3939
CVEs
278
Critical
1464
High
6
KEV
237
PoC
51
Unpatched C/H
97.4%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
278
HIGH
1464
MEDIUM
2195
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
3886
Chrome
840
Ubuntu
801
Debian Linux
414
Python
189
Kubernetes
96
Docker
70
Windows
68
Imagemagick
64
MySQL
61
Mysql Server
56
Mattermost Server
51
AI / ML
47
Java
46
Android
45
Node.js
42
Golang
42
Thunderbird
41
PHP
39
Freerdp
35
macOS
29
OpenSSL
29
TLS
28
Tomcat
26
Suricata
25
Vim
24
iOS
24
PostgreSQL
23
Assimp
21
Red Hat Enterprise Linux 10
18
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-24061 | GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain root access by setting the USER environment variable to '-f root' during TELNET negotiation. With EPSS 75% and KEV listing, this trivially exploitable vulnerability (CVE-2026-24061) has been widely weaponized. Public PoC is available and patches exist. | CRITICAL | 9.8 | 75.3% | 209 |
KEV
PoC
|
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-11645 | Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-3909 | Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-33634 | Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories. | CRITICAL | 9.4 | 0.0% | 117 |
KEV
PoC
|
| CVE-2026-2441 | Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. | HIGH | 8.8 | 0.1% | 114 |
KEV
PoC
|
| CVE-2026-27944 | Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available. | CRITICAL | 9.8 | 1.0% | 70 |
PoC
|
| CVE-2026-30861 | OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available. | CRITICAL | 9.9 | 0.2% | 70 |
PoC
|
| CVE-2026-29042 | Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available. | CRITICAL | 9.8 | 0.7% | 70 |
PoC
|
| CVE-2026-30860 | SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available. | CRITICAL | 9.9 | 0.2% | 70 |
PoC
|
| CVE-2026-27626 | OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available. | CRITICAL | 9.9 | 0.1% | 70 |
PoC
|
| CVE-2026-22039 | Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass and unauthorized cluster operations. | CRITICAL | 9.9 | 0.1% | 70 |
PoC
|
| CVE-2026-24740 | Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope and obtain an interactive root shell on out-of-scope containers. PoC available, patch in v9.0.3. | CRITICAL | 9.9 | 0.0% | 70 |
PoC
|
| CVE-2026-26190 | Unauthenticated API access in Milvus vector database before 2.5.27/2.6.10. TCP port 9091 exposed by default without authentication. EPSS 0.32% with PoC and patch available. | CRITICAL | 9.8 | 0.3% | 69 |
PoC
|
| CVE-2026-27590 | FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available. | CRITICAL | 9.8 | 0.2% | 69 |
PoC
|