Skip to main content

Suse

Vendor security scorecard – 9353 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 22822
9353
CVEs
435
Critical
2986
High
20
KEV
691
PoC
82
Unpatched C/H
98.1%
Patch Rate
0.3%
Avg EPSS

Severity Breakdown

CRITICAL
435
HIGH
2986
MEDIUM
5930
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2025-24016 Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers. CRITICAL 9.9 93.9% 228
KEV PoC
CVE-2025-24813 A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2. CRITICAL 9.8 94.2% 228
KEV PoC
CVE-2025-49113 Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes. CRITICAL 9.9 90.4% 225
KEV PoC
CVE-2026-24061 GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain root access by setting the USER environment variable to '-f root' during TELNET negotiation. With EPSS 75% and KEV listing, this trivially exploitable vulnerability (CVE-2026-24061) has been widely weaponized. Public PoC is available and patches exist. CRITICAL 9.8 75.3% 209
KEV PoC
CVE-2025-32433 Erlang/OTP SSH server allows unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling, enabling unauthorized system access with CVSS 10.0. CRITICAL 10.0 50.3% 185
KEV PoC
CVE-2025-33073 Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attackers to escalate privileges over the network. KEV-listed with EPSS 57.6% and public PoC, this vulnerability in the core Windows file sharing protocol affects every Windows system on the network, enabling lateral movement from any compromised domain account to SYSTEM-level access on SMB-accessible systems. HIGH 8.8 57.6% 172
KEV PoC
CVE-2025-24367 Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through the graph creation and template functionality. Attackers abuse the graphing engine to create arbitrary PHP scripts in the web root, escalating from monitoring access to full server control. HIGH 8.7 90.5% 169
PoC
CVE-2025-2945 pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoints. The query_commited and high_availability parameters are passed directly to Python's eval() function, allowing authenticated users to execute arbitrary Python code on the pgAdmin server. CRITICAL 9.9 77.9% 162
PoC
CVE-2025-1974 A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access to achieve arbitrary code execution in the controller context. Dubbed 'IngressNightmare', this flaw exposes cluster Secrets including TLS certificates and service account tokens accessible to the ingress controller. CRITICAL 9.8 90.3% 159
PoC
CVE-2025-32463 Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot option, which loads /etc/nsswitch.conf from the user-controlled chroot directory instead of the host system. KEV-listed with EPSS 26.5% and public PoC, this vulnerability allows any user with sudo --chroot access to achieve root privileges by placing a malicious nsswitch configuration and library in their chroot. CRITICAL 9.3 26.5% 158
KEV PoC
CVE-2025-1094 PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain. HIGH 8.1 79.7% 155
PoC
CVE-2025-1302 The jsonpath-plus npm package before version 10.3.0 contains a remote code execution vulnerability due to improper input sanitization in the eval='safe' mode. Despite being labeled 'safe', the evaluation mode allows attackers to escape the sandbox and execute arbitrary JavaScript, affecting any application processing untrusted JSONPath expressions. HIGH 8.9 88.9% 153
PoC
CVE-2025-54123 Hoverfly API simulation tool version 1.11.3 and prior contains a command injection vulnerability in the middleware management endpoint /api/v2/hoverfly/middleware. Insufficient validation of user input allows authenticated attackers to execute arbitrary commands on the Hoverfly server. CRITICAL 9.8 60.2% 129
PoC
CVE-2025-24786 WhoDB open-source database management tool allows unauthenticated path traversal to access any SQLite3 database on the host machine. Beyond data exposure, affected versions enable reading sensitive system files and executing arbitrary commands through SQLite extensions, achieving full server compromise. CRITICAL 10.0 51.3% 121
PoC
CVE-2026-3910 Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. HIGH 8.8 0.1% 119
KEV PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy