CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

● Live research · auto-updated 2026-07-11

The Exploitation Gap

CISA's Known Exploited Vulnerabilities catalog tracks in-the-wild exploitation. Public exploit code is a different signal — and it often exists where KEV is silent. CSIRTS.com cross-references the KEV catalog against four public exploit datasets (Metasploit, Exploit-DB, Nuclei templates, PoC-in-GitHub) on every ingest cycle. This page is the live result.

Exploit code public · not in KEV
73
Of those critical / high
54
KEV entries with public exploits
66%
KEV catalog tracked
1,637

The gap list — patch-priority candidates KEV hasn't flagged

These CVEs have working public exploit code right now but no KEV entry — the classic window where opportunistic exploitation starts. Sorted by severity, then CVSS. This table regenerates from the live database; deep links go to the full CVE record.

CVESeverityCVSSExploit sourceDescription
CVE-2026-13768critical10poc-githubGardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio dev
CVE-2026-50746critical10poc-githubA malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device.
CVE-2026-49869critical10poc-githubKestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint fro
CVE-2026-54350critical10poc-githubBudibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-wit
CVE-2026-34038critical9.9poc-githubCoolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allo
CVE-2026-11405critical9.8poc-githubThe web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification
CVE-2026-20896critical9.8poc-githubGitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are ena
CVE-2026-5524critical9.8poc-githubThe Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the d
CVE-2026-51947critical9.8poc-githubAn issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 and Patch_CWE502_20260316.zip) allows a remote attacker to execute arbitrary code via the Pivotal.Eng
CVE-2026-57517critical9.8poc-githubControl Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST para
CVE-2026-11387critical9.8poc-githubThe SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This i
CVE-2026-58138critical9.8poc-githubOrkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing mal
CVE-2026-58116critical9.8poc-githubLLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces.
CVE-2026-56782critical9.8nuclei, poc-githubGorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which i
CVE-2026-49048critical9.8poc-githubThe Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.
CVE-2026-12415critical9.8poc-githubThe Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is
CVE-2026-22874critical9.6poc-githubGitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
CVE-2026-14382critical9.6poc-githubInsufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-48313critical9.3nucleiColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited wr
CVE-2026-40047critical9.1poc-githubImproper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembl
CVE-2026-23697high8.8poc-githubVtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents
CVE-2026-14459high8.8poc-githubImproper neutralization of argument delimiters in a command ('argument injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute pardus-software allows Argument Injection. This issue affects p
CVE-2026-54998high8.8poc-githubIncorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
CVE-2026-12277high8.7poc-githubThe Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the se
CVE-2026-54424high8.4poc-githubAn Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows v
CVE-2026-27771high8.2nuclei, poc-githubGitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.
CVE-2025-45422high8.1poc-githubIncorrect access control in Proximus b-box v8c.725A allows authenticated attackers to bypass normal restrictions and make arbitrary changes to port forwarding rules.
CVE-2026-28699high8.1poc-githubGitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
CVE-2026-43735high8.1poc-githubThe issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
CVE-2026-56876high8.1poc-githubextract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symli

KEV additions per month

Confirmed in-the-wild exploitation added to the CISA KEV catalog, last 12 months. The current month is shown to date.

2025-08: 15 KEV additionsAug2025-09: 16 KEV additionsSep2025-10: 31 KEV additions31Oct2025-11: 11 KEV additionsNov2025-12: 20 KEV additionsDec2026-01: 17 KEV additionsJan2026-02: 28 KEV additionsFeb2026-03: 26 KEV additionsMar2026-04: 31 KEV additionsApr2026-05: 21 KEV additionsMay2026-06: 23 KEV additionsJun2026-07: 7 KEV additions (month to date)7Jul
KEV additions per month: 2025-08: 15; 2025-09: 16; 2025-10: 31; 2025-11: 11; 2025-12: 20; 2026-01: 17; 2026-02: 28; 2026-03: 26; 2026-04: 31; 2026-05: 21; 2026-06: 23; 2026-07: 7.

Most-exploited vendors — last 90 days

Vendors with the most actively-exploited advisories across our 24 sources.

Methodology

Exploit availability is synced daily from four public datasets — the Metasploit module index, the Exploit-DB CSV, ProjectDiscovery's Nuclei CVE templates and the nomi-sec PoC-in-GitHub index. KEV membership comes from the CISA KEV JSON feed on every 3-hour ingest cycle. “Exploit code public” means at least one dataset references the CVE; it does not confirm in-the-wild exploitation — that is exactly the gap this page measures. Download the full dataset as JSON or CSV (CC BY 4.0, see /data), or query it live via the JSON API, RSS or the MCP server.

Cite or share this page

Data is CC BY 4.0 — reuse it with a link. Suggested citation: CSIRTS.com, “The Exploitation Gap”, 2026-07-11, https://www.csirts.com/research