{
  "critical_count": 612,
  "critical_cves": [
    {
      "cvss_score": 9.8,
      "description": "An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based o",
      "epss_score": 0.01268,
      "id": "CVE-2026-36829"
    },
    {
      "cvss_score": 9.1,
      "description": "In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sens",
      "epss_score": 0.00448,
      "id": "CVE-2026-8602"
    },
    {
      "cvss_score": 9.8,
      "description": "In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.",
      "epss_score": 0.01317,
      "id": "CVE-2026-8603"
    },
    {
      "cvss_score": 9.8,
      "description": "In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.",
      "epss_score": 0.00387,
      "id": "CVE-2026-8605"
    },
    {
      "cvss_score": 9.9,
      "description": "Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 3",
      "epss_score": 0.00286,
      "id": "CVE-2026-33642"
    }
  ],
  "high_count": 2644,
  "high_risk_cves": [
    {
      "cvss_score": 7.5,
      "description": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process m",
      "epss_score": 0.99999,
      "id": "CVE-2014-0160",
      "is_kev": true,
      "severity": "HIGH"
    },
    {
      "cvss_score": 9.8,
      "description": "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as",
      "epss_score": 0.99999,
      "id": "CVE-2014-6271",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.8,
      "description": "HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests",
      "epss_score": 0.99999,
      "id": "CVE-2015-1635",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.8,
      "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows re",
      "epss_score": 0.99999,
      "id": "CVE-2017-5638",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.8,
      "description": "Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a \"<?php \" substring, as demonstrated by a",
      "epss_score": 0.99999,
      "id": "CVE-2017-9841",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 10.0,
      "description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary ",
      "epss_score": 0.99999,
      "id": "CVE-2019-11510",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.8,
      "description": "A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially",
      "epss_score": 0.99999,
      "id": "CVE-2019-0708",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.1,
      "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to ",
      "epss_score": 0.99999,
      "id": "CVE-2018-13379",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.8,
      "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.",
      "epss_score": 0.99999,
      "id": "CVE-2019-19781",
      "is_kev": true,
      "severity": "CRITICAL"
    },
    {
      "cvss_score": 9.8,
      "description": "In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility,",
      "epss_score": 0.99999,
      "id": "CVE-2020-5902",
      "is_kev": true,
      "severity": "CRITICAL"
    }
  ],
  "kev_added": 30,
  "last_sync": "2026-06-18T17:00:34.969408",
  "low_count": 239,
  "medium_count": 2555,
  "news_articles": 342,
  "news_sources": 4,
  "period_end": "2026-06-18",
  "period_start": "2026-05-19",
  "severity_breakdown": {
    "CRITICAL": 612,
    "HIGH": 2644,
    "LOW": 239,
    "MEDIUM": 2555,
    "NONE": 1,
    "Unknown": 763
  },
  "total_new_cves": 6814
}
