially compromising the mail server's configuration and queued messages. | HIGH | 7.5 | 72.1% | 110 |
|
| CVE-2025-27636 | Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 47.8%. | MEDIUM | 5.6 | 47.8% | 96 |
PoC
|
| CVE-2025-43529 | WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users. | HIGH | 8.8 | 0.1% | 94 |
KEV
|