● Live research · auto-updated 2026-07-11
The Exploitation Gap
CISA's Known Exploited Vulnerabilities catalog tracks in-the-wild exploitation. Public exploit code is a different signal — and it often exists where KEV is silent. CSIRTS.com cross-references the KEV catalog against four public exploit datasets (Metasploit, Exploit-DB, Nuclei templates, PoC-in-GitHub) on every ingest cycle. This page is the live result.
The gap list — patch-priority candidates KEV hasn't flagged
These CVEs have working public exploit code right now but no KEV entry — the classic window where opportunistic exploitation starts. Sorted by severity, then CVSS. This table regenerates from the live database; deep links go to the full CVE record.
| CVE | Severity | CVSS | Exploit source | Description |
|---|---|---|---|---|
| CVE-2026-13768 | critical | 10 | poc-github | Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio dev |
| CVE-2026-50746 | critical | 10 | poc-github | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device. |
| CVE-2026-49869 | critical | 10 | poc-github | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint fro |
| CVE-2026-54350 | critical | 10 | poc-github | Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-wit |
| CVE-2026-34038 | critical | 9.9 | poc-github | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allo |
| CVE-2026-11405 | critical | 9.8 | poc-github | The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification |
| CVE-2026-20896 | critical | 9.8 | poc-github | Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are ena |
| CVE-2026-5524 | critical | 9.8 | poc-github | The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the d |
| CVE-2026-51947 | critical | 9.8 | poc-github | An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 and Patch_CWE502_20260316.zip) allows a remote attacker to execute arbitrary code via the Pivotal.Eng |
| CVE-2026-57517 | critical | 9.8 | poc-github | Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST para |
| CVE-2026-11387 | critical | 9.8 | poc-github | The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This i |
| CVE-2026-58138 | critical | 9.8 | poc-github | Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing mal |
| CVE-2026-58116 | critical | 9.8 | poc-github | LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. |
| CVE-2026-56782 | critical | 9.8 | nuclei, poc-github | Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which i |
| CVE-2026-49048 | critical | 9.8 | poc-github | The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation. |
| CVE-2026-12415 | critical | 9.8 | poc-github | The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is |
| CVE-2026-22874 | critical | 9.6 | poc-github | Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering. |
| CVE-2026-14382 | critical | 9.6 | poc-github | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-48313 | critical | 9.3 | nuclei | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited wr |
| CVE-2026-40047 | critical | 9.1 | poc-github | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembl |
| CVE-2026-23697 | high | 8.8 | poc-github | Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents |
| CVE-2026-14459 | high | 8.8 | poc-github | Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute pardus-software allows Argument Injection. This issue affects p |
| CVE-2026-54998 | high | 8.8 | poc-github | Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-12277 | high | 8.7 | poc-github | The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the se |
| CVE-2026-54424 | high | 8.4 | poc-github | An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows v |
| CVE-2026-27771 | high | 8.2 | nuclei, poc-github | Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information. |
| CVE-2025-45422 | high | 8.1 | poc-github | Incorrect access control in Proximus b-box v8c.725A allows authenticated attackers to bypass normal restrictions and make arbitrary changes to port forwarding rules. |
| CVE-2026-28699 | high | 8.1 | poc-github | Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication. |
| CVE-2026-43735 | high | 8.1 | poc-github | The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin. |
| CVE-2026-56876 | high | 8.1 | poc-github | extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symli |
KEV additions per month
Confirmed in-the-wild exploitation added to the CISA KEV catalog, last 12 months. The current month is shown to date.
Most-exploited vendors — last 90 days
Vendors with the most actively-exploited advisories across our 24 sources.
Methodology
Exploit availability is synced daily from four public datasets — the Metasploit module index, the Exploit-DB CSV, ProjectDiscovery's Nuclei CVE templates and the nomi-sec PoC-in-GitHub index. KEV membership comes from the CISA KEV JSON feed on every 3-hour ingest cycle. “Exploit code public” means at least one dataset references the CVE; it does not confirm in-the-wild exploitation — that is exactly the gap this page measures. Download the full dataset as JSON or CSV (CC BY 4.0, see /data), or query it live via the JSON API, RSS or the MCP server.
Cite or share this page
Data is CC BY 4.0 — reuse it with a link. Suggested citation: CSIRTS.com, “The Exploitation Gap”, 2026-07-11, https://www.csirts.com/research