2123
CVEs
96
Critical
801
High
1
KEV
40
PoC
22
Unpatched C/H
96.4%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
96
HIGH
801
MEDIUM
1225
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
3898
Ubuntu
753
Chrome
721
Debian Linux
421
Python
158
Java
90
Node.js
85
Imagemagick
69
Kubernetes
68
MySQL
65
Mysql Server
62
AI / ML
50
Enterprise Linux
49
Jboss Enterprise Application Platform
41
Thunderbird
40
Freerdp
35
Windows
33
Tomcat
32
Virtuoso
30
Openshift
27
iOS
24
Vllm
24
Enterprise Linux Server
24
Satellite
23
OpenSSL
23
Enterprise Linux Workstation
22
PHP
22
Docker
22
macOS
21
Enterprise Mrg
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-11645 | Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2025-71329 | Denial of service in the image-size Node.js library through version 2.0.2 allows remote unauthenticated attackers to permanently hang the Node.js event loop by supplying a crafted JXL or HEIF image containing a box with a zero-valued size field. Publicly available exploit code exists and an upstream fix has been merged, making this a credible availability threat for any service that accepts user-supplied images and runs them through image-size. No active exploitation has been reported in CISA KEV at time of analysis. | HIGH | 8.7 | 0.1% | 64 |
PoC
|
| CVE-2025-71330 | Denial of service in the image-size Node.js library (versions up to and including 2.0.2) allows remote unauthenticated attackers to permanently stall the Node.js event loop by submitting a malformed ICNS image. The flaw stems from an infinite loop in the ICNS parser when an entry length field is zero, and publicly available exploit code exists per VulnCheck and an independent write-up; no public exploit identified at time of analysis indicates active exploitation, but the POC makes weaponization trivial. | HIGH | 8.7 | 0.1% | 64 |
PoC
|
| CVE-2026-41907 | Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U). | HIGH | 8.1 | 0.0% | 61 |
PoC
|
| CVE-2026-34059 | Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67. | HIGH | 7.5 | 0.1% | 58 |
PoC
|
| CVE-2026-42342 | Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. No public exploit identified at time of analysis, and the issue is patched in react-router 7.15.0 and @remix-run/server-runtime 2.17.5. | HIGH | 7.5 | 0.1% | 58 |
PoC
|
| CVE-2026-34077 | Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2. | HIGH | 7.5 | 0.0% | 58 |
PoC
|
| CVE-2025-70103 | Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation. | HIGH | 7.3 | 0.0% | 57 |
PoC
|
| CVE-2026-6860 | Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement. | MEDIUM | 6.9 | 0.0% | 55 |
PoC
|
| CVE-2018-25282 | Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available. | MEDIUM | 6.9 | 0.0% | 55 |
PoC
|
| CVE-2026-40181 | Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with `//`, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to `redirect()` without validating the path prefix. No public exploit identified at time of analysis - CVSS 4.0 supplemental metric E:U (Unreported) confirms no known active exploitation - but the technique is trivially constructible from the advisory description alone, and patched releases 7.14.1 and 6.30.4 are available. | MEDIUM | 6.6 | 0.0% | 53 |
PoC
|
| CVE-2026-47208 | Remote code execution in the vm2 Node.js sandbox library (versions <= 3.11.3) allows sandboxed JavaScript to escape isolation and execute arbitrary commands on the host. The flaw stems from a missing resetPromiseSpecies call in the localPromise swallow tail, letting a sandbox subclass hijack Promise species resolution and capture a raw host-realm RangeError that exposes the host Function constructor. Publicly available exploit code exists (POC published in the advisory), though no public exploit identified at time of analysis as actively exploited in the wild; given vm2's heavy use as an untrusted-code sandbox in SaaS, CI, and serverless platforms, this is a top-priority issue. | CRITICAL | 10.0 | 0.5% | 50 |
|
| CVE-2026-47137 | Sandbox escape in vm2 (npm package, versions <= 3.11.3) allows full remote code execution by bypassing the GHSA-8hg8-63c5-gwmx (CVE-2023-37903) patch through omission of the require option when nesting:true is set. Publicly available exploit code exists in the GHSA advisory itself, and with a CVSS of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) any application passing untrusted code to a NodeVM configured this way is trivially compromised on the host. | CRITICAL | 10.0 | 0.2% | 50 |
|
| CVE-2026-47140 | Sandbox escape leading to remote code execution in vm2 NodeVM versions 3.11.3 and earlier allows attackers running untrusted JavaScript inside the sandbox to break out via two missing entries in the dangerous-builtin denylist: `process` (whose `getBuiltinModule()` reloads any core module, including `child_process`) and `inspector/promises` (whose `Session().post('Runtime.evaluate', ...)` evaluates code in the host realm). The flaw is exploitable only when the embedder allows `process`, `inspector/promises`, or wildcard `*` in `require.builtin`. Publicly available exploit code exists (PoC published with the advisory), and a patch is available in vm2 3.11.4; no public exploit identified at time of analysis as actively used in the wild. | CRITICAL | 10.0 | 0.1% | 50 |
|
| CVE-2026-47131 | Sandbox escape in the vm2 Node.js sandbox library (versions <= 3.11.3) allows untrusted JavaScript executed inside a vm2 VM to reach the host realm and achieve arbitrary code execution. By chaining Buffer.call.call indirection with __lookupGetter__/__lookupSetter__ to obtain host Object.prototype.__proto__ accessors and using a WebAssembly.compileStreaming rejection to surface a host TypeError, an attacker severs a host prototype chain, causing the bridge's proto-walk to return the raw host error unwrapped - yielding e.constructor.constructor as host Function and full RCE. Publicly available exploit code exists (advisory ships a working PoC); CVSS is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | CRITICAL | 10.0 | 0.1% | 50 |
|