3200
CVEs
142
Critical
1140
High
4
KEV
135
PoC
30
Unpatched C/H
96.4%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
142
HIGH
1140
MEDIUM
1917
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
3898
Ubuntu
753
Chrome
721
Debian Linux
421
Python
158
Java
90
Node.js
85
Imagemagick
69
Kubernetes
68
MySQL
65
Mysql Server
62
AI / ML
50
Enterprise Linux
49
Jboss Enterprise Application Platform
41
Thunderbird
40
Freerdp
35
Windows
33
Tomcat
32
Virtuoso
30
Openshift
27
iOS
24
Vllm
24
Enterprise Linux Server
24
Satellite
23
OpenSSL
23
Enterprise Linux Workstation
22
PHP
22
Docker
22
macOS
21
Enterprise Mrg
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-11645 | Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-3909 | Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-2441 | Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2026-24054 | Sandbox escape in Kata Containers allowing guest VM to access host resources. CVSS 10.0 — undermines the core security guarantee of hardware-isolated containers. PoC and patch available. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|
| CVE-2026-25952 | Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory corruption. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-25953 | Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-25997 | Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth FreeRDP UAF. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-25959 | Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers memory corruption. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-25955 | Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-27699 | Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available. | CRITICAL | 9.1 | 0.1% | 66 |
PoC
|
| CVE-2026-26331 | yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.7% | 65 |
PoC
|
| CVE-2025-71329 | Denial of service in the image-size Node.js library through version 2.0.2 allows remote unauthenticated attackers to permanently hang the Node.js event loop by supplying a crafted JXL or HEIF image containing a box with a zero-valued size field. Publicly available exploit code exists and an upstream fix has been merged, making this a credible availability threat for any service that accepts user-supplied images and runs them through image-size. No active exploitation has been reported in CISA KEV at time of analysis. | HIGH | 8.7 | 0.1% | 64 |
PoC
|
| CVE-2025-71330 | Denial of service in the image-size Node.js library (versions up to and including 2.0.2) allows remote unauthenticated attackers to permanently stall the Node.js event loop by submitting a malformed ICNS image. The flaw stems from an infinite loop in the ICNS parser when an entry length field is zero, and publicly available exploit code exists per VulnCheck and an independent write-up; no public exploit identified at time of analysis indicates active exploitation, but the POC makes weaponization trivial. | HIGH | 8.7 | 0.1% | 64 |
PoC
|
| CVE-2026-25635 | Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk. | HIGH | 8.6 | 0.2% | 63 |
PoC
|