32
CVEs
7
Critical
10
High
1
KEV
12
PoC
4
Unpatched C/H
68.8%
Patch Rate
3.7%
Avg EPSS
Severity Breakdown
CRITICAL
7
HIGH
10
MEDIUM
14
LOW
1
Monthly CVE Trend
Affected Products (5)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-24016 | Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers. | CRITICAL | 9.9 | 93.9% | 228 |
KEV
PoC
|
| CVE-2021-44079 | In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 3.3% | 69 |
PoC
|
| CVE-2026-25769 | A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achieve remote code execution with root privileges on the master node. The vulnerability affects Wazuh versions 4.0.0 through 4.14.2 and poses severe risk to organizations using Wazuh in distributed deployments, as compromise of any single worker node can lead to full cluster takeover. While no active exploitation has been reported (not in KEV), proof-of-concept materials are publicly available via the Google Drive link in the advisory. | CRITICAL | 9.1 | 0.4% | 66 |
PoC
|
| CVE-2018-19666 | The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversal by leveraging full access to the associated OSSEC server. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.8 | 0.8% | 59 |
PoC
No patch
|
| CVE-2024-1243 | CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise. | HIGH | 7.2 | 0.5% | 57 |
PoC
|
| CVE-2021-41821 | Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 6.5 | 1.1% | 52 |
PoC
No patch
|
| CVE-2026-56699 | NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operations because the DataValue.index field is not escaped when the manager builds inventory-sync bulk requests. Because those requests execute under the manager's OpenSearch admin credentials, a single low-trust agent can delete documents, tamper with alerts, and manipulate SIEM state across all other agents. Rated CVSS 10.0 by the reporter (VulnCheck); no public exploit identified at time of analysis and it is not listed in CISA KEV. | CRITICAL | 10.0 | – | 50 |
|
| CVE-2024-32038 | Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 1.0% | 49 |
No patch
|
| CVE-2026-25770 | Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch. | CRITICAL | 9.1 | 0.1% | 46 |
|
| CVE-2026-30893 | Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified. | CRITICAL | 9.0 | 0.1% | 45 |
PoC
|
| CVE-2021-26814 | Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | HIGH | 8.8 | 8.7% | 44 |
|
| CVE-2022-40497 | Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Response endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application. | HIGH | 8.8 | 1.3% | 44 |
|
| CVE-2023-42455 | Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. | HIGH | 8.8 | 0.6% | 44 |
|
| CVE-2025-15617 | GitHub Actions workflow artifacts in Wazuh version 4.12.0 expose GITHUB_TOKEN credentials that unauthenticated network attackers can extract and use within a limited time window to push malicious commits or alter release tags in the project repository. The vulnerability carries a CVSS 4.0 score of 8.3 with high integrity impact and low availability impact. No public exploit identified at time of analysis, though the vulnerability is classified under authentication bypass tags by VulnCheck. | HIGH | 8.3 | 0.0% | 42 |
No patch
|
| CVE-2023-42463 | Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available. | HIGH | 7.4 | 0.1% | 37 |
No patch
|