4919
CVEs
189
Critical
1675
High
9
KEV
308
PoC
50
Unpatched C/H
96.8%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
189
HIGH
1675
MEDIUM
3054
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
3898
Ubuntu
753
Chrome
721
Debian Linux
421
Python
158
Java
90
Node.js
85
Imagemagick
69
Kubernetes
68
MySQL
65
Mysql Server
62
AI / ML
50
Enterprise Linux
49
Jboss Enterprise Application Platform
41
Thunderbird
40
Freerdp
35
Windows
33
Tomcat
32
Virtuoso
30
Openshift
27
iOS
24
Vllm
24
Enterprise Linux Server
24
Satellite
23
OpenSSL
23
Enterprise Linux Workstation
22
PHP
22
Docker
22
macOS
21
Enterprise Mrg
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-55182 | React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request. | CRITICAL | 10.0 | 71.1% | 216 |
KEV
PoC
|
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-11645 | Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-3909 | Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-2441 | Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2023-43000 | A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2025-43529 | WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users. | HIGH | 8.8 | 0.1% | 94 |
KEV
|
| CVE-2025-49844 | UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available. | CRITICAL | 9.9 | 12.4% | 92 |
PoC
|
| CVE-2025-12548 | Eclipse Che che-machine-exec exposes an unauthenticated JSON-RPC/WebSocket API on port 3333 that allows remote command execution and secret exfiltration from other users' developer workspace containers. | CRITICAL | 9.0 | 0.3% | 80 |
PoC
|
| CVE-2025-46817 | Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. | HIGH | 7.0 | 13.2% | 78 |
PoC
|
| CVE-2025-55190 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available. | CRITICAL | 9.9 | 4.0% | 74 |
PoC
|
| CVE-2026-24054 | Sandbox escape in Kata Containers allowing guest VM to access host resources. CVSS 10.0 — undermines the core security guarantee of hardware-isolated containers. PoC and patch available. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|
| CVE-2025-57052 | cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-25952 | Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory corruption. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-25953 | Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|