3986
CVEs
179
Critical
1378
High
11
KEV
428
PoC
58
Unpatched C/H
96.5%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
179
HIGH
1378
MEDIUM
2423
LOW
1
Monthly CVE Trend
Affected Products (30)
Linux Kernel
2756
Ubuntu
776
Null Pointer Dereference
595
Debian Linux
561
Memory Corruption
521
Use After Free
425
Firefox
185
Thunderbird
183
Race Condition
124
Python
122
Integer Overflow
94
Chrome
88
Node.js
76
AI / ML
73
MySQL
64
Mysql Server
62
Java
61
Imagemagick
56
Heap Overflow
55
Kubernetes
55
Freerdp
45
Windows
44
Stack Overflow
34
Deserialization
34
Command Injection
32
Enterprise Linux
32
Virtuoso
30
OpenSSL
28
macOS
25
Tls
25
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-49113 | Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes. | CRITICAL | 9.9 | 90.4% | 210 |
KEV
PoC
|
| CVE-2025-55182 | React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request. | CRITICAL | 10.0 | 71.1% | 201 |
KEV
PoC
|
| CVE-2025-32463 | Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot option, which loads /etc/nsswitch.conf from the user-controlled chroot directory instead of the host system. KEV-listed with EPSS 26.5% and public PoC, this vulnerability allows any user with sudo --chroot access to achieve root privileges by placing a malicious nsswitch configuration and library in their chroot. | CRITICAL | 9.3 | 26.5% | 143 |
KEV
PoC
|
| CVE-2026-2441 | Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2025-31277 | WebKit memory corruption in Safari 18.6 and multiple Apple platforms allows remote code execution when processing maliciously crafted web content, exploited in the wild as a zero-day. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2025-6554 | Chrome's V8 engine contains a type confusion vulnerability (CVE-2025-6554, CVSS 8.1) enabling arbitrary read/write operations through crafted HTML pages. KEV-listed with public PoC, type confusion in V8 is the most reliable class of browser exploitation primitives, providing full memory read/write capability for code execution within the renderer sandbox. | HIGH | 8.1 | 0.5% | 111 |
KEV
PoC
|
| CVE-2025-43529 | WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users. | HIGH | 8.8 | 0.1% | 94 |
KEV
|
| CVE-2025-13223 | Google Chrome V8 contains a type confusion vulnerability in the JavaScript engine, the second V8 type confusion zero-day in 2025, exploited in targeted attacks. | HIGH | 8.8 | 2.5% | 94 |
KEV
|
| CVE-2025-48384 | Git contains a CRLF injection vulnerability (CVE-2025-48384, CVSS 8.0) in its config handling that allows attackers to escape header lines and modify config values. KEV-listed, this vulnerability in the world's most widely used version control system enables config injection attacks that could lead to arbitrary code execution through Git hooks, credential theft, or repository manipulation. | HIGH | 8.0 | 0.5% | 90 |
KEV
|
| CVE-2025-31650 | Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.3%. | HIGH | 7.5 | 20.3% | 78 |
PoC
|
| CVE-2025-32444 | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 10.0 | 2.5% | 72 |
PoC
|
| CVE-2025-49844 | UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available. | CRITICAL | 9.9 | 12.4% | 72 |
PoC
|
| CVE-2025-14009 | Critical code execution vulnerability in NLTK (Natural Language Toolkit) downloader component. The _unzip_iter function can be exploited to achieve arbitrary code execution through crafted downloads. CVSS 10.0, EPSS 0.57%. PoC available. | CRITICAL | 10.0 | 0.6% | 71 |
PoC
|
| CVE-2026-24054 | Sandbox escape in Kata Containers allowing guest VM to access host resources. CVSS 10.0 — undermines the core security guarantee of hardware-isolated containers. PoC and patch available. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|
| CVE-2025-2828 | A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor patch is available. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|