FACTUALRISK Cyber Intelligence
Updated: 29 May 2026 · 18:02
Summary counters: P0: 20 · P1: 11 · KEV: 21 · EPSS: 11 · New: 8
P0 — Urgent: 20 (KEV + strong signal)
KEV exploited: 21 (last 14 days: 14 new)
High EPSS: 11 (≥ 0.20, exploitation likely)
Total findings: 130 (top 300, sorted by score)
Source status (latency)
• CISA KEV: 0.08s
• OSV.dev: 0.47s
• GHSA: 1.17s
• NVD: 20.40s
• EPSS: 0.44s
• VULNX: --
• Ransomware.live: 1.47s
• Exploit-DB: 0.06s
• AlienVault OTX: 11.46s
• GreyNoise: 2.95s
• URLhaus: 0.07s
• MITRE CVE: 0.10s
• Shodan CVE: --
• VulnCheck Community: 1.10s
• Security Twitter: --
• Enhanced Vendor Feeds: 95.11s
• Packet Storm: --
7-day trends (chart): KEV, P0, P1, EPSS↑

Top Vendors
• composer: 34
• pip: 26
• go: 20
• npm: 14
• Ubuntu: 8
• Microsoft: 7
• maven: 4
• rust: 2
• Nx: 1
• TanStack: 1
• Daemon: 1
• LiteSpeed: 1

Top CWEs
• CWE-22: 8
• CWE-94: 7
• CWE-863: 7
• CWE-89: 6
• CWE-502: 6
• CWE-79: 5
• CWE-287: 5
• CWE-306: 5
Threat Intel — last 7 days
(Heatmap CVSS × EPSS of the visible findings; chart not reproduced here)
| Prio | CVE | Sev | CVSS | EPSS | Score | Vendor / Product | CWE | Description | Signals |
|---|---|---|---|---|---|---|---|---|---|
| P0 | CVE-2008-4250 | CRITICAL | 9.8 | 0.921 | 279.3 | Microsoft Windows | CWE-94 | Microsoft Windows Buffer Overflow Vulnerability | KEV, EPSS↑, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2026-41940 | CRITICAL | 9.8 | 0.905 | 277.4 | WebPros cPanel & WHM and WP2 (WordPress Squared) | CWE-306 | WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability | KEV, EPSS↑, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2010-0249 | HIGH | 8.8 | 0.888 | 269.4 | Microsoft Internet Explorer | CWE-416 | Microsoft Internet Explorer Use-After-Free Vulnerability | KEV, EPSS↑, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2009-3459 | HIGH | 8.8 | 0.881 | 268.5 | Adobe Acrobat and Reader | CWE-119 | Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability | KEV, EPSS↑, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2010-0806 | HIGH | 8.8 | 0.873 | 262.5 | Microsoft Internet Explorer | CWE-399 | Microsoft Internet Explorer Use-After-Free Vulnerability | KEV, EPSS↑, RANSOM, ATT&CK |
| P0 | CVE-2026-42208 | CRITICAL | 9.8 | 0.543 | 233.9 | BerriAI LiteLLM | CWE-89 | BerriAI LiteLLM SQL Injection Vulnerability | KEV, EPSS↑, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2026-20182 | CRITICAL | 10.0 | 0.773 | 227.8 | Cisco Catalyst SD-WAN | CWE-287 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | KEV, EPSS↑, CWE!, ATT&CK |
| P0 | CVE-2009-1537 | HIGH | 8.8 | 0.530 | 221.4 | Microsoft DirectX | NVD-CWE-noinfo | Microsoft DirectX NULL Byte Overwrite Vulnerability | KEV, EPSS↑, RANSOM, ATT&CK |
| P0 | CVE-2026-9082 | CRITICAL | 9.8 | 0.342 | 209.8 | Drupal Core | CWE-89 | Drupal Core SQL Injection Vulnerability | KEV, EPSS↑, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2025-34291 | HIGH | 8.8 | 0.348 | 199.6 | Langflow Langflow | CWE-346 | Langflow Origin Validation Error Vulnerability | KEV, EPSS↑, RANSOM, ATT&CK |
| P0 | CVE-2026-48027 | CRITICAL | 9.8 | 0.268 | 196.0 | Nx Nx Console | CWE-506 | Nx Console Embedded Malicious Code Vulnerability | KEV, EPSS↑, RANSOM |
| P0 | CVE-2026-0300 | CRITICAL | 9.8 | 0.045 | 174.2 | Palo Alto Networks PAN-OS | CWE-787 | Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability | KEV, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2026-8398 | CRITICAL | 9.8 | 0.000 | 173.8 | Daemon Daemon Tools Lite | CWE-506 | Daemon Tools Lite Embedded Malicious Code Vulnerability | KEV, RANSOM, SUPPLY, ATT&CK |
| P0 | CVE-2026-48172 | CRITICAL | 9.8 | 0.080 | 173.3 | LiteSpeed cPanel Plugin | CWE-266 | LiteSpeed cPanel Plugin Privilege Escalation Vulnerability | KEV, RANSOM |
| P0 | CVE-2026-45321 | CRITICAL | 9.6 | 0.000 | 172.6 | TanStack TanStack | CWE-506 | TanStack Unspecified Vulnerability | KEV, RANSOM, SUPPLY, ATT&CK |
| P0 | CVE-2026-42897 | HIGH | 8.1 | 0.075 | 167.6 | Microsoft Microsoft | CWE-79 | Microsoft Exchange Server Cross-Site Scripting Vulnerability | KEV, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2026-6973 | HIGH | 7.2 | 0.049 | 159.1 | Ivanti Endpoint Manager Mobile (EPMM) | CWE-20 | Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability | KEV, CWE!, RANSOM, ATT&CK |
| P0 | CVE-2026-41091 | HIGH | 7.8 | 0.059 | 158.9 | Microsoft Defender | CWE-59 | Microsoft Defender Link Following Vulnerability | KEV, RANSOM |
| P0 | CVE-2026-31431 | HIGH | 7.8 | 0.022 | 154.5 | Linux Kernel | CWE-669 | Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability | KEV, RANSOM, ATT&CK |
| P1 | CVE-2026-34926 | MEDIUM | 6.7 | 0.008 | 146.1 | Trend Micro Apex One | CWE-23 | Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability | KEV, RANSOM, ATT&CK |
| P0 | CVE-2026-45618 | CRITICAL | 10.0 | 0.000 | 135.0 | npm liquidjs | CWE-94 | LiquidJS is Vulnerable to Remote Code Execution | CWE!, RANSOM, ITW, SUPPLY, ATT&CK |
| P1 | CVE-2026-45498 | MEDIUM | 4.0 | 0.041 | 133.9 | Microsoft Defender | CWE-400 | Microsoft Defender Denial of Service Vulnerability | KEV, RANSOM |
| P1 | CVE-2026-31233 | CRITICAL | 9.8 | 0.004 | 74.2 | pip guardrails-ai | CWE-94 | Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism | CWE!, SUPPLY, ATT&CK |
| P1 | CVE-2026-46562 | CRITICAL | 9.8 | 0.000 | 73.8 | maven org.yamcs:yamcs-core | CWE-94 | Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override | CWE!, SUPPLY, ATT&CK |
| P3 | CVE-2026-46621 | CRITICAL | 9.1 | 0.000 | 69.6 | maven org.yamcs:yamcs-core | CWE-94 | Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection | CWE!, SUPPLY, ATT&CK |
| P3 | CVE-2026-48527 | HIGH | 8.7 | 0.000 | 67.2 | npm @haxtheweb/haxcms-nodejs | CWE-79 | HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint | CWE!, SUPPLY, ATT&CK |
| P3 | CVE-2026-44492 | HIGH | 8.6 | 0.000 | 66.6 | npm axios | CWE-918 | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | CWE!, SUPPLY, ATT&CK |
| P3 | CVE-2026-45077 | HIGH | 0.0 | 0.000 | 65.0 | composer symfony/monolog-bridge | CWE-502 | Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener | CWE!, RANSOM, ITW, ATT&CK |
| P1 | CVE-2026-31234 | CRITICAL | 9.8 | 0.007 | 64.7 | pip horovod | CWE-502 | Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component | CWE!, ATT&CK |
| P1 | CVE-2026-31237 | CRITICAL | 9.8 | 0.005 | 64.4 | pip ludwig | CWE-502 | Ludwig framework is vulnerable to insecure deserialization through its predict() method | CWE!, ATT&CK |
| P1 | CVE-2026-31236 | CRITICAL | 9.8 | 0.001 | 63.9 | pip llm | CWE-94 | llm CLI tool contains a code injection vulnerability via `--functions` command-line argument | CWE!, ATT&CK |
| P1 | CVE-2026-31235 | CRITICAL | 9.8 | 0.001 | 63.9 | pip imgaug | CWE-502 | imgaug contains an insecure deserialization vulnerability in BackgroundAugmenter class within multicore.py module | CWE!, ATT&CK |
| P1 | CVE-2026-31238 | CRITICAL | 9.8 | 0.001 | 63.9 | pip ludwig | CWE-502 | Ludwig framework is vulnerable to insecure deserialization in its model serving component | CWE!, ATT&CK |
| P1 | CVE-2026-31239 | CRITICAL | 9.8 | 0.001 | 63.9 | pip mamba-ssm | CWE-502 | mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub | CWE!, ATT&CK |
| P1 | CVE-2026-25879 | CRITICAL | 9.8 | 0.000 | 63.8 | pip langroid | CWE-89 | Langroid has Prompt to SQL Injection, Leading to RCE | CWE!, ATT&CK |
| P3 | GHSA-cwj3-vqpp-pmxr | HIGH | 8.8 | 0.000 | 62.8 | npm openclaw | CWE-862 | OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes | SUPPLY, ATT&CK |
| P3 | CVE-2026-45074 | MEDIUM | 0.0 | 0.000 | 60.0 | composer symfony/security-http | CWE-290 | Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay | RANSOM, ITW |
| P3 | CVE-2026-42305 | HIGH | 8.8 | 0.000 | 57.8 | pip dulwich | CWE-22 | Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows | CWE!, ATT&CK |
| P3 | CVE-2026-45401 | HIGH | 8.5 | 0.000 | 56.0 | pip open-webui | CWE-918 | Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958) | CWE!, ATT&CK |
| P3 | CVE-2026-46345 | HIGH | 8.4 | 0.000 | 55.4 | pip compliance-trestle | CWE-22 | compliance-trestle - jinja has an Arbitrary File Write via Path Traversal | CWE!, ATT&CK |
| P3 | CVE-2026-47717 | HIGH | 7.5 | 0.000 | 55.0 | npm fuxa-server | CWE-201 | FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations | SUPPLY, ATT&CK |
| P3 | CVE-2026-45617 | HIGH | 7.5 | 0.000 | 55.0 | npm liquidjs | CWE-1333 | LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex | SUPPLY, ATT&CK |
| P3 | CVE-2026-8771 | MEDIUM | 7.3 | 0.000 | 53.8 | maven org.linlinjava:litemall-wx-api | CWE-74 | org.linlinjava:litemall-wx-api has an Injection issue | SUPPLY, ATT&CK |
| P3 | CVE-2026-35671 | HIGH | 8.8 | 0.000 | 52.9 | composer thorsten/phpmyfaq | CWE-266 | phpMyFAQ: IDOR Account Takeover | |
| P3 | CVE-2026-41236 | HIGH | 8.8 | 0.000 | 52.8 | composer froxlor/froxlor | CWE-59 | Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path | ATT&CK |
| P3 | CVE-2026-41235 | HIGH | 8.8 | 0.000 | 52.8 | composer froxlor/froxlor | CWE-863 | Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement | ATT&CK |
| P3 | CVE-2026-46439 | HIGH | 7.8 | 0.000 | 51.8 | pip compliance-trestle | CWE-94 | compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI) | CWE!, ATT&CK |
| P3 | CVE-2026-47179 | HIGH | 7.7 | 0.000 | 51.2 | go github.com/getarcaneapp/arcane/backend | CWE-22 | Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives | CWE!, ATT&CK |
| P3 | CVE-2026-31240 | HIGH | 7.5 | 0.001 | 50.1 | pip mem0ai | CWE-306 | mem0 server lacks authentication and authorization controls for its memory management API endpoints | CWE!, ATT&CK |
| P3 | CVE-2026-35675 | HIGH | 8.2 | 0.001 | 49.3 | composer thorsten/phpmyfaq | CWE-307 | phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration | ATT&CK |
| P3 | CVE-2026-35676 | HIGH | 8.2 | 0.000 | 49.2 | composer thorsten/phpmyfaq | CWE-640 | phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation | ATT&CK |
| P3 | CVE-2025-11222 | MEDIUM | 6.1 | 0.000 | 46.6 | maven com.linecorp.centraldogma:centraldogma-server-auth-shiro | CWE-601 | Central Dogma's Login Function Has an Open Redirect Vulnerability | SUPPLY, ATT&CK |
| P3 | CVE-2023-38709 | LOW | 0.0 | 0.044 | 45.2 | Ubuntu | | USN-8338-2: Apache HTTP Server regression | |
| P3 | CVE-2026-46380 | MEDIUM | 6.7 | 0.000 | 45.2 | pip compliance-trestle | CWE-918 | compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem | CWE!, ATT&CK |
| P3 | CVE-2026-31246 | MEDIUM | 6.5 | 0.010 | 45.2 | pip gpt-pilot | CWE-78 | GPT-Pilot contains a command injection vulnerability in the Executor.run() method | CWE!, ATT&CK |
| P3 | CVE-2026-35672 | HIGH | 7.5 | 0.001 | 45.1 | composer thorsten/phpmyfaq | CWE-1188 | phpMyFAQ: Default Empty API Token Authentication Bypass | ATT&CK |
| P3 | CVE-2026-45332 | HIGH | 7.5 | 0.000 | 45.0 | composer automad/automad | CWE-200 | Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint | |
| P3 | CVE-2026-48501 | HIGH | 7.4 | 0.000 | 44.4 | go github.com/cli/cli/v2 | CWE-863 | GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands | |
| P3 | CVE-2026-44726 | HIGH | 7.4 | 0.000 | 44.4 | rust deno | CWE-319 | Deno's TLS retry copies stale upgrade hook, risking plaintext traffic | |
| P3 | CVE-2026-31241 | MEDIUM | 6.5 | 0.002 | 44.2 | pip mem0ai | CWE-306 | mem0 server lacks authentication and authorization controls for its memory deletion API endpoint | CWE!, ATT&CK |
| P3 | CVE-2026-34531 | MEDIUM | 6.5 | 0.000 | 44.0 | pip Flask-HTTPAuth | CWE-287 | Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client | CWE!, ATT&CK |
| P3 | CVE-2025-46734 | MEDIUM | 6.4 | 0.001 | 43.5 | composer league/commonmark | CWE-79 | league/commonmark contains a XSS vulnerability in Attributes extension | CWE!, ATT&CK |
| P3 | CVE-2023-45802 | LOW | 0.0 | 0.028 | 43.4 | Ubuntu | | USN-8338-2: Apache HTTP Server regression | |
| P3 | CVE-2026-44730 | HIGH | 7.2 | 0.000 | 43.2 | pip pycti | CWE-284 | OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd | |
| P3 | CVE-2026-44982 | HIGH | 7.2 | 0.000 | 43.2 | go github.com/crowdsecurity/crowdsec | CWE-693 | CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests | |
| P3 | CVE-2018-19869 | LOW | 0.0 | 0.017 | 42.0 | Ubuntu | | USN-8337-1: QtSvg vulnerabilities | |
| P3 | CVE-2026-22016 | LOW | 0.0 | 0.002 | 40.2 | Ubuntu | | USN-8341-1: OpenJDK 26 vulnerabilities | ATT&CK |
| P3 | CVE-2026-34282 | LOW | 0.0 | 0.001 | 40.1 | Ubuntu | | USN-8341-1: OpenJDK 26 vulnerabilities | ATT&CK |
| P3 | CVE-2021-3481 | LOW | 0.0 | 0.001 | 40.1 | Ubuntu | | USN-8337-1: QtSvg vulnerabilities | |
| P3 | CVE-2024-35195 | LOW | 0.0 | 0.000 | 40.1 | Ubuntu | | USN-8344-1: pip vulnerabilities | ATT&CK |
| P3 | CVE-2025-66418 | LOW | 0.0 | 0.000 | 40.0 | Ubuntu | | USN-8344-1: pip vulnerabilities | ATT&CK |
| P3 | CVE-2026-44490 | MEDIUM | 4.8 | 0.000 | 38.8 | npm axios | CWE-1321 | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | SUPPLY, ATT&CK |
| P3 | CVE-2026-45703 | MEDIUM | 6.4 | 0.000 | 38.4 | composer pimcore/pimcore | CWE-863 | Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export | ATT&CK |
| P3 | CVE-2026-47144 | MEDIUM | 5.5 | 0.000 | 38.0 | pip shamefile | CWE-22 | Shamefile has an arbitrary file read via shamefile.yaml in shame next | CWE!, ATT&CK |
| P3 | CVE-2026-31245 | MEDIUM | 5.3 | 0.001 | 36.9 | pip mem0ai | CWE-306 | mem0 server lacks authentication and authorization controls for its memory creation API endpoint | CWE!, ATT&CK |
| P3 | CVE-2026-47128 | MEDIUM | 6.1 | 0.000 | 36.6 | rust nono-cli | CWE-863 | nono: Sandbox escape on Linux via D-Bus: `systemd-run --user` | |
| P3 | CVE-2026-40091 | MEDIUM | 6.0 | 0.000 | 36.0 | go github.com/authzed/spicedb | CWE-532 | SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs | |
| P3 | CVE-2026-44997 | MEDIUM | 4.3 | 0.000 | 35.8 | npm openclaw | CWE-277 | OpenClaw's ACP child sessions inherit subagent security envelope constraints | SUPPLY, ATT&CK |
| P3 | CVE-2026-8766 | LOW | 4.3 | 0.000 | 35.8 | npm @kilocode/cli | CWE-200 | @kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor | SUPPLY, ATT&CK |
| P3 | CVE-2026-44991 | MEDIUM | 4.2 | 0.000 | 35.2 | npm openclaw | CWE-862 | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners | SUPPLY, ATT&CK |
| P3 | CVE-2026-46526 | MEDIUM | 5.0 | 0.000 | 35.0 | pip local-deep-research | CWE-918 | local-deep-research has an SSRF bypass in `safe_get` | CWE!, ATT&CK |
| P3 | CVE-2026-44489 | LOW | 3.7 | 0.000 | 32.2 | npm axios | CWE-113 | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix | SUPPLY, ATT&CK |
| P3 | CVE-2026-46405 | MEDIUM | 5.3 | 0.000 | 31.8 | go github.com/openbao/openbao | CWE-770 | OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens | ATT&CK |
| P3 | CVE-2026-41178 | MEDIUM | 5.3 | 0.000 | 31.8 | go go.opentelemetry.io/otel/baggage | CWE-789 | opentelemetry-go's baggage parsing no longer caps raw header length | |
| P3 | CVE-2026-8780 | LOW | 4.3 | 0.001 | 30.9 | go github.com/omec-project/amf | CWE-119 | AMF Improperly Restricts Operations within the Bounds of a Memory Buffer | CWE!, ATT&CK |
| P3 | CVE-2026-8779 | LOW | 4.3 | 0.001 | 30.9 | go github.com/omec-project/amf | CWE-119 | AMF Improperly Restricts Operations within the Bounds of a Memory Buffer | CWE!, ATT&CK |
| P3 | CVE-2026-30963 | LOW | 3.9 | 0.000 | 28.4 | go github.com/projectcapsule/capsule | CWE-20 | Capsule Namespace Hijacking via subresource | CWE!, ATT&CK |
| P3 | CVE-2026-4054 | MEDIUM | 4.3 | 0.001 | 25.9 | go github.com/mattermost/mattermost-server | CWE-754 | Mattermost doesn't validate the response body of proxied images | ATT&CK |
| P3 | CVE-2026-8782 | LOW | 4.3 | 0.001 | 25.9 | go github.com/omec-project/amf | CWE-404 | AMF Vulnerable to Improper Resource Shutdown or Release | ATT&CK |
| P3 | CVE-2026-8781 | LOW | 4.3 | 0.001 | 25.9 | go github.com/omec-project/amf | CWE-404 | AMF Vulnerable to Improper Resource Shutdown or Release | ATT&CK |
| P3 | CVE-2026-8783 | LOW | 4.3 | 0.000 | 25.8 | go github.com/omec-project/amf | CWE-404 | AMF Vulnerable to Improper Resource Shutdown or Release | ATT&CK |
| P3 | GHSA-qp9x-wp8f-qgjj | MEDIUM | 4.0 | 0.000 | 24.0 | pip tuf | CWE-178 | tuf has platform-dependent delegation path matching | ATT&CK |
| P3 | CVE-2026-4053 | LOW | 3.1 | 0.001 | 18.7 | go github.com/mattermost/mattermost-server | CWE-672 | Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields | ATT&CK |
| P3 | GHSA-93rg-2xm5-2p9v | MEDIUM | 0.0 | 0.000 | 15.0 | npm openclaw | CWE-287 | OpenClaw's Gateway Control UI bootstrap config required Gateway auth | CWE!, SUPPLY, ATT&CK |
| P3 | GHSA-gfg9-5357-hv4c | MEDIUM | 0.0 | 0.000 | 15.0 | npm openclaw | CWE-22 | OpenClaw: Webchat audio embedding could read local files without local-root containment | CWE!, SUPPLY, ATT&CK |
| P3 | CVE-2026-47718 | MEDIUM | 0.0 | 0.000 | 15.0 | npm fuxa-server | CWE-287 | FUXA provides guest and invalid-token access to protected read APIs in secure mode | CWE!, SUPPLY, ATT&CK |
| P3 | CVE-2026-41237 | MEDIUM | 0.0 | 0.000 | 10.0 | composer froxlor/froxlor | CWE-74 | Froxlor has an incomplete fix for CVE-2026-30932 | SUPPLY, ATT&CK |
| P3 | CVE-2025-54957 | LOW | 0.0 | 0.000 | 8.0 | | | GPZ: A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens | PoC |
| P3 | CVE-2025-55743 | HIGH | 0.0 | 0.001 | 5.2 | composer unopim/unopim | CWE-434 | UnoPim vulnerable to remote code execution through Arbitrary File upload | CWE!, ATT&CK |
| P3 | CVE-2026-5394 | HIGH | 0.0 | 0.000 | 5.0 | composer pimcore/pimcore | CWE-89 | Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save | CWE!, ATT&CK |
| P3 | CVE-2026-42563 | HIGH | 0.0 | 0.000 | 5.0 | pip dulwich | CWE-78 | Dulwich Vulnerable to Command Injection via Merge Driver Path | CWE!, ATT&CK |
| P3 | GHSA-c8g3-x47w-8q7p | HIGH | 0.0 | 0.000 | 5.0 | composer pimcore/pimcore | CWE-89 | Duplicate Advisory: Pimcore admin users can trigger SQL Injection | CWE!, ATT&CK |
| P3 | CVE-2026-45774 | MEDIUM | 0.0 | 0.000 | 5.0 | pip compliance-trestle | CWE-22 | compliance-trestle Profile Import has an Arbitrary File Read via trestle:// URI and Relative Path Traversal | CWE!, ATT&CK |
| P3 | CVE-2026-45755 | MEDIUM | 0.0 | 0.000 | 5.0 | composer symfony/mailtrap-mailer | CWE-306 | Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection | CWE!, ATT&CK |
| P3 | CVE-2026-45754 | MEDIUM | 0.0 | 0.000 | 5.0 | composer symfony/lox24-notifier | CWE-287 | Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection | CWE!, ATT&CK |
| P3 | CVE-2026-22872 | MEDIUM | 0.0 | 0.000 | 5.0 | go github.com/projectcapsule/capsule | CWE-20 | Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability | CWE!, ATT&CK |
| P3 | CVE-2026-45753 | LOW | 0.0 | 0.000 | 5.0 | composer symfony/html-sanitizer | CWE-79 | Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS) | CWE!, ATT&CK |
| P3 | CVE-2026-47243 | HIGH | 0.0 | 0.000 | 5.0 | go github.com/kata-containers/kata-containers | CWE-22 | Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs | CWE!, ATT&CK |
| P3 | CVE-2026-45309 | MEDIUM | 0.0 | 0.000 | 5.0 | pip asyncssh | CWE-22 | AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username | CWE!, ATT&CK |
| P3 | CVE-2026-45073 | MEDIUM | 0.0 | 0.000 | 5.0 | composer symfony/cache | CWE-89 | Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix | CWE!, ATT&CK |
| P3 | CVE-2026-45072 | LOW | 0.0 | 0.000 | 5.0 | composer symfony/symfony | CWE-79 | Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering | CWE!, ATT&CK |
| P3 | CVE-2026-45071 | LOW | 0.0 | 0.000 | 5.0 | composer symfony/dom-crawler | CWE-611 | Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true | CWE!, ATT&CK |
| P3 | CVE-2026-46644 | LOW | 0.0 | 0.000 | 0.0 | composer symfony/polyfill | CWE-1289 | symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form | ATT&CK |
| P3 | CVE-2026-46358 | MEDIUM | 0.0 | 0.000 | 0.0 | go github.com/openbao/openbao | CWE-532 | OpenBao's Inline Auth Incorrectly Redacted Headers | ATT&CK |
| P3 | CVE-2026-45808 | HIGH | 0.0 | 0.000 | 0.0 | go github.com/openbao/openbao | CWE-863 | OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL | ATT&CK |
| P3 | CVE-2026-45756 | LOW | 0.0 | 0.000 | 0.0 | composer symfony/json-path | CWE-400 | Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS | |
| P3 | CVE-2026-45287 | LOW | 0.0 | 0.000 | 0.0 | go go.opentelemetry.io/otel/schema/v1.1 | CWE-772 | opentelemetry-go's Schema ParseFile leaks file descriptors on each parse | |
| P3 | CVE-2026-45725 | HIGH | 0.0 | 0.000 | 0.0 | pip compliance-trestle | CWE-73 | compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal | ATT&CK |
| P3 | CVE-2026-45704 | HIGH | 0.0 | 0.000 | 0.0 | composer pimcore/pimcore | CWE-863 | Pimcore has a CustomReports Share Bypass | |
| P3 | CVE-2026-45305 | LOW | 0.0 | 0.000 | 0.0 | composer symfony/yaml | CWE-1333 | Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex | |
| P3 | CVE-2026-45304 | LOW | 0.0 | 0.000 | 0.0 | composer symfony/yaml | CWE-776 | Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") | |
| P3 | CVE-2026-45133 | LOW | 0.0 | 0.000 | 0.0 | composer symfony/yaml | CWE-674 | Symfony hardened the parser when handling untrusted input | |
| P3 | CVE-2026-45075 | MEDIUM | 0.0 | 0.000 | 0.0 | composer symfony/http-kernel | CWE-863 | Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] | ATT&CK |
| P3 | CVE-2026-45070 | MEDIUM | 0.0 | 0.000 | 0.0 | composer symfony/mime | CWE-93 | Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names | ATT&CK |
| P3 | CVE-2026-45069 | MEDIUM | 0.0 | 0.000 | 0.0 | composer symfony/security-http | CWE-345 | Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims | |
| P3 | CVE-2026-45068 | MEDIUM | 0.0 | 0.000 | 0.0 | composer symfony/mailer | CWE-88 | Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address | ATT&CK |
| P3 | CVE-2026-45067 | HIGH | 0.0 | 0.000 | 0.0 | composer symfony/mime | CWE-93 | Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address | ATT&CK |
| P3 | CVE-2026-45066 | MEDIUM | 0.0 | 0.000 | 0.0 | composer symfony/html-sanitizer | CWE-184 | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification | |
| P3 | CVE-2026-45064 | MEDIUM | 0.0 | 0.000 | 0.0 | composer symfony/html-sanitizer | CWE-451 | Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing | |
| P3 | CVE-2026-44981 | MEDIUM | 0.0 | 0.000 | 0.0 | go github.com/crowdsecurity/crowdsec | CWE-409 | CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression | ATT&CK |