Skip to main content

Suse

Vendor security scorecard – 3939 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 10832
3939
CVEs
278
Critical
1464
High
6
KEV
237
PoC
51
Unpatched C/H
97.4%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
278
HIGH
1464
MEDIUM
2195
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-24061 GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain root access by setting the USER environment variable to '-f root' during TELNET negotiation. With EPSS 75% and KEV listing, this trivially exploitable vulnerability (CVE-2026-24061) has been widely weaponized. Public PoC is available and patches exist. CRITICAL 9.8 75.3% 209
KEV PoC
CVE-2026-3910 Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-11645 Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-3909 Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-33634 Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories. CRITICAL 9.4 0.0% 117
KEV PoC
CVE-2026-2441 Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. HIGH 8.8 0.1% 114
KEV PoC
CVE-2026-27944 Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available. CRITICAL 9.8 1.0% 70
PoC
CVE-2026-30861 OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available. CRITICAL 9.9 0.2% 70
PoC
CVE-2026-29042 Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available. CRITICAL 9.8 0.7% 70
PoC
CVE-2026-30860 SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available. CRITICAL 9.9 0.2% 70
PoC
CVE-2026-27626 OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available. CRITICAL 9.9 0.1% 70
PoC
CVE-2026-22039 Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass and unauthorized cluster operations. CRITICAL 9.9 0.1% 70
PoC
CVE-2026-24740 Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope and obtain an interactive root shell on out-of-scope containers. PoC available, patch in v9.0.3. CRITICAL 9.9 0.0% 70
PoC
CVE-2026-26190 Unauthenticated API access in Milvus vector database before 2.5.27/2.6.10. TCP port 9091 exposed by default without authentication. EPSS 0.32% with PoC and patch available. CRITICAL 9.8 0.3% 69
PoC
CVE-2026-27590 FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available. CRITICAL 9.8 0.2% 69
PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy