Top Exploited Vulnerabilities

Name: Top Exploited Vulnerabilities
Creator: Rankiteo
License: https://www.rankiteo.com/our-company/terms-and-condition

The most actively exploited vulnerabilities across the companies tracked by Rankiteo. Aggregated from real incident data to help you prioritize patching.

5377

Vulnerabilities Tracked

4309

Critical Severity

639

High Severity

6,932

Total Exposures

Vulnerability Rankings

#	Vulnerability	Severity	CVSS	Incidents	Attack Type
1	Human Error	critical	10.0	143	Privacy Breach, Phishing, HIPAA Breach
2	Unauthorized Access	critical	10.0	79	Data Exfiltration, Security Concerns, Data Breach
3	Email Account	critical	8.5	54	Phishing Scam, Data Breach
4	Lack of Multi-Factor Authentication (MFA)	critical	10.0	42	Cyber Extortion, Supply Chain Attack, social engineering
5	Physical Security	critical	10.0	40	Data Breach, Data Theft
6	Human	critical	10.0	31	Phishing, Data Breach
7	Misconfiguration	critical	10.0	30	Data Exposure, API Security Breach, Supply Chain Attack
8	Email Account Compromise	critical	10.0	28	Data Breach
9	Improper Access Control	critical	10.0	28	Data Exposure, SCADA Tampering / Insider Threat, Data Breach
10	Employee Email Account	critical	8.5	27	Data Breach
11	Social Engineering	critical	10.0	26	Phishing, Financial Theft, data breach
12	Unauthorized Access to Email Account	critical	10.0	21	Data Breach, Data Theft
13	Insider Threat	critical	10.0	18	Malicious Insider, Data Breach, Unauthorized Access
14	SQL Injection	critical	10.0	17	SQL Injection, vulnerability_exploitation, Data Breach
15	Unpatched systems	critical	10.0	16	third-party breach, Ransomware, Data Breach
16	Weak password	critical	10.0	16	Data Breach, Phishing, Phishing, Espionage
17	MOVEit software vulnerability	critical	10.0	15	Data Breach
18	Improper Data Handling	critical	10.0	14	Data Exposure, Data Breach, Fraud
19	Website Vulnerability	critical	10.0	14	Data Breach
20	Unsecured Database	critical	10.0	13	Data Exposure, Data Breach, Data Leak
21	Unencrypted Data	critical	10.0	12	ransomware, data breach, Data Breach
22	Human Error (Phishing Susceptibility)	critical	10.0	12	Phishing, Data Breach (Phishing), Data Breach
23	CVE-2024-57727	critical	10.0	11	ransomware, Ransomware, Supply-Chain Attack
24	Inadequate security measures	critical	10.0	11	Data Breach
25	Weak or Stolen Credentials	critical	10.0	11	ransomware, Data Breach (General Discussion), Data Breach
26	Lack of Physical Security	critical	10.0	11	Data Breach, Data Leak, cybercrime
27	Lack of Password Protection	critical	10.0	11	Data Exposure, Data Breach
28	Compromised Email Account	critical	10.0	11	Data Breach
29	Unsecured cloud environment	critical	10.0	10	Data Breach
30	Previously unknown vulnerability	critical	10.0	10	Data Breach, Ransomware Attack, Ransomware
31	Stolen Credentials	critical	10.0	10	Phishing, Supply Chain Attack, Data Breach
32	Human Error (Social Engineering)	critical	10.0	10	Cyber Extortion, Phishing, Data Breach
33	Unsecured Laptop	critical	10.0	9	Data Breach
34	lack of access controls	critical	10.0	9	data breach, data exposure, Data Breach
35	Weak Access Controls	critical	10.0	9	Cyber Attack, Data Breach, cyber attack
36	Compromised credentials	critical	10.0	9	Extortion, Source Code Theft, Quantum Computing Threat, Data Breach
37	MOVEit Transfer application vulnerability	critical	8.5	9	Data Breach
38	Unknown	critical	10.0	8	Data Breach, Data Leak, Data Breach, Website Defacement
39	Unencrypted Laptop	critical	10.0	8	Data Breach
40	Unpatched vulnerabilities	critical	10.0	8	Ransomware, Extortion / Data Leak Threat, ransomware
41	Weak Password Policies	critical	10.0	8	election fraud, Data Breach, Ransomware
42	Outdated software	critical	10.0	8	Data Breach, Ransomware, ransomware
43	MOVEit Transfer software vulnerability	critical	8.5	8	Data Breach
44	Unencrypted Data Storage	critical	8.5	8	Data Breach, Data Security Incident
45	Zero-day vulnerability	critical	10.0	7	Data Breach, Ransomware Attack, Cyber Attack
46	CVE-2025-55182 (React2Shell)	critical	10.0	7	Vulnerability Exploitation, Credential Theft, Ransomware
47	Unprotected Database	critical	10.0	7	Data Exposure, Data Breach, Data Leak
48	Lack of MFA	critical	10.0	7	Data Breach, Social Engineering, Compliance Failure
49	Inadequately secured network	critical	10.0	7	Data Breach
50	MOVEit file transfer software	critical	10.0	7	Data Breach, Ransomware Attack, Ransomware
51	Unpatched vulnerability	critical	10.0	7	Ransomware Attack, Data Breach, Ransomware, Data Breach
52	Inadequate Access Controls	critical	10.0	7	Data Breach, Data Breach Risk, ransomware
53	Lack of Network Segmentation	critical	10.0	7	Cyber-Physical Attack, Data Breach, cyber-espionage
54	MOVEit Transfer software	critical	8.5	7	Data Breach
55	Configuration Error	critical	8.5	7	Data Breach, Data Leak
56	Email Compromise	critical	8.5	7	Data Breach
57	MOVEit file transfer software vulnerability	critical	10.0	6	Data Breach, Ransomware, Cyber Attack
58	Phishing	critical	10.0	6	Phishing, Ransomware, Phishing Attack
59	CVE-2024-57726	critical	10.0	6	ransomware, Ransomware, Supply-Chain Attack
60	CVE-2025-47812	critical	10.0	6	Information Disclosure, Remote Code Execution, Vulnerability Exploitation, Remote Code Execution
61	Weak OAuth Token Security	critical	10.0	6	Data Breach, Supply Chain Attack
62	MOVEit Transfer application	critical	10.0	6	Data Breach
63	CVE-2024-57728	critical	10.0	6	ransomware, Ransomware, Supply-Chain Attack
64	Human Factor	critical	10.0	6	Social Engineering, Ransomware, Phishing Attack, Data Breach
65	Software Vulnerability	critical	10.0	6	Data Breach, Cyber Attack
66	Zero-day vulnerabilities	critical	10.0	6	Ransomware, Zero-day Exploit, Cyber Espionage
67	Lack of Multi-Factor Authentication (MFA) Enforcement	critical	10.0	6	Phishing, Data Breach, phishing
68	Lack of Multifactor Authentication (MFA)	critical	10.0	6	Ransomware, Unauthorized Access, Data Breach
69	unpatched software	critical	10.0	6	ransomware, general cybersecurity awareness, Data Breach
70	MOVEit Transfer	critical	8.5	6	Data Breach, Cyber Attack
71	Weak or Reused Passwords	critical	8.5	6	Credential-Stuffing Attack, Account Compromise, Data Breach
72	Unauthorized Data Transfer	critical	8.0	6	Data Breach
73	CVE-2025-61882	critical	10.0	5	ransomware, Cyberattack, Data Breach
74	CVE-2025-11953	critical	10.0	5	Botnet Infection, OS Command Injection, Remote Code Execution (RCE)
75	CVE-2023-27532	critical	10.0	5	ransomware, Ransomware Attack, Cyber Intrusion
76	Human Error (Phishing)	critical	10.0	5	Targeted Cyberattack, Data Breach, Targeted Attack
77	React2Shell	critical	10.0	5	Web Traffic Hijacking, Data Breach, Malware Campaign
78	CVE-2023-34362	critical	10.0	5	Data Breach, Ransomware, Data Breach and Ransomware Attack
79	CVE-2025-61882 (Oracle E-Business Suite)	critical	10.0	5	Data Breach, Ransomware, Data Breach, Cybercriminal Alliance Formation
80	Default credentials	critical	10.0	5	DDoS Attack, Data Breach, Ransomware
81	Unsecured cloud storage	critical	10.0	5	Data Exposure, Data Breach, Data Leak
82	Insecure Direct Object Reference (IDOR)	critical	10.0	5	unauthorized access, Data Breach, API Vulnerability
83	Online Payment System	critical	10.0	5	Data Breach
84	Human Vulnerability	critical	10.0	5	Sex Trafficking and Deepfake Pornography, Phishing, Data Breach
85	Weak authentication	critical	10.0	5	Ransomware, Data Breach, Cyber Espionage
86	Legacy systems	critical	10.0	5	ransomware, Cyberattack, Data Breach
87	Insufficient access controls	critical	10.0	5	data breach, Data Breach, Supply Chain Attack
88	MOVEit Transfer programme	critical	8.5	5	Data Breach
89	Human (Employee Email Compromise)	critical	8.5	5	Data Breach
90	Lack of Authentication	critical	8.5	5	Data Exposure, Data Leak
91	Password Reuse	critical	8.5	5	Credential Theft, Data Breach, Credential Leak
92	Inadequate data protection measures	critical	8.5	5	Data Breach
93	Lack of Encryption and Password Protection	critical	8.5	5	Data Exposure, Data Breach, data breach
94	Email Phishing Scam	high	6.0	5	Data Breach
95	Email Phishing	high	6.0	5	Data Breach
96	human trust	critical	10.0	4	social engineering, fraud, phishing
97	Security breach on a third-party vendor	critical	10.0	4	Data Breach
98	Unknown vulnerability	critical	10.0	4	Data Breach, Ransomware, Data Breach, Ransomware Attack
99	Cloudbleed	critical	10.0	4	Data Breach
100	Weak or Compromised Credentials	critical	10.0	4	Cyberattack, Data Breach
101	CVE-2025-49706	critical	10.0	4	Cyber Espionage, Cyberattack, Ransomware
102	Internal Access	critical	10.0	4	Data Breach, Data Theft
103	CVE-2025-49704	critical	10.0	4	Cyber Espionage, Cyberattack, Ransomware
104	MOVEit Transfer tool	critical	10.0	4	Data Breach
105	CVE-2025-53770	critical	10.0	4	Cyberattack, Ransomware Attack, Ransomware
106	Web Application Vulnerability	critical	10.0	4	Data Breach, Cyber Attack
107	Zero-day vulnerability in MOVEit Transfer programme	critical	10.0	4	Data Breach
108	MOVEit	critical	10.0	4	Data Breach, Ransomware
109	CVE-2024-40711	critical	10.0	4	ransomware, Ransomware, Vulnerability
110	SonicWall firewall vulnerability	critical	10.0	4	Data Breach, Ransomware
111	Insufficient Employee Training	critical	10.0	4	Data Breach, Data Breach Risk, Cyber Attack
112	MOVEit file transfer software vulnerabilities	critical	10.0	4	Data Breach, Ransomware Attack, Data Breach, Unauthorized Access
113	Network Vulnerability	critical	10.0	4	Ransomware Attack, Data Breach
114	Cloud misconfiguration	critical	10.0	4	Data Breach, Data Breach, Extortion, Cloud Misconfiguration Exploitation
115	Employee credentials	critical	10.0	4	Data Breach, Phishing, Data Breach, Phishing Attack
116	Publicly Accessible Server	critical	10.0	4	Data Exposure, data exposure, Data Breach
117	Weak email security	critical	10.0	4	Cyberattack, Data Breach, defacement
118	Point-of-Sale System	critical	10.0	4	Data Breach
119	Inadequate employee training	critical	10.0	4	Data Leakage, Data Breach, phishing
120	Reused Passwords	critical	10.0	4	Account Compromise, Data Breach, data breach (unverified)
121	Lack of Encryption	critical	8.5	4	Data Breach
122	Coding Error	critical	8.5	4	Data Breach
123	MOVEit Transfer vulnerability	critical	8.5	4	Data Breach
124	Unsecured Server	critical	8.5	4	Data Breach, Data Leak
125	Compromised login credentials	critical	8.5	4	Data Breach
126	Unauthorized Access by Former Employee	critical	8.5	4	Data Breach
127	Compromised Employee Email Account	critical	8.5	4	Data Breach
128	Publicly Accessible Database	critical	8.5	4	Data Exposure, Data Breach, Data Leak
129	Inadequately secured systems	critical	10.0	3	Data Breach
130	CVE-2025-53521	critical	10.0	3	Vulnerability Exploitation, Remote Code Execution (RCE)
131	Lack of Oversight	critical	10.0	3	Data Breach (Alleged), Data Breach, Unauthorized Disclosure
132	CVE-2026-23760	critical	10.0	3	Ransomware, Ransomware Attack, Remote Code Execution (RCE)
133	Weak Authentication System	critical	10.0	3	Data Breach
134	Lack of Role-Based Access Control (RBAC)	critical	10.0	3	Data Breach, Data Breach Risk
135	Microsoft Exchange Server	critical	10.0	3	Cyber Espionage, Ransomware, Security Breach
136	CVE-2024-7029	critical	10.0	3	Malware, Botnet
137	CVE-2026-31431 (Copy Fail)	critical	10.0	3	Privilege Escalation
138	CVE-2024-40766	critical	10.0	3	Ransomware
139	CVE-2026-20963	critical	10.0	3	Vulnerability Exploitation, Cyberespionage, Remote Code Execution (RCE)
140	React2Shell vulnerability	critical	10.0	3	Data Breach, Ransomware
141	Stolen Employee Credentials	critical	10.0	3	Data Breach
142	SQL Injection Flaws	critical	10.0	3	Data Breach
143	Supply chain vulnerabilities	critical	10.0	3	Data Breach, Ransomware
144	Third-party software vulnerability	critical	10.0	3	Data Breach, Ransomware Attack
145	Weak or Reused Credentials	critical	10.0	3	Data Breach, Unauthorized Access
146	CVE-2021-36942 (PetitPotam)	critical	10.0	3	Cyber Espionage
147	CVE-2023-27351 (PaperCut)	critical	10.0	3	ransomware, Ransomware
148	External System Breach	critical	10.0	3	Data Breach
149	Unauthorized Access to Sensitive Data	critical	10.0	3	Extortion, Data Breach
150	Weak Password Security	critical	10.0	3	Data Breach
151	CVE-2026-21509	critical	10.0	3	Zero-Day Vulnerability, Zero-day exploitation
152	Lack of Data Encryption	critical	10.0	3	Data Breach
153	CVE-2025-53771	critical	10.0	3	Ransomware Attack, Ransomware
154	Excessive Permissions	critical	10.0	3	Data Breach, Malware Infiltration
155	null	critical	10.0	3	Data Breach and Ransomware, Data Breach, DDoS
156	CVE-2017-11882	critical	10.0	3	Cyber Espionage, cyber espionage
157	CVE-2025-5777	critical	10.0	3	Vulnerability Exploitation, ransomware, Ransomware
158	Zero-day vulnerability in Oracle’s E-Business Suite	critical	10.0	3	Data Breach, Ransomware
159	Weak/Stolen Credentials	critical	10.0	3	Data Breach
160	Weak Identity Controls	critical	10.0	3	Data Exfiltration, EDR/XDR Evasion, Data Breach
161	weak endpoint security	critical	10.0	3	ransomware, data breach, Data Breach
162	outdated systems	critical	10.0	3	ransomware, data breach, Ransomware
163	Third-party risks	critical	10.0	3	AI-driven vulnerability exploitation, Data Breach
164	Default passwords	critical	10.0	3	Exposure of Critical Infrastructure, Data Exposure, espionage
165	Weak Credential Management	critical	10.0	3	Data Breach
166	Sandbox escape	critical	10.0	3	Exploit Kit, Exploit Kit / Cyber Espionage, Espionage
167	credential harvesting	critical	10.0	3	ransomware, wire fraud, Phishing-as-a-Service (PhaaS)
168	Improper Email Handling	critical	10.0	3	Data Breach
169	lack of cybersecurity expertise	critical	10.0	3	ransomware, Data Breach
170	Poor network segmentation	critical	10.0	3	cyber attack, Ransomware
171	Zero-day exploit	critical	10.0	3	Data Breach, Ransomware, Compliance Failure
172	Misconfigured Amazon S3 bucket	critical	9.0	3	Data Breach
173	MOVEit Transfer server	critical	8.5	3	Data Breach
174	MOVEit Transfer solution	critical	8.5	3	Data Breach
175	Security Vulnerability	critical	8.5	3	Data Breach
176	Physical Theft	critical	8.5	3	Data Breach
177	Point of Sale Systems	critical	8.5	3	Data Breach
178	Weak security controls	critical	8.5	3	Data Breach, Ransomware
179	Third-party vendor vulnerability	critical	8.5	3	Data Breach
180	human trust (social engineering)	critical	8.5	3	phishing, Malware, cyber theft
181	Server Misconfiguration	critical	8.5	3	Data Breach, Botnet
182	Third-party service provider	critical	8.5	3	Data Breach
183	MOVEit file transfer application	critical	8.5	3	Data Breach
184	Payment Processing System	critical	8.5	3	Data Breach
185	Email Misconfiguration	high	6.0	3	Data Breach
186	Lack of two-factor authentication	high	6.0	3	Data Breach, Cyber Attack
187	Unauthorized Data Access	high	6.0	3	Data Exfiltration, Data Breach
188	Weak or Stolen Password	high	6.0	3	Authentication Security Improvement, Data Breach, Data Breach (Unauthorized Access)
189	Insider Access	low	0.0	3	Data Breach, Insider Threat
190	Unauthorized access to an employee’s email account	critical	10.0	2	Data Breach
191	Lack of Multi-Factor Authentication (MFA) (implied)	critical	10.0	2	Phishing, Ransomware Attack
192	CVE-2026-23760 (SmarterMail)	critical	10.0	2	ransomware, Ransomware
193	Citrix Vulnerability	critical	10.0	2	Cyberattack
194	MOVEit Transfer zero-day vulnerability	critical	10.0	2	Data Breach
195	Improper Credential Management	critical	10.0	2	Credential Exposure, Supply Chain Attack
196	Cross-Site Scripting (XSS)	critical	10.0	2	Vulnerability
197	CVE-2025-59528	critical	10.0	2	Code Injection, Remote Code Execution (RCE)
198	Human (Help Desk Personnel)	critical	10.0	2	Ransomware and Data Breach, Ransomware and Data Theft
199	CVE-2025-6543	critical	10.0	2	Zero-day exploitation, Cyber Attack
200	Human vulnerability through phishing	critical	10.0	2	Phishing, Ransomware
201	CVE-2026-34980	critical	10.0	2	Vulnerability Exploitation, Zero-Day Vulnerability
202	Unpatched IoT Devices	critical	10.0	2	Data Breach, Distributed Denial-of-Service (DDoS) Attack
203	CVE-2026-4480	critical	10.0	2	Vulnerability Exploitation, Remote Code Execution (RCE)
204	Leaked credentials	critical	10.0	2	Phishing, Cloud Misconfiguration Exploitation
205	Weak Password Management	critical	10.0	2	Data Breach, Malware Infection
206	CVE-2025-8110	critical	10.0	2	Remote Code Execution (RCE)
207	CVE-2026-24291 (RegPwn)	critical	10.0	2	Privilege Escalation
208	CVE-2024-55591	critical	10.0	2	Ransomware, Cyber-Attack
209	Unattended Devices	critical	10.0	2	Awareness Campaign, Insider Threat
210	CVE-2026-34990	critical	10.0	2	Vulnerability Exploitation, Zero-Day Vulnerability
211	CVE-2024-36401	critical	10.0	2	Malware Distribution and Data Exfiltration, Exploitation of Vulnerability
212	CVE-2025-49113	critical	10.0	2	Remote Code Execution (RCE)
213	CVE-2023-27350 (PaperCut)	critical	10.0	2	ransomware, Ransomware
214	Remote code execution	critical	10.0	2	Data Privacy and Cybersecurity Advisory, Espionage
215	Internal Account Compromise	critical	10.0	2	Data Breach
216	Non-password protected database	critical	10.0	2	Data Breach
217	Poor Data Governance	critical	10.0	2	Data Breach
218	CVE-2026-42271	critical	10.0	2	Command Injection, Remote Code Execution (RCE)
219	CVE-2024-55956	critical	10.0	2	Data Breach, Ransomware
220	Unencrypted, non-password-protected database	critical	10.0	2	Data Leak
221	Network infrastructure	critical	10.0	2	Cyber Sabotage, Data Breach
222	CVE-2025-4322	critical	10.0	2	Privilege Escalation
223	Email System Vulnerability	critical	10.0	2	Data Breach
224	CVE-unknown (MOVEit Transfer zero-day)	critical	10.0	2	ransomware, Data Breach
225	Default or Weak Credentials	critical	10.0	2	Cyberattack, Cloud Security Breach
226	Weak OAuth Token Management	critical	10.0	2	Data Breach
227	Phished login credentials	critical	10.0	2	Hack, Cyber Attack
228	SonicWall firewall	critical	10.0	2	Data Breach, Ransomware Attack
229	CVE-2025-48827	critical	10.0	2	Vulnerability Exploitation, Remote Code Execution
230	Known vulnerability that had not been patched	critical	10.0	2	Data Breach, Ransomware
231	CVE-2024-9680	critical	10.0	2	Cyber Espionage, Zero-Day Exploit
232	Known vulnerability not patched in time	critical	10.0	2	Data Breach, Ransomware
233	CVE-2025-53770 (ToolShell)	critical	10.0	2	Cyber Espionage
234	Known software vulnerabilities	critical	10.0	2	Vulnerability Exploitation, Cyber Espionage, Sabotage
235	CVE-2023-21529 (Microsoft Exchange)	critical	10.0	2	ransomware, Ransomware
236	CVE-2025-55182	critical	10.0	2	Supply Chain Attack, Remote Code Execution (RCE)
237	CVE-2024-21412	critical	10.0	2	Cyberattack, Ransomware
238	MOVEit Transfer software zero-day vulnerability	critical	10.0	2	Data Breach
239	CVE-2017-0199	critical	10.0	2	cyber espionage, Cyber Espionage
240	Oracle eBusiness Suite vulnerability	critical	10.0	2	Data Breach
241	API vulnerabilities	critical	10.0	2	Quantum Computing Threat, Data Breach
242	Outdated infrastructure	critical	10.0	2	GPS spoofing, Ransomware
243	CVE-2021-44026	critical	10.0	2	Cyberespionage, Data Breach
244	inadequate network segmentation	critical	10.0	2	ransomware
245	CVE-2024-21887	critical	10.0	2	Ransomware, Zero-Day Exploit
246	human vulnerability (social engineering)	critical	10.0	2	data breach, phishing
247	Improper security configuration	critical	10.0	2	Data Breach
248	CVE-2025-3248	critical	10.0	2	Vulnerability Exploitation, Remote Code Execution
249	CVE-2026-0920	critical	10.0	2	Backdoor
250	Human vulnerability through impersonation	critical	10.0	2	Social Engineering Attack, Data Breach
251	Oracle EBS vulnerability	critical	10.0	2	Data Breach
252	Old vulnerabilities	critical	10.0	2	Spyware, Data Theft
253	CVE-2025-1268	critical	10.0	2	Vulnerability and Potential Breach, Vulnerability
254	CVE-2024-1708 (ConnectWise ScreenConnect)	critical	10.0	2	ransomware, Ransomware
255	Weak SSH credentials	critical	10.0	2	DDoS Attack, DDoS
256	Email System	critical	10.0	2	Data Breach
257	CVE-2024-50623	critical	10.0	2	Data Breach, Ransomware
258	Signature-Based Detection Gaps	critical	10.0	2	Operational Risk, Supply Chain Attack
259	Cleo file transfer software	critical	10.0	2	Ransomware
260	CVE-2026-48710	critical	10.0	2	Command Injection, Remote Code Execution (RCE)
261	CVE-2025-33053	critical	10.0	2	Advanced Persistent Threat (APT), Remote Code Execution
262	Lack of Encryption (Data at Rest/In Transit)	critical	10.0	2	Data Breach (General Discussion), Data Breach
263	Code Vulnerability	critical	10.0	2	Data Breach
264	CVE-2025-20362	critical	10.0	2	Vulnerability Exploitation, Data Breach, Persistent Malware, Unauthorized Access
265	CI/CD pipeline compromise	critical	10.0	2	supply chain attack, Supply Chain Attack
266	Lack of Employee Awareness	critical	10.0	2	Human Error, Data Breach
267	Infostealer Malware	critical	10.0	2	Data Breach
268	CVE-2025-54309	critical	10.0	2	Zero-Day Vulnerability, Zero-Day Exploitation
269	CVE-2024-1709 (ConnectWise ScreenConnect)	critical	10.0	2	ransomware, Ransomware
270	CVE-2024-49039	critical	10.0	2	Cyber Espionage, Zero-Day Exploit
271	CVE-2024-27198 (JetBrains TeamCity)	critical	10.0	2	ransomware, Ransomware
272	CVE-2017-17215	critical	10.0	2	Malware, Botnet
273	EternalBlue	critical	10.0	2	Ransomware
274	CVE-2024-1086	critical	10.0	2	vulnerability exploitation, Privilege Escalation
275	CVE-2026-20131 (Cisco Secure Firewall Management Center)	critical	10.0	2	ransomware, Ransomware
276	CVE-2025-7775 (Citrix NetScaler)	critical	10.0	2	Ransomware
277	Oracle eBusiness Suite security flaw	critical	10.0	2	Data Breach
278	Arbitrary Code Execution	critical	10.0	2	Vulnerability Exploitation, Misconfiguration
279	lack of user awareness	critical	10.0	2	social engineering, phishing
280	CVE-2025-48828	critical	10.0	2	Vulnerability Exploitation, Remote Code Execution
281	Microsoft Exchange Server vulnerabilities (HAFNIUM campaign)	critical	10.0	2	Cyber Espionage
282	MFA bypass	critical	10.0	2	ransomware, Phishing-as-a-Service (PhaaS)
283	Hardcoded credentials	critical	10.0	2	Misconfiguration, Cyber Attack
284	Compromised Vendor Credentials	critical	10.0	2	Phishing, Malware Distribution, Data Breach
285	ATM network processing	critical	10.0	2	Data Breach
286	outdated operating systems	critical	10.0	2	data breach, Cyberattack
287	Weak Authentication Mechanisms	critical	10.0	2	Data Breach, cybercrime
288	Lack of phishing-resistant MFA	critical	10.0	2	Extortion, Data Breach
289	Cloud Storage Service Vulnerability	critical	10.0	2	Data Breach
290	third-party integration risks	critical	10.0	2	third-party breach, Data Breach
291	Lack of multifactor authentication	critical	10.0	2	Supply Chain Breach, Awareness Campaign
292	Delayed patch management	critical	10.0	2	Data Breach, Ransomware
293	CVE-2025-61884 (Oracle E-Business Suite Zero-Day)	critical	10.0	2	data breach, Data Breach
294	Misconfigured system	critical	10.0	2	Data Breach, Alleged Data Breach
295	Known vulnerability	critical	10.0	2	Ransomware Attack, Data Leak
296	Zero-day vulnerability in SonicWall SSL VPN	critical	10.0	2	Ransomware
297	System Misconfiguration	critical	10.0	2	AI-driven cyberattack, Data Breach
298	Remote access vulnerabilities	critical	10.0	2	ransomware, Ransomware
299	Fortinet vulnerabilities	critical	10.0	2	Vulnerability Exploitation, Ransomware
300	Lack of Signal Authentication	critical	10.0	2	Data Interception, spoofing
301	Citrix Netscaler ADC/Gateway vulnerabilities	critical	10.0	2	Vulnerability Exploitation, Ransomware
302	Misconfigured deployments	critical	10.0	2	Misconfiguration, Ransomware
303	Misconfigured Access Controls	critical	10.0	2	Data Privacy and Cybersecurity Advisory, Data Breach
304	poor password hygiene	critical	10.0	2	ransomware, Human Error
305	poor security practices	critical	10.0	2	Data Breach, espionage
306	lack_of_MFA	critical	10.0	2	ransomware, data_breach
307	Lack of multi-factor authentication	critical	10.0	2	general cybersecurity awareness, Data Breach
308	Legacy Infrastructure	critical	10.0	2	AI-Powered Cyberattack, Ransomware
309	public-facing application vulnerabilities	critical	10.0	2	ransomware, Data Breach
310	Legacy IT Systems	critical	10.0	2	Ransomware Attack, Cyber Attack
311	Brute force attacks	critical	10.0	2	Extortion / Data Leak Threat, Authentication Security Improvement
312	unknown security gap	critical	10.0	2	ransomware
313	User Trust in App Store	critical	10.0	2	Malware
314	Online Payment System Vulnerability	critical	10.0	2	Data Breach
315	network vulnerabilities	critical	10.0	2	ransomware, Ransomware
316	Misconfigured MongoDB Database	critical	10.0	2	Data Exposure, Data Breach
317	Lack of Package Integrity Verification	critical	10.0	2	supply-chain attack, Supply Chain Attack
318	lack of employee training	critical	10.0	2	Ransomware, phishing
319	Microsoft Exchange server vulnerabilities	critical	10.0	2	Vulnerability Exploitation, Ransomware
320	Phishing Email	critical	10.0	2	Data Breach
321	Misconfigured cloud storage	critical	10.0	2	Data Breach
322	Remote code execution vulnerability	critical	10.0	2	Remote Code Execution, Remote Code Execution (RCE)
323	Human error (social engineering susceptibility)	critical	10.0	2	Data Breach, Ransomware
324	Social Engineering / Phishing	critical	10.0	2	Business Email Compromise (BEC), Spear Phishing
325	CVE-2025-47813	critical	8.5	2	Vulnerability Exploitation, Information Disclosure, Remote Code Execution
326	Unpatched network devices	critical	8.5	2	Malware, DDoS
327	CVE-2026-22218	critical	8.5	2	Vulnerability Exploitation, Data Breach
328	Social Engineering, Trust Exploitation	critical	8.5	2	Phishing
329	Information Disclosure	critical	8.5	2	Data Breach, Data Leak
330	CVE-2026-3910	critical	8.5	2	Zero-day Exploitation, Zero-Day Vulnerability Exploitation
331	Okta SSO Credentials	critical	8.5	2	Data Breach
332	Unprotected Server	critical	8.5	2	Data Breach
333	Compromised employee account	critical	8.5	2	Data Breach
334	Broken Access Control	critical	8.5	2	Vulnerability Exploitation, API Vulnerability
335	System Configuration Error	critical	8.5	2	Data Breach
336	Progress Software's MOVEit Transfer software	critical	8.5	2	Data Breach
337	Human Error (Falling for Phishing Scam)	critical	8.5	2	Data Breach (Phishing), Data Breach
338	MOVEit web transfer application vulnerability	critical	8.5	2	Data Breach
339	CVE-2025-54309 (CrushFTP)	critical	8.5	2	Ransomware, Exploit Trends
340	Insufficient Multi-Factor Authentication (MFA)	critical	8.5	2	Data Breach
341	Misconfigured Elasticsearch Database	critical	8.5	2	Data Exposure, Data Leak
342	CVE-2026-21510	critical	8.5	2	Zero-Day Vulnerability
343	Code Injection	critical	8.5	2	Data Breach
344	CVE-2025-41244	critical	8.5	2	Privilege Escalation
345	CVE-2026-32201 (Improper Input Validation - CWE-20)	critical	8.5	2	Zero-Day Vulnerability, Zero-Day Exploitation
346	Inadequate Vendor Vetting	critical	8.5	2	Data Breach
347	CVE-2026-23795	critical	8.5	2	XXE (XML External Entity) Vulnerability, Supply Chain Attack
348	CVE-2026-34621 (Adobe Acrobat Reader)	critical	8.5	2	Vulnerability Exploitation, Data Breach
349	inadequate vendor oversight	critical	8.5	2	ransomware, data breach
350	Lack of Identity Verification	critical	8.5	2	Data Breach, Fraud
351	Inadvertent Disclosure	critical	8.5	2	Data Breach
352	Critical security flaw in License Express system	critical	8.5	2	Data Breach, Data Security Failure
353	Weak email account security	critical	8.5	2	Data Breach
354	CVE-2026-26110 (Type Confusion - CWE-843)	critical	8.5	2	Vulnerability, Remote Code Execution (RCE)
355	Oracle E-Business Suite software vulnerability	critical	8.5	2	Data Breach
356	Software Coding Issue	critical	8.5	2	Data Breach
357	CVE-2025-66376	critical	8.5	2	Phishing, Espionage, Cyberespionage
358	MOVEit Transfer (CVE-2023-34362 or related)	critical	8.5	2	Data Breach
359	Compromised User Account	critical	8.5	2	Data Breach
360	Incorrect privacy settings on a public mapping website	critical	8.5	2	Data Exposure, Data Breach
361	CVE-2025-55177 (WhatsApp incomplete authorization)	critical	8.5	2	Zero-day vulnerability, Zero-day exploit
362	Overprivileged Access	critical	8.5	2	Data Breach
363	Poor data visibility settings	critical	8.5	2	Data Exposure
364	Insufficient security measures	critical	8.5	2	Data Breach
365	CVE-2026-2413	critical	8.5	2	SQL Injection
366	CVE-2026-22219	critical	8.5	2	Vulnerability Exploitation, Data Breach
367	Access Control	critical	8.5	2	Data Breach
368	CVE-2026-3909	critical	8.5	2	Zero-day Exploitation, Zero-Day Vulnerability Exploitation
369	missing authentication	critical	8.5	2	data breach
370	Unsecured MongoDB Database	critical	8.5	2	Data Breach
371	Publicly available data	critical	8.5	2	Data Breach
372	Oracle E-Business Suite (EBS) Vulnerability	critical	8.5	2	Data Breach
373	Lack of Physical Security for Sensitive Device	critical	8.5	2	Data Breach (Physical Theft)
374	CVE-2025-21043 (Out-of-bounds Write in libimagecodec.quram.so)	critical	8.5	2	Vulnerability Exploitation
375	Improper Access Controls (Publicly Accessible Database)	critical	8.5	2	data breach, Data Leak
376	Misconfigured Elasticsearch Instance	critical	8.5	2	Data Exposure, Data Breach
377	Long-Lived Tokens	critical	8.5	2	Data Breach
378	Access Credentials	critical	8.5	2	Data Breach
379	Unencrypted sensitive data	critical	8.5	2	data breach, Quantum Computing Threat
380	Unsecured Amazon S3 Bucket	critical	8.5	2	Data Breach
381	Missing Access Controls	critical	8.5	2	Data Exposure, Unauthorized Access
382	GoAnywhere Zero-Day Vulnerability	critical	8.5	2	Data Breach, Ransomware, Ransomware
383	lack of awareness	critical	8.5	2	data breach, Awareness Campaign
384	Misconfigured Rsync Server	critical	8.5	2	Data Exposure, Data Breach
385	weak email security controls	critical	8.5	2	data breach, Data Breach
386	Salesforce Misconfiguration	critical	8.5	2	Data Breach
387	Improper Access Controls on Amazon S3 Bucket	critical	8.5	2	Data Breach
388	Credential Theft	critical	8.5	2	Data Breach, Malware
389	Unsecured MongoDB Instance	critical	8.5	2	Data Exposure, Data Breach
390	Unauthorized code injection	critical	8.5	2	Data Breach
391	Unsecured Flash Drive	critical	8.5	2	Data Breach
392	Compromised employee credentials	critical	8.5	2	Data Breach
393	Improper Disposal of Sensitive Information	critical	8.0	2	Data Breach
394	Unauthorized Data Sharing	critical	8.0	2	Data Breach
395	Identity Theft	critical	8.0	2	Data Breach, Identity Theft
396	Technical Glitch	critical	8.0	2	Data Breach
397	Inadequate Physical Security	high	7.5	2	Data Breach, physical cyber convergence
398	CVE-2018-3952	high	6.0	2	Vulnerability Exploitation, Vulnerability Exploit
399	Corporate Email Account	high	6.0	2	Data Breach
400	ATM Security	high	6.0	2	Data Breach, ATM Skimming/Shimming
401	Website Misconfiguration	high	6.0	2	Data Exposure, Data Breach
402	Compromised Account Credentials	high	6.0	2	Data Breach, Unauthorized Access, DNS Manipulation
403	Inadvertent Email	high	6.0	2	Data Breach
404	Loss of Physical Media	high	6.0	2	Data Breach
405	Unencrypted Payment Card Information	high	6.0	2	Data Breach
406	MOVEit Transfer service	high	6.0	2	Data Breach
407	Human Error/Insider Threat	high	6.0	2	Data Breach
408	Unauthorized Access to Employee Email Account	high	6.0	2	Data Breach
409	lack of multi-factor authentication (MFA) on Slack	high	6.0	2	data breach, Data Breach
410	Compromised Microsoft Office 365 account	high	6.0	2	Business Email Compromise (BEC), Data Breach
411	Point-of-Sale Device	high	6.0	2	Data Breach
412	Tax Filing Software	medium	5.0	2	Data Breach
413	MOVEit Transfer software vulnerabilities	medium	5.0	2	Data Breach
414	Improper Disposal	medium	5.0	2	Data Breach
415	Reused credentials	medium	5.0	2	Data Breach
416	HTML Injection	medium	5.0	2	Vulnerability Exploitation, Prompt Injection
417	Unsecured Physical Records	low	2.5	2	Data Breach
418	CVE-2026-1504	low	2.5	2	Vulnerability
419	CVE-2026-0049	low	2.5	2	Vulnerability
420	CVE-2024-7399	low	2.5	2	Vulnerability Exploitation, Botnet Infection
421	Citrix Bleed	critical	10.0	1	Ransomware Attack
422	Unencrypted POS devices	critical	10.0	1	Data Breach
423	lack of threat detection tuning	critical	10.0	1	ransomware
424	CVE-2025-64175	critical	10.0	1	Remote Code Execution (RCE)
425	Social Engineering (Disguised as Legitimate npm Package)	critical	10.0	1	Malware Campaign
426	Critical RCE vulnerability in widely used VPN	critical	10.0	1	RCE (Remote Code Execution)
427	CVE-2024-45347	critical	10.0	1	Authentication Bypass Vulnerability
428	weak supply chain links	critical	10.0	1	ransomware
429	CitrixBleed (CVE-2023-4966) - CVSS 9.3 in Netscaler ADC and Gateway (Session Token Theft, MFA Bypass)	critical	10.0	1	Data Breach
430	Lack of basic security features such as two-factor authentication	critical	10.0	1	Data Breach
431	CVE-2023-50224	critical	10.0	1	Credential Harvesting
432	ATM Skimming Devices	critical	10.0	1	ATM Skimming
433	Heap Metadata Corruption	critical	10.0	1	Memory Corruption Vulnerability
434	Data susceptible to interception or misuse during cloud processing	critical	10.0	1	Privacy Breach
435	unique implementation flaws	critical	10.0	1	supply chain attack
436	Third-party AI tool vulnerabilities	critical	10.0	1	DDoS
437	Human error (opening infected email attachment)	critical	10.0	1	cyber espionage
438	CVE-2026-28289 (bypass of CVE-2026-27636)	critical	10.0	1	Remote Code Execution (RCE)
439	Disabled authentication in VNC servers	critical	10.0	1	Exposed Servers
440	Third-Party Integration Vulnerabilities (Salesforce-connected apps)	critical	10.0	1	Data Breach
441	Spring4Shell	critical	10.0	1	Vulnerability Exploitation
442	System Migration Bug	critical	10.0	1	Data Breach
443	Poor Patch Management	critical	10.0	1	Compliance Failure
444	Ivanti Endpoint Manager Mobile	critical	10.0	1	Vulnerability Exploitation
445	Unauthorized access to sensitive databases, insecure data handling	critical	10.0	1	Data Breach
446	cloud migration risks	critical	10.0	1	ransomware
447	CVE-2025-20362 (Memory corruption in Cisco ASA Software)	critical	10.0	1	Zero-day exploitation
448	Unauthorized system access via help desk	critical	10.0	1	Ransomware
449	CVE-2025-1449	critical	10.0	1	Vulnerability Exploit
450	Limited staffing	critical	10.0	1	Cyberattack
451	over-reliance on vendors	critical	10.0	1	data breach
452	SolarWinds Orion Software	critical	10.0	1	Supply Chain Attack
453	Compromised Mailing List	critical	10.0	1	Phishing
454	ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)	critical	10.0	1	ransomware
455	Legitimate Administrative Tools (ScreenConnect, AnyDesk, RMM Platforms)	critical	10.0	1	Social Engineering
456	Hardcoded cryptographic keys in Unitree’s G1 humanoid	critical	10.0	1	Privacy Breach
457	Unpatched Web Browser/Plugin Vulnerabilities	critical	10.0	1	Cyber Espionage
458	Outdated Software (e.g., Iranian oil tankers)	critical	10.0	1	Ransomware
459	Misconfigured Email Security Solutions (Mimecast, Proofpoint, Barracuda)	critical	10.0	1	Data Breach
460	Unpatched Software (50% of CVEs in last 5 years)	critical	10.0	1	Ransomware
461	CVE-2024-20353 (Infinite Loop DoS)	critical	10.0	1	Cyberattack
462	Fraudulently obtained digital certificates, Lack of Azure tenant credential security	critical	10.0	1	Malware Distribution / Ransomware Enablement
463	GPS reliance	critical	10.0	1	GPS spoofing (disputed)
464	urgency/authority manipulation	critical	10.0	1	social engineering
465	Zero-Day in Network Appliances (e.g., VMware vCenter, ESXi)	critical	10.0	1	Espionage
466	Unauthorized access to cloud servers	critical	10.0	1	Data Breach
467	Lack of monitoring for east-west traffic in cloud environments	critical	10.0	1	Ransomware
468	CVE-2025-34067 (Hikvision - remote code execution)	critical	10.0	1	Cyber Espionage, Reconnaissance
469	Improper Access Controls (Shared Credentials)	critical	10.0	1	Cybersecurity Vulnerability Exposure
470	Unknown flaw in Oracle E-Business Suite (EBS)	critical	10.0	1	Data Breach
471	Data Scraping Vulnerability	critical	10.0	1	Data Breach
472	Reused passwords from previous breaches	critical	10.0	1	Data Breach
473	CVE-2026-1579 (Missing Authentication for Critical Function)	critical	10.0	1	Vulnerability Exploitation
474	Unknown vulnerability in Microsoft SharePoint servers	critical	10.0	1	Cyber Espionage
475	overlooked vulnerabilities	critical	10.0	1	ransomware
476	CVE-2026-40701	critical	10.0	1	Vulnerability Exploitation
477	CVE-2026-21571	critical	10.0	1	OS Command Injection
478	insecure use of pull_request_target in GitHub Actions	critical	10.0	1	supply chain attack
479	Insufficient Identity Security Policies for AI Agents	critical	10.0	1	Identity Security Crisis
480	Improper Pointer Nullification	critical	10.0	1	Memory Corruption Vulnerability
481	Ivanti Policy Secure	critical	10.0	1	Vulnerability Exploitation
482	Adobe Magento e-commerce platform	critical	10.0	1	Magecart Attack
483	lack of package verification in CI/CD pipelines	critical	10.0	1	supply chain attack
484	Security flaw in SonicWall’s systems	critical	10.0	1	Ransomware
485	Unauthenticated Reboot Commands	critical	10.0	1	Vulnerability Disclosure
486	Lack of BCC usage in group emails	critical	10.0	1	Data Breach
487	Delayed access revocation for terminated employees	critical	10.0	1	Data Breach, Unauthorized Access, Data Deletion
488	CVE-2026-25611	critical	10.0	1	Denial of Service (DoS)
489	Newly disclosed vulnerabilities	critical	10.0	1	Botnet, Cyber Espionage
490	CVE-2025-2492	critical	10.0	1	botnet
491	Zero-day vulnerability (claimed by Qilin)	critical	10.0	1	Ransomware
492	Command Injection (QVD-2026-14149)	critical	10.0	1	Remote Code Execution (RCE)
493	Known Exploited Vulnerabilities (CISA Catalog)	critical	10.0	1	System Intrusion
494	CVE-2026-21509 (Microsoft Office OLE flaw)	critical	10.0	1	Cyberespionage
495	Unclear Accountability Frameworks	critical	10.0	1	Data Privacy Violation
496	CVE-2025-10035 (Critical, CVSS 10.0) in Fortra GoAnywhere MFT	critical	10.0	1	Vulnerability Exploitation
497	Unpatched Adobe Reader zero-day vulnerability	critical	10.0	1	Zero-Day Exploit
498	CVE-2026-20223	critical	10.0	1	Vulnerability Exploitation
499	unmanaged systems (for data theft and ransomware deployment)	critical	10.0	1	ransomware
500	CVE-2026-42946	critical	10.0	1	Vulnerability Exploitation
501	Unsecured BIM/cloud platforms	critical	10.0	1	Ransomware
502	Input validation bypass in MWEB transactions	critical	10.0	1	Denial-of-Service (DoS)
503	CVE-2025-14847	critical	10.0	1	Vulnerability Disclosure
504	CVE (CVSS 9.7) - Lack of origin validation, authentication tokens, and CORS protections in WebSocket listener	critical	10.0	1	Vulnerability Exploitation
505	Coding error in 'DNA Relatives' feature	critical	10.0	1	Data Breach
506	lack of AIS authentication mechanisms	critical	10.0	1	sabotage
507	Remote Terminal Units (RTUs)	critical	10.0	1	Cyber Sabotage
508	Lack of Data Review Process / Gross Negligence	critical	10.0	1	Data Breach
509	over_permissive_cloud_settings	critical	10.0	1	ransomware
510	CVE-2026-33825 (CVSS 7.8, High)	critical	10.0	1	Zero-Day Vulnerability
511	CVE-2026-41940 (cPanel Authentication Bypass)	critical	10.0	1	Data Breach
512	CVE-2026-28318 (Uncontrolled Resource Consumption, CWE-400)	critical	10.0	1	Denial-of-Service (DoS)
513	Legacy system integration vulnerabilities during platform consolidation	critical	10.0	1	Ransomware Attack
514	identity governance gaps	critical	10.0	1	ransomware
515	Insecure Third-Party Integration Controls	critical	10.0	1	Data Breach
516	Insufficient Real-Time Threat Intelligence	critical	10.0	1	Domain Hijacking
517	Content management system vulnerability	critical	10.0	1	Data Breach
518	Default Teams App Permissions	critical	10.0	1	Social Engineering
519	Poor IT-OT segmentation	critical	10.0	1	Ransomware, Cyber Espionage, Industrial Sabotage
520	Unpatched Web Applications	critical	10.0	1	AI-Powered Cyberattack
521	Legacy OT systems, lack of OT security prioritization, IT-OT convergence	critical	10.0	1	Ransomware
522	Third-Party Customer Service Provider (Discord)	critical	10.0	1	Data Breach
523	Long-standing vulnerabilities in SonicWall firewall systems, unmanaged exceptions, temporary rules, unprotected backups, administrative credentials	critical	10.0	1	Ransomware, Data Breach
524	Outdated software in critical sectors (hospitals, governments)	critical	10.0	1	Extortion
525	Misconfigured or unmonitored edge devices	critical	10.0	1	Ransomware
526	Browser session tokens	critical	10.0	1	Ransomware
527	Absence of AI Governance Frameworks	critical	10.0	1	Unauthorized AI Deployment
528	Known flaw in a widely used healthcare management platform	critical	10.0	1	Ransomware
529	Unknown network vulnerability	critical	10.0	1	Ransomware Attack
530	Inadequate Cybersecurity Defenses	critical	10.0	1	Data Breach
531	CVE-2025-5309	critical	10.0	1	Remote Code Execution
532	Delayed Breach Detection (avg. 276 days per IBM 2025 report)	critical	10.0	1	Supply Chain Attack
533	external-facing systems vulnerabilities	critical	10.0	1	ransomware
534	Vulnerabilities present during high-risk phases like satellite deployment, where telemetry, software loadouts, and encryption keys are most exposed.	critical	10.0	1	Cyber Espionage
535	Insufficient Real-Time Monitoring	critical	10.0	1	Insider Threat
536	CVE-2025-59469	critical	10.0	1	Vulnerability Exploitation
537	Outdated Operating Systems/Applications	critical	10.0	1	Malware
538	Third-Party Supplier Weakness	critical	10.0	1	Ransomware
539	Memory Leak	critical	10.0	1	Vulnerability Exploitation
540	User Trust in Fake App	critical	10.0	1	Malware Attack
541	Lack of Monitoring for Insider Threats	critical	10.0	1	SCADA Tampering / Insider Threat
542	CVE-2025-55182 (React2Shell, CVSS 10.0)	critical	10.0	1	Web Application Exploitation
543	OAuth Token Theft	critical	10.0	1	Data Breach
544	weak backup protection (backups were deleted by attacker)	critical	10.0	1	ransomware
545	Poorly maintained systems	critical	10.0	1	Ransomware
546	Lack of IT/OT Security Maturity (65% misalignment with NIST CSF 2.0)	critical	10.0	1	Cyber-Physical Attack
547	Weaknesses and biases in AI models	critical	10.0	1	Red-Teaming Event
548	CVE-2020-3580 (Cisco)	critical	10.0	1	ransomware
549	UNECE R155 Non-Compliance (Insecure Deployed Software)	critical	10.0	1	Cybersecurity Vulnerability Assessment
550	Unpatched software, firmware, and operating systems	critical	10.0	1	Ransomware
551	BDU:2025-10114 (CVSS 7.5) - Insufficient access control	critical	10.0	1	Cyber Espionage
552	aging infrastructure	critical	10.0	1	ransomware
553	Fortinet Fortigate	critical	10.0	1	Supply Chain Attack
554	Undetected network vulnerability	critical	10.0	1	Data Breach
555	static credential storage	critical	10.0	1	fraud
556	Lack of access controls (broad permissions)	critical	10.0	1	Ransomware
557	Progress Software's MOVEit Transfer vulnerability	critical	10.0	1	ransomware
558	Design Flaws	critical	10.0	1	Data Breach
559	Mismanagement of data storage	critical	10.0	1	Data Breach
560	virtualized environment exploits	critical	10.0	1	ransomware
561	Poor IAM practices	critical	10.0	1	Ransomware
562	CVE-2022-41328	critical	10.0	1	Advanced Persistent Threat (APT)
563	Lack of Network Segmentation in Targeted Systems	critical	10.0	1	Distributed Denial of Service (DDoS)
564	User Trust in Browser Prompts (Copy-Paste Commands, Fake Error Messages)	critical	10.0	1	Browser-Based Attack
565	CV_2025_03_1	critical	10.0	1	Vulnerability Exploitation
566	CVE-2022-22948	critical	10.0	1	Advanced Persistent Threat (APT)
567	CVE-2017-12637	critical	10.0	1	Vulnerability Exploitation
568	Supply chain compromise of open-source security tool	critical	10.0	1	Supply Chain Attack
569	CVE-2025-69258 (LoadLibraryEX vulnerability in MsgReceiver.exe)	critical	10.0	1	Remote Code Execution (RCE)
570	Cleo file sharing tool	critical	10.0	1	Data Breach
571	CVE-2026-4681 (CWE-94)	critical	10.0	1	Remote Code Execution (RCE)
572	JetBrains TeamCity	critical	10.0	1	Ransomware
573	CVE-2026-20127 (CVSS 10.0)	critical	10.0	1	Zero-Day Exploitation
574	REST API endpoints	critical	10.0	1	Data Breach
575	external-facing RDP/VPN misconfigurations	critical	10.0	1	ransomware
576	CVE-2026-42934	critical	10.0	1	Vulnerability Exploitation
577	Improper input validation in the plugin’s `prepare_post_data()` function, allowing PHP function injection via placeholders (e.g., `{entryCounter}`).	critical	10.0	1	Remote Code Execution (RCE)
578	CVE-2025-7027	critical	10.0	1	Firmware Vulnerability
579	Excessive agent authority	critical	10.0	1	AI-driven breach
580	Weaknesses in satellite-ground station security	critical	10.0	1	Cyber-Physical Threat
581	firewall vulnerabilities	critical	10.0	1	ransomware
582	Backdoor in M.E.Doc software updates (Intellect Service)	critical	10.0	1	Cyber Attack
583	CVE-2024-12297	critical	10.0	1	Vulnerability Exploit
584	CVE-2025-8876 (Command Injection via Improper Input Sanitization)	critical	10.0	1	Vulnerability Exposure
585	AES-CMAC algorithm flaw	critical	10.0	1	Vulnerability Exploitation
586	Exposure of GitHub token	critical	10.0	1	Vulnerability
587	myCare Integrity EMR system	critical	10.0	1	Data Breach
588	understaffed municipal services	critical	10.0	1	physical security breach
589	Exploitation of Android’s Accessibility Service, Google Play Protect bypass techniques	critical	10.0	1	Malware (Remote Access Trojan - RAT)
590	Poorly secured ATG systems	critical	10.0	1	Cyberattack
591	delayed AV detection due to obfuscation	critical	10.0	1	ransomware
592	CVE-2025-64155 (CWE-78: Improper Neutralization of Special Elements used in an OS Command)	critical	10.0	1	Vulnerability Exploitation
593	lack of backups	critical	10.0	1	data breach
594	Unsecured devices and networks	critical	10.0	1	Ransomware
595	Lack of security monitoring	critical	10.0	1	Cyberattack
596	Persistent jailbreak of Google Gemini AI, Weak non-English safety controls, Memory retention flaws, Stolen API keys, Trojanized software (StellarMonster)	critical	10.0	1	Fraud, Credential Theft, Cryptocurrency Theft, Social Engineering
597	CVE-2025-47167 (Windows KDC Proxy Service Use-After-Free)	critical	10.0	1	Patch Release
598	Accellion sharing software	critical	10.0	1	Ransomware
599	CVE-2024-3721	critical	10.0	1	Malware
600	FortiOS (unspecified CVEs)	critical	10.0	1	ransomware
601	Microsoft SharePoint zero-day	critical	10.0	1	ransomware
602	Schneider Electric safety equipment	critical	10.0	1	Cyberattack
603	Ghost Logins (Unmonitored Active Sessions)	critical	10.0	1	Phishing (Non-Email)
604	CVE-2025-42957 (ABAP Code Injection in SAP S/4HANA)	critical	10.0	1	Vulnerability Exploitation
605	Fragmented Security Posture (On-Premises vs. Cloud Visibility Gaps)	critical	10.0	1	Data Breach
606	CVE-2026-32202 (Windows Shell Spoofing)	critical	10.0	1	Data Breach
607	Unpatched vulnerability disclosed in December 2024	critical	10.0	1	Data Breach
608	Improper handling of configuration objects in the `mergeConfig` function (CVE-2026-25639)	critical	10.0	1	Denial-of-Service (DoS)
609	MOVEit Software Vulnerabilities	critical	10.0	1	Cyber Attack
610	Overlooked Access Rights	critical	10.0	1	Data Breach
611	Improper input sanitization in GNU InetUtils telnetd (USER environment variable handling)	critical	10.0	1	Authentication Bypass
612	Weakness in mobile payment verification system (KT)	critical	10.0	1	Data Breach
613	Lack of two-factor authentication (2FA), persistent access to Aeroflot’s infrastructure	critical	10.0	1	Supply-Chain Attack
614	Unsupervised automation	critical	10.0	1	AI-driven breach
615	CWE-22: Path Traversal in Docker build context configuration (smithery.yaml)	critical	10.0	1	Supply Chain Attack
616	Compromised software supply chain	critical	10.0	1	Supply Chain Attack
617	Outdated accounting infrastructure	critical	10.0	1	Ransomware
618	tasks.json file execution	critical	10.0	1	Financial Theft
619	Vulnerability allowing linkage of email addresses and phone numbers to Twitter accounts	critical	10.0	1	Data Breach
620	Critical RCE flaw in Apache Tomcat	critical	10.0	1	Remote Code Execution (RCE)
621	Unintentional Misconfiguration	critical	10.0	1	Data Exposure
622	Embedded Credentials in BIG-IP	critical	10.0	1	Supply Chain Attack
623	CVE-2023-23397	critical	10.0	1	Cyberespionage
624	Compromised Subcontractor Credentials	critical	10.0	1	Data Breach
625	BeyondTrust	critical	10.0	1	Ransomware
626	LiteLLM	critical	10.0	1	Ransomware
627	Unsecured Email Channels	critical	10.0	1	Data Breach (General Discussion)
628	CVE-2026-27944	critical	10.0	1	Vulnerability Exploitation
629	Outdated IT Systems	critical	10.0	1	Cybercrime
630	Vulnerabilities in SonicWall, Veeam, and Cisco products	critical	10.0	1	Ransomware
631	Outdated Fortinet VPNs	critical	10.0	1	Ransomware
632	Weak Authentication (e.g., VPN Passwords)	critical	10.0	1	Cyber Espionage
633	Unsecured internet-facing devices (used by China-affiliated actors)	critical	10.0	1	Extortion
634	CVE-2026-1995 (Improper file permission handling in id_service.exe)	critical	10.0	1	Privilege Escalation
635	Misconfigured cloud databases	critical	10.0	1	Ransomware
636	BlueKeep	critical	10.0	1	Ransomware
637	CVE-2025-37164	critical	10.0	1	Botnet Campaign
638	Weak login credentials	critical	10.0	1	Data Breach
639	inadequate least-privilege access controls	critical	10.0	1	cyberespionage
640	CVE-2026-21902	critical	10.0	1	Vulnerability Exploitation
641	Ageing infrastructure, shared IT systems, lack of network segmentation	critical	10.0	1	Data Breach
642	CVE-2026-29058 (CWE-78: Improper Neutralization of Special Elements)	critical	10.0	1	Remote Code Execution (RCE)
643	Unpatched VPN software	critical	10.0	1	Ransomware
644	Zero-day vulnerabilities in cloud infrastructure/SaaS platforms	critical	10.0	1	Cybercriminal Alliance Formation
645	CVE-2024-20359 (Privilege Escalation: Admin → Root)	critical	10.0	1	Cyberattack
646	Abstract Threat Perception	critical	10.0	1	Data Breach
647	Unsecured GitHub Personal Access Tokens (PATs)	critical	10.0	1	Supply-Chain Attack
648	Unpatched IoT/OT Systems	critical	10.0	1	EDR/XDR Evasion
649	visibility gaps	critical	10.0	1	ransomware
650	shadow IT (unapproved third-party tool integrations)	critical	10.0	1	third-party breach
651	Single-point-of-failure in 1/1 validation setup, lack of redundant verifiers	critical	10.0	1	Exploit
652	Lack of Real-Time Threat Detection	critical	10.0	1	Third-Party Breach
653	CVE-2025-48595	critical	10.0	1	Zero-Day Exploitation
654	Compromised digital certificate, trusted update infrastructure	critical	10.0	1	Supply Chain Attack
655	Weakness in `url_safe` feature (Bing.com tracking link evasion)	critical	10.0	1	Vulnerability Exploitation
656	Redis/Memcache session poisoning for arbitrary file deletion	critical	10.0	1	SQL Injection
657	IMSI-capturing	critical	10.0	1	Surveillance
658	Bun runtime environment detection	critical	10.0	1	supply chain attack
659	Lack of real-time detection for initial intrusion (May 14 to August 24)	critical	10.0	1	Ransomware Attack
660	Unmonitored third-party script dependencies	critical	10.0	1	Data Breach
661	CVE-2025-32434	critical	10.0	1	Vulnerability Exploitation
662	CVE-2025-47953 (Microsoft Office Heap-Based Buffer Overflow)	critical	10.0	1	Patch Release
663	Email Spoofing, Unsecured Computer System	critical	10.0	1	Hacking
664	Absence of two-factor authentication	critical	10.0	1	Ransomware
665	CVE-2025-44179	critical	10.0	1	Vulnerability Exploitation
666	unsecured copper infrastructure	critical	10.0	1	infrastructure vulnerability
667	Insufficient Physical Security for Fiber-Optic Cables	critical	10.0	1	Cyber Espionage
668	CNVD-2020-26585	critical	10.0	1	Remote Code Execution (RCE)
669	Unsecured Network Servers	critical	10.0	1	Cybersecurity Incident
670	Plaintext Credential Storage	critical	10.0	1	Vulnerability Exploitation
671	Open Academic Networks in Universities	critical	10.0	1	Data Breach
672	Unguarded Museum	critical	10.0	1	Theft
673	Publicly accessible management interfaces	critical	10.0	1	Cloud Exploitation Campaign
674	AI's inability to recognize malicious intent in fragmented tasks	critical	10.0	1	cyberespionage
675	Systemic weaknesses in government cybersecurity	critical	10.0	1	Unauthorized Access
676	CVE-2024-21893	critical	10.0	1	Ransomware
677	Unauthorized access to Tetra mobile device signals, lack of robust signal authentication	critical	10.0	1	Radio Signal Spoofing
678	Unsecured Public Wi-Fi	critical	10.0	1	Awareness Campaign
679	CVE-2025-30333	critical	10.0	1	Data Breach, Persistent Malware, Unauthorized Access
680	Lack of MFA Enforcement	critical	10.0	1	Social Engineering
681	React2Shell (CVE-2025-29927)	critical	10.0	1	Cloud Exploitation Campaign
682	CVE-2025-5777 (CitrixBleed2)	critical	10.0	1	ransomware
683	Unsecured directory with unrestricted access	critical	10.0	1	Data Leak
684	CVE-2026-43500	critical	10.0	1	Privilege Escalation
685	Critical vulnerabilities, unpatched systems, dark web credentials	critical	10.0	1	Supply Chain Attack
686	Supply chain compromise	critical	10.0	1	Supply Chain Attack
687	Government mismanagement, lack of security protocols	critical	10.0	1	Data Breach
688	Delayed Incident Notification	critical	10.0	1	Cybersecurity Incident
689	lack of MFA on critical systems	critical	10.0	1	ransomware
690	ProxyLogon (Microsoft Exchange)	critical	10.0	1	cyberespionage
691	Citrix VPN vulnerabilities	critical	10.0	1	Cybercrime Forum Seizure
692	Four zero-days	critical	10.0	1	Exploit Kit / Cyber Espionage
693	Zero-day exploits, Supply-chain weaknesses	critical	10.0	1	Supply-chain attack, Data exfiltration, Reconnaissance
694	Lack of adequate detection and response capabilities for drone threats	critical	10.0	1	Physical Security Threat
695	Improper security configurations in Windows Named Pipe implementation within the Acer Control Center Service (ACCSvc.exe)	critical	10.0	1	Vulnerability Exploitation
696	Exposed Secrets in GitHub Repository	critical	10.0	1	Data Breach
697	Improper escaping of LangChain’s internal marker key during serialization	critical	10.0	1	Serialization/Deserialization Injection
698	Server Crash	critical	10.0	1	Vulnerability Exploitation
699	Orion Software Vulnerability	critical	10.0	1	Software Exploitation
700	Hidden malicious proxy in AI agents	critical	10.0	1	Vulnerability Exploit
701	CVE-2023-20269 (Cisco)	critical	10.0	1	ransomware
702	CVE-2025-32711 (EchoLeak)	critical	10.0	1	Data Exposure
703	CVE-2026-41096 (Heap-based buffer overflow in DNSAPI.dll)	critical	10.0	1	Remote Code Execution (RCE)
704	CVE-2025-34291 (Origin Validation Error - CWE-346)	critical	10.0	1	Remote Code Execution (RCE)
705	User Data Misuse	critical	10.0	1	Data Breach
706	Malicious form injection	critical	10.0	1	Data Breach
707	CVE-2025-43200	critical	10.0	1	Spyware
708	Human factor (credentials theft)	critical	10.0	1	Phishing
709	Insufficient access controls, lack of root account protection	critical	10.0	1	Data Destruction
710	Fortinet SSL VPN vulnerabilities	critical	10.0	1	ransomware
711	CVE-2025-55182 (CVSS 10.0)	critical	10.0	1	worm-driven campaign
712	Low Digital Literacy in Business Software	critical	10.0	1	Ransomware Attack
713	Poor Kubernetes configurations	critical	10.0	1	Cloud Infrastructure Compromise
714	VMware virtual machines	critical	10.0	1	Cyberespionage
715	Legacy Firewall Deployments (single point of failure for ecosystems)	critical	10.0	1	Predictive Analysis
716	insufficient incident response plans	critical	10.0	1	phishing
717	Tool sprawl and visibility gaps	critical	10.0	1	Data Breach
718	CVE-2025-34300	critical	10.0	1	Remote Code Execution
719	Unknown vulnerabilities in routers and VPN appliances	critical	10.0	1	Botnet
720	CVE-2025-10725 (CVSS 9.9)	critical	10.0	1	Privilege Escalation / Vulnerability Exploitation
721	Potential lack of redundant navigation systems	critical	10.0	1	GPS spoofing (disputed)
722	Insufficient Workforce Training (phishing/social engineering)	critical	10.0	1	Ransomware
723	Legacy Protocols (NTLM Enabled for Backward Compatibility)	critical	10.0	1	Data Breach
724	Employee downloaded malware from untrusted source	critical	10.0	1	Ransomware Attack
725	Inconsistent authentication	critical	10.0	1	Data Breach
726	Vulnerability in the virtual private network	critical	10.0	1	Ransomware
727	Human psychology	critical	10.0	1	AI-driven cyberattack
728	budget reductions	critical	10.0	1	data breach
729	Unhashed Passwords	critical	10.0	1	Data Breach
730	Direct Internet Exposure	critical	10.0	1	Cyber-Physical Attack
731	CVE-2024-30103 (Remote Code Execution)	critical	10.0	1	Zero-Day Exploit
732	Sinkclose vulnerability	critical	10.0	1	Vulnerability Exploitation
733	CVE-2026-32746 (Buffer Overflow - CWE-120)	critical	10.0	1	Remote Code Execution (RCE)
734	Improper handling of BOOTP file field in DHCP server responses (CVE-2026-42511)	critical	10.0	1	Vulnerability Exploitation
735	OAuth vulnerability	critical	10.0	1	Exploit
736	delayed patching	critical	10.0	1	phishing
737	Unmonitored API Queries (Graph, Teams)	critical	10.0	1	Social Engineering
738	SQL Injection in Main Application	critical	10.0	1	Data Breach
739	Ivanti Connect Secure	critical	10.0	1	Vulnerability Exploitation
740	Third-Party Repository Access	critical	10.0	1	AI Cybersecurity Risk
741	Systemic design flaw in Anthropic’s Model Context Protocol (MCP)	critical	10.0	1	Remote Command Execution (RCE)
742	Outdated network infrastructure	critical	10.0	1	Data Breach
743	GraphQL interfaces	critical	10.0	1	Data Breach
744	Lack of Multi-Factor Authentication (Assumed)	critical	10.0	1	Ransomware
745	Lack of Multi-Factor Authentication (MFA) for Vendor Logins	critical	10.0	1	Cyberattack
746	Weak Password Hashing (Early Breaches like LinkedIn 2012)	critical	10.0	1	Data Breach
747	GenAI Prompt Leakage	critical	10.0	1	Cyber-Attack
748	CVE-2025-22226	critical	10.0	1	Ransomware
749	NVIDIA NeMo Framework Vulnerabilities	critical	10.0	1	Vulnerability Exploitation
750	Exposed long-term IAM user credentials, Lambda function code injection	critical	10.0	1	Cloud Breach
751	Process Drift in Third-Party Service Desk	critical	10.0	1	Social Engineering
752	Informant Malfeasance	critical	10.0	1	Dissemination of Propaganda and Child Abuse Material
753	Kernel-level hooks in EDR products (28+ vendors targeted)	critical	10.0	1	Ransomware
754	CVE-2021-44228 (Log4j)	critical	10.0	1	cyberespionage
755	unpatched Windows SMB flaw (WannaCry)	critical	10.0	1	ransomware
756	CVE-2023-38831	critical	10.0	1	Cyberespionage
757	Progress MOVEit transfer systems	critical	10.0	1	Data Breach
758	SaaS platforms	critical	10.0	1	Ransomware
759	Vulnerable drivers (BYOVD), misused legitimate software, obfuscation techniques (VX Crypt, VMProtect, control-flow flattening)	critical	10.0	1	Ransomware
760	Compromised Polyfill.io service	critical	10.0	1	Supply Chain Attack
761	Stolen credentials, malicious links in trusted email chains, phishing campaigns	critical	10.0	1	Supply Chain Attack, Cargo Theft
762	IoT Device Vulnerabilities	critical	10.0	1	Cybercrime
763	Technical error (premature website publication)	critical	10.0	1	Data Leak / Unauthorized Disclosure
764	Stack Buffer Overflow	critical	10.0	1	Vulnerability Exploitation
765	LLM Susceptibility to Prompt Injection	critical	10.0	1	Prompt Injection
766	Trojanized update	critical	10.0	1	Supply Chain Attack
767	Outdated Ethernet systems	critical	10.0	1	Ransomware
768	Compromised third-party vendor credentials	critical	10.0	1	Data Breach
769	Potential Salesforce Misconfigurations	critical	10.0	1	Data Breach
770	Known vulnerabilities in DNN platform	critical	10.0	1	Data Breach
771	CVE-2025-2172	critical	10.0	1	Vulnerability Exploitation
772	Outdated and vulnerable infrastructure	critical	10.0	1	State-sponsored cyberattack
773	CVE-2024-12856	critical	10.0	1	DDoS
774	Weakened power grid infrastructure	critical	10.0	1	Cyberattack
775	lack of tamper-proof audit trails	critical	10.0	1	ransomware
776	Browser Fetch API abuse via Service Workers (CVE not specified)	critical	10.0	1	Vulnerability Exploitation
777	Legacy Authentication Protocols	critical	10.0	1	Social Engineering
778	Unsanitized Metadata	critical	10.0	1	Data Leak
779	weak identity management systems	critical	10.0	1	cyberespionage
780	Lack of Monitoring for Renamed Binaries	critical	10.0	1	APT (Advanced Persistent Threat)
781	CVE-2025-20363 (Cisco ASA VPN)	critical	10.0	1	Ransomware
782	Non-shard-isolated user directory, unencrypted public chat rooms	critical	10.0	1	Data Breach
783	Disconnected IAM Systems	critical	10.0	1	Predictive Analysis
784	CVE-2025-27915 (Stored XSS in Zimbra Classic Web Client via ICS files)	critical	10.0	1	Cyber Espionage
785	Fortinet VPN vulnerabilities	critical	10.0	1	Cybercrime Forum Seizure
786	Internal System Compromise (mechanism unspecified)	critical	10.0	1	Data Breach
787	Lack of Secure Boot/Trust Anchor in ASA 5500-X Series	critical	10.0	1	Zero-day exploitation
788	Cached Administrative Credentials in Workstation Memory	critical	10.0	1	Data Breach
789	CVE-2026-8053	critical	10.0	1	Vulnerability
790	Absence de formation des employés en cybersécurité	critical	10.0	1	Cyberattaque ciblée
791	Unvetted Browser Extensions (Cyberhaven Hack, 35+ Extensions in 2024)	critical	10.0	1	Browser-Based Attack
792	lack of physical security for copper wiring	critical	10.0	1	physical security breach
793	Poor Vendor/Third-Party Risk Management	critical	10.0	1	Ransomware
794	Exposed Database Credentials	critical	10.0	1	Data Exposure
795	CVE-2025-55125	critical	10.0	1	Vulnerability Exploitation
796	cross-border supplier networks	critical	10.0	1	ransomware
797	Weak Access Controls (e.g., AWS Misconfigurations)	critical	10.0	1	Unauthorized AI Deployment
798	Limited Supply Chain Visibility (beyond first-tier vendors)	critical	10.0	1	Ransomware
799	Technical know-how gap in solvent extraction	critical	10.0	1	Geopolitical Risk
800	Unsecured ElasticSearch Database	critical	10.0	1	Data Exposure
801	Full Disk Access Exploitation	critical	10.0	1	AI Cybersecurity Risk
802	insufficient encryption	critical	10.0	1	data breach
803	Insecure Withdrawal Locking Mechanism	critical	10.0	1	Data Breach
804	Weak VPN authentication	critical	10.0	1	Data Breach
805	SonicWall SSL VPN Misconfiguration	critical	10.0	1	Unauthorized Access
806	Plaintext access to JSON payloads in AI agent tool calls, lack of cryptographic verification for tool-call integrity	critical	10.0	1	Supply Chain Attack
807	Accidental transmission of private key information	critical	10.0	1	Data Breach
808	potential prior SharePoint vulnerabilities (historical context for Storm-2603)	critical	10.0	1	ransomware
809	Legitimate utilities repurposed for malicious use (e.g., gpscript.exe)	critical	10.0	1	Ransomware
810	Inadequate Data Encryption	critical	10.0	1	Ransomware
811	underwater sensor network vulnerabilities	critical	10.0	1	espionage
812	third-party services and integrations	critical	10.0	1	ransomware
813	Enabled dangerous features (xp_cmdshell, CLR, OLE Automation)	critical	10.0	1	Ransomware
814	CVE-2025-20352 (Cisco IOS SNMP Flaw)	critical	10.0	1	Ransomware
815	PowerShell script abuse	critical	10.0	1	spear-phishing
816	Trust Exploitation	critical	10.0	1	Cryptocurrency Scam
817	Insufficient Access Management	critical	10.0	1	Data Breach
818	Login bypass vulnerability, improper access controls	critical	10.0	1	Data Leak, Unauthorized Access, Remote Exploitation
819	Accellion File Transfer Appliance (FTA) vulnerabilities	critical	10.0	1	Data Breach
820	CVE-2025-60021 (Inadequate input validation in Apache bRPC heap profiler endpoint)	critical	10.0	1	Remote Command Injection
821	Typosquatting	critical	10.0	1	Cyber Theft
822	Misconfigured MongoDB databases (lack of authentication, outdated versions)	critical	10.0	1	Ransomware
823	Wide Attack Surfaces (Retail: staff, suppliers, IT systems)	critical	10.0	1	Ransomware
824	Poor access controls and credential management for third-party code repositories	critical	10.0	1	Data Breach
825	Weak passwords, lack of two-factor authentication (2FA)	critical	10.0	1	Ransomware
826	API code change flaw, predictable device serial numbers, unencrypted MFA scratch codes	critical	10.0	1	Ransomware
827	Absence of Memoranda of Agreement (MOAs) with LGUs	critical	10.0	1	Data Privacy Violation
828	Exposed Database	critical	10.0	1	Ransomware Attack
829	Stolen credentials from 2023 Salesloft Drift breach, weak credential management, lack of MFA enforcement	critical	10.0	1	Data Breach
830	AI Model Jailbreak (Disguised Malicious Tasks as Benign)	critical	10.0	1	Espionage
831	LLM scope violation (CVE-2025-32711)	critical	10.0	1	Data Breach Vulnerability
832	Architectural flaw in Model Context Protocol (MCP)	critical	10.0	1	Remote Code Execution (RCE)
833	Misconfigured Cloud Identity and Access Management (IAM)	critical	10.0	1	Data Breach
834	Google Docs	critical	10.0	1	Data Leak
835	Fake suspicious activity notifications	critical	10.0	1	Phishing
836	CVE-2025-29927	critical	10.0	1	worm-driven campaign
837	Minimal/No Authentication	critical	10.0	1	Exposure of Vulnerable Systems
838	Insufficient insider threat controls	critical	10.0	1	Data Breach
839	Interception and editing of RF signals	critical	10.0	1	Vulnerability
840	Citrix device vulnerabilities (specific CVE not disclosed)	critical	10.0	1	Cyberattack
841	Poorly Secured ICS	critical	10.0	1	Cyberattack
842	Legacy Operational Technology (OT) systems with known vulnerabilities	critical	10.0	1	Ransomware
843	Undisclosed vulnerabilities in F5 BIG-IP (actively patched but stolen pre-disclosure)	critical	10.0	1	Supply Chain Compromise
844	CVE-2026-24423 (Missing Authentication for Critical Function - CWE-306)	critical	10.0	1	Ransomware
845	Weak private key generation algorithm	critical	10.0	1	Cryptocurrency Theft
846	Legitimate Windows driver truesight.sys (Adlice Software’s RogueKiller) with IOCTL command abuse	critical	10.0	1	ransomware
847	Client-side file type restrictions without server-side validation	critical	10.0	1	Cloud Account Takeover
848	CVE-2026-40369	critical	10.0	1	Privilege Escalation
849	Uncontrolled AI Tool Integration	critical	10.0	1	Data Breach Risk
850	CVE-2023-3596	critical	10.0	1	Cyber Espionage
851	CVE-2026-7473	critical	10.0	1	Zero-Day Exploit
852	CVE-2026-35616 (Fortinet flaw)	critical	10.0	1	Botnet, Cyber Espionage
853	Cisco IOS vulnerabilities	critical	10.0	1	Data Breach
854	no password protection on critical servers	critical	10.0	1	data breach
855	CVE-2018-13379	critical	10.0	1	Ransomware
856	CVE-2026-31431 (Linux Kernel Privilege Escalation)	critical	10.0	1	Data Breach
857	CVE-2025-61882 (Oracle E-Business Suite - Unauthenticated RCE)	critical	10.0	1	Data Breach
858	Stack overflow (CVE-2026-3608)	critical	10.0	1	Denial-of-Service (DoS)
859	Remote Work Security Blind Spots	critical	10.0	1	Cybercrime
860	CVE-2018-0171	critical	10.0	1	Vulnerability Exploitation
861	insecure credential storage in CI/CD environments	critical	10.0	1	supply chain attack
862	CVE-2026-8181	critical	10.0	1	Authentication Bypass
863	automated package update mechanisms	critical	10.0	1	supply chain attack
864	Remote Disabling Capability	critical	10.0	1	Repurposing of Commercial Technology for Military Use
865	SonicWall vulnerabilities	critical	10.0	1	Ransomware
866	Lack of Automated PII Detection	critical	10.0	1	Data Leak
867	Lack of Centralized Log Management	critical	10.0	1	Data Breach
868	weak credential governance	critical	10.0	1	phishing
869	Compromised IoT devices and routers, primarily Android TVs	critical	10.0	1	DDoS
870	Claude Code tool's contextual safeguard limitations	critical	10.0	1	cyberespionage
871	Palo Alto PAN-OS	critical	10.0	1	Ransomware
872	CVE-2025-12556 (Improper input validation in ICM Viewer’s WebSocket communication)	critical	10.0	1	Remote Code Execution (RCE)
873	Inadequate safeguards for sensitive data	critical	10.0	1	Data Breach
874	CVE-2026-44963	critical	10.0	1	Remote Code Execution (RCE)
875	Blind SQL Vulnerability	critical	10.0	1	Data Breach
876	CVE-2025-23319	critical	10.0	1	Vulnerability Exploitation
877	Remote code execution vulnerability in SharePoint’s authentication mechanism	critical	10.0	1	Cyberattack
878	Social Engineering, Impersonation	critical	10.0	1	Phishing, Cyber Espionage
879	OAuth Application Abuse	critical	10.0	1	Data Breach
880	Liquidity Token Contracts	critical	10.0	1	Cyberattack
881	Unsecured MSSQL Database	critical	10.0	1	Data Breach
882	Hidden preinstall scripts	critical	10.0	1	Supply Chain Attack
883	CVE-2022-26134 (Atlassian OGNL Injection)	critical	10.0	1	cyberespionage
884	abuse of elevated privileges post-compromise (e.g., Trend Vision One uninstaller)	critical	10.0	1	ransomware
885	Over-the-Air Broadcast Without Protection	critical	10.0	1	Data Interception
886	Type Confusion via Memory Reuse	critical	10.0	1	Memory Corruption Vulnerability
887	Design flaw in VSCode’s webview security model (Window.postMessage() API misuse), lack of CSRF protections in github.dev, unrestricted Node.js API access in extensions	critical	10.0	1	Vulnerability Exploitation
888	Lack of physical security for sensitive data display	critical	10.0	1	Data Breach
889	CVE-2026-0229	critical	10.0	1	Denial-of-Service (DoS)
890	Lack of AIS/GPS signal authentication	critical	10.0	1	GPS spoofing
891	Shared-Service Model Vulnerabilities	critical	10.0	1	Cyberattack
892	Outdated encryption, weak cryptographic practices, poor key management	critical	10.0	1	Cyber Threat Warning
893	identity and access weaknesses	critical	10.0	1	ransomware
894	Absence of Multifactor Authentication	critical	10.0	1	Ransomware
895	CVE-2026-3854	critical	10.0	1	Remote Code Execution (RCE)
896	Poor Spam Filtering	critical	10.0	1	Ransomware
897	Misconfigured AWS Bucket	critical	10.0	1	Data Exposure
898	VMware Fusion root access bug	critical	10.0	1	Zero-day Exploit
899	Six vulnerabilities	critical	10.0	1	Exploit Kit / Cyber Espionage
900	Data Sharing with Third-Party AI Services	critical	10.0	1	Unauthorized AI Deployment
901	CWE-93 (CRLF Injection)	critical	10.0	1	Privilege Escalation
902	third-party ecosystem dependencies	critical	10.0	1	ransomware
903	third-party cybersecurity dependencies	critical	10.0	1	cyberattack
904	Palo Alto vulnerabilities	critical	10.0	1	Ransomware
905	Legitimate Cybersecurity Testing Impersonation	critical	10.0	1	Espionage
906	CVE-2017-17215 (TP-Link Routers)	critical	10.0	1	Botnet / DDoS Campaign
907	React2Shell vulnerability in React frontend application	critical	10.0	1	Data Breach
908	Critical CVSS-rated vulnerabilities in legacy and new ICS devices	critical	10.0	1	Exposure of Critical Infrastructure
909	CVE-2025-32713 (Windows Common Log File System Driver EoP)	critical	10.0	1	Patch Release
910	Unmonitored Privileged Accounts	critical	10.0	1	Data Breach
911	NPM package integrity weakness	critical	10.0	1	supply chain attack
912	unmonitored vendor access to sensitive data	critical	10.0	1	supply chain attack
913	high market value of copper	critical	10.0	1	infrastructure vulnerability
914	Poor Email Security Practices	critical	10.0	1	Data Breach
915	Inadequate Access Controls for PowerSource Portal	critical	10.0	1	Data Breach
916	Weak Third-Party Security Controls	critical	10.0	1	Data Breach
917	Novel method	critical	10.0	1	Ransomware
918	Weak supply chain controls for hardware distribution	critical	10.0	1	Espionage
919	lack of real-time cross-verification of vessel identities	critical	10.0	1	AIS spoofing
920	unsecured_API	critical	10.0	1	ransomware
921	Hardcoded Credentials in Binaries	critical	10.0	1	Supply Chain Attack
922	CVE-2025-25012	critical	10.0	1	Vulnerability Exploit
923	CVE-2021-22681 (Rockwell Automation ICS)	critical	10.0	1	ransomware
924	unsecured GenAI prompts	critical	10.0	1	ransomware
925	Weak Detection/Response Capabilities (SMEs)	critical	10.0	1	Ransomware
926	Over-Permissive Tool Access (e.g., Password Crackers, Network Scanners)	critical	10.0	1	Espionage
927	Insufficient client-side runtime monitoring	critical	10.0	1	Data Breach
928	AI supply chain threats (e.g., LangFlow RCE)	critical	10.0	1	Malware Framework
929	CVE-2025-69263 (CVSS 7.5)	critical	10.0	1	Supply Chain Attack
930	Insecure data storage and handling	critical	10.0	1	Data Breach
931	Lapse of CISA 2015 liability protections	critical	10.0	1	Policy/Regulatory Failure
932	CNAME DNS record	critical	10.0	1	Data Breach
933	AI Training Data Exposure	critical	10.0	1	Cyber Espionage
934	Human Error (Support Staff Tricked via Impersonation)	critical	10.0	1	Data Breach
935	Time-Triggered Ethernet (TTEthernet) vulnerabilities	critical	10.0	1	Time Synchronization Attack
936	OS auto-enumeration of mice on Windows 11 and macOS Sonoma, lack of HID trust models	critical	10.0	1	Hardware-based Attack
937	Failure to Implement Security Recommendations	critical	10.0	1	Data Breach
938	Reduced Workforce Capacity	critical	10.0	1	Operational Risk
939	CVE-2024-* (Buffer manipulation in NTFS disk image handling)	critical	10.0	1	Remote Code Execution (RCE)
940	CVE-2024-54085	critical	10.0	1	Vulnerability Exploitation
941	CVE-2025-46811	critical	10.0	1	Vulnerability Exploitation
942	CVE-2025-48595 (CWE-190 - Integer Overflow)	critical	10.0	1	Vulnerability Exploitation
943	Log4Shell vulnerability	critical	10.0	1	Cyber Attack
944	Remote desktop gateway vulnerability	critical	10.0	1	Ransomware
945	Lack of backup systems	critical	10.0	1	Ransomware
946	Lack of Multi-Factor Authentication (2FA) Enforcement	critical	10.0	1	Data Breach
947	Unsecured cloud environment, lack of proper oversight	critical	10.0	1	Data Breach
948	weak MFA implementations (Evilginx tool)	critical	10.0	1	ransomware
949	Lack of User Awareness for Non-Email Threats	critical	10.0	1	Social Engineering
950	Lack of Business Continuity Plans	critical	10.0	1	Ransomware
951	Default or Weak ESXi Authentication Mechanisms	critical	10.0	1	Ransomware Prevention Guide
952	Backup Restoration Failures	critical	10.0	1	Ransomware
953	CVE-2025-5777 (Citrix Bleed 2)	critical	10.0	1	Ransomware
954	CVE-2025-58434 (Unauthenticated Password Reset Token Disclosure in `/api/v1/account/forgot-password`)	critical	10.0	1	Vulnerability Exploitation
955	Exposed credentials through configuration API calls	critical	10.0	1	Vulnerability Exploitation
956	Salesforce Instance Misconfiguration	critical	10.0	1	Data Breach
957	AI Browser Design Flaw (Fragment Inclusion in Context)	critical	10.0	1	Prompt Injection
958	uneven cybersecurity maturity	critical	10.0	1	data breach
959	network vulnerabilities (unspecified)	critical	10.0	1	ransomware
960	Dormant Backdoors	critical	10.0	1	Supply Chain Attack
961	CVE-2023-41347	critical	10.0	1	botnet
962	CVE-2025-25181	critical	10.0	1	Security Breach
963	Unknown vulnerability in file transfer software	critical	10.0	1	Ransomware
964	Security holes in Verizon's systems	critical	10.0	1	Data Breach
965	weaknesses in AIS (Automatic Identification System) authentication	critical	10.0	1	AIS spoofing
966	Lack of MFA on Personal/Social Media Accounts	critical	10.0	1	Phishing (Non-Email)
967	CVE-2025-7742	critical	10.0	1	Vulnerability Exploitation
968	Unrestricted Access Controls	critical	10.0	1	Ransomware
969	CVE-2025-33064 (Windows SMB Improper Access Control)	critical	10.0	1	Patch Release
970	Firewall rule exposing RDP on a management server	critical	10.0	1	Ransomware
971	Unmaintained Software (e.g., FreeImage in Audi Vehicles)	critical	10.0	1	Cybersecurity Vulnerability Assessment
972	Cisco AnyConnect software vulnerability	critical	10.0	1	Data Breach
973	CVE-2024-37079 (CWE-787 - Out-of-bounds Write)	critical	10.0	1	Remote Code Execution (RCE)
974	Over-permissioning	critical	10.0	1	AI-driven breach
975	Windows minifilter drivers	critical	10.0	1	Ransomware
976	Unmonitored API Traffic	critical	10.0	1	Data Breach
977	Pool initialization bypass	critical	10.0	1	Exploit
978	Stolen personal data (Social Security numbers, birthdates, account credentials)	critical	10.0	1	Data Breach, Identity Fraud, Account Takeover
979	Unpatched legacy systems	critical	10.0	1	Ransomware
980	Poor authentication controls	critical	10.0	1	Data Breach
981	Fragmented Cybersecurity Governance (no common procedures)	critical	10.0	1	Ransomware
982	Vulnerability in Ivanti's security products	critical	10.0	1	Malware
983	Trello	critical	10.0	1	Data Leak
984	WordPress vulnerabilities	critical	10.0	1	Botnet
985	CVE-2026-25049 (insufficient input sanitization in expression evaluation mechanism)	critical	10.0	1	Remote Code Execution (RCE)
986	Remote Code Execution (RCE) in AhsayCBS backup system	critical	10.0	1	Remote Code Execution
987	CVE-2026-5027 (Path Traversal)	critical	10.0	1	Vulnerability Exploitation
988	Weak Passwords (WordPress Admin Accounts)	critical	10.0	1	Influence Operation
989	CVE-2025-42999	critical	10.0	1	vulnerability
990	Insufficient Threat Hunting Capabilities	critical	10.0	1	EDR/XDR Evasion
991	API misconfiguration	critical	10.0	1	Data Breach
992	kernel-level access via vulnerable driver	critical	10.0	1	ransomware
993	NtQuerySystemInformation abuse (SystemCodeFlowTransition parameter)	critical	10.0	1	Supply Chain Attack
994	Alta Payment Portal	critical	10.0	1	Data Breach
995	Password reminder bug	critical	10.0	1	Account Takeover
996	Unauthorized remote access, ATM jackpotting, Point-of-sale data compromise	critical	10.0	1	Cyber Attack
997	Weaknesses in SolarWinds' Orion platform	critical	10.0	1	Supply Chain Attack
998	Lack of End-to-End Email Encryption	critical	10.0	1	Data Breach
999	QR Code Vulnerability	critical	10.0	1	Espionage
1000	Lack of 'Two Pairs of Eyes' Review (Pre-November 2021)	critical	10.0	1	Data Breach
1001	Lateral Movement via Salesforce OAuth	critical	10.0	1	Supply Chain Attack
1002	Weak Supplier Security Controls	critical	10.0	1	Ransomware
1003	Oracle zero-day vulnerability	critical	10.0	1	Ransomware
1004	CVE-2023-4966	critical	10.0	1	Vulnerability Exploitation
1005	Improper data classification procedures	critical	10.0	1	Data Breach
1006	CVE-2025-53771 (Path Traversal)	critical	10.0	1	Cyber Espionage
1007	disabled antivirus processes	critical	10.0	1	ransomware
1008	Lack of contractual compliance and oversight, unauthorized offshore access	critical	10.0	1	Data Breach
1009	CVE-2025-31324 (SAP NetWeaver)	critical	10.0	1	Ransomware
1010	Human Vulnerability (Social Engineering via Impersonation)	critical	10.0	1	Cyber Attack
1011	Microsoft Exchange Server flaw	critical	10.0	1	Zero-day Exploit
1012	CVE-2022-41040	critical	10.0	1	Ransomware
1013	CVE-2016-10033	critical	10.0	1	Vulnerability Exploitation
1014	CVE-2026-9082	critical	10.0	1	SQL Injection
1015	Vulnerabilities in the email system	critical	10.0	1	Data Breach
1016	SSO Misconfigurations (e.g., Microsoft Entra, Google Workspace, Okta)	critical	10.0	1	Phishing (Non-Email)
1017	Default/Weak Admin Credentials	critical	10.0	1	Data Breach
1018	MongoBleed	critical	10.0	1	Data Breach
1019	Security Vulnerabilities in Verizon’s Web site	critical	10.0	1	Data Breach
1020	CVE-2017-17562 (GoAhead RCE)	critical	10.0	1	cyberespionage
1021	Insufficient Code Review for Open-Source Dependencies	critical	10.0	1	Supply Chain Attack
1022	Cross-jurisdictional regulatory gaps	critical	10.0	1	Cyber-Physical Threat
1023	CVE-2026-24423	critical	10.0	1	Ransomware
1024	improper access controls on cloud storage (public bucket setting)	critical	10.0	1	data breach
1025	Outdated Junos OS routers	critical	10.0	1	Espionage
1026	inadequate security of payment systems	critical	10.0	1	data breach
1027	Lack of Behavioral Anomaly Detection	critical	10.0	1	Insider Threat
1028	Delegated Administrative Privileges (DAP) in Microsoft cloud solutions	critical	10.0	1	cyberespionage
1029	Absence of Multi-Factor Authentication (MFA)	critical	10.0	1	Ransomware
1030	Malicious APKs	critical	10.0	1	Cryptocurrency Scam
1031	Political Distractions	critical	10.0	1	Operational Risk
1032	External call to 'transfer' function using a fake hash	critical	10.0	1	Cryptocurrency Theft
1033	Microsoft SharePoint Server Vulnerabilities (On-Premises)	critical	10.0	1	Data Breach
1034	Lack of Behavioral Analytics for Insider Threat Detection	critical	10.0	1	Insider Threat (Attempted)
1035	CVE-2024-53676	critical	10.0	1	Vulnerability Exploitation
1036	CVE-2026-XXXXX (PolyShell - unauthenticated arbitrary file upload via REST API)	critical	10.0	1	Payment Skimmer Attack
1037	Insufficient Contractual Safeguards	critical	10.0	1	Third-Party Breach
1038	Inadequate Training	critical	10.0	1	Data Breach
1039	CVE-2026-34909	critical	10.0	1	Remote Code Execution (RCE)
1040	Known vulnerability in cloud storage services	critical	10.0	1	Data Breach
1041	Manual Recovery Reliance	critical	10.0	1	Supply Chain Attack
1042	Reused Apple ID logins	critical	10.0	1	Data Breach, Phishing
1043	Potential vulnerability in Citrix NetScaler	critical	10.0	1	Cyberattack
1044	Weak DNS Security Extensions (DNSSEC) Implementation	critical	10.0	1	Domain Hijacking
1045	Shared Responsibility Model Gaps in Cloud Security	critical	10.0	1	Predictive Analysis
1046	Weak supply-chain security	critical	10.0	1	Data Breach
1047	CVE-2025-29927 (React2Shell)	critical	10.0	1	Cloud Misconfiguration Exploitation
1048	misconfigured multi-factor authentication (MFA)	critical	10.0	1	ransomware
1049	blind spots in network visibility	critical	10.0	1	ransomware
1050	Insufficient IT resources	critical	10.0	1	Cyberattack
1051	Weak Authentication (compromised social media accounts)	critical	10.0	1	Cyber Theft
1052	CVE-2025-22224	critical	10.0	1	Ransomware
1053	VPN vulnerabilities	critical	10.0	1	ransomware
1054	Previously unknown vulnerability in email system	critical	10.0	1	Ransomware
1055	reliance on IT generalists without specialized security training	critical	10.0	1	ransomware
1056	Lack of Vendor Oversight	critical	10.0	1	Data Breach
1057	Improper GitHub Access Controls	critical	10.0	1	Supply Chain Attack
1058	Open Amazon S3 bucket	critical	10.0	1	Data Breach
1059	Unchecked external input in workflow scripts	critical	10.0	1	Supply Chain Attack
1060	Publicly exposed servers and computers	critical	10.0	1	Cyberattack
1061	Local privilege escalation	critical	10.0	1	Exploit Kit / Cyber Espionage
1062	human error (social engineering via phishing)	critical	10.0	1	cyberespionage
1063	CVE-2017-11882 (Microsoft Office)	critical	10.0	1	APT (Advanced Persistent Threat)
1064	CVE-2026-21858	critical	10.0	1	Vulnerability Exploitation
1065	Weak credentials (e.g., built-in sa account)	critical	10.0	1	Ransomware
1066	Outsourced Business Process Provider Vulnerabilities	critical	10.0	1	Data Breach
1067	Kerberoasting in Active Directory	critical	10.0	1	ransomware
1068	Windows kernel vulnerabilities	critical	10.0	1	Data Exfiltration, Ransomware, Extortion
1069	unpatched software (suspected)	critical	10.0	1	data breach
1070	Vulnerabilities in MOVEit software	critical	10.0	1	Cyberattack
1071	CVE-2025-64111	critical	10.0	1	Remote Code Execution (RCE)
1072	CVE-2023-41345	critical	10.0	1	botnet
1073	Potential vulnerabilities in NSCC’s infrastructure, outdated 2020 admin manual for HPC3 supercomputer cluster	critical	10.0	1	Data Breach
1074	Weak data protections	critical	10.0	1	Data Breach
1075	Untrusted forked code in CI/CD pipelines	critical	10.0	1	Supply Chain Attack
1076	CVE-2025-7026	critical	10.0	1	Firmware Vulnerability
1077	CVE-2025-27363	critical	10.0	1	Vulnerability Exploitation
1078	Website Software	critical	10.0	1	Data Breach
1079	Phone data hijacking via malicious vCard	critical	10.0	1	Vulnerability Exploitation
1080	Unpatched Software Vulnerabilities	critical	10.0	1	Malware
1081	CVE-2025-55241 (Token Validation Failure in Microsoft Entra ID / Azure AD Graph API)	critical	10.0	1	Privilege Escalation
1082	JIT compiler hijacking, .NET Reactor obfuscation, static constructor execution	critical	10.0	1	Supply Chain Attack
1083	Improperly secured AJAX action (CVE not specified)	critical	10.0	1	Privilege Escalation
1084	Unauthorized physical access to sensitive data	critical	10.0	1	Data Theft
1085	Supply Chain Weakness	critical	10.0	1	Supply Chain Attack
1086	CVE-2025-26399	critical	10.0	1	Ransomware
1087	Auto-update mechanisms	critical	10.0	1	Session Hijacking
1088	YellowKey (Windows zero-day)	critical	10.0	1	Zero-day Exploit
1089	Absence of Standardized Risk Assessments	critical	10.0	1	Ransomware
1090	CVE-2024-8299	critical	10.0	1	Vulnerabilities in SCADA Systems
1091	CVE-2026-1731 (OS command injection, CWE-78)	critical	10.0	1	Zero-Day Vulnerability
1092	Reduced CISA staffing (from ~2,500 to <900)	critical	10.0	1	Policy/Regulatory Failure
1093	CVE-2026-6644	critical	10.0	1	Zero-Day Exploit
1094	Encrypted master key printed in plain, unencrypted digital language	critical	10.0	1	Data Breach
1095	Zero-Authentication (Zero-Auth) Flaw	critical	10.0	1	Data Breach
1096	Lack of authentication/logging in OT systems	critical	10.0	1	Ransomware, Cyber Espionage, Industrial Sabotage
1097	cloud security misconfigurations	critical	10.0	1	cyber espionage
1098	unrestricted PowerShell usage	critical	10.0	1	ransomware
1099	CVE-2025-59468	critical	10.0	1	Vulnerability Exploitation
1100	Poor detection of abnormal system activity	critical	10.0	1	Data Breach
1101	CVE-2025-14733 (Out-of-bounds write in iked process)	critical	10.0	1	Remote Code Execution (RCE)
1102	Unpatched APIs	critical	10.0	1	Cyberattack Surge
1103	CVE-2026-27966	critical	10.0	1	Zero-Day Vulnerability
1104	CVE-2025-8110 (Path traversal in PutContents API via symbolic links)	critical	10.0	1	Remote Code Execution (RCE)
1105	Unknown vulnerabilities in operating systems and browsers	critical	10.0	1	Ransomware
1106	Over-reliance on single-source supply chain (China)	critical	10.0	1	Geopolitical Risk
1107	Manual SOC inefficiencies	critical	10.0	1	Data Breach
1108	Network	critical	10.0	1	Data Breach
1109	Email reply-chain exploitation	critical	10.0	1	Phishing
1110	Insufficient permission checks	critical	10.0	1	DeFi Exploit
1111	Log4j (CVE-2021-44228)	critical	10.0	1	ransomware
1112	CVE-2023-28252	critical	10.0	1	Ransomware
1113	No rate-limiting or access restrictions on user data	critical	10.0	1	Data Breach
1114	Lack of Fragment Inspection in Security Tools	critical	10.0	1	Prompt Injection
1115	CVE-2025-1316	critical	10.0	1	Vulnerability Exploitation
1116	Untrusted data deserialization in LeRobot's PolicyServer	critical	10.0	1	Phishing
1117	compromised backup configurations (SonicWall cloud breach)	critical	10.0	1	ransomware
1118	Unpinned GitHub Actions dependencies	critical	10.0	1	Supply Chain Attack
1119	CVE-2026-44962 (Improper Neutralization of Data within XPath Expressions - CWE-643)	critical	10.0	1	Vulnerability Exploitation
1120	Valid Login Information	critical	10.0	1	Data Breach
1121	CVE-2024-36401 (Critical RCE in GeoServer)	critical	10.0	1	Cyber Espionage
1122	CVE-2026-34197 (13-year-old flaw in Apache ActiveMQ Classic) and CVE-2024-32114 (authentication bypass)	critical	10.0	1	Remote Code Execution (RCE)
1123	Command execution flaws	critical	10.0	1	Cyber Attack
1124	CVE-2025-49144	critical	10.0	1	Privilege Escalation
1125	Undisclosed (stolen vulnerability data)	critical	10.0	1	Data Breach
1126	Alert Fatigue and False Positives	critical	10.0	1	EDR/XDR Evasion
1127	CVE-2024-3721 (TBK DVRs)	critical	10.0	1	Botnet / DDoS Campaign
1128	CVE-2025-68947 (NsecSoft NSecKrnl driver)	critical	10.0	1	Ransomware
1129	SCADA-IT Data Convergence	critical	10.0	1	Cyber Espionage
1130	CVE-2026-3502 (Download of Code Without Integrity Check - CWE-494)	critical	10.0	1	Vulnerability Exploitation
1131	Compromised Passwords	critical	10.0	1	Data Breach
1132	Unsalted MD5	critical	10.0	1	Data Breach
1133	Known vulnerability in database software	critical	10.0	1	Data Breach
1134	CVE in Tridium’s Niagara Framework (13 vulnerabilities, Nozomi Networks)	critical	10.0	1	Cybersecurity Vulnerability Exposure
1135	Known vulnerability in IT infrastructure	critical	10.0	1	Data Breach
1136	Dual-use technology misuse	critical	10.0	1	Policy Violation and Dual-Use Technology Misuse
1137	Human Error (Compliance with Fraudulent Requests)	critical	10.0	1	Data Breach
1138	Unknown vulnerability in online platforms	critical	10.0	1	Data Breach
1139	Third-party library bug in Google Chrome	critical	10.0	1	Zero-Day Exploit
1140	Oracle Cloud Infrastructure Flaw (from March 2025 breach)	critical	10.0	1	Data Breach
1141	Misconfigured Security Controls	critical	10.0	1	Malware
1142	Obsolete Traditional Detection Systems	critical	10.0	1	Ransomware
1143	SonicWall SSLVPN (Weak MFA/Access Controls)	critical	10.0	1	Ransomware
1144	Malicious PowerPoint Add-Ins	critical	10.0	1	Cyber Espionage
1145	Understaffed security operations	critical	10.0	1	Data Breach
1146	Atlassian Confluence	critical	10.0	1	Cyberattack (Reconnaissance Campaign)
1147	Default public location sharing settings in fitness app	critical	10.0	1	Data Exposure
1148	Trustwave’s miscategorization of breach alert as 'moderate' (delayed response)	critical	10.0	1	Ransomware
1149	Misconfigured Cloud Storage (S3, MongoDB)	critical	10.0	1	Data Breach
1150	insufficient cloud-native security controls	critical	10.0	1	ransomware
1151	Static Authentication Methods (vulnerable to deepfakes)	critical	10.0	1	Predictive Analysis
1152	Vulnerable signed drivers (exploited via BYOVD)	critical	10.0	1	Ransomware
1153	RenderShock 0-Click Vulnerability	critical	10.0	1	Zero-Click Attack
1154	Dependence on unencrypted GPS signals for navigation and communication	critical	10.0	1	GPS jamming
1155	SCADA system vulnerabilities	critical	10.0	1	DDoS
1156	Privacy Regulation Non-Compliance	critical	10.0	1	Ransomware
1157	Unknown Third-Party Relationships	critical	10.0	1	Data Breach
1158	privileged credential abuse	critical	10.0	1	ransomware
1159	lack of asset visibility	critical	10.0	1	unauthorized access
1160	CVE-2026-0755 (ZDI-26-021, ZDI-CAN-27783)	critical	10.0	1	Zero-Day Vulnerability
1161	OpenSSL flaws	critical	10.0	1	Ransomware
1162	Poor Oversight of Third-Party Vendor (PowerSchool)	critical	10.0	1	Data Breach
1163	Fortinet software	critical	10.0	1	Cyber Attack
1164	Abuse of Native Windows Utilities (curl, certutil)	critical	10.0	1	APT (Advanced Persistent Threat)
1165	Misconfigured OAuth integrations (historical, via Salesloft's Drift)	critical	10.0	1	Extortion
1166	Compromised Microsoft 365 Account	critical	10.0	1	Data Breach
1167	legacy software vulnerabilities	critical	10.0	1	cyber espionage
1168	Shor's Algorithm (theoretical)	critical	10.0	1	Emerging Threat
1169	Trust in open-source packages	critical	10.0	1	Supply Chain Attack
1170	Weak Entra ID Configurations (e.g., external access policies)	critical	10.0	1	Social Engineering
1171	exposed remote services	critical	10.0	1	Ransomware
1172	CVE-2024-9852	critical	10.0	1	Vulnerabilities in SCADA Systems
1173	open ports	critical	10.0	1	Ransomware
1174	Apache Log4j vulnerability	critical	10.0	1	Cyberattack (Reconnaissance Campaign)
1175	Legacy systems, architectural weaknesses in industrial security, IT-OT convergence	critical	10.0	1	Cyberattack on Operational Technology (OT)
1176	CVE-2023-6895 (Hikvision - OS command injection)	critical	10.0	1	Cyber Espionage, Reconnaissance
1177	Outdated or unpatched consumer and small office devices	critical	10.0	1	Cyber Espionage
1178	User Information Exposure	critical	10.0	1	Data Breach
1179	poor_network_segmentation	critical	10.0	1	ransomware
1180	Physical accessibility of undersea infrastructure	critical	10.0	1	Physical sabotage (cyber-physical attack)
1181	Previously unidentified vulnerability	critical	10.0	1	Ransomware Attack
1182	CVE-2024-11120	critical	10.0	1	Cyberattack
1183	Race Conditions in Object Destruction	critical	10.0	1	Memory Corruption Vulnerability
1184	Microsoft SharePoint ToolShell vulnerabilities (zero-day, patched post-exploitation)	critical	10.0	1	Ransomware
1185	Lack of Syslog Forwarding to External Systems	critical	10.0	1	Ransomware Prevention Guide
1186	Lack of Centralized Logging/Monitoring	critical	10.0	1	Cyber Espionage
1187	TerraMaster NAS Vulnerability	critical	10.0	1	Vulnerability Exploitation
1188	Lack of IP Restrictions on Tokens	critical	10.0	1	Supply Chain Attack
1189	Cyber-Illiterate Student Population	critical	10.0	1	Data Breach
1190	Shadow AI, IdentityMesh, Infostealers	critical	10.0	1	Data Breach
1191	CVE-2026-24061	critical	10.0	1	Remote Code Execution (RCE)
1192	Improper access controls in Capital One's cloud-based firewall (AWS S3 bucket misconfiguration)	critical	10.0	1	Data Breach
1193	CVE-2024-21410 (Privilege Escalation), CVE-2024-21413	critical	10.0	1	Zero-Day Exploit
1194	Default Authentication Bypasses	critical	10.0	1	Vulnerability Exploitation
1195	Insufficient anti-jam technology	critical	10.0	1	GPS spoofing
1196	cloud security weaknesses	critical	10.0	1	ransomware
1197	Data Sharing with Third-Party	critical	10.0	1	Data Breach
1198	BlueHammer	critical	10.0	1	Zero-Day Exploitation
1199	enterprise software vulnerabilities	critical	10.0	1	ransomware
1200	IT-OT convergence risks	critical	10.0	1	Ransomware
1201	Hardware Vulnerabilities	critical	10.0	1	Hardware Vulnerability Exploitation
1202	High-severity software flaws (Mythos AI)	critical	10.0	1	AI-driven vulnerability exploitation
1203	CVE-2026-41940	critical	10.0	1	Ransomware
1204	Inadequate Backup Protection	critical	10.0	1	Ransomware Attack
1205	Trust in .gov/.police Domain Emails (Bypassing Technical Filters)	critical	10.0	1	Account Compromise
1206	GreenPlasma (Windows zero-day)	critical	10.0	1	Zero-day Exploit
1207	Oracle E-Business Suite vulnerability	critical	10.0	1	Ransomware
1208	Legitimate Tools Abuse (Bitsadmin, PowerShell, curl)	critical	10.0	1	Targeted Cyberattack
1209	Lack of Granular Network Segmentation	critical	10.0	1	EDR/XDR Evasion
1210	Claude Code Model Safeguard Bypass	critical	10.0	1	Espionage
1211	Single-character coding error	critical	10.0	1	Cryptocurrency Theft
1212	CVE-2026-20093	critical	10.0	1	Authentication Bypass
1213	Abuse of Device Admin and Accessibility Services permissions	critical	10.0	1	Ransomware
1214	Insufficient endpoint detection and response (EDR)	critical	10.0	1	Ransomware
1215	CVE-2026-10520	critical	10.0	1	OS Command Injection
1216	Weaknesses in detection-focused security tools like EDR/XDR	critical	10.0	1	Ransomware
1217	Remote Code Execution (RCE) zero-day in Oracle E-Business Suite (versions 12.2.3-12.2.14)	critical	10.0	1	ransomware
1218	Trojanized Software Supply Chain	critical	10.0	1	Targeted Attack
1219	Compromised private key controlling minting approvals	critical	10.0	1	Stablecoin Exploit
1220	poor network segmentation (IT/OT convergence)	critical	10.0	1	ransomware
1221	zero-day vulnerabilities in PDF readers	critical	10.0	1	ransomware
1222	Unmonitored Devices	critical	10.0	1	Domain Hijacking
1223	Lack of In-House Cybersecurity Expertise (17% of shipyards)	critical	10.0	1	Ransomware
1224	Inadequately tested code in Token Bridge smart contracts, lack of secure coding practices, and absence of automated fraud monitoring	critical	10.0	1	Data Breach, Cryptocurrency Theft
1225	Public-Key Cryptography (e.g., RSA, ECC)	critical	10.0	1	Emerging Threat
1226	Coding vulnerability in the 'DNA Relatives' feature	critical	10.0	1	Data Breach
1227	CVE-2026-41089	critical	10.0	1	Remote Code Execution (RCE)
1228	CVE-2023-3519 (Citrix NetScaler)	critical	10.0	1	cyberespionage
1229	Unsecured Data Storage	critical	10.0	1	Data Breach
1230	Pulse Secure CVE-2019-11510	critical	10.0	1	Cybercrime Forum Seizure
1231	Lack of domestic rare earth processing capacity	critical	10.0	1	Geopolitical Risk
1232	Legacy system vulnerabilities (some dating back to 2013)	critical	10.0	1	Ransomware
1233	Weak password policy (single compromised password)	critical	10.0	1	Ransomware
1234	Improper input validation in USER environment variable handling	critical	10.0	1	Authentication Bypass
1235	CitrixBleed2 (CVE not explicitly mentioned but inferred as Citrix NetScaler vulnerability)	critical	10.0	1	data breach
1236	Incorrect host/guest network separation (allowed privilege escalation from guest to host)	critical	10.0	1	Ransomware
1237	Legacy network	critical	10.0	1	Data Breach
1238	npm supply chain compromise (Nx platform)	critical	10.0	1	Supply Chain Attack
1239	DeFi infrastructure weaknesses (historical)	critical	10.0	1	cyber theft
1240	Router vulnerabilities	critical	10.0	1	Cyber Espionage
1241	Vulnerability in Cleo's file transfer products	critical	10.0	1	Ransomware
1242	23 exploits across five attack chains (iOS 13-17.2.1)	critical	10.0	1	Espionage
1243	Dirty Frag (CVE-2026-31431)	critical	10.0	1	Privilege Escalation
1244	poor segmentation of payment systems	critical	10.0	1	ransomware
1245	Ungoverned AI Systems	critical	10.0	1	Data Breach
1246	lack of 2FA for publisher accounts	critical	10.0	1	supply chain attack
1247	Outdated legacy systems	critical	10.0	1	Cyberattack
1248	Lax network security	critical	10.0	1	Data Breach
1249	Trust in Employee	critical	10.0	1	Insider Threat
1250	CVE-2026-23918 (double free memory corruption)	critical	10.0	1	Remote Code Execution (RCE)
1251	CVE-2020-3259 (Cisco)	critical	10.0	1	ransomware
1252	Lack of multifactor authentication (MFA) on administrator accounts	critical	10.0	1	Data Breach
1253	Potential zero-day in F5 products	critical	10.0	1	Data Breach
1254	unpatched/end-of-life devices	critical	10.0	1	unauthorized access
1255	Vulnerabilities in Accellion file transfer platform	critical	10.0	1	Data Breach
1256	CVE-2024-24919	critical	10.0	1	Ransomware
1257	weak encryption key management practices	critical	10.0	1	ransomware
1258	EternalBlue (WannaCry, 2017)	critical	10.0	1	ransomware
1259	CVE-2024-7694	critical	10.0	1	Supply Chain Attack
1260	SynologyPhotos application on BeeStation and DiskStation systems	critical	10.0	1	Zero-Click Vulnerability
1261	Vulnerabilities in AI development platforms	critical	10.0	1	AI-driven cyber threats
1262	npm package hijacking	critical	10.0	1	supply chain attack
1263	WhatsApp Artifact Exfiltration	critical	10.0	1	APT (Advanced Persistent Threat)
1264	CVE-2024-21182	critical	10.0	1	Remote Code Execution (RCE)
1265	Cloud Security Gaps	critical	10.0	1	Cyberattack Surge
1266	Remote-file-transfer vulnerabilities	critical	10.0	1	Ransomware
1267	Human error (opening malicious email attachment)	critical	10.0	1	Phishing Attack
1268	CVE-2026-20160	critical	10.0	1	Remote Code Execution (RCE)
1269	CVE-2022-42475	critical	10.0	1	Advanced Persistent Threat (APT)
1270	CVE-2024-11859	critical	10.0	1	Malware Delivery
1271	Lack of Multi-Factor Authentication (MFA) for high-value targets	critical	10.0	1	Cyber Theft
1272	Human Error (Phishing Susceptibility) & Weak Remote Access Controls	critical	10.0	1	Data Breach (Phishing & Unauthorized Access)
1273	PROMISQROUTE (Prompt-based Router Open-Mode Manipulation Induced via SSRF-like Queries, Reconfiguring Operations Using Trust Evasion)	critical	10.0	1	AI System Vulnerability
1274	CWE-285 (Polkit Authorization Bypass)	critical	10.0	1	Privilege Escalation
1275	OWASSRF	critical	10.0	1	Ransomware Attack
1276	Known vulnerability in the network	critical	10.0	1	Ransomware Attack
1277	Weak Security Controls at Third-Party Contractor	critical	10.0	1	Data Breach
1278	CVE-2023-22527	critical	10.0	1	Cryptomining Campaign
1279	outdated IT infrastructure	critical	10.0	1	data breach
1280	Lack of Real-Time Monitoring for Undersea Infrastructure	critical	10.0	1	Physical Sabotage
1281	GDPR compliance leverage (ransom coercion)	critical	10.0	1	ransomware
1282	Undocumented Warbird framework	critical	10.0	1	Supply Chain Attack
1283	CVE-2025-1727	critical	10.0	1	Vulnerability Exploitation
1284	GPS signal weakness	critical	10.0	1	spoofing
1285	Improper Use of Collaboration Tools (WhatsApp, Microsoft Forms)	critical	10.0	1	Data Breach
1286	Third-party Salesforce CRM integration	critical	10.0	1	Data Breach
1287	Inadequate security controls in femtocell management system, disabled end-to-end encryption	critical	10.0	1	Malware
1288	Kickidler employee monitoring tool	critical	10.0	1	Ransomware
1289	Virtual Office portal public access	critical	10.0	1	ransomware
1290	Malicious code injection	critical	10.0	1	Data Breach
1291	systemic weaknesses in data protection	critical	10.0	1	data breach
1292	Lack of anti-jamming measures in ferry's GPS system	critical	10.0	1	GPS jamming
1293	Ivanti Cloud Service Appliances	critical	10.0	1	Supply Chain Attack
1294	CVE-2025-20333 (Authentication bypass in Cisco ASA Software)	critical	10.0	1	Zero-day exploitation
1295	Predictable defense patterns	critical	10.0	1	AI-driven cyberattack
1296	Malicious TestFlight app	critical	10.0	1	Financial Theft
1297	CVE-2023-34048	critical	10.0	1	Advanced Persistent Threat (APT)
1298	Vect Ransomware Bug	critical	10.0	1	Data Breach
1299	Lack of Cybersecurity Preparedness	critical	10.0	1	Ransomware Attack
1300	Legacy Authentication Protocols (e.g., SAMLjacking)	critical	10.0	1	Phishing (Non-Email)
1301	Data integrity	critical	10.0	1	Security Concerns
1302	Internet-facing OT devices, project files in PLCs	critical	10.0	1	Cyberattack
1303	underfunded IT security	critical	10.0	1	ransomware
1304	help-desk protocol vulnerabilities	critical	10.0	1	ransomware
1305	Insecure Backups	critical	10.0	1	Compliance Failure
1306	Internal Login	critical	10.0	1	Data Breach
1307	Weak or Outdated Cryptographic Standards	critical	10.0	1	Emerging Threat
1308	MOVEit file-transfer software zero-day vulnerability	critical	10.0	1	Data Breach
1309	CVE-2026-1492 (Privilege Management Flaw in User Registration & Membership Plugin)	critical	10.0	1	Privilege Escalation
1310	Lack of Compliance Oversight	critical	10.0	1	Data Breach
1311	Funnel Builder vulnerability	critical	10.0	1	Zero-day Exploit
1312	Microsoft Entra ID Self-Service Password Reset Process	critical	10.0	1	Cloud Data Theft
1313	lack of email security by design	critical	10.0	1	phishing
1314	Identity and Access Control Weaknesses	critical	10.0	1	Data Breach
1315	Overprivileged identities	critical	10.0	1	Cloud Infrastructure Compromise
1316	Azure RBAC Misconfiguration	critical	10.0	1	Data Exfiltration
1317	Inadequate access controls for sensitive spreadsheets	critical	10.0	1	Data Breach
1318	lack of centralized patching for consulting deliverables	critical	10.0	1	supply chain attack
1319	Known security gaps in domestic agencies	critical	10.0	1	Data Breach
1320	Security Oversight	critical	10.0	1	Data Breach
1321	Supply chain compromise (malicious Axios update)	critical	10.0	1	Data Breach
1322	lack_of_verified_security_controls	critical	10.0	1	data_at_risk
1323	CVE-2025-53770 (ToolShell, patch bypass for CVE-2025-49704/CVE-2025-49706)	critical	10.0	1	Cyber Espionage
1324	Shadow AI (unauthorized generative AI tools)	critical	10.0	1	Ransomware
1325	Stolen secret code for cookie generation	critical	10.0	1	Data Breach
1326	CVE-2025-68615 (Buffer Overflow in snmptrapd)	critical	10.0	1	Vulnerability Exploitation
1327	Misconfigured firewalls	critical	10.0	1	APT Attack
1328	Endpoint Detection Gaps (EDR Limitations)	critical	10.0	1	Social Engineering
1329	CVE-2025-52163	critical	10.0	1	Vulnerability Disclosure
1330	weaknesses in AIS protocol	critical	10.0	1	spoofing
1331	Unsecured Self-Service Password Reset	critical	10.0	1	Cyber Espionage
1332	Microsoft Phone Link (formerly 'Your Phone') SQLite database access	critical	10.0	1	Cyberattack
1333	CVE-2026-33784	critical	10.0	1	Vulnerability Exploitation
1334	Interconnexion entre datacenter et réseau internet	critical	10.0	1	DDoS
1335	Compromised LiteLLM library	critical	10.0	1	Supply Chain Attack
1336	Undisclosed zero-day vulnerability	critical	10.0	1	Zero-day exploitation
1337	Public Internet Exposure	critical	10.0	1	Exposure of Vulnerable Systems
1338	CVE-2026-5174	critical	10.0	1	Vulnerability Exploitation
1339	CVE-2022-29499	critical	10.0	1	Ransomware
1340	weak RDP credentials	critical	10.0	1	ransomware
1341	Microsoft Entra ID Enterprise Applications (mail.read, full_access_as_app scopes)	critical	10.0	1	Espionage
1342	Internet-exposed databases	critical	10.0	1	Ransomware
1343	Weak/reused passwords, coding flaw in 'DNA Relatives' feature	critical	10.0	1	Data Breach
1344	Backup compromise	critical	10.0	1	Ransomware
1345	Decentralized App Ecosystem (Shadow IT, Unmanaged SaaS)	critical	10.0	1	Browser-Based Attack
1346	BootROM keys extraction	critical	10.0	1	Data Breach / Unauthorized Access
1347	Weak Authentication for Publish Access (npm, PyPI)	critical	10.0	1	Supply Chain Attack
1348	Lack of access controls on an API used in customer onboarding	critical	10.0	1	Data Breach
1349	Outdated versions of Windows	critical	10.0	1	Data Breach, Ransomware
1350	CVE-2026-45247 (PHP object injection, CWE-502)	critical	10.0	1	Remote Code Execution (RCE)
1351	CVE-2026-3502 (CVSS 7.8)	critical	10.0	1	Zero-Day Exploitation
1352	lack of cyber-physical resilience in maritime navigation systems	critical	10.0	1	cyber deception
1353	CVE-2024-12297 (Frontend Authorization Logic Disclosure)	critical	10.0	1	Authentication Bypass
1354	Human vulnerabilities (compromised adviser accounts)	critical	10.0	1	Data Breach
1355	Implicit TLS	critical	10.0	1	Cross-protocol Application Layer Desynchronization
1356	CVE-2024-12912	critical	10.0	1	botnet
1357	Legacy protocols misconfigurations	critical	10.0	1	Exposed Servers
1358	Self-propagating payload in NPM packages	critical	10.0	1	Supply Chain Attack
1359	lack of package cooldown periods	critical	10.0	1	supply chain attack
1360	Microsoft Silverlight plugin flaw	critical	10.0	1	Ransomware
1361	Weaknesses in maritime navigation security protocols	critical	10.0	1	GPS spoofing
1362	Unpatched vulnerability in appointment system software	critical	10.0	1	Data Breach
1363	CVE-2024-36904	critical	10.0	1	Vulnerability Exploitation
1364	Enterprise hardware vulnerabilities (Fortinet, SonicWall, Cisco)	critical	10.0	1	Ransomware
1365	Lack of Anomaly Detection	critical	10.0	1	Data Breach Risk
1366	Improper Handling of Sensitive Material	critical	10.0	1	Data Breach
1367	Inadequate backup testing policy	critical	10.0	1	Policy Deficiency
1368	Misconfiguration of the project’s main smart contract	critical	10.0	1	Cryptocurrency Heist
1369	Unauthenticated SQL injection in Lilli’s API, publicly exposed endpoints	critical	10.0	1	AI-driven cyberattack
1370	Undisclosed Vulnerabilities in BIG-IP (details not public)	critical	10.0	1	Data Breach
1371	Default-enabled remote user account, unprotected superuser accounts, user enumeration, and lack of password protection	critical	10.0	1	Misconfiguration
1372	Lack of Data Handling Training	critical	10.0	1	Data Breach
1373	Symlink (junction) attack in Nessus Agent for Windows	critical	10.0	1	Privilege Escalation
1374	Stored Credentials in Veeam Backup Infrastructure	critical	10.0	1	Social Engineering
1375	Weak Employee Credentials	critical	10.0	1	Cyberattack Surge
1376	Irregular software patching	critical	10.0	1	Ransomware
1377	GitHub Workflows Misconfiguration	critical	10.0	1	Supply Chain Attack
1378	Legitimate account compromise	critical	10.0	1	Ransomware
1379	Stale Accounts (Former Employees with Retained Access)	critical	10.0	1	Data Breach
1380	Poor Vendor Security Practices	critical	10.0	1	Third-Party Breach
1381	Human Vulnerability (Bribery/Extortion)	critical	10.0	1	Insider Threat
1382	Undisclosed BIG-IP Vulnerabilities (under investigation)	critical	10.0	1	Supply Chain Attack
1383	Over-Reliance on Reactive Detection (EDR/XDR)	critical	10.0	1	EDR/XDR Evasion
1384	Insecure ICS Protocols (Plaintext Traffic)	critical	10.0	1	Exposure of Vulnerable Systems
1385	Unpatched flaw in a popular enterprise software platform	critical	10.0	1	Cyberattack
1386	CVE-2025-21042 (CVSS 8.8) - Out-of-Bounds Write in libimagecodec.quram.so	critical	10.0	1	Espionage
1387	Trusted third-party SDK distribution (websdk.appsflyer.com)	critical	10.0	1	Supply-Chain Attack
1388	Stolen Employee Tokens	critical	10.0	1	Data Breach
1389	human error (employee downloading malware-laced tool)	critical	10.0	1	ransomware
1390	CVE-2025-52665 (Improper Input Validation in Backup API Endpoint)	critical	10.0	1	Remote Code Execution (RCE)
1391	Improper handling of the `--exec` flag in `git rebase` during 'Rebase before merging' operations	critical	10.0	1	Remote Code Execution (RCE)
1392	Unpatched Systems (Software/Hardware)	critical	10.0	1	Data Breach
1393	Lack of Visibility into Privileged Account Usage	critical	10.0	1	Data Breach
1394	Internet-connected cameras	critical	10.0	1	Ransomware, Cyber Espionage, Industrial Sabotage
1395	Passive Storage Component Treatment (Missing Threat Signals)	critical	10.0	1	Data Breach (AI Models/Applications)
1396	Compliance Blind Spots in Cross-Border AI Data Flows	critical	10.0	1	Data Breach (AI Models/Applications)
1397	Browser Sandbox Exploitation (Clipboard Access)	critical	10.0	1	Social Engineering
1398	Exposed API endpoints returning call metadata/recordings without authentication	critical	10.0	1	Data Breach
1399	Misconfigured permissions, weak access controls, over-privileged identities	critical	10.0	1	Misconfiguration, Privilege Escalation, Data Exfiltration, AI Security
1400	unsecured legacy data storage	critical	10.0	1	fraud
1401	Lack of cybersecurity investment	critical	10.0	1	Cyberattack
1402	CVE-2026-20045 (Improper input validation in HTTP requests)	critical	10.0	1	Zero-Day Exploitation
1403	Partial Logging of Data Access	critical	10.0	1	Insider Threat
1404	CVE-2025-69264 (CVSS 8.8)	critical	10.0	1	Supply Chain Attack
1405	Weak Insider Controls	critical	10.0	1	Data Breach
1406	Impersonation of legitimate SDK, hidden credential exfiltration logic	critical	10.0	1	Supply Chain Attack
1407	Internet-exposed systems	critical	10.0	1	Cyber Threat Alert
1408	Lack of adequate security measures for USIM data (SK Telecom)	critical	10.0	1	Data Breach
1409	DNS infrastructure	critical	10.0	1	Cyberattack
1410	Unsecured communication channels (WhatsApp)	critical	10.0	1	Data Breach
1411	CVE-2026-2256 (Inadequate input sanitization in MS-Agent's 'Shell tool')	critical	10.0	1	Remote Code Execution (RCE)
1412	Kernel driver update	critical	10.0	1	Software Malfunction
1413	Inadequate input validation and output encoding in Jira’s custom priority settings	critical	10.0	1	Stored Cross-Site Scripting (XSS)
1414	Lack of two-factor authentication (2FA)	critical	10.0	1	Supply Chain Attack
1415	inadequate endpoint protection (Symantec Endpoint Protection failed to fully remediate backdoor)	critical	10.0	1	ransomware
1416	Procedural errors by Special Agent Aaron Spivack; unsecured server in child exploitation forensic lab	critical	10.0	1	Data Breach
1417	Windows Defender Disabling	critical	10.0	1	Ransomware
1418	Roundcube and SquirrelMail webmail vulnerabilities	critical	10.0	1	Cyber Espionage
1419	Over-Permissive API Access	critical	10.0	1	Supply Chain Attack
1420	API Key Exposure	critical	10.0	1	Supply Chain Attack
1421	CVE-2025-32432 (CWE-94: Improper Control of Code Generation)	critical	10.0	1	Code Injection
1422	Disabled HMAC Authentication	critical	10.0	1	Vulnerability Disclosure
1423	weak Wi-Fi security	critical	10.0	1	cyber-espionage
1424	Compromised Software Development Tools	critical	10.0	1	Malware
1425	Poor Credential Hygiene (GitHub Repository)	critical	10.0	1	Data Breach
1426	Off-by-one error in encryption process	critical	10.0	1	Ransomware
1427	CVE-2025-32975	critical	10.0	1	Authentication Bypass
1428	Compromised AWS API key via supply-chain attack on Trivy	critical	10.0	1	Data Breach
1429	SonicWall VPN flaws	critical	10.0	1	ransomware
1430	Lack of Timely Detection (6-month delay)	critical	10.0	1	Supply Chain Attack
1431	Inadequate cybersecurity training for non-IT staff	critical	10.0	1	Ransomware
1432	CVE-2026-25874 (Unsafe deserialization via Python's `pickle.loads()` in LeRobot's gRPC PolicyServer)	critical	10.0	1	Remote Code Execution (RCE)
1433	CVE-2025-9491 (Windows Shortcut (LNK) file user interface misinterpretation)	critical	10.0	1	Remote Code Execution
1434	Dangling DNS records	critical	10.0	1	Subdomain Hijacking
1435	CVE-2025-61882 (Critical Authentication Bypass in Oracle E-Business Suite)	critical	10.0	1	Data Breach
1436	inadequate monitoring of employee activity	critical	10.0	1	data breach
1437	outdated business continuity plans	critical	10.0	1	ransomware
1438	Unaddressed software vulnerabilities in CM/ECF system (identified in 2019 after a prior 2020 breach)	critical	10.0	1	Data Breach
1439	Malware in plug-ins	critical	10.0	1	Data Privacy and Cybersecurity Advisory
1440	AI Chatbot Feature	critical	10.0	1	Copyright Infringement
1441	Human trust exploitation	critical	10.0	1	Data Breach
1442	Poor Training on Data Protection Protocols	critical	10.0	1	Data Breach
1443	Weak or Compromised RDP Credentials	critical	10.0	1	Malware
1444	CVE-2025-27520	critical	10.0	1	Vulnerability Exploitation
1445	visibility gap in EDR/SIEM logs	critical	10.0	1	ransomware
1446	Microsoft Office Vulnerabilities	critical	10.0	1	Cyber Espionage
1447	Unidentified network vulnerability	critical	10.0	1	Ransomware Attack
1448	third-party tokens	critical	10.0	1	ransomware
1449	Overly permissive IAM policies	critical	10.0	1	Supply-Chain Attack
1450	Outdated Cryptographic Protocols	critical	10.0	1	Data Breach
1451	Unauthorized transaction approvals	critical	10.0	1	Security Breach
1452	Insecure Remote Work Tools	critical	10.0	1	Data Breach (General Discussion)
1453	Unspecified Adobe ColdFusion Vulnerabilities	critical	10.0	1	Cyber Espionage
1454	Improper input sanitization in virtuser_query plugin (preg_replace backslash escape bypass)	critical	10.0	1	SQL Injection
1455	ManageSieve misconfigurations	critical	10.0	1	Cyber Espionage
1456	Security flaw in Neighbors app	critical	10.0	1	Data Breach
1457	Exposed Credentials in Repositories	critical	10.0	1	Data Breach
1458	Lack of oversight in outsourcing, contractual violations	critical	10.0	1	Data Breach
1459	CVE-2026-3055	critical	10.0	1	Vulnerability Disclosure
1460	CVE-2026-1354	critical	10.0	1	Firmware Vulnerability
1461	Oracle E-Business Suite vulnerability (patched post-incident)	critical	10.0	1	Ransomware
1462	CVE-2026-34908	critical	10.0	1	Remote Code Execution (RCE)
1463	delayed maintenance response	critical	10.0	1	physical security breach
1464	Improper authorization/callback handling in V2 vaults	critical	10.0	1	Exploit
1465	Known vulnerabilities in backbone routers	critical	10.0	1	Cyber Espionage
1466	PackageGate Vulnerabilities	critical	10.0	1	Supply Chain Attack
1467	insecure communication protocols	critical	10.0	1	unauthorized access
1468	Misconfigured Azure RBAC permissions	critical	10.0	1	Data Exfiltration
1469	Trust in technical support specialists	critical	10.0	1	Data Breach
1470	Software Infrastructure Vulnerability	critical	10.0	1	Ransomware Attack
1471	Single Point of Failure in Critical Workflows	critical	10.0	1	Supply Chain Attack
1472	Poor Data Residency Enforcement	critical	10.0	1	Data Breach Risk
1473	Unspecified (32% of attacks involved exploited vulnerabilities)	critical	10.0	1	ransomware
1474	Lack of Content Security Policy (CSP) enforcement	critical	10.0	1	Data Breach
1475	File transfer software vulnerability	critical	10.0	1	Data Breach
1476	Unmanaged BYOD Devices	critical	10.0	1	Social Engineering
1477	20+ Vulnerabilities	critical	10.0	1	AI-Powered Cyberattack
1478	Implicit trust in supply chains	critical	10.0	1	Supply Chain Attack, Extortion Campaign
1479	Mobile Device Management (MDM) system	critical	10.0	1	Espionage, Data Breach
1480	Improperly exposed backend function (Convex framework's `downloads: increment` configured as public mutation)	critical	10.0	1	Supply-Chain Attack
1481	Vulnerabilities in Change Healthcare’s IT infrastructure	critical	10.0	1	Ransomware
1482	Funding constraints	critical	10.0	1	Data Breach
1483	Adobe Flash Vulnerability	critical	10.0	1	Vulnerability Exploitation
1484	Human Trust Vulnerability	critical	10.0	1	Data Breach
1485	lack of managed GenAI tools	critical	10.0	1	ransomware
1486	Unsecured Health Declaration Portal	critical	10.0	1	Data Breach
1487	Poorly secured networks, MFA vulnerabilities	critical	10.0	1	Cyberattack, Initial Access Brokerage, Ransomware
1488	CVE-2026-50751	critical	10.0	1	Zero-Day Exploitation
1489	interconnected manufacturing systems	critical	10.0	1	cyberattack
1490	Insufficient cybersecurity training	critical	10.0	1	Data Breach
1491	Microsoft Exchange (unspecified CVEs)	critical	10.0	1	ransomware
1492	Insecure Default Settings	critical	10.0	1	Vulnerability Exploitation
1493	Undocumented n-day vulnerability	critical	10.0	1	APT Attack
1494	CrushFTP servers	critical	10.0	1	Supply Chain Attack
1495	CVE-2024-7014	critical	10.0	1	Vulnerability Exploit
1496	Remote Code Execution in Imunify360 AV deobfuscation logic (versions before v32.7.4.0)	critical	10.0	1	Vulnerability
1497	known vulnerabilities	critical	10.0	1	ransomware
1498	Misconfigured or unprotected cloud logging mechanisms (AWS CloudTrail, Google Cloud Logging)	critical	10.0	1	Cloud Security Incident
1499	Publicly Indexed 'Recent Links' Pages	critical	10.0	1	Data Leak
1500	Insufficient Log Retention/Preservation	critical	10.0	1	APT (Advanced Persistent Threat)
1501	File transfer tool vulnerability	critical	10.0	1	Ransomware
1502	Authentication bypasses	critical	10.0	1	Cyber Attack
1503	Prompt Injection (indirect)	critical	10.0	1	Vulnerability Exploitation
1504	Stolen Private Key	critical	10.0	1	Cryptocurrency Theft
1505	CVE-2020-12641	critical	10.0	1	Cyberespionage
1506	Malicious Word documents	critical	10.0	1	Security Breach
1507	Lack of Zero-Trust for Non-Human Identities (AI agents)	critical	10.0	1	Predictive Analysis
1508	Access to sensitive infrastructure data	critical	10.0	1	Insider Threat
1509	Known flaws in outdated software	critical	10.0	1	Ransomware
1510	Unauthorized access via compromised civil servant credentials	critical	10.0	1	Data Breach
1511	Fortinet systems	critical	10.0	1	Ransomware
1512	Unrotated Factory-Default Logins	critical	10.0	1	Cyber Espionage
1513	Inadequate validation of `gatewayUrl` parameter in ClawDBot Control UI (GHSA-g8p2-7wf7-98mq)	critical	10.0	1	Authentication Bypass, Remote Code Execution (RCE)
1514	Missing Alerts	critical	10.0	1	Data Exposure
1515	Publicly exposed Ollama AI servers without authentication or monitoring	critical	10.0	1	Remote Code Execution (RCE)
1516	publicly available data misrepresented as 'secret' (hallucination exploit)	critical	10.0	1	cyberespionage
1517	Outdated EnCase driver (EnPortv.sys) with revoked certificate, Windows signature validation loophole for pre-2015 certificates	critical	10.0	1	BYOVD (Bring Your Own Vulnerable Driver)
1518	Over-Reliance on Email-Based Security Controls	critical	10.0	1	Social Engineering
1519	Unspecified SQL Server Vulnerabilities	critical	10.0	1	Cyber Espionage
1520	CVE-2026-25084	critical	10.0	1	Vulnerability Exploitation
1521	Stolen Passwords	critical	10.0	1	Data Breach
1522	CVE-2024-8300	critical	10.0	1	Vulnerabilities in SCADA Systems
1523	Unpatched Systems (Historical)	critical	10.0	1	Data Breach
1524	Slow Detection Capabilities	critical	10.0	1	Data Breach
1525	Windows Safe Mode vulnerabilities	critical	10.0	1	Ransomware
1526	Lack of Third-Party Supplier Accountability	critical	10.0	1	Cybersecurity Vulnerability Assessment
1527	Delayed Threat Response	critical	10.0	1	Operational Risk
1528	Employee Theft	critical	10.0	1	Data Breach
1529	Provider Edge (PE) routers	critical	10.0	1	Cyber Espionage
1530	SQL Injection Vulnerability	critical	10.0	1	Data Breach
1531	SonicWall VPN RCE	critical	10.0	1	Cybercrime Forum Seizure
1532	Follina	critical	10.0	1	Zero-Day Vulnerability
1533	Previously Patched Vulnerabilities (Exploited Post-Patch)	critical	10.0	1	Data Breach
1534	Abuse of Legitimate Tools (BITSAdmin)	critical	10.0	1	Targeted Attack
1535	Customer Edge (CE) routers	critical	10.0	1	Cyber Espionage
1536	Cryptographic Implementation Flaws	critical	10.0	1	Security Vulnerability
1537	Third-party software (Famly) used by Kido nursery chain	critical	10.0	1	ransomware
1538	CVE-2025-49156	critical	10.0	1	Vulnerability Exploitation
1539	Microsoft Hyper-V virtualization	critical	10.0	1	Cyber Espionage
1540	weak security in satellite communication systems	critical	10.0	1	cyberattack
1541	CVE-2026-0740	critical	10.0	1	Vulnerability Exploitation
1542	CVE-2025-30232	critical	10.0	1	Vulnerability Exploitation
1543	Human Error (Credential Sharing/System Access Granted via Deception)	critical	10.0	1	Data Breach
1544	CVE-2022-37055	critical	10.0	1	Vulnerability Exploitation
1545	CVE-2025-47962 (Windows SDK EoP)	critical	10.0	1	Patch Release
1546	Lack of identity controls	critical	10.0	1	AI-driven breach
1547	CVE-2025-20362 (Cisco ASA/Firepower - Privilege Escalation)	critical	10.0	1	Vulnerability Exploitation
1548	Unpatched VPN Devices	critical	10.0	1	Supply Chain Attack
1549	Unauthorized access to security credentials	critical	10.0	1	Financial Fraud, Insider Threat
1550	Third-Party Supply Chain Weaknesses	critical	10.0	1	Data Breach
1551	default weak password policies (privileged accounts <14 characters)	critical	10.0	1	ransomware
1552	Lack of Browser-Specific Security Controls	critical	10.0	1	Browser-Based Attack
1553	CEA-852 Standard Weaknesses	critical	10.0	1	Vulnerability Disclosure
1554	Accessibility Services Permission, Device Admin Permission	critical	10.0	1	Malware (Ransomware-like)
1555	insufficient AI governance	critical	10.0	1	ransomware
1556	misuse of scientific research cover	critical	10.0	1	espionage
1557	Unpatched vulnerability in TP-Link Archer routers	critical	10.0	1	Botnet
1558	Human behavior	critical	10.0	1	Illegal intrusion
1559	CVE-2024-43468	critical	10.0	1	SQL Injection
1560	Visual Redaction Without Data Removal	critical	10.0	1	Data Leak
1561	Velociraptor CVE-2025-6264 (privilege escalation to arbitrary command execution)	critical	10.0	1	Ransomware
1562	dependency trust model	critical	10.0	1	supply chain attack
1563	Excessive user permissions	critical	10.0	1	Ransomware
1564	Third-party breaches	critical	10.0	1	Supply Chain Attack, Extortion Campaign
1565	Zimbra Server vulnerabilities	critical	10.0	1	Ransomware
1566	Disguised Malicious Commands as Benign Requests	critical	10.0	1	Espionage
1567	Insider access to classified systems, Lack of real-time monitoring for data exfiltration	critical	10.0	1	Insider Threat, Espionage
1568	Known vulnerability in remote-access software, lack of multi-factor authentication (MFA)	critical	10.0	1	Ransomware
1569	weak credential management (golden ticket risk)	critical	10.0	1	ransomware
1570	CVE-2026-42945 (Heap Buffer Overflow in ngx_http_rewrite_module)	critical	10.0	1	Vulnerability Exploitation
1571	Self-Service Password Reset (SSPR)	critical	10.0	1	Data Exfiltration
1572	Authentication key theft	critical	10.0	1	Data Breach
1573	CVE-2026-29000	critical	10.0	1	Authentication Bypass
1574	CVE-2026-8711 (Heap Buffer Overflow in NGINX JavaScript)	critical	10.0	1	Vulnerability Exploitation
1575	CVE-2017-7921 (CWE-287: Improper Authentication)	critical	10.0	1	Vulnerability Exploitation
1576	CVE-2025-47164 (Microsoft Office Use-After-Free)	critical	10.0	1	Patch Release
1577	preventable software vulnerabilities	critical	10.0	1	ransomware
1578	CVE-2025-4428	critical	10.0	1	Cyber Espionage
1579	AnyDesk Remote Access Application	critical	10.0	1	Data Exfiltration
1580	Unauthorized disclosure of SL2000 and SL3000 certificates	critical	10.0	1	Data Breach
1581	Lack of Standardized Controls	critical	10.0	1	Collaborative Initiative
1582	Neterbit routers	critical	10.0	1	DDoS Attack
1583	CVE-2024-0132, Docker DoS flaw on Linux	critical	10.0	1	Vulnerability Exploitation, DoS Attack
1584	Compromised Okta SSO account	critical	10.0	1	Data Breach
1585	Kernel compromise	critical	10.0	1	Espionage
1586	Outdated Factory Digital Systems	critical	10.0	1	Cyberattack Surge
1587	Insufficient Input Validation (CWE-20)	critical	10.0	1	Unauthorized Access
1588	Oracle software vulnerability (identified in September 2023 by NCSC)	critical	10.0	1	Data Breach, Ransomware
1589	remote management tool abuse	critical	10.0	1	ransomware
1590	Insecure RDP configurations	critical	10.0	1	Ransomware
1591	Unsalted Password Hashes (pre-remediation)	critical	10.0	1	Data Breach
1592	Default passwords, Outdated software, Lack of manual updates	critical	10.0	1	Data Breach, Voyeurism, Illegal Content Distribution
1593	BDU-2025-10116 (CVSS 9.8) - Command injection	critical	10.0	1	Cyber Espionage
1594	Human Trust (Fake CAPTCHA Social Engineering)	critical	10.0	1	Social Engineering
1595	Unpatched Software (e.g., Equifax)	critical	10.0	1	Data Breach
1596	Weak multi-factor authentication (MFA)	critical	10.0	1	AI-driven vulnerability exploitation
1597	Lack of Password or Encryption	critical	10.0	1	Data Exposure
1598	misconfigured AWS S3 bucket permissions	critical	10.0	1	ransomware
1599	CVE-2025-52562	critical	10.0	1	Remote Code Execution (RCE)
1600	Permanent URL Accessibility	critical	10.0	1	Data Leak
1601	Public-facing file-sharing folder	critical	10.0	1	Ransomware
1602	At least 20 exploited vulnerabilities	critical	10.0	1	Data Breach, Cyberattack, AI-Enabled Attack
1603	CVE-2025-68613	critical	10.0	1	Botnet Campaign
1604	Volume Shadow Copy Service	critical	10.0	1	Ransomware
1605	Flaw in CI/CD pipeline	critical	10.0	1	Supply-Chain Attack
1606	Unmanaged machine identities	critical	10.0	1	Ransomware
1607	Improper validation of profile image uploads (SVG files with embedded JavaScript)	critical	10.0	1	Stored Cross-Site Scripting (XSS)
1608	Weak Subcontractor Security Postures	critical	10.0	1	Supply Chain Attack
1609	Overprivileged service accounts	critical	10.0	1	Ransomware
1610	CVE-2025-6000	critical	10.0	1	Vulnerability
1611	weaknesses in distributed enforcement synchronization	critical	10.0	1	data breach
1612	Unspecified Cisco ASA Vulnerabilities (ArcaneDoor Campaign)	critical	10.0	1	Espionage
1613	CVE-2021-Log4j (Remote Code Execution)	critical	10.0	1	Ransomware
1614	Excessive Access Privileges	critical	10.0	1	Insider Threat
1615	Unsupported Firmware/OS (EOL Systems)	critical	10.0	1	Cybersecurity Vulnerability Exposure
1616	Security gap in MOVEit Transfer	critical	10.0	1	Data Breach
1617	Weak vendor security controls	critical	10.0	1	Ransomware
1618	unauthorized remote access	critical	10.0	1	cyber-physical attack
1619	lack of network segmentation (allowed lateral movement)	critical	10.0	1	ransomware
1620	Default credentials, weak cybersecurity oversight, legacy systems	critical	10.0	1	Cyber Espionage, Supply Chain Attack
1621	flat network architectures	critical	10.0	1	ransomware
1622	OAuth Token Misconfiguration	critical	10.0	1	Data Breach
1623	Jira	critical	10.0	1	Data Leak
1624	CVE-2024-13804	critical	10.0	1	Vulnerability Exploit
1625	CVE-2026-27684 (SQL injection in SAP NetWeaver Feedback Notification)	critical	10.0	1	Remote Code Execution (RCE)
1626	Poor OAuth Protections	critical	10.0	1	Data Breach
1627	Insecure support ticketing platform (bulk data export without rate-limiting or access controls)	critical	10.0	1	Data Breach
1628	Progress Software MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)	critical	10.0	1	Data Breach
1629	Path traversal (CVE-2025-64712)	critical	10.0	1	Remote Code Execution (RCE)
1630	lack of up-to-date incident response plans	critical	10.0	1	cyber attack
1631	Entra ID application registration secrets	critical	10.0	1	cyberespionage
1632	LogoFAIL flaws (CVE-2023-40238)	critical	10.0	1	UEFI Bootkit
1633	Insecure systems	critical	10.0	1	Ransomware Attack
1634	Trust model in open-source ecosystems, self-replicating worm propagation	critical	10.0	1	Supply Chain Attack
1635	Saved Credentials in Browsers/Email Clients	critical	10.0	1	Account Compromise
1636	CVE-2025-64446	critical	10.0	1	Ransomware
1637	lack of physical safeguards	critical	10.0	1	infrastructure vulnerability
1638	Human operational error	critical	10.0	1	GPS spoofing (disputed)
1639	CVEs in Cisco's routers	critical	10.0	1	Data Breach
1640	CVE-2025-7029	critical	10.0	1	Firmware Vulnerability
1641	Insufficient Asset Discovery (IIoT Device Proliferation)	critical	10.0	1	Cyber-Physical Attack
1642	CVE-2023-20867	critical	10.0	1	Advanced Persistent Threat (APT)
1643	Fragmented security in third-party hardware	critical	10.0	1	Privacy Breach
1644	Oracle’s E-Business Suite flaw	critical	10.0	1	Ransomware Attack
1645	human error (accidental download of malware-laced system administration tool)	critical	10.0	1	ransomware
1646	Zero-day vulnerability in enterprise software	critical	10.0	1	Data Breach, Ransomware
1647	Aging hardware	critical	10.0	1	Hardware Malfunction
1648	Unpatched vulnerability in the email system	critical	10.0	1	Ransomware
1649	Network segmentation flaws or disabled/unmonitored logs	critical	10.0	1	Data Breach
1650	CVE-2025-47171 (Windows Netlogon Use of Uninitialized Resources)	critical	10.0	1	Patch Release
1651	CVE-2025-22225	critical	10.0	1	Ransomware
1652	CVE-2025-61882 (Oracle E-Business Suite Zero-Day)	critical	10.0	1	Data Breach
1653	unsecured AWS memory dump	critical	10.0	1	ransomware
1654	Automated execution during `npm install`, GitHub Actions environment targeting	critical	10.0	1	Supply Chain Attack
1655	Interconnexion non sécurisée entre IT et OT	critical	10.0	1	Cyberattaque ciblée
1656	Website Security	critical	10.0	1	Data Breach
1657	Insufficient Anomaly Detection	critical	10.0	1	Data Breach
1658	Error by a third-party contractor	critical	10.0	1	Data Breach
1659	Human Trust in Browser Update Prompts	critical	10.0	1	Malware Infection
1660	Overwhelmed network infrastructure, misconfigurations, unused ports	critical	10.0	1	DDoS
1661	End-of-life (EOL) and end-of-support (EOS) Microsoft IIS servers	critical	10.0	1	Vulnerability Exposure
1662	Insufficient Access Controls (Assumed)	critical	10.0	1	Ransomware
1663	CVE-2024-37079	critical	10.0	1	Remote Code Execution (RCE)
1664	Weak Endpoint Detection	critical	10.0	1	Targeted Cyberattack
1665	lack of system isolation capabilities	critical	10.0	1	cyberattack
1666	Undocumented backdoors in the Go1 quadruped	critical	10.0	1	Privacy Breach
1667	Cybersecurity Staffing Shortages	critical	10.0	1	Collaborative Initiative
1668	Weak Identity Management (Lack of Privileged Account Separation)	critical	10.0	1	Cyber Espionage
1669	LOLDrivers (Living Off The Land Drivers) - 'truesight.sys' from RogueKiller AntiRootkit	critical	10.0	1	ransomware
1670	Unpatched IoMT devices	critical	10.0	1	Data Breach
1671	CVE-2025-10035	critical	10.0	1	Ransomware Attack
1672	CVE-2025-10035 (GoAnywhere MFT)	critical	10.0	1	ransomware
1673	Lack of Employee Cybersecurity Training	critical	10.0	1	Ransomware
1674	Human Vulnerability (Insider Threat)	critical	10.0	1	Insider Threat (Attempted)
1675	weak/recycled passwords	critical	10.0	1	general cybersecurity awareness
1676	Exposed Web-Accessible Operational Technology (OT) System	critical	10.0	1	Cyberattack
1677	Zero-Day in Oracle E-Business Suite	critical	10.0	1	Data Breach
1678	CVE-2025-4427	critical	10.0	1	Cyber Espionage
1679	Microsoft Outlook vulnerability	critical	10.0	1	Data Breach
1680	Weak Password in Remote-Control System	critical	10.0	1	Cyberattack
1681	Lack of Out-of-Band Authentication	critical	10.0	1	Social Engineering
1682	Insufficient MFA Enforcement (Ghost Logins, SSO Gaps)	critical	10.0	1	Browser-Based Attack
1683	CVE-2023-46805 (Ivanti Connect Secure/Policy Secure)	critical	10.0	1	Ransomware
1684	Loose Sharing Permissions	critical	10.0	1	Data Breach Risk
1685	Thousands of zero-day vulnerabilities	critical	10.0	1	AI-driven cyber attack
1686	Inadequate Risk Management Exercises	critical	10.0	1	Data Breach
1687	LNK file execution	critical	10.0	1	spear-phishing
1688	Exposed network devices and vulnerabilities in OT systems	critical	10.0	1	Cyberattack on Critical Infrastructure
1689	Impersonation of trusted contact (reporter)	critical	10.0	1	Cyber Espionage
1690	ProxyNotShell (Microsoft Exchange)	critical	10.0	1	Cyber Espionage
1691	161 distinct CVEs in H1 2025 (up from 136 in H1 2024)	critical	10.0	1	Vulnerability Exploitation
1692	CVE-2025-61882 (Oracle E-Business Suite BI Publisher Integration Component)	critical	10.0	1	Data Theft
1693	Potential vulnerability in screen monitoring software	critical	10.0	1	Ransomware
1694	CVE-2024-7587	critical	10.0	1	Vulnerabilities in SCADA Systems
1695	Lack of Robust Backup Systems	critical	10.0	1	Supply Chain Attack
1696	CitrixBleed2 (CVE unknown, related to Citrix Netscaler)	critical	10.0	1	ransomware
1697	Software Issue	critical	10.0	1	Data Breach
1698	subdomain vulnerabilities	critical	10.0	1	data breach
1699	Unauthorized access to video lessons	critical	10.0	1	Data Breach
1700	Blind Spots in Monitoring	critical	10.0	1	Ransomware
1701	unpatched or misconfigured endpoints	critical	10.0	1	ransomware
1702	Information Disclosure Vulnerability	critical	10.0	1	Information Disclosure
1703	Lack of multi-factor authentication, Lack of encryption	critical	10.0	1	Data Breach, Ransomware
1704	CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability)	critical	10.0	1	Cyber Espionage
1705	Trust in AI Model Updates	critical	10.0	1	Malware
1706	Lack of Real-Time Identity Data Sync	critical	10.0	1	Identity Security Crisis
1707	human error (clicking suspicious links)	critical	10.0	1	general cybersecurity awareness
1708	Human trust in perceived secure platforms	critical	10.0	1	Social Engineering
1709	Lack of Segmentation	critical	10.0	1	Data Exposure
1710	Avast Anti-Rootkit driver	critical	10.0	1	Malware Campaign
1711	Microsoft IIS	critical	10.0	1	Supply Chain Attack
1712	Lateral Movement from Contractor to MoD Systems	critical	10.0	1	Data Breach
1713	Unsupported hardware	critical	10.0	1	Cyberattack
1714	CVE-2025-23334	critical	10.0	1	Vulnerability Exploitation
1715	CVE-2024-55591 (FortiOS/FortiProxy Race Condition Authentication Bypass)	critical	10.0	1	Unauthorized Access
1716	RedSun	critical	10.0	1	Zero-Day Exploitation
1717	Unsecured Infrastructure Controls	critical	10.0	1	Cyber Attack
1718	CVE-2024-57727 (SimpleHelp remote code execution)	critical	10.0	1	ransomware
1719	CVE-2026-4368	critical	10.0	1	Vulnerability Disclosure
1720	Malicious code injection in legitimate packages	critical	10.0	1	Supply Chain Attack
1721	High-risk extension permissions	critical	10.0	1	Session Hijacking
1722	CVE-2026-3497 (OpenSSH GSSAPI Key Exchange)	critical	10.0	1	Vulnerability Exploitation
1723	Improper Data Handling Practices	critical	10.0	1	Data Breach
1724	Weaknesses in third-party integrations, lack of real-time monitoring	critical	10.0	1	Third-Party Breach
1725	Persistent IT/OT silos	critical	10.0	1	Cyber Espionage
1726	Absence of Privacy-Enhancing Technologies (PETs)	critical	10.0	1	Data Breach
1727	Banking security systems	critical	10.0	1	Malware
1728	React2Shell (CVE not specified)	critical	10.0	1	Vulnerability Exploitation
1729	Veeam Backup & Replication (VBR) servers	critical	10.0	1	Ransomware
1730	unknown (zero-day)	critical	10.0	1	cyberattack
1731	Unpatched Domain Controllers (Privilege Escalation Flaw, April 2025)	critical	10.0	1	Data Breach
1732	CVE-2021-39935 (CWE-918)	critical	10.0	1	Server-Side Request Forgery (SSRF)
1733	CVE-2026-1492	critical	10.0	1	Privilege Escalation
1734	Poorly protected and vulnerable government websites	critical	10.0	1	Cyberattack, Website Defacement, Data Compromise
1735	CVE-2025-20393	critical	10.0	1	Cyberattack
1736	PCI DSS 4.0.1 compliance gaps in client-side data protection	critical	10.0	1	Data Breach
1737	CVE-2026-0489 (DOM-based XSS in SAP Business One Job Service)	critical	10.0	1	Remote Code Execution (RCE)
1738	Supply-chain vulnerabilities	critical	10.0	1	Ransomware
1739	Incorrect access permissions and configuration settings	critical	10.0	1	Data Breach
1740	weak token security	critical	10.0	1	third-party breach
1741	network security issues	critical	10.0	1	third-party breach
1742	CVE-2026-35273	critical	10.0	1	Remote Code Execution (RCE)
1743	Microsoft 365 authorization flows	critical	10.0	1	Phishing
1744	Default Pre-Shared Keys	critical	10.0	1	Vulnerability Disclosure
1745	Weak default passwords, unpatched vulnerabilities	critical	10.0	1	Cyberattack
1746	CVE-2025-64328	critical	10.0	1	Webshell Deployment
1747	Legitimate signed drivers	critical	10.0	1	Ransomware
1748	Lack of Advanced DNS Monitoring	critical	10.0	1	Domain Hijacking
1749	Weak Authentication for Third-Party Access	critical	10.0	1	Cyberattack
1750	Stolen Credentials (Infostealer Malware)	critical	10.0	1	Supply Chain Attack
1751	CVE-2024-20399	critical	10.0	1	Advanced Persistent Threat (APT)
1752	Geopolitical protections for cybercriminals	critical	10.0	1	Ransomware
1753	CVE-2025-26512	critical	10.0	1	Privilege Escalation
1754	Over-Permissive API/OAuth Token Access	critical	10.0	1	Data Breach
1755	Incorrect mailing of care management letters	critical	10.0	1	Data Breach
1756	Unpatched VPN services	critical	10.0	1	Ransomware
1757	publicly available personal data (e.g., photos, job titles)	critical	10.0	1	social engineering
1758	CVE-2026-22755	critical	10.0	1	Remote Code Execution (RCE)
1759	CVE-2023-4966 (Citrix Bleed)	critical	10.0	1	Ransomware
1760	CVE-2026-20079	critical	10.0	1	Vulnerability Exploitation
1761	Infected Barcode Scanners	critical	10.0	1	Data Breach
1762	Improper access control in WDS (CVE-2026-0386)	critical	10.0	1	Remote Code Execution (RCE)
1763	CVE-2026-2005 (Heap-based buffer overflow in PGP session key parsing)	critical	10.0	1	Remote Code Execution (RCE)
1764	End-to-End Encryption	critical	10.0	1	Government Order
1765	Opportunistic targeting	critical	10.0	1	Data Breach
1766	Cultural Gap Between IT/OT Teams	critical	10.0	1	Cyber-Physical Attack
1767	excessive email/mailbox permissions (shared read access)	critical	10.0	1	cyberespionage
1768	Videoconference Invitation	critical	10.0	1	Data Breach
1769	Zero-Day Vulnerability in Fortra's GoAnywhere MFT	critical	10.0	1	Data Breach
1770	Coding error in liquidity pools	critical	10.0	1	Cryptocurrency Heist
1771	Security software vulnerability	critical	10.0	1	Ransomware
1772	Caching Error	critical	10.0	1	Data Breach
1773	Unknown vulnerability in the Safe Smart Port (PIS) platform	critical	10.0	1	Data Breach
1774	CVE-2026-21643	critical	10.0	1	SQL Injection
1775	authentication_bypass_flaw	critical	10.0	1	ransomware
1776	Insufficient Vetting of Remote IT Workers	critical	10.0	1	Cyber Theft
1777	lack of formal AI-use/data privacy policies	critical	10.0	1	ransomware
1778	CVE-2026-27685 (Insecure deserialization in SAP NetWeaver Enterprise Portal Administration)	critical	10.0	1	Remote Code Execution (RCE)
1779	CVE-2026-42880	critical	10.0	1	Vulnerability Exploitation
1780	AI integrations with applications (e.g., Google Calendar, Zoom)	critical	10.0	1	AI Exploitation
1781	Lack of a business associate agreement	critical	10.0	1	Ransomware Attack
1782	unrestricted access to GitHub Actions environment variables	critical	10.0	1	supply chain attack
1783	CVE-2026-25108	critical	10.0	1	OS Command Injection
1784	Remote Control Software Vulnerability	critical	10.0	1	Phishing Attack
1785	Misconfigured WAF	critical	10.0	1	Data Breach
1786	Unauthorized access due to offshoring of IT and cybersecurity functions, bypassed consent protocols	critical	10.0	1	Data Breach
1787	Insufficient Disaster Recovery Plans	critical	10.0	1	Supply Chain Attack
1788	Publicly Exposed MCP Servers	critical	10.0	1	Data Exposure
1789	Telnyx SDK	critical	10.0	1	Ransomware
1790	Obfuscation Techniques	critical	10.0	1	Malware Infection
1791	Improper oversight and mismanagement of data protection protocols	critical	10.0	1	Data Breach
1792	ADRecon for Active Directory mapping	critical	10.0	1	ransomware
1793	unencrypted data transmission	critical	10.0	1	ransomware
1794	CVE-2021-36380	critical	10.0	1	Cyber Attack
1795	Misconfiguration or compromise in Okta SSO and Salesforce Marketing Cloud	critical	10.0	1	Phishing / Scam
1796	prolonged lapses in security oversight	critical	10.0	1	data breach
1797	Compromised logistics systems and load boards	critical	10.0	1	Cyber-Enabled Cargo Theft
1798	CVE-2025-0282 (Ivanti Pulse Connect VPN)	critical	10.0	1	cyberespionage
1799	Infostealer logs	critical	10.0	1	Extortion / Data Leak Threat
1800	arbitrary code execution in CI/CD pipeline	critical	10.0	1	supply chain attack
1801	Insecure Data Storage Practices	critical	10.0	1	Vulnerability Exploitation
1802	Lack of IP restrictions	critical	10.0	1	Data Breach
1803	Poorly Secured OT Systems (e.g., MV Dali electrical blackout)	critical	10.0	1	Ransomware
1804	Over-Privileged Accounts	critical	10.0	1	Data Breach
1805	Faulty access control mechanisms in Balancer's DeFi protocol	critical	10.0	1	Cryptocurrency Theft
1806	Authentication tokens harvested from Anodot, bypassing multi-factor authentication	critical	10.0	1	Data Breach
1807	CVE-2026-5140	critical	10.0	1	Privilege Escalation
1808	Broken Authentication (CWE-287)	critical	10.0	1	Unauthorized Access
1809	User Trust in Popular Repositories	critical	10.0	1	Malware Distribution and Phishing
1810	Known vulnerability in legacy IT infrastructure (unpatched)	critical	10.0	1	Ransomware, Data Breach
1811	user trust in search engine ads	critical	10.0	1	ransomware
1812	Legitimate cloud administrative tools	critical	10.0	1	Data Exfiltration
1813	Unsegmented Networks	critical	10.0	1	Data Breach
1814	Dependence on GPS/GNSS signals for navigation; lack of spoofing-resistant safeguards	critical	10.0	1	GNSS spoofing
1815	Previously unknown vulnerability in firewall software	critical	10.0	1	Ransomware Attack
1816	Legacy System Exploits	critical	10.0	1	Ransomware
1817	CVE-2024-1182	critical	10.0	1	Vulnerabilities in SCADA Systems
1818	Separate vulnerability in login pages	critical	10.0	1	Ransomware
1819	CVE-2026-33032	critical	10.0	1	Authentication Bypass
1820	Stolen username and password of a UN employee purchased off the dark web	critical	10.0	1	Data Breach
1821	Compromised Deloitte employee credentials	critical	10.0	1	data breach
1822	Drupal core security flaw (unspecified)	critical	10.0	1	Vulnerability
1823	Unknown vulnerability in the company's network	critical	10.0	1	Data Breach
1824	SonicWall SSLVPN misconfigurations	critical	10.0	1	ransomware
1825	Lack of Access Controls for Sensitive Data Aggregation	critical	10.0	1	Data Breach
1826	Internal mechanism for helping password-forgetting users reclaim their accounts	critical	10.0	1	Data Privacy Breach
1827	outsourcing risks	critical	10.0	1	data breach
1828	Human Trust in Help-Desk Processes	critical	10.0	1	Cyberattack
1829	Weak governance mechanisms	critical	10.0	1	DeFi Exploit
1830	Well-known attack vector (unspecified)	critical	10.0	1	Data Breach
1831	Adreno GPU Driver Vulnerabilities	critical	10.0	1	Vulnerability
1832	Stale IAM Accounts in AI Environments	critical	10.0	1	Data Breach (AI Models/Applications)
1833	Lack of real-time threat-sharing incentives	critical	10.0	1	Policy/Regulatory Failure
1834	undersea cable physical exposure	critical	10.0	1	sabotage
1835	Google Play Store Security	critical	10.0	1	Malware
1836	Improper input sanitization in telnetd authentication mechanism (CWE-20)	critical	10.0	1	Authentication Bypass
1837	Lack of MFA on FortiGate VPN devices	critical	10.0	1	Destructive Cyberattack
1838	CVE-2026-4372	critical	10.0	1	Remote Code Execution (RCE)
1839	CWE-426 (Untrusted APT Source Path)	critical	10.0	1	Privilege Escalation
1840	CVE-2025-32433	critical	10.0	1	Ransomware
1841	CVE-2025-10035 (Critical vulnerability in Fortra's GoAnywhere MFT)	critical	10.0	1	Ransomware
1842	AppArmor vulnerabilities (no CVE assigned yet)	critical	10.0	1	Vulnerability Exploitation
1843	Cross-Site Scripting (XSS) in Free-for-Teacher environment	critical	10.0	1	Data Breach, Extortion
1844	Physical Infrastructure	critical	10.0	1	Sabotage
1845	Absence of Automated Data Loss Prevention (DLP) Tools	critical	10.0	1	Data Breach
1846	GitLab Server Misconfiguration (Red Hat)	critical	10.0	1	Data Breach
1847	CVE-2025-27816	critical	10.0	1	Vulnerability Exploitation
1848	CVE-2023-48788 (Fortinet EMS SQL injection)	critical	10.0	1	Ransomware
1849	Compromised contractor credentials (specific vulnerability undisclosed)	critical	10.0	1	Data Breach
1850	CVE-2026-31431 (Incorrect resource transfer between spheres, CWE-699)	critical	10.0	1	Privilege Escalation
1851	Excessive Privileges (God-level access)	critical	10.0	1	Data Breach
1852	Operational Security	critical	10.0	1	Operational Security Breach
1853	Sonatype Nexus	critical	10.0	1	Cyberattack (Reconnaissance Campaign)
1854	xfrm-ESP Page-Cache Write	critical	10.0	1	Local Privilege Escalation (LPE)
1855	Legacy Authentication Methods (Password-Only Logins)	critical	10.0	1	Browser-Based Attack
1856	CVE-2024-40766 (SonicWall improper access control, CVSS 9.8)	critical	10.0	1	ransomware
1857	Oracle zero-day (Clop gang)	critical	10.0	1	ransomware
1858	package registries	critical	10.0	1	ransomware
1859	Technical Security Configuration Issue	critical	10.0	1	Data Breach
1860	Shadow AI	critical	10.0	1	Data Breach
1861	CVE-2025-2502	critical	10.0	1	Outage and Vulnerability
1862	CVE-2025-53770 (ToolShell SharePoint Flaw)	critical	10.0	1	Cyber Espionage
1863	CVE-2026-24135	critical	10.0	1	Remote Code Execution (RCE)
1864	Systemic weaknesses in U.S. federal cybersecurity posture	critical	10.0	1	Cyber Espionage
1865	CVE-2025-36535 (Missing Authentication in MB-Gateway Devices)	critical	10.0	1	Vulnerability Exploitation
1866	Lack of Endpoint Detection and Response (EDR) in Some Systems	critical	10.0	1	Malware Infection
1867	Cryptographic flaw in ChaCha20-IETF cipher implementation (nonce overwriting)	critical	10.0	1	Ransomware (Data Wiper)
1868	CVE-2017-0144 (EternalBlue)	critical	10.0	1	Ransomware
1869	CVE-2025-5086 (Deserialization of Untrusted Data)	critical	10.0	1	Vulnerability Exploitation
1870	Unpatched Microsoft SharePoint Vulnerabilities	critical	10.0	1	Cyber Espionage
1871	Memory Injection (persistent threat mechanism)	critical	10.0	1	Vulnerability Exploitation
1872	CVE-2025-20333	critical	10.0	1	Vulnerability Exploitation
1873	Salesforce OAuth Misconfiguration (via Vishing)	critical	10.0	1	Data Breach
1874	Unpatched linked servers	critical	10.0	1	Ransomware
1875	CVE-2026-5757 (Out-of-bounds memory vulnerability in model quantization engine)	critical	10.0	1	Vulnerability Exploitation
1876	Vimar smart home devices	critical	10.0	1	DDoS Attack
1877	Misconfigured Elasticsearch Cluster	critical	10.0	1	Data Breach
1878	CVE-2017-9805 (Apache Struts)	critical	10.0	1	cyberespionage
1879	Zero-day vulnerability in Oracle E-Business Suite	critical	10.0	1	Ransomware
1880	Log4Shell vulnerability in an unpatched VMware Horizon server	critical	10.0	1	Hacking
1881	Misconfigured MongoDB instances lacking authentication, typically listening on port 27017	critical	10.0	1	Ransomware
1882	SimpleHelp	critical	10.0	1	Ransomware
1883	Overcollection of Personal Data	critical	10.0	1	Data Privacy Violation
1884	CVE-2026-0542	critical	10.0	1	Remote Code Execution (RCE)
1885	CVE-2024-XXXX	critical	10.0	1	Vulnerability Exploitation
1886	CVE-2026-25177	critical	10.0	1	Privilege Escalation
1887	CVE-2024-21887 (Ivanti Connect Secure)	critical	10.0	1	ransomware
1888	legacy systems in healthcare and critical infrastructure	critical	10.0	1	ransomware
1889	Poor Access Management	critical	10.0	1	Data Breach
1890	Outdated remote access policies	critical	10.0	1	Ransomware
1891	Unauthorized Access by Employee	critical	10.0	1	Data Breach
1892	VPN weaknesses	critical	10.0	1	ransomware
1893	Fake Job Offers	critical	10.0	1	Cryptocurrency Scam
1894	Lack of OT Asset Management	critical	10.0	1	Ransomware
1895	Data blind spots	critical	10.0	1	Ransomware Prediction
1896	Infection via official website	critical	10.0	1	Ransomware
1897	CVE-2025-52691 (SmarterMail)	critical	10.0	1	ransomware
1898	Alleged zero-day vulnerability in MyBB or misconfiguration	critical	10.0	1	Data Breach
1899	CVE-2026-41050	critical	10.0	1	Privilege Escalation
1900	Unspecified vulnerability in third-party call center platform (linked to Salesforce customer management instances)	critical	10.0	1	Data Breach
1901	CVE-2025-31324 (unspecified CRM/DBMS/SaaS target)	critical	10.0	1	Cybercriminal Alliance Formation
1902	Lack of regular security reviews	critical	10.0	1	Data Breach
1903	CVE-2026-48172 (CWE-266: Improper Privilege Management)	critical	10.0	1	Privilege Escalation
1904	Customer misconfigurations (not AWS vulnerabilities)	critical	10.0	1	Cyber Espionage, Lateral Movement, Credential Harvesting
1905	Linux Kernel bug (Fragnesia)	critical	10.0	1	Zero-day Exploit
1906	Human Trust, Lack of Investment Verification	critical	10.0	1	Investment Scam, Money Laundering, Cryptocurrency Fraud
1907	Exposed management ports, weak authentication	critical	10.0	1	Cyber Attack
1908	Poor Endpoint Security	critical	10.0	1	Data Breach (General Discussion)
1909	human error (e.g., clicking malicious links)	critical	10.0	1	phishing
1910	CVE-2021-35587	critical	10.0	1	Data Breach
1911	Unprotected 'Recent Links' feature with predictable URL format, enabling unauthorized data scraping via crawlers	critical	10.0	1	Data Exposure
1912	CVE-2023-46805 (Ivanti Connect Secure)	critical	10.0	1	ransomware
1913	Exposed credentials in public repository	critical	10.0	1	Data Exposure
1914	Cloud management tools	critical	10.0	1	Ransomware
1915	Overwhelming a server or website with excessive fake traffic	critical	10.0	1	DDoS Attack
1916	Embedded credentials/API keys in source code	critical	10.0	1	Supply Chain Compromise
1917	Lack of Code Integrity Checks	critical	10.0	1	Supply Chain Attack
1918	Abuse of legitimate software (BitDefender, VLC Media Player, Sangfor)	critical	10.0	1	Cyber Espionage
1919	Default password in Unitronics programmable logic controllers (PLCs)	critical	10.0	1	Cyberattack
1920	Misconfigured public repository	critical	10.0	1	Data Leak
1921	gaps in patching	critical	10.0	1	Ransomware
1922	Database Injection	critical	10.0	1	Website Defacement
1923	CVE-2026-0826 (Stack-based buffer overflow in SDP attribute parsing)	critical	10.0	1	Remote Code Execution (RCE)
1924	181 Firefox exploits	critical	10.0	1	AI-driven cyber attack
1925	Insider Threat, Social Engineering	critical	10.0	1	Espionage, Data Breach
1926	CVE-2025-47950	critical	10.0	1	Vulnerability
1927	Software Bug in MCP Server	critical	10.0	1	Data Exposure
1928	Complacency in High-Turnover Workforces	critical	10.0	1	Data Breach
1929	inconsistent security standards across geographies	critical	10.0	1	supply chain attack
1930	VIB Acceptance Level Tampering	critical	10.0	1	Ransomware Prevention Guide
1931	VMware ESXi infrastructure (Linux ransomware)	critical	10.0	1	ransomware
1932	Vulnerabilities in interconnected operational systems	critical	10.0	1	Cyberattack
1933	Unpatched Teams Clients	critical	10.0	1	Social Engineering
1934	Lack of HIPAA-compliant risk analysis	critical	10.0	1	Ransomware
1935	Weak Enforcement of ISO SAE 21434 (Pre-Release Security)	critical	10.0	1	Cybersecurity Vulnerability Assessment
1936	Content-Type confusion flaw in n8n's webhook and file handling mechanism (CVE-2026-21858)	critical	10.0	1	Remote Code Execution (RCE)
1937	Lack of validation check in ReceiverAxelar contract	critical	10.0	1	Smart Contract Exploit
1938	Mismanagement of sensitive data, lack of secure cloud storage	critical	10.0	1	Data Breach
1939	Protection insuffisante des terminaux	critical	10.0	1	Cyberattaque ciblée
1940	Vulnerability in Canvas’s 'Free for Teacher' accounts	critical	10.0	1	Data Breach, Ransomware
1941	Open-source LD_PRELOAD rootkit (Medusa) repurposed for malicious use	critical	10.0	1	Rootkit
1942	Inadequate Contractual Security Provisions	critical	10.0	1	Data Breach
1943	Spear-phishing campaigns	critical	10.0	1	Data Breach
1944	Ineffective DMARC Protection	critical	10.0	1	Data Breach
1945	lack of multi-factor authentication for downloads	critical	10.0	1	ransomware
1946	Lack of Access Controls During Layoffs	critical	10.0	1	Data Breach
1947	Manual Redaction Errors	critical	10.0	1	Data Leak
1948	Insufficient ESXi Logging Configurations	critical	10.0	1	Ransomware Prevention Guide
1949	Delayed Response to Security Alerts	critical	10.0	1	Data Breach
1950	CVE-2023-28252 (Cisco)	critical	10.0	1	ransomware
1951	Zero-day vulnerability in Oracle E-Business Suite (EBS) financial application	critical	10.0	1	Data Breach
1952	CVE-2026-20965	critical	10.0	1	Unauthorized Access
1953	CVE-2024-40766 (SonicWall)	critical	10.0	1	ransomware
1954	CVE-2026-1358 (Unrestricted File Upload)	critical	10.0	1	Vulnerability Disclosure
1955	CVE-2025-0921, CVE-2024-7587	critical	10.0	1	Denial-of-Service (DoS)
1956	abuse of legitimate code-signing certificates	critical	10.0	1	ransomware
1957	Lack of Regular Penetration Testing	critical	10.0	1	Data Breach
1958	Unpatched Solaris servers	critical	10.0	1	APT Attack
1959	Insufficient Network Segmentation (implied)	critical	10.0	1	Ransomware Attack
1960	Potential Weak MFA Implementation (2FA Prompt Bombing)	critical	10.0	1	Insider Threat (Attempted)
1961	Weak administrator access controls	critical	10.0	1	Data Breach
1962	Output Messenger	critical	10.0	1	Cyberespionage
1963	Unpatched bugs in internet-connected cameras	critical	10.0	1	Espionage
1964	Insufficient Integration Lifecycle Management	critical	10.0	1	Supply Chain Attack
1965	Outdated software (EOL Windows versions)	critical	10.0	1	Exposed Servers
1966	improper cloud storage configuration	critical	10.0	1	ransomware
1967	upstream services	critical	10.0	1	ransomware
1968	Manipulation of AmountWithBonus variable	critical	10.0	1	Cryptocurrency Theft
1969	CVE not specified (algif_aead module in Linux kernel’s AF_ALG cryptographic subsystem)	critical	10.0	1	Privilege Escalation
1970	missing security patches	critical	10.0	1	data breach
1971	Fortinet FortiGate appliances	critical	10.0	1	AI-driven cyberattack tool
1972	Broad systemic vulnerabilities including reliance on foreign manufacturing for supply chains, dependency on cyber-vulnerable space systems (GPS, satellite communications), and weaknesses in infrastructure resilience against climate events.	critical	10.0	1	Ransomware Attack
1973	Exposed Boot Guard private keys	critical	10.0	1	Security Breach
1974	Unencrypted AI Training Datasets/Model Checkpoints	critical	10.0	1	Data Breach (AI Models/Applications)
1975	Social engineering (MFA bypass via Teams screen-sharing)	critical	10.0	1	Espionage
1976	Zero-day vulnerabilities (42% weaponized before public disclosure)	critical	10.0	1	AI-driven cyber threats
1977	Non-password-protected database	critical	10.0	1	Data Breach
1978	BlueKeep flaw	critical	10.0	1	Exposed Servers
1979	Publicly exposed cloud buckets with critical vulnerabilities and highly privileged data	critical	10.0	1	Data Exposure
1980	CVE-2025-49844 (RediShell - Use-after-free in Lua sandbox)	critical	10.0	1	Vulnerability
1981	Azure Key Vault Compromise	critical	10.0	1	Data Exfiltration
1982	Fortinet security devices	critical	10.0	1	Cyberespionage
1983	Inconsistent AI Safety Controls Across Languages	critical	10.0	1	Influence Operation
1984	Outdated Android versions	critical	10.0	1	Malware
1985	Limited control over shipping and air cargo spaces	critical	10.0	1	Economic Vulnerability
1986	CVE-2015-2291	critical	10.0	1	Cyberattack
1987	Zero-day vulnerability in a third-party application (unspecified)	critical	10.0	1	Ransomware Attack
1988	remote access security	critical	10.0	1	Ransomware
1989	Mobile device and app security weaknesses	critical	10.0	1	Cyber Espionage
1990	XAML deserialization	critical	10.0	1	Cyber Espionage
1991	CVE-2025-53690 (ViewState Deserialization in Sitecore XM/XP/XC/Managed Cloud)	critical	10.0	1	Vulnerability Exploitation
1992	CVE-2025-61882 (Critical, CVSS 9.8)	critical	10.0	1	Ransomware
1993	Shared Accounts	critical	10.0	1	Data Breach
1994	Windows OS vulnerability (unspecified programming bug)	critical	10.0	1	malware
1995	weak_or_reused_passwords	critical	10.0	1	ransomware
1996	outdated property assessment funding	critical	10.0	1	physical security breach
1997	SonicWall SSL VPN endpoints	critical	10.0	1	Ransomware
1998	CVE-2018-5999	critical	10.0	1	Botnet Exploitation
1999	Fragmented security standards across subcontractors	critical	10.0	1	Ransomware
2000	Weak Data Integrity Checks	critical	10.0	1	Supply Chain Attack
2001	CVE-2020-12812	critical	10.0	1	Ransomware
2002	CVE-2025-61882 (CVSS 9.8) - Oracle E-Business Suite Concurrent Processing Component	critical	10.0	1	Data Breach
2003	Unicode Private Use Area characters (0xFE00–0xFE0F, 0xE0100–0xE01EF)	critical	10.0	1	Supply Chain Attack
2004	Phishing, Malicious Software Deployment	critical	10.0	1	Data Breach, Ransomware
2005	Insecure helpdesk protocols	critical	10.0	1	AI-driven vulnerability exploitation
2006	Unencrypted and unprotected data accessible on the network	critical	10.0	1	Data Breach, Ransomware
2007	GenAI data exfiltration	critical	10.0	1	Session Hijacking
2008	Cisco VPN vulnerabilities	critical	10.0	1	Cybercrime Forum Seizure
2009	Compromised credentials, unsegmented networks, unlogged firewall activity, administrative credentials stored in plain text, insecure remote access tools	critical	10.0	1	Data Breach, Potential Ransomware
2010	CVE-2024-1709 (ScreenConnect)	critical	10.0	1	Ransomware
2011	CVE-2025-27920 (directory traversal in Output Messenger)	critical	10.0	1	cyberespionage
2012	Insecure External Storage Device	critical	10.0	1	Data Breach
2013	Improper Whitelisting of Microsoft CDB	critical	10.0	1	APT (Advanced Persistent Threat)
2014	Poor Access Controls for Sensitive Data	critical	10.0	1	Data Breach
2015	CVE-2026-42945	critical	10.0	1	Vulnerability Exploitation
2016	unpatched VPN appliances	critical	10.0	1	ransomware
2017	Absence of Subresource Integrity (SRI) checks	critical	10.0	1	Data Breach
2018	zero-day vulnerabilities in SaaS provider cloud environments	critical	10.0	1	cyberespionage
2019	Previously unknown software vulnerability in network infrastructure	critical	10.0	1	Data Breach
2020	Security Incident During Server Setup	critical	10.0	1	Ransomware
2021	CVE-2026-21962	critical	10.0	1	Vulnerability Exploitation
2022	Exposed VPN concentrators	critical	10.0	1	Destructive Cyberattack
2023	Stolen Credentials/API Tokens	critical	10.0	1	Data Breach
2024	IT-OT Boundary Erosion	critical	10.0	1	Cyber Espionage
2025	Microsoft Defender Race Condition	critical	10.0	1	AI Cybersecurity Risk
2026	CVE-2026-5194	critical	10.0	1	Vulnerability Exploitation
2027	Limited incident response capabilities in SMEs	critical	10.0	1	Extortion
2028	CVE-2024-27199 (JetBrains TeamCity)	critical	10.0	1	ransomware
2029	Poor key management and access controls	critical	10.0	1	Data Breach
2030	SonicWall	critical	10.0	1	Supply Chain Attack
2031	Potential CVE-2023-29357 (SharePoint RCE, linked to summer 2023 exploits)	critical	10.0	1	Data Breach
2032	CVE-2026-20963 (Microsoft SharePoint Server)	critical	10.0	1	ransomware
2033	Impersonation of a colleague	critical	10.0	1	Cyberattack
2034	CVE-2026-42945 (NGINX)	critical	10.0	1	Zero-day Exploit
2035	CVE-2024-12356	critical	10.0	1	Breach
2036	Unpatched Third-Party Integrations (Salesloft Drift)	critical	10.0	1	Data Breach
2037	Use-After-Free (UAF)	critical	10.0	1	Memory Corruption Vulnerability
2038	CVE-2025-49154	critical	10.0	1	Vulnerability Exploitation
2039	weak account/access controls (reactivation of default accounts, new privileged users)	critical	10.0	1	ransomware
2040	Lack of Email Filtering	critical	10.0	1	Targeted Cyberattack
2041	SAP Netweaver (specific details undisclosed)	critical	10.0	1	Cyberattack
2042	Newly disclosed global software vulnerabilities	critical	10.0	1	Ransomware
2043	CVE-2026-1490 (Authorization Bypass via Reverse DNS Spoofing)	critical	10.0	1	Vulnerability Exploitation
2044	Citrix NetScaler Gateway Appliance (unspecified CVE)	critical	10.0	1	Cyber Espionage
2045	Obfuscated .NET Reactor-protected infostealer, JIT compilation hooking (clrjit.dll!getJit)	critical	10.0	1	Supply Chain Attack
2046	Lack of multi-factor authentication (MFA) on a critical server	critical	10.0	1	ransomware
2047	Unspecified CVEs identified via Shodan/Censys scans	critical	10.0	1	Research Study
2048	CVE-2025-20333 (Cisco ASA VPN)	critical	10.0	1	Ransomware
2049	Lack of encryption or authentication in GPS signals	critical	10.0	1	GPS spoofing
2050	Weak or Missing End-to-End Encryption	critical	10.0	1	Data Breach
2051	Roundcube webmail XSS vulnerability, twofactorgauthenticator plugin misconfiguration	critical	10.0	1	Cyberespionage
2052	Oracle E-Business Suite (EBS) exploit (unspecified)	critical	10.0	1	potential data breach
2053	CrushFTP	critical	10.0	1	Ransomware
2054	CVE-2025-48057	critical	10.0	1	Vulnerability Exploitation
2055	Actively exploited CVEs	critical	10.0	1	Ransomware
2056	200+ vulnerabilities in CISA’s KEV catalog (2024–2025)	critical	10.0	1	ransomware
2057	CVE-2024-20353	critical	10.0	1	Zero-Day Exploit
2058	Account-specific vulnerability	critical	10.0	1	Data Breach
2059	CVE-2025-3052	critical	10.0	1	Secure Boot Bypass
2060	publicly exposed personal data (e.g., YouTube videos)	critical	10.0	1	cyber espionage
2061	Oracle E-Business Suite	critical	10.0	1	Ransomware
2062	Compromised OAuth token for a Heroku machine account	critical	10.0	1	Security Breach
2063	Azure Automation Service Vulnerability	critical	10.0	1	Vulnerability Exploitation
2064	Unmonitored ESXCLI Command Usage	critical	10.0	1	Ransomware Prevention Guide
2065	Poor Access Controls (Lack of Tiered Admin Account Model)	critical	10.0	1	Data Breach
2066	Missing Function-Level Access Control (CWE-639)	critical	10.0	1	Unauthorized Access
2067	Lack of multi-factor authentication (MFA) on an outsourced partner’s administrator account	critical	10.0	1	Ransomware
2068	Human-Machine Interfaces (HMIs)	critical	10.0	1	Cyber Sabotage
2069	Classified information mishandling	critical	10.0	1	Cyber Attack, Data Leak
2070	Outdated Juniper Networks Junos OS MX routers	critical	10.0	1	Cyber Espionage
2071	Lack of Multi-Factor Authentication (2FA) for OAuth Apps	critical	10.0	1	Data Breach
2072	CVE-2026-3854 (GitHub Enterprise Server RCE)	critical	10.0	1	Data Breach
2073	Lack of OIDC verification, unmatched GitHub commits	critical	10.0	1	Supply Chain Attack
2074	Network infiltration	critical	10.0	1	Security Concerns
2075	AI System Autonomy (unsupervised decision-making)	critical	10.0	1	Predictive Analysis
2076	Newly discovered vulnerability	critical	10.0	1	Ransomware
2077	Funding Pressures in State Schools	critical	10.0	1	Data Breach
2078	Hijacked maintainer accounts and automated dependency updates	critical	10.0	1	Supply Chain Attack
2079	SQL injection vulnerability in Navy-SWM database	critical	10.0	1	data breach
2080	Failure to randomize hostnames in VMmanager, KMS-enabled unlicensed operation	critical	10.0	1	ransomware
2081	metadata retention in files	critical	10.0	1	data breach
2082	unchanged default passwords in VSAT terminals	critical	10.0	1	cyberattack
2083	Previously unknown software flaw (zero-day)	critical	10.0	1	Cyber Espionage
2084	End-of-Life (EoL) Hardware with No Security Updates	critical	10.0	1	Cyber Espionage
2085	unpatched Veeam backup servers	critical	10.0	1	ransomware
2086	Default credentials (e.g., Hitachi RTU admin account 'Default')	critical	10.0	1	Cyberattack (Wiper Malware, Firmware Tampering)
2087	Lack of continuous vendor monitoring	critical	10.0	1	Ransomware
2088	MSP software flaws	critical	10.0	1	ransomware
2089	CVE-2026-34976 (Missing authorization check in restoreTenant command)	critical	10.0	1	Zero-Day Vulnerability
2090	Weak Caller Verification Processes	critical	10.0	1	Social Engineering
2091	Weak Authentication (68% of breaches involve credentials)	critical	10.0	1	Ransomware
2092	Insecure Build Process	critical	10.0	1	Supply Chain Attack
2093	Salesloft’s Drift AI Chat Integration (OAuth Token Theft)	critical	10.0	1	Data Breach
2094	compromised laptop (physical or logical access)	critical	10.0	1	data breach
2095	CVE-2023-41348	critical	10.0	1	botnet
2096	CVE-2019-5786 (Google Chrome FileReader)	critical	10.0	1	Memory Corruption Vulnerability
2097	Software flaw in Tesla's systems	critical	10.0	1	Hacking
2098	SonicWall SSL VPN Vulnerability (Credentials in Backup Files)	critical	10.0	1	Unauthorized Access
2099	hijacked_maintainer_account	critical	10.0	1	ransomware
2100	supply chain trust abuse	critical	10.0	1	supply chain attack
2101	CVE-2026-22719 (CWE-77 - Command Injection)	critical	10.0	1	Vulnerability Exploitation
2102	Inadequate identity verification processes	critical	10.0	1	Espionage
2103	Abuse of trusted domain (bubble.io) to bypass email security filters	critical	10.0	1	Phishing
2104	CVE-2025-14894	critical	10.0	1	Remote Code Execution (RCE)
2105	Cybersecurity vulnerabilities in Hikvision products	critical	10.0	1	Ransomware
2106	Authenticated Reflected XSS	critical	10.0	1	Vulnerability Exploitation
2107	limited transparency in global supply chains	critical	10.0	1	supply chain attack
2108	HTML/CSS injection in draft restore dialog’s subject field	critical	10.0	1	SQL Injection
2109	CVE-2026-8206 (CVSS 9.8)	critical	10.0	1	Vulnerability Exploitation
2110	Weak Authentication in Third-Party Platforms	critical	10.0	1	Data Breach
2111	Unprotected Fax Server	critical	10.0	1	Data Breach
2112	CVE-2025-34158 (Improper Input Validation)	critical	10.0	1	Vulnerability Exposure
2113	CVE-2025-27507	critical	10.0	1	Vulnerability Exploitation
2114	Software Development and Distribution Processes	critical	10.0	1	Supply Chain Attack
2115	NPM package dependency trust model	critical	10.0	1	supply chain attack
2116	Exposed Presence/Status Data	critical	10.0	1	Social Engineering
2117	No Backup Strategy	critical	10.0	1	Ransomware
2118	Generative AI applications	critical	10.0	1	ransomware
2119	Cisco-related exploits	critical	10.0	1	Ransomware
2120	weak supply chain security	critical	10.0	1	data breach
2121	Previously undetected vulnerability	critical	10.0	1	Ransomware Attack
2122	Inadequate Data Anonymization in AI Features (e.g., Grok AI)	critical	10.0	1	Data Breach
2123	CVE-2025-20281	critical	10.0	1	Remote Code Execution
2124	SAP software vulnerability	critical	10.0	1	Cyberattack
2125	BDU:2025-10115 (CVSS 7.5) - Arbitrary file read	critical	10.0	1	Cyber Espionage
2126	zero-day vulnerability in Oracle EBusiness Suite	critical	10.0	1	data breach
2127	Unencrypted Linux Partition in Dual-Boot Configuration	critical	10.0	1	Vulnerability Exploitation
2128	public cloud	critical	10.0	1	ransomware
2129	Weak IoT Device Security (e.g., default credentials, unpatched firmware)	critical	10.0	1	Distributed Denial of Service (DDoS)
2130	CVE-2025-20337	critical	10.0	1	Remote Code Execution
2131	CVE-2025-27821 (Out-of-bounds write in HDFS native client)	critical	10.0	1	Vulnerability
2132	OpenClaw WebSocket-based AI agent framework vulnerability	critical	10.0	1	Zero-Click Exploit
2133	Vulnerability in data exchange platform	critical	10.0	1	Data Breach
2134	AIS protocol lack of authentication	critical	10.0	1	spoofing
2135	Influence of Radical Literature	critical	10.0	1	Domestic Terrorism
2136	Insufficient Privileged Access Controls (e.g., standing admin roles)	critical	10.0	1	Social Engineering
2137	Lack of IT Oversight	critical	10.0	1	Unauthorized AI Deployment
2138	Outdated RTU firmware	critical	10.0	1	Cyberattack (Wiper Malware, Firmware Tampering)
2139	MOVEit software	critical	10.0	1	Data Breach
2140	CVE-2024-12345	critical	10.0	1	Cyber Espionage
2141	Unpatched Software in Data Centers	critical	10.0	1	Cyber Espionage
2142	CVE-2025-49158	critical	10.0	1	Vulnerability Exploitation
2143	unencrypted storage of sensitive data in an internet-accessible environment	critical	10.0	1	ransomware
2144	CVE-2026-27771	critical	10.0	1	Data Exposure
2145	Social Media Account Compromise	critical	10.0	1	Phishing, Social Engineering
2146	Service Accounts with Non-Expiring Passwords & Excessive Permissions	critical	10.0	1	Data Breach
2147	Previously exposed data breach (Gmail account)	critical	10.0	1	Cyber Espionage
2148	Unmanaged OAuth App Permissions (Salesforce, Other SaaS)	critical	10.0	1	Browser-Based Attack
2149	vendor distribution pipelines	critical	10.0	1	ransomware
2150	Zero-day flaw in Oracle E-Business Suite	critical	10.0	1	Data Breach
2151	Cloud storage platform	critical	10.0	1	Data Breach
2152	CVE-2020-35730	critical	10.0	1	Cyberespionage
2153	Cryptographic Protocols	critical	10.0	1	Cryptographic Risk
2154	Exposed NAS devices	critical	10.0	1	Ransomware
2155	RC4 encryption (obsolete since 1980s)	critical	10.0	1	ransomware
2156	Hidden registration form, JSESSIONID manipulation, and lack of server-side token validation	critical	10.0	1	Privilege Escalation, Remote Code Execution
2157	Human Error (Phishing/Vishing)	critical	10.0	1	Data Breach
2158	inadequate administrative/physical/technical safeguards (HIPAA)	critical	10.0	1	data breach
2159	Unrestricted Remote Access ('Always-On' Feature)	critical	10.0	1	Data Breach
2160	Inadequate Incident Response Plans	critical	10.0	1	Ransomware
2161	Publicly shared GPS data from fitness app	critical	10.0	1	Data Exposure
2162	poor staff training	critical	10.0	1	data breach
2163	maritime domain awareness gaps	critical	10.0	1	espionage
2164	Authentication Mechanisms	critical	10.0	1	Data Breach
2165	Incomplete Patch (CVE-2026-21510)	critical	10.0	1	Data Breach
2166	CVE-2025-70994	critical	10.0	1	Firmware Vulnerability
2167	Social engineering, ClickFix-style prompts, PowerShell exploitation, Windows Defender exclusion manipulation	critical	10.0	1	Malware Deployment, Social Engineering, Data Exfiltration
2168	Unsecured RDP	critical	10.0	1	Ransomware
2169	PhantomRPC (CVE not specified)	critical	10.0	1	Privilege Escalation
2170	Privilege Escalation	critical	10.0	1	Vulnerability Exploitation
2171	Vulnerability in the online payment system	critical	10.0	1	Data Breach
2172	CVE-2026-50752	critical	10.0	1	Zero-Day Exploitation
2173	End-of-support (EoS) devices (ASA 5500-X Series)	critical	10.0	1	Zero-day exploitation
2174	Data encryption software vulnerability	critical	10.0	1	Data Breach
2175	Mobile carrier verification processes, SMS-based authentication	critical	10.0	1	SIM Swap Attack
2176	Unlimited token allowances	critical	10.0	1	Security Breach
2177	CVE-2021-33044 (Dahua - authentication bypass)	critical	10.0	1	Cyber Espionage, Reconnaissance
2178	Optional MFA (to be phased out)	critical	10.0	1	Predictive Analysis
2179	custom network architectures in CERs	critical	10.0	1	supply chain attack
2180	Lack of Zero-Trust Architecture	critical	10.0	1	Cyber Espionage
2181	Lack of browser-layer visibility	critical	10.0	1	Session Hijacking
2182	Unpatched or zero-day flaws in technology platforms	critical	10.0	1	Ransomware
2183	Weak password (no MFA) on internet-facing system	critical	10.0	1	Ransomware Attack
2184	Opportunistic TLS	critical	10.0	1	Cross-protocol Application Layer Desynchronization
2185	weak intranet security	critical	10.0	1	data breach
2186	On Device Fraud (ODF) techniques	critical	10.0	1	Malware
2187	Open academic networks	critical	10.0	1	Data Breach
2188	Compromised software update mechanism	critical	10.0	1	Supply Chain Attack
2189	CVE-2026-35194	critical	10.0	1	Remote Code Execution (RCE)
2190	Inadequate Reporting Processes	critical	10.0	1	Data Breach
2191	Check Point gateway devices	critical	10.0	1	Supply Chain Attack
2192	Over-Permissioned IAM Roles	critical	10.0	1	Predictive Analysis
2193	Misconfigured OIDC trust relationships	critical	10.0	1	Supply-Chain Attack
2194	Limited Budget/Resources	critical	10.0	1	Collaborative Initiative
2195	CVE-2025-59689 (Command injection in Libraesva ESG)	critical	10.0	1	Zero-day exploitation
2196	Rewards system manipulation	critical	10.0	1	Cryptocurrency Heist
2197	Flaw in SentinelOne's agent upgrade process	critical	10.0	1	Ransomware
2198	Weak Helpdesk Authentication	critical	10.0	1	Cyber Extortion
2199	Poisoned machine-learning models	critical	10.0	1	Malware Framework
2200	CVE-2025-3935	critical	10.0	1	Cyberattack
2201	unrestricted RDP/remote tool access	critical	10.0	1	ransomware
2202	Systemic vulnerabilities in critical infrastructure	critical	10.0	1	Data Breach
2203	Trusted partner relationships, fake Okta login pages, clipboard data theft	critical	10.0	1	Data Theft Extortion
2204	Unpatched ICS/OT Systems	critical	10.0	1	Ransomware
2205	GHSA-7xvx-8pf2-pv5g (CVSS 9.1)	critical	10.0	1	Sandbox Escape Vulnerability
2206	AI-Generated Deepfakes	critical	10.0	1	Data Breach
2207	Kaseya VSA platform	critical	10.0	1	Ransomware Attack
2208	aging IT systems	critical	10.0	1	data breach
2209	Legitimate drivers	critical	10.0	1	Ransomware
2210	Undocumented WordPress Installation	critical	10.0	1	Data Breach
2211	Exposure management adoption	critical	10.0	1	Ransomware Prediction
2212	CVE-2026-35616 (CWE-284: Improper Access Control)	critical	10.0	1	Zero-Day Exploitation
2213	Improper Public Access Configuration	critical	10.0	1	Data Exposure
2214	Canvas Free for Teacher service vulnerability	critical	10.0	1	Data Breach
2215	Insecure Protocols (e.g., Telnet)	critical	10.0	1	Cyber Espionage
2216	Browser-Based Credential Storage (Syncing Across Devices)	critical	10.0	1	Phishing (Non-Email)
2217	Security flaw in MOVEit software	critical	10.0	1	Data Breach
2218	Remote login vulnerability exacerbated by increased remote work during the pandemic	critical	10.0	1	Ransomware
2219	Known vulnerabilities dating back to 2018	critical	10.0	1	Espionage
2220	Insecure Database Configuration	critical	10.0	1	Data Exposure
2221	Unpatched vulnerability in the network defenses	critical	10.0	1	Ransomware
2222	Unsecured Database Accessible Without Authentication	critical	10.0	1	Data Breach
2223	Improper Access Controls / Platform Misconfiguration	critical	10.0	1	Data Exposure
2224	Oracle WebLogic (unidentified flaw)	critical	10.0	1	Ransomware Attack
2225	CVE-2026-24747	critical	10.0	1	Vulnerability Exploitation
2226	Policy Non-Compliance	critical	10.0	1	Data Breach (Alleged)
2227	CVE-2025-49157	critical	10.0	1	Vulnerability Exploitation
2228	Lack of Security Layers	critical	10.0	1	Ransomware
2229	Human Weakness	critical	10.0	1	Data Breach
2230	Insecure SOHO routers with default or weak configurations	critical	10.0	1	Espionage
2231	Code block display bug (hiding malicious instructions)	critical	10.0	1	Vulnerability Exploitation
2232	CVE-2026-2329 (Stack-based buffer overflow in /cgi-bin/api.values.Get endpoint)	critical	10.0	1	Zero-Day Vulnerability
2233	CVE-2026-34197	critical	10.0	1	Remote Code Execution (RCE)
2234	Insufficient multi-factor authentication (MFA) protections	critical	10.0	1	Ransomware
2235	CVE-2026-8711 (Heap-based buffer overflow in ngx_http_js_module)	critical	10.0	1	Vulnerability
2236	Microsoft Word 2010 vulnerability	critical	10.0	1	Cyber Espionage
2237	Integer underflow in IPv6 extension header parser (Inspect.sys)	critical	10.0	1	Zero-Day Vulnerability
2238	CVE-2026-43284	critical	10.0	1	Privilege Escalation
2239	Cisco Catalyst SD-WAN vulnerability	critical	10.0	1	Zero-day Exploit
2240	Log4Shell (CVE-2021-44228)	critical	10.0	1	Ransomware Attack
2241	Java Vulnerability	critical	10.0	1	Data Breach
2242	poor cyber defenses in supplier systems	critical	10.0	1	supply chain attack
2243	Insufficient regex anchoring in AWS CodeBuild webhook filters	critical	10.0	1	Supply Chain Attack
2244	Immutable Log Gaps in AI Pipelines	critical	10.0	1	Data Breach (AI Models/Applications)
2245	YellowKey (BitLocker bypass)	critical	10.0	1	Zero-day vulnerability
2246	Command Execution as Root	critical	10.0	1	Vulnerability Exploitation
2247	Spoofable Workflow Notifications	critical	10.0	1	Social Engineering
2248	Manque de sauvegardes régulières	critical	10.0	1	Cyberattaque ciblée
2249	Potential Weak Authentication (if credentials were shared)	critical	10.0	1	Insider Threat
2250	Excessive Privileges in Connected Applications	critical	10.0	1	Data Breach
2251	Credential harvesting via malicious links/impersonation	critical	10.0	1	Cyber Espionage
2252	unpatched flaw in a popular file-transfer tool	critical	10.0	1	ransomware
2253	Remote Code Execution (RCE)	critical	10.0	1	Security Vulnerabilities
2254	27-year-old OpenBSD flaw	critical	10.0	1	AI-driven cyber attack
2255	Exposed SMB ports with weak or compromised credentials	critical	10.0	1	Ransomware
2256	CVE-2023-46604 (Apache ActiveMQ)	critical	10.0	1	Ransomware
2257	Undisclosed Zero-Day in Oracle E-Business Suite	critical	10.0	1	Data Breach
2258	CVE-2025-30401	critical	10.0	1	Vulnerability Exploitation
2259	CVE-2026-33017 (Langflow AI)	critical	10.0	1	ransomware
2260	Weakness in GPS navigation systems (susceptibility to spoofing)	critical	10.0	1	GPS spoofing
2261	operational lapses in rule propagation	critical	10.0	1	data breach
2262	CVE-2021-26828	critical	10.0	1	Remote Code Execution (RCE)
2263	Authentication keys	critical	10.0	1	Cyberattack
2264	Type confusion vulnerabilities in Java Card	critical	10.0	1	Vulnerability Exploitation
2265	Technical Debt in Legacy OT Systems (15-20 year lifecycles)	critical	10.0	1	Cyber-Physical Attack
2266	Outdated IT infrastructure, obsolete software (Lotus Notes), aging hardware	critical	10.0	1	Infrastructure Vulnerability
2267	Inadequate HR and Compliance Monitoring	critical	10.0	1	Data Breach
2268	failures in basic cyber hygiene	critical	10.0	1	ransomware
2269	token-based publishing model	critical	10.0	1	supply chain attack
2270	CVE-2025-10035 (Critical, CVSS 10.0) - Deserialization in License Servlet of GoAnywhere MFT	critical	10.0	1	Vulnerability Exploitation
2271	Cleo software vulnerabilities	critical	10.0	1	ransomware
2272	Weak vendor compliance enforcement	critical	10.0	1	Ransomware
2273	Unlocked AWS S3 bucket	critical	10.0	1	Data Breach
2274	Unauthorized Admin Role Assignments	critical	10.0	1	Ransomware Prevention Guide
2275	Shallow Depth of Baltic Sea (Ease of Anchor Damage)	critical	10.0	1	Physical Sabotage
2276	Weak internal security segmentation	critical	10.0	1	Data Breach
2277	CVE-2026-9739 (CWE-942 - Permissive Cross-domain Policy with Untrusted Domains)	critical	10.0	1	Vulnerability Exploitation
2278	Microsoft Artifact Signing service abuse	critical	10.0	1	Cybercrime Operation Disruption
2279	Inadequate Data Redaction Procedures	critical	10.0	1	Data Breach
2280	Weak Password Security (hypothetical, based on context)	critical	10.0	1	Ransomware Attack
2281	CAN bus vulnerabilities in Tesla Model S	critical	10.0	1	Remote Code Execution
2282	Social Engineering, Excessive Permissions	critical	10.0	1	Data Breach, Extortion, Harassment
2283	Four-Faith industrial routers	critical	10.0	1	DDoS Attack
2284	Unspecified vulnerability in MOVEit file transfer platform (known to CL0P)	critical	10.0	1	Data Breach
2285	Flaw in smart contract calls	critical	10.0	1	DeFi Exploit
2286	Inadequate Redaction	critical	10.0	1	Data Breach
2287	CVE-2026-3300 (CVSS 9.8)	critical	10.0	1	Remote Code Execution (RCE)
2288	Over-Permissive Guest/External User Access	critical	10.0	1	Social Engineering
2289	MiniPlasma (Windows zero-day)	critical	10.0	1	Zero-day Exploit
2290	Unsecured RDP access, absence of MFA	critical	10.0	1	Ransomware
2291	Satellite Communication Systems	critical	10.0	1	Cyber Attack
2292	Lack of AI Agent Safeguards	critical	10.0	1	Espionage
2293	inadequate third-party access controls	critical	10.0	1	data breach
2294	Inadequate Email Security Protocols	critical	10.0	1	Data Breach
2295	AI-Enabled Attacks (industrial scale)	critical	10.0	1	Cyberattack
2296	CVE-2024-21410	critical	10.0	1	Zero-Day Exploit
2297	inadequate data loss prevention controls	critical	10.0	1	ransomware
2298	CVE-2026-33017	critical	10.0	1	Code Injection
2299	Exploit Kit	critical	10.0	1	Malvertising
2300	Malfunction at AWS data center (likely a configuration error)	critical	10.0	1	Service Disruption
2301	developer mistyped dependency installation	critical	10.0	1	supply chain attack
2302	Zero-day vulnerability in Oracle E-Business Suite (advisory issued 2025-10-04)	critical	10.0	1	Data Breach
2303	Lack of file type limitations	critical	10.0	1	Data Breach
2304	Container escape vulnerabilities (e.g., CVE-2025-23266)	critical	10.0	1	Malware Framework
2305	Critical SharePoint Vulnerabilities (July 2025)	critical	10.0	1	Ransomware Attack
2306	Vehicle Tracking Systems (VTS), Immobilizer systems, Security systems	critical	10.0	1	Cyber Attack, Satellite Interference, Vehicle Immobilization
2307	CVE-2025-10035 (Critical deserialization flaw in GoAnywhere MFT)	critical	10.0	1	Zero-day exploitation
2308	Zero-Day Vulnerabilities (1 new CVE every 17 minutes)	critical	10.0	1	Ransomware
2309	human vulnerabilities (vishing, native-language social engineering)	critical	10.0	1	ransomware
2310	Maintenance errors	critical	10.0	1	Physical Incident
2311	CVE-2025-20333 (Cisco ASA/Firepower - RCE)	critical	10.0	1	Vulnerability Exploitation
2312	Weak Token Management in Drift Integration	critical	10.0	1	Supply Chain Attack
2313	React2Shell (CVE-2025-55182)	critical	10.0	1	Remote Code Execution (RCE)
2314	Lack of modern defenses	critical	10.0	1	GPS spoofing
2315	Inadequate privileged access management	critical	10.0	1	Ransomware
2316	Unmonitored AI Data Flows	critical	10.0	1	Data Breach
2317	Active Directory vulnerabilities	critical	10.0	1	Ransomware
2318	Social engineering (malicious link disguised as system error)	critical	10.0	1	Data Breach
2319	Employee Use of Unvetted AI Tools	critical	10.0	1	Unauthorized AI Deployment
2320	Tool disparities	critical	10.0	1	Ransomware Prediction
2321	Vulnerabilities in decentralized energy infrastructure and OT/ICS systems	critical	10.0	1	Cyberattack on Critical Infrastructure
2322	Gaps in GDPR Data Protection for Vehicle-Generated Data	critical	10.0	1	Cybersecurity Vulnerability Assessment
2323	CVE-2025-47577	critical	10.0	1	Software Vulnerability
2324	Weak/Reused Passwords (88% of breaches per Verizon DBIR)	critical	10.0	1	Data Breach
2325	Typosquatted Zoom links	critical	10.0	1	Phishing
2326	Microsoft products (17% of exploitations)	critical	10.0	1	Vulnerability Exploitation
2327	Absence of MFA on Congruity’s virtual machines	critical	10.0	1	Ransomware
2328	MFA bypass techniques	critical	10.0	1	phishing
2329	CVE-2025-48595 (Integer Overflow - CWE-190)	critical	10.0	1	Vulnerability Exploitation
2330	Design Flaw in 'SAVE' Feature	critical	10.0	1	Data Leak
2331	CVE-2025-40551 (CWE-502: Unsafe Deserialization)	critical	10.0	1	Remote Code Execution (RCE)
2332	CVE-2025-8943	critical	10.0	1	Remote Code Execution (RCE)
2333	Previously unknown vulnerability in file transfer software	critical	10.0	1	Data Breach
2334	Technical vulnerabilities	critical	10.0	1	Illegal intrusion
2335	exposed SMB services	critical	10.0	1	ransomware
2336	Poor visibility in cloud/hybrid environments	critical	10.0	1	Ransomware
2337	Legacy Infrastructure Weaknesses	critical	10.0	1	Data Breach
2338	lack of continuous verification	critical	10.0	1	phishing
2339	SAP Solution Manager	critical	10.0	1	Cyber Espionage
2340	AI system weaknesses	critical	10.0	1	ransomware
2341	Vulnerability in Huawei routers' VRP network operating system	critical	10.0	1	Cyberattack
2342	Disabled Logging	critical	10.0	1	Data Exposure
2343	Undetected intrusion due to oversight lapses	critical	10.0	1	Data Breach
2344	Unsafe `pull_request_target` trigger	critical	10.0	1	Supply Chain Attack
2345	CVE-2025-2857	critical	10.0	1	Zero-day Vulnerability
2346	Human Error (lack of skepticism toward unsolicited interactions)	critical	10.0	1	Cyber Theft
2347	Vulnerabilities in aviation’s digital infrastructure	critical	10.0	1	Cyberattack
2348	unsecured internet-facing devices	critical	10.0	1	espionage
2349	CVE-2021-36942 (PetitPotam - Windows LSA Spoofing)	critical	10.0	1	Cyber Espionage
2350	Cross-Site Scripting (XSS) flaws	critical	10.0	1	Cyber Espionage
2351	Poor password hygiene, lack of multi-factor authentication, unsecured third-party services	critical	10.0	1	Credential Compromise
2352	over-reliance on technological defenses	critical	10.0	1	phishing
2353	Compromised Microsoft Entra account	critical	10.0	1	Data Breach
2354	Open Redirect	critical	10.0	1	Redirect Attack
2355	Lack of API Key Monitoring	critical	10.0	1	Influence Operation
2356	Lack of Rate-Limiting	critical	10.0	1	Data Breach
2357	Human vulnerability (tricking employees into divulging credentials)	critical	10.0	1	Data Breach / Ransomware Attack
2358	Improper input validation in Gogs codebase	critical	10.0	1	Zero-Day Exploitation
2359	Juniper Networks routers	critical	10.0	1	Cyberespionage
2360	Insufficient sanitization in serialize and compileMDX functions (CVE-2026-0969)	critical	10.0	1	Remote Code Execution (RCE)
2361	CVE-2021-36260 (Hikvision - command injection)	critical	10.0	1	Cyber Espionage, Reconnaissance
2362	Recently discovered vulnerability	critical	10.0	1	Ransomware Attack
2363	Unique validation node	critical	10.0	1	Cryptocurrency Theft
2364	Driver Vulnerability (eskle.sys for Anti-AV Bypass)	critical	10.0	1	Social Engineering
2365	Abandoned Vercel-hosted URL takeover	critical	10.0	1	Phishing
2366	Unauthorized data transfer to private cloud storage	critical	10.0	1	Data Breach
2367	Windows Driver Signature Enforcement bypass via signed driver abuse	critical	10.0	1	Ransomware
2368	Unpatched Self-Managed GitLab Community Edition	critical	10.0	1	Data Breach
2369	default LDAP group configurations	critical	10.0	1	ransomware
2370	CVE-2025-10035 (GoAnywhere MFT, CVSS 10.0)	critical	10.0	1	data breach
2371	Previously unknown vulnerability in data transfer software	critical	10.0	1	Data Breach
2372	CVE-2023-41346	critical	10.0	1	botnet
2373	CVE-2024-56336	critical	10.0	1	Vulnerability
2374	Inadequate monitoring for suspicious activity	critical	10.0	1	Data Breach
2375	CVE-2024-56325	critical	10.0	1	Vulnerability Exploit
2376	Unpatched vulnerabilities in internet-facing applications	critical	10.0	1	Data Breach
2377	third-party ecosystem vulnerabilities	critical	10.0	1	ransomware
2378	Insufficient data access controls	critical	10.0	1	Data Exfiltration
2379	CVE-2026-25108 (OS command injection)	critical	10.0	1	Vulnerability Exploitation
2380	CVE-2025-7544	critical	10.0	1	Botnet Campaign
2381	Understaffed Security Operations Center (SOC)	critical	10.0	1	Data Breach
2382	Supply chain compromise (Trivy), credential theft	critical	10.0	1	Supply Chain Attack, Data Breach
2383	outdated web forms	critical	10.0	1	ransomware
2384	third-party compromises (35.5% of breaches in 2024)	critical	10.0	1	ransomware
2385	DLL sideloading	critical	10.0	1	Supply Chain Attack
2386	mismanaged certificates	critical	10.0	1	third-party breach
2387	CVE-2026-27689 (DoS in SAP Supply Chain Management)	critical	10.0	1	Remote Code Execution (RCE)
2388	Known flaw in a widely used healthcare IT management platform	critical	10.0	1	Ransomware
2389	Unpatched Cisco ASA device (last patched in 2024)	critical	10.0	1	Cyberwarfare
2390	Legitimate SaaS platforms for command-and-control	critical	10.0	1	Data Theft
2391	Weak Cybersecurity Safeguards in Government Systems	critical	10.0	1	Data Privacy Violation
2392	CVE-2025-52691	critical	10.0	1	Remote Code Execution (RCE)
2393	weak insider threat detection	critical	10.0	1	data breach
2394	CVE-2026-20230 (Improper input validation in HTTP requests, CWE-918)	critical	10.0	1	SSRF (Server-Side Request Forgery)
2395	supply-chain weakness	critical	10.0	1	data breach
2396	Legitimate Identity Abuse	critical	10.0	1	Data Breach
2397	Unspecified Salesforce vulnerability (likely API or authentication flaw)	critical	10.0	1	Data Breach
2398	CVE-2024-32114	critical	10.0	1	Remote Code Execution (RCE)
2399	Poorly configured firewalls	critical	10.0	1	Ransomware
2400	Human error (help desk staff tricked into resetting credentials)	critical	10.0	1	Cyberattack
2401	Authenticated Local File Inclusion	critical	10.0	1	Vulnerability Exploitation
2402	Compromised administrative accounts (26 user accounts, including admin-level)	critical	10.0	1	Ransomware Attack
2403	CVE-2025-55182 (CVSS 9.8)	critical	10.0	1	Vulnerability Exploitation
2404	CVE-2025-24893 (Critical RCE in XWiki)	critical	10.0	1	Vulnerability Exploitation
2405	CVE-2026-3564 (CWE-347: Improper Verification of Cryptographic Signature)	critical	10.0	1	Cryptographic Vulnerability
2406	CVE-2025-21590	critical	10.0	1	Advanced Persistent Threat (APT)
2407	AI guardrail bypass	critical	10.0	1	AI-powered cyberattack
2408	Unsafe code evaluation in LDAP autovalues option	critical	10.0	1	SQL Injection
2409	Credential leaks (reused passwords)	critical	10.0	1	Extortion
2410	Unsecured Elasticsearch Server	critical	10.0	1	Data Breach
2411	Microsoft Exchange Server vulnerabilities (e.g., ProxyLogon)	critical	10.0	1	Cyber Espionage
2412	SVG animate elements in HTML sanitizer	critical	10.0	1	SQL Injection
2413	insufficient user education on phishing/social engineering	critical	10.0	1	cyber espionage
2414	CVE-2026-21509 (RTF parsing flaw)	critical	10.0	1	Cyber Espionage
2415	Vulnerable IoT hardware (digital video recorders, web cameras, home Wi-Fi routers)	critical	10.0	1	DDoS Attack
2416	high_risk_assessment_ignored	critical	10.0	1	data_at_risk
2417	Lack of global standards for D2D services	critical	10.0	1	Cyber-Physical Threat
2418	Previously unknown RCE vulnerability in Max Messenger’s media processing engine, existing since the beta phase in early 2025	critical	10.0	1	Data Breach
2419	Human Vulnerability (Phishing/Social Engineering Susceptibility)	critical	10.0	1	Account Compromise
2420	Poor Data Management	critical	10.0	1	Data Breach
2421	Lack of proactive threat detection and centralized incident response	critical	10.0	1	Cyber Espionage
2422	Weak perimeter defenses, inadequate network segmentation	critical	10.0	1	Ransomware
2423	No AI-Enabled Identity Threat Detection	critical	10.0	1	Identity Security Crisis
2424	CVE-2024-38178	critical	10.0	1	Cyber Espionage
2425	Weak or default credentials ('Password123', 'Austal123') purchased on the dark web	critical	10.0	1	ransomware
2426	CVE-2023-3595	critical	10.0	1	Cyber Espionage
2427	Zero-day vulnerability in GoAnywhere MFT (Managed File Transfer) software	critical	10.0	1	Data Breach
2428	Non-public information disclosure	critical	10.0	1	Bribery and Fraud
2429	CVE-2024-42057	critical	10.0	1	Ransomware Attack
2430	Lack of Multi-Factor Authentication (MFA) for remote hires	critical	10.0	1	Espionage
2431	CVE-2024-40766 (SonicWall SSLVPN improper access control)	critical	10.0	1	ransomware
2432	CVE-2026-20131 (Insecure Deserialization - CWE-502)	critical	10.0	1	Vulnerability Exploitation
2433	Social Engineering (Impersonation of IT support)	critical	10.0	1	Ransomware
2434	Internet-facing edge devices (40% targeted by China-nexus actors)	critical	10.0	1	AI-driven cyber threats
2435	Cloud Misconfigurations (23% of cloud incidents)	critical	10.0	1	Ransomware
2436	CVE-2025-3835	critical	10.0	1	Remote Code Execution (RCE)
2437	Unauthorized Access by Ex-Employee	critical	10.0	1	Data Breach
2438	Web server vulnerability	critical	10.0	1	Data Breach
2439	Legacy System Risks	critical	10.0	1	Data Breach
2440	Critical API security vulnerabilities	critical	10.0	1	Data Breach
2441	Unpatched Firmware/Software in Network Perimeter Devices	critical	10.0	1	Cyber Espionage
2442	CVE-2019-17571 (Apache Log4j 1.2 deserialization issue)	critical	10.0	1	Remote Code Execution (RCE)
2443	CVE-2026-22844 (Command Injection)	critical	10.0	1	Vulnerability Exploitation
2444	abuse of Velociraptor tool	critical	10.0	1	ransomware
2445	Unsecured IoT/Peripheral Devices	critical	10.0	1	Ransomware
2446	Confluence Server Webwork OGNL injection	critical	10.0	1	Vulnerability Exploitation
2447	vulnerable computer systems	critical	10.0	1	data breach
2448	Inadequate Data Redaction in Spreadsheets	critical	10.0	1	Data Breach
2449	CVE-2025-0289 in BioNTdrv.sys driver	critical	10.0	1	Ransomware
2450	Inadequate penetration testing	critical	10.0	1	Data Breach
2451	CVE-2026-40175	critical	10.0	1	Remote Code Execution (RCE)
2452	Lack of proper security policies post-migration due to human error (single employee responsible for manual compilation without second-layer checks)	critical	10.0	1	data breach
2453	Insufficient Backup Protocols	critical	10.0	1	Ransomware
2454	overlooked software vulnerabilities	critical	10.0	1	ransomware
2455	outdated configurations	critical	10.0	1	ransomware
2456	Vulnerabilities in Synology Network-Attached Storage (NAS) devices	critical	10.0	1	Ransomware
2457	Publicly Accessible Industrial Control Systems	critical	10.0	1	Ransomware
2458	Lack of strict removable media controls, insufficient monitoring of privileged users	critical	10.0	1	Insider Threat, Data Exfiltration
2459	Lack of MFA on FortiGate VPN firewalls	critical	10.0	1	Cyberattack (Wiper Malware, Firmware Tampering)
2460	Inadequate Sandboxing for AI/ML Environments	critical	10.0	1	Supply Chain Attack
2461	CVE-2026-24512 (Improper handling of `rules.http.paths.path` field in Ingress resources)	critical	10.0	1	Code Execution Vulnerability
2462	Outdated Industrial Control Systems (ICS)	critical	10.0	1	Cyber Espionage
2463	CVE-2026-7482 (Memory Overread in GGUF Model File Processing)	critical	10.0	1	Data Breach
2464	SHA-1	critical	10.0	1	Data Breach
2465	Outsourced IT support vendor	critical	10.0	1	Social Engineering
2466	Weak vendor credentials	critical	10.0	1	Data Breach
2467	CVE-2026-20127	critical	10.0	1	Authentication Bypass
2468	MOVEit file transfer software zero-day vulnerability	critical	10.0	1	Ransomware
2469	GPS signal manipulation	critical	10.0	1	cyber deception
2470	unmanaged devices	critical	10.0	1	ransomware
2471	SharePoint Permissions Issue	critical	10.0	1	Data Breach
2472	CVE-2025-7028	critical	10.0	1	Firmware Vulnerability
2473	Over-reliance on server-side WAFs/IDS for client-side threats	critical	10.0	1	Data Breach
2474	CVE-2019-7192	critical	10.0	1	Cyber Intrusion
2475	Insufficient Employee Training on Vishing	critical	10.0	1	Data Breach
2476	Geopolitical Tensions (NATO Expansion, Ukraine War)	critical	10.0	1	Physical Sabotage
2477	Flawed ChaCha20-IETF encryption routine (discarding nonces)	critical	10.0	1	Ransomware (Data Wiper)
2478	Incorrect configuration	critical	10.0	1	Data Breach
2479	Publicly accessible links to call recordings/transcripts	critical	10.0	1	Data Breach
2480	CVE-2026-33660 (Improper input validation, CWE-94: Code Injection)	critical	10.0	1	Remote Code Execution (RCE)
2481	UnDefend	critical	10.0	1	Zero-Day Exploitation
2482	CVE-2025-21042 (Samsung Android image processing library)	critical	10.0	1	spyware
2483	Public-facing nodes and databases with inadequate security controls	critical	10.0	1	Research Study
2484	CVE-2025-49155	critical	10.0	1	Vulnerability Exploitation
2485	Security protocol bypass, weak access controls, anti-virus circumvention, secret key exposure in source code	critical	10.0	1	Insider Threat / AI Exploitation
2486	weak SCADA system security	critical	10.0	1	cyber-physical attack
2487	Misaligned agent workflows	critical	10.0	1	AI-driven breach
2488	User Trust in App Store and Social Media Ads	critical	10.0	1	Data Breach
2489	Azure Data Factory service certificate vulnerability	critical	10.0	1	Security Flaw
2490	Compromised Apple ID logins and LinkedIn data	critical	10.0	1	Data Breach
2491	Security issue with Haltdos	critical	10.0	1	Data Breach
2492	Unsecured Kibana Dashboard	critical	10.0	1	Data Leak
2493	Poorly Secured ICS Components (PLCs, SCADA, HMIs, Industrial IoTs)	critical	10.0	1	Cyber-Physical Attack
2494	emotional manipulation	critical	10.0	1	phishing
2495	BACnet/Modbus Protocol Flaws (No Encryption/Authentication)	critical	10.0	1	Cybersecurity Vulnerability Exposure
2496	OAuth Token Misuse	critical	10.0	1	Supply Chain Attack
2497	Lack of Data Processing Agreements (DPAs/DSAs)	critical	10.0	1	Data Privacy Violation
2498	Invalid cast vulnerability in .NET Framework serialization processes	critical	10.0	1	Vulnerability Exploitation
2499	critical and zero-day vulnerabilities in internet-facing network equipment	critical	10.0	1	ransomware
2500	CVE-2024-12686	critical	10.0	1	Breach
2501	Dormant Service Accounts	critical	10.0	1	Data Breach
2502	Security gaps in industrial networks	critical	10.0	1	Cyber Espionage
2503	WinRAR RCE	critical	10.0	1	Cybercrime Forum Seizure
2504	Insecure webcam	critical	10.0	1	Ransomware
2505	Absence of Visibility/Monitoring for Non-Email Channels	critical	10.0	1	Phishing (Non-Email)
2506	CVE-2026-9256 (nginx-poolslip)	critical	10.0	1	Vulnerability Exploitation
2507	CVE-2024-48248	critical	10.0	1	Vulnerability Exploitation
2508	Inadequate cybersecurity frameworks for space-based infrastructure	critical	10.0	1	Cyber-Physical Threat
2509	Precision rounding error in swap calculations	critical	10.0	1	Exploit
2510	Known vulnerability in the email system	critical	10.0	1	Data Breach
2511	npm auto-update mechanisms, lifecycle hooks in package installation	critical	10.0	1	Supply Chain Attack
2512	exploitation of maritime regulatory gaps	critical	10.0	1	AIS spoofing
2513	CVE-2026-22898 (Missing authentication check in QVR Pro)	critical	10.0	1	Vulnerability Exploitation
2514	Fragmented accountability among OEMs, MNOs, and satellite operators	critical	10.0	1	Cyber-Physical Threat
2515	CVE-2024-37085 (Cisco)	critical	10.0	1	ransomware
2516	Employee credentials via spoofed websites	critical	10.0	1	Cryptocurrency Theft, Phishing, Identity Theft
2517	Phishing Domains	critical	10.0	1	Cryptocurrency Scam
2518	CVE-2025-59470	critical	10.0	1	Vulnerability Exploitation
2519	MOVEit Transfer zero-day (Clop gang, 2023)	critical	10.0	1	ransomware
2520	Flaws in Tesla’s Mothership server	critical	10.0	1	Remote Code Execution
2521	CVE-2025-32714 (Windows Installer EoP)	critical	10.0	1	Patch Release
2522	Exposed Firewall Configuration Backups (Encrypted but Sensitive)	critical	10.0	1	Unauthorized Access
2523	RxRPC Page-Cache Write	critical	10.0	1	Local Privilege Escalation (LPE)
2524	CVE-2025-33053 (WebDAV External Control of File Name or Path)	critical	10.0	1	Patch Release
2525	Budget Constraints	critical	10.0	1	Operational Risk
2526	CVE-2025-8875 (Insecure Deserialization Leading to Command Execution)	critical	10.0	1	Vulnerability Exposure
2527	Misconfigured cloud infrastructure	critical	10.0	1	Cloud Exploitation Campaign
2528	CVE-2025-23320	critical	10.0	1	Vulnerability Exploitation
2529	Improper access controls and lack of technical safeguards	critical	10.0	1	Data Breach
2530	Custom IoT malware, IOCONTROL	critical	10.0	1	Cyberattack
2531	Third-party systems (Famly platform and one other unnamed system)	critical	10.0	1	data breach
2532	legitimate platform abuse (e.g., Google Calendar, Azure domains)	critical	10.0	1	ransomware
2533	CVE-2017-7921 (Hikvision - authentication bypass)	critical	10.0	1	Cyber Espionage, Reconnaissance
2534	Supply Chain Weaknesses	critical	10.0	1	Domain Hijacking
2535	Publicly Accessible Executive Profiles (for AI Phishing)	critical	10.0	1	Supply Chain Attack
2536	human error (weakness in operational security)	critical	10.0	1	cyber theft
2537	Gaps in anomaly detection for behavioral baselines	critical	10.0	1	Ransomware
2538	Adversarial AI Tactics Against Defensive Models (ENISA 2025)	critical	10.0	1	Cyber-Physical Attack
2539	Bypassed consent protocols, vulnerabilities in offshored data-management tools	critical	10.0	1	Data Breach
2540	SQL Injection vulnerabilities in WordPress-powered website	critical	10.0	1	Data Breach
2541	Unpatched or end-of-life networking equipment (TP-Link routers)	critical	10.0	1	Cyberespionage, DNS Hijacking, Adversary-in-the-Middle (AiTM) Attack
2542	SmarterMail	critical	10.0	1	Ransomware
2543	Architectural flaws in perimeter defenses, lack of segmentation and monitoring	critical	10.0	1	Data Breach
2544	Lack of Cybersecurity Protocols	critical	10.0	1	Cybercrime
2545	CVE-2025-59287 (Windows Server Update Services - WSUS)	critical	10.0	1	Remote Code Execution (RCE)
2546	Diversité des systèmes OT rendant difficile une protection standardisée	critical	10.0	1	Cyberattaque ciblée
2547	Confluence Server Zero-Day Vulnerability	critical	10.0	1	Zero-Day Exploit
2548	Internal system vulnerabilities	critical	10.0	1	Data Breach
2549	Unsafe dynamic code generation in `Type.generateConstructor` (CVE not assigned, GHSA-xq3m-2v4x-88gg)	critical	10.0	1	Remote Code Execution (RCE)
2550	External content blocking bypass via CSS var() manipulation	critical	10.0	1	SQL Injection
2551	Stale Identity Tokens	critical	10.0	1	Data Breach
2552	GPS-based navigation and landing systems	critical	10.0	1	cyber attack
2553	Indirect prompt injection	critical	10.0	1	Data Privacy and Cybersecurity Advisory
2554	CVE-2026-4670	critical	10.0	1	Vulnerability Exploitation
2555	Payment processing system vulnerability	critical	10.0	1	Data Breach
2556	Outdated Security Software	critical	10.0	1	Awareness Campaign
2557	CVE-2022-41082	critical	10.0	1	Ransomware
2558	GreenPlasma (Local privilege escalation)	critical	10.0	1	Zero-day vulnerability
2559	Unburied or Lightly Buried Cables in Steep Terrain	critical	10.0	1	Physical Sabotage
2560	Untrusted App Sources	critical	10.0	1	Awareness Campaign
2561	Web application stack	critical	10.0	1	Data Breach
2562	Modified Files on Server	critical	10.0	1	Data Breach
2563	Expiration of State and Local Cybersecurity Grant Program	critical	10.0	1	Policy/Regulatory Failure
2564	CVE-2025-30247 (OS Command Injection in Firmware UI)	critical	10.0	1	Vulnerability
2565	CVE-2023-MoveIt (Critical File Transfer Vulnerability)	critical	10.0	1	Ransomware
2566	weak identity management	critical	10.0	1	identity-related breach
2567	Programming Issue	critical	10.0	1	Data Exposure
2568	Deteriorating cyber defenses	critical	10.0	1	Cyberattack
2569	Protection relays	critical	10.0	1	Cyber Sabotage
2570	Misuse of authorized access to medical records under false pretenses	critical	10.0	1	Data Breach
2571	Crafted local address URLs for SSRF bypass	critical	10.0	1	SQL Injection
2572	Unauthorized Cloud Storage	critical	10.0	1	Data Breach (Alleged)
2573	End-of-life and end-of-service network devices, outdated infrastructure	critical	10.0	1	Ransomware
2574	insufficient physical security for network devices	critical	10.0	1	cyber-espionage
2575	CVE-2024-21887 (Ivanti Connect Secure/Policy Secure)	critical	10.0	1	Ransomware
2576	Open USB ports	critical	10.0	1	APT Attack
2577	Malicious macros in a document titled 'Act.doc'	critical	10.0	1	Cyberattack
2578	Known vulnerability in data storage systems	critical	10.0	1	Ransomware Attack
2579	Endpoint Detection and Response (EDR) and antivirus process termination	critical	10.0	1	Malware, Ransomware
2580	CVE-2024-50603	critical	10.0	1	Cryptojacking and Backdoor Exploitation
2581	Architectural weakness in LLM input processing and trust boundaries	critical	10.0	1	Zero-Click Remote Code Execution (RCE)
2582	Hidden dependency with postinstall script execution	critical	10.0	1	Supply Chain Attack
2583	Unauthenticated File Read	critical	10.0	1	Vulnerability Exploitation
2584	Steganography	critical	10.0	1	Malware Infection
2585	Over-reliance on remote desktop tools without geofencing	critical	10.0	1	Espionage
2586	Digitized supply chains	critical	10.0	1	Cyberattack
2587	CVE-2024-57968	critical	10.0	1	Security Breach
2588	AI voice cloning limitations	critical	10.0	1	social engineering
2589	Misconfigurations in operational technology (OT) systems	critical	10.0	1	Exposure of Critical Infrastructure
2590	Trust in Professional Networking Platforms	critical	10.0	1	Phishing (Non-Email)
2591	Student cybersecurity illiteracy	critical	10.0	1	Data Breach
2592	GPS signal susceptibility to jamming	critical	10.0	1	GPS jamming
2593	CVE-2025-33073	critical	10.0	1	Ransomware
2594	Previously unknown vulnerability in file-sharing system	critical	10.0	1	Ransomware Attack
2595	Misconfigured RDP ports	critical	10.0	1	Espionage
2596	CVE-2026-32746 (Buffer Overflow in GNU InetUtils telnetd)	critical	10.0	1	Vulnerability Exploitation
2597	limited financial resources for cybersecurity investments	critical	10.0	1	ransomware
2598	Legitimate features of Signal	critical	10.0	1	Phishing
2599	Previously unknown vulnerability in the payment processing system	critical	10.0	1	Data Breach
2600	20 security vulnerabilities identified by Claude LLM	critical	10.0	1	Data Breach, Cyber Espionage
2601	CVE-2026-34910	critical	10.0	1	Remote Code Execution (RCE)
2602	Static Zero Trust Policies (Lack of Dynamic Guardrails)	critical	10.0	1	Data Breach (AI Models/Applications)
2603	Misconfigured or stolen OAuth tokens, insufficient monitoring of API access logs	critical	10.0	1	Supply Chain Attack
2604	Unencrypted Satellite Backhaul	critical	10.0	1	Data Interception
2605	Trust in open-source maintainers, Fake meeting infrastructure	critical	10.0	1	Supply Chain Attack
2606	Stale service accounts	critical	10.0	1	Ransomware
2607	Lack of encryption and authentication in Modbus protocol	critical	10.0	1	Vulnerability Exploitation
2608	Poor IoT device oversight/management	critical	10.0	1	Ransomware
2609	CVE-2025-26319	critical	10.0	1	Remote Code Execution (RCE)
2610	Trivy	critical	10.0	1	Ransomware
2611	CVE-2025-15576	critical	10.0	1	Vulnerability Exploitation
2612	CVE-2026-33725	critical	10.0	1	Remote Code Execution (RCE)
2613	SaaS supply chain blind spots	critical	10.0	1	Ransomware
2614	CVE-2025-53521 (F5 BIG-IP APM)	critical	10.0	1	ransomware
2615	CVE-2025-2783	critical	10.0	1	Zero-Day Vulnerability
2616	CVE-2026-33634 (CWE-506)	critical	10.0	1	Supply Chain Attack
2617	Mutable version tags	critical	10.0	1	Supply Chain Attack, Extortion Campaign
2618	Insufficient Vendor Oversight	critical	10.0	1	Supply Chain Attack
2619	Critical vulnerability in SAP NetWeaver Visual Composer development server	critical	10.0	1	Zero-day attack
2620	outdated cybersecurity protocols	critical	10.0	1	cyber attack
2621	Lack of anti-jamming protection for GPS systems	critical	10.0	1	GPS jamming
2622	CVE-2026-24789	critical	10.0	1	Vulnerability Exploitation
2623	Critical vulnerabilities within the ESXi platform	critical	10.0	1	Ransomware
2624	Automatic execution of malicious code during package installation or project builds	critical	10.0	1	Supply Chain Attack
2625	CVE-2026-46316 (ITScape)	critical	10.0	1	Vulnerability Exploitation
2626	Unauthorized Disclosure of Sensitive Information	critical	10.0	1	Security Vulnerabilities
2627	Weak/Reused Passwords	critical	10.0	1	Account Compromise
2628	CVE-2025-2171	critical	10.0	1	Vulnerability Exploitation
2629	Zero-day	critical	10.0	1	Ransomware
2630	accidental exposure of regional blacklist data	critical	10.0	1	data breach
2631	Gaps in Endpoint Detection and Response (EDR)	critical	10.0	1	Domain Hijacking
2632	User Registration & Membership WordPress plugin vulnerability	critical	10.0	1	Authentication Bypass
2633	Trust in fraudulent bank certificates	critical	10.0	1	Identity Fraud
2634	lack of actionable alerting	critical	10.0	1	ransomware
2635	Unpatched zero-day vulnerability in Oracle E-Business Suite (arbitrary code execution)	critical	10.0	1	ransomware
2636	File Transfer Service Provider	critical	9.0	1	Data Breach
2637	Weak or Stolen Login Credentials	critical	9.0	1	Data Breach
2638	Misplaced Portable Flash Drive	critical	9.0	1	Data Breach
2639	Accellion FTA server vulnerability	critical	9.0	1	Data Breach
2640	Unauthorized Access by Terminated Employee	critical	9.0	1	Data Breach
2641	Past Data Breach	critical	9.0	1	Phishing Campaign
2642	Lack of authentication controls	critical	9.0	1	Data Exposure
2643	Customer Accounts	critical	9.0	1	Credential Stuffing
2644	Multiple vulnerabilities in Cisco Small Business RV Series routers	critical	9.0	1	Vulnerability Exploitation
2645	Sophos Firewall versions 18.5 MR3 (18.5.3)	critical	9.0	1	Vulnerability Exploitation
2646	Charting software	critical	9.0	1	Ransomware
2647	Default Data Retention Policies in LLMs (e.g., OpenAI’s 30-day deletion lag)	critical	8.5	1	Data Leakage
2648	Failure to mask sensitive contact details during password reset requests	critical	8.5	1	Data Exposure
2649	Instagram API (alleged)	critical	8.5	1	Data Scrape / Alleged Breach
2650	Memory address mapping manipulation via DDR4 interposer	critical	8.5	1	Supply Chain Attack
2651	Unverified execution of README instructions by AI coding agents	critical	8.5	1	Semantic Injection
2652	Static XOR encryption key	critical	8.5	1	Data Breach
2653	Weak cybersecurity defenses, lack of dedicated cybersecurity staff, reliance on ed-tech tools	critical	8.5	1	Ransomware
2654	lack of multi-signature validation for critical operations	critical	8.5	1	blockchain exploit
2655	Unsecured legacy server	critical	8.5	1	Data Exposure
2656	Insider access to patient records	critical	8.5	1	Data Breach
2657	Three separate flaws in Automotive Grade Linux	critical	8.5	1	Zero-Day Vulnerabilities
2658	Legislative gap in privacy protections for political parties	critical	8.5	1	Data Breach
2659	Inadequate User Data Protection	critical	8.5	1	Data Breach
2660	Lack of Access Controls / Unencrypted Data Storage	critical	8.5	1	Data Exposure
2661	Remote Access to Car Functions	critical	8.5	1	Vulnerability Exploit
2662	Lack of separation between instructions and data in large language models	critical	8.5	1	AI Vulnerability Misunderstanding
2663	Vulnerability in Progress Software Corporation's MOVEit Transfer product	critical	8.5	1	Data Breach
2664	CVE-2026-21513 (Security Feature Bypass - CWE-693)	critical	8.5	1	Zero-Day Exploit
2665	Generic Out-of-Bounds Read/Write in C/C++ (e.g., unchecked array indexing, `strcpy` overflows)	critical	8.5	1	Memory Corruption
2666	CVE-2026-2275	critical	8.5	1	Remote Code Execution
2667	CVE-2025-54106 (Windows RRAS RCE)	critical	8.5	1	Malware (Infostealer)
2668	Inadequate cybersecurity protocols, weak security controls	critical	8.5	1	Data Breach
2669	Human Weakness in Customer Service	critical	8.5	1	Data Breach
2670	CVE-2025-54253 (Misconfiguration in AEM Forms - Apache Struts 'devMode' enabled + Authentication Bypass)	critical	8.5	1	Vulnerability Exploitation
2671	Credentials exploitation	critical	8.5	1	Data Breach
2672	AI Supply Chain Weaknesses	critical	8.5	1	Supply Chain Attack
2673	CVE-2026-25750 (Insecure `baseUrl` parameter in LangSmith Studio)	critical	8.5	1	API Misconfiguration
2674	Incomplete cross-origin controls (Ollama Desktop)	critical	8.5	1	Arbitrary Code Execution
2675	CVE-2025-4123	critical	8.5	1	Vulnerability Exploitation
2676	Starlink network access control	critical	8.5	1	Data Breach
2677	Weak Authentication in AI Platforms	critical	8.5	1	Data Leakage
2678	Third-party Salesforce tenant misconfiguration/access controls	critical	8.5	1	Data Breach
2679	Vulnerabilities in a property information-sharing system used exclusively by real estate companies	critical	8.5	1	Data Breach
2680	SQLi in Postgres MCP (bypassing read-only restrictions)	critical	8.5	1	Arbitrary Code Execution
2681	Improper FOIA Redaction Procedures	critical	8.5	1	Data Breach
2682	Compromised company account on GitHub	critical	8.5	1	Data Breach
2683	Human Error / Social Engineering	critical	8.5	1	Phishing Attack
2684	CVE-2021-47960	critical	8.5	1	Vulnerability Exploitation
2685	Insecure Data Storage	critical	8.5	1	Data Collection
2686	Human access points, Infected endpoints	critical	8.5	1	Data Breach, Financial Theft, Ransomware (Suspected)
2687	Weaknesses in vendor credential management	critical	8.5	1	Data Breach
2688	Authorization control bypass in Google Gemini	critical	8.5	1	Indirect Prompt Injection
2689	Unpatched Cloud Services	critical	8.5	1	Cloud Security Breach
2690	Misconfigured Storage Buckets	critical	8.5	1	Data Leak
2691	Lack of reasonable cyber security measures	critical	8.5	1	Data Breach
2692	Windows automatic DLL loading	critical	8.5	1	Malware Campaign
2693	unsecured APIs	critical	8.5	1	ransomware
2694	Missing role checks during user onboarding	critical	8.5	1	Autonomous AI-driven cyber attack
2695	Unrestricted internet access to real-time surveillance data without authentication	critical	8.5	1	Data Breach
2696	CVE-2024-13496	critical	8.5	1	SQL Injection
2697	CVE-2018-25270 (ThinkPHP)	critical	8.5	1	Exploit Trends
2698	CVE-2026-2287	critical	8.5	1	Remote Code Execution
2699	user trust in legitimate cryptocurrency wallet applications	critical	8.5	1	malware
2700	Ivanti Endpoint Manager Mobile flaw	critical	8.5	1	Data Breach
2701	lack of encryption and authentication (non-password-protected database)	critical	8.5	1	data exposure
2702	Unauthorized access to third-party system storing customer data	critical	8.5	1	Data Breach
2703	lack of data access controls	critical	8.5	1	data breach
2704	Human Error (Misconfigured Email Distribution List)	critical	8.5	1	Data Breach (Unintentional Disclosure)
2705	CWE-352: Cross-Site Request Forgery (CSRF) (via API manipulation)	critical	8.5	1	Data Breach
2706	CVE-2026-1603	critical	8.5	1	Authentication Bypass
2707	Improper disposal of hardware containing sensitive data	critical	8.5	1	Data Breach (Physical/Improper Disposal)
2708	Compromised maintainer account (atiertant)	critical	8.5	1	Supply Chain Attack
2709	Improper third-party access to confidential records	critical	8.5	1	Data Breach
2710	Microsoft’s legitimate device code authentication flow	critical	8.5	1	Phishing
2711	Insufficient credential security	critical	8.5	1	Data Breach
2712	Lack of AI Governance Frameworks	critical	8.5	1	Data Leakage
2713	Weak Password ('123456')	critical	8.5	1	Data Breach
2714	CVE-2025-67644 (SQL Injection)	critical	8.5	1	Remote Code Execution (RCE)
2715	Potential Weak Email Security Controls	critical	8.5	1	Phishing
2716	Unspecified vulnerability in Salesloft Drift's OAuth token management	critical	8.5	1	Supply Chain Attack
2717	CVE-2026-2835	critical	8.5	1	HTTP Request Smuggling
2718	CVE-2026-33826 (Improper Input Validation - CWE-20)	critical	8.5	1	Vulnerability Disclosure
2719	Insecure facial recognition databases, Lack of encryption, Third-party vulnerabilities	critical	8.5	1	Data Breach
2720	CVE-2026-31635 (Missing COW guard in rxgk_decrypt_skb() function)	critical	8.5	1	Local Privilege Escalation (LPE)
2721	Shared Inbox Access	critical	8.5	1	Data Breach
2722	Publicly Accessible .env Files	critical	8.5	1	Data Exposure
2723	Improper TLS Certificate Validation (CWE-295)	critical	8.5	1	Vulnerability
2724	Stolen credentials (PIN and government-issued ID)	critical	8.5	1	Fraud Scheme
2725	CVE-2025-59449 (Incorrect Authorization)	critical	8.5	1	Denial-of-Service
2726	E-commerce web platform	critical	8.5	1	Data Breach
2727	Unauthorized access due to unverified data-sharing requests	critical	8.5	1	Data Breach
2728	CVE-2025-7399 (Unauthenticated RCE in Samsung MagicINFO 9 Server)	critical	8.5	1	Vulnerability Exploitation
2729	Weak BYOD Policies	critical	8.5	1	Insider Threat
2730	Unauthorized administrative access	critical	8.5	1	Data Leak
2731	Absence of Visibility/Monitoring Tools	critical	8.5	1	Data Leakage
2732	Absence of vendor security assessments for AI tools	critical	8.5	1	Data Leakage
2733	Broken object-level authorization (BOLA) (40%)	critical	8.5	1	API Security Breach
2734	Insufficient de-identification	critical	8.5	1	Data Breach
2735	Client-side vulnerabilities	critical	8.5	1	Data Breach/Vulnerability Exposure
2736	Unpatched 'n-day' vulnerability in end-of-life software	critical	8.5	1	Data Breach
2737	Policy/Procedural Failure	critical	8.5	1	Data Breach
2738	One-click IP leak via MTProxy	critical	8.5	1	Data Leak
2739	Weak or Stolen Employee Credentials	critical	8.5	1	Data Breach
2740	Weak authentication measures in Fast Pair protocol	critical	8.5	1	Vulnerability Exploitation
2741	Excessive guest user permissions, misconfigured guest access to public APIs	critical	8.5	1	Data Theft
2742	CWE-200: Exposure of Sensitive Information	critical	8.5	1	Data Exposure
2743	Human Error (Misaddressed Email)	critical	8.5	1	Data Breach (Phishing / Unauthorized Disclosure)
2744	CVE-2026-32647 (Out-of-bounds read in ngx_http_mp4_module)	critical	8.5	1	Vulnerability Exploitation
2745	Publicly accessible sensitive data	critical	8.5	1	Data Exposure
2746	Technical failure in recognizing court updates	critical	8.5	1	Data Leak
2747	Infostealer malware distributed via compromised npm package (TanStack)	critical	8.5	1	Data Breach
2748	Account verification procedure	critical	8.5	1	Data Breach
2749	CVE-2014-6271 (Shellshock)	critical	8.5	1	Exploit Trends
2750	Inadequate cloud storage security	critical	8.5	1	Data Breach
2751	Insufficient sanitization of user input in XML processing	critical	8.5	1	XML External Entity (XXE) Injection
2752	user susceptibility to phishing	critical	8.5	1	phishing
2753	CVE-2026-31790	critical	8.5	1	Data Leak
2754	Patched security vulnerability	critical	8.5	1	Data Breach
2755	Indirect prompt injection in AI agents	critical	8.5	1	Indirect Prompt Injection Attack
2756	CVE-2026-0958	critical	8.5	1	Vulnerability Exploitation
2757	Unauthorized internal access to law enforcement databases	critical	8.5	1	Data Breach
2758	CVE-2025-4366	critical	8.5	1	HTTP Request Smuggling
2759	CVE-2026-42253	critical	8.5	1	Vulnerability Disclosure
2760	MOVEit Transfer Critical Vulnerability (CVE-2023-34362)	critical	8.5	1	Data Breach
2761	Aeries Software	critical	8.5	1	Data Breach
2762	Vulnerabilities in online quote tools	critical	8.5	1	data breach
2763	Obscured opt-out tools, 'no index' instructions, and dark patterns	critical	8.5	1	Data Breach
2764	Lack of authentication controls, Aftermarket modifications, Unrestricted AI-driven data collection, Subcontractor access to sensitive data	critical	8.5	1	Data Breach, Compliance Violation, Privacy Violation
2765	Public URLs for client-worker communications instead of secured, expiring links	critical	8.5	1	Data Exposure
2766	Citrix Software Vulnerability (unspecified)	critical	8.5	1	Data Breach
2767	Human error in file-sharing settings (Google Workspace for Education/Microsoft Education)	critical	8.5	1	Data Exposure
2768	Improper data handling during system restoration	critical	8.5	1	Data Breach
2769	CVE-2026-21519	critical	8.5	1	Privilege Escalation
2770	CVE-2024-3177	critical	8.5	1	Vulnerability Exploitation
2771	Visual Studio Code tasks.json	critical	8.5	1	Supply Chain Attack
2772	Backend API endpoint lacking proper authentication checks	critical	8.5	1	Data Breach
2773	CVE-2026-3888	critical	8.5	1	Local Privilege Escalation (LPE)
2774	Human error (phishing attack on staff)	critical	8.5	1	Data Breach
2775	Weak Password Reset Mechanisms	critical	8.5	1	Cyberattack
2776	Intermediate Data Leakage (Predictions, Losses)	critical	8.5	1	Privacy Breach
2777	CVE-2024-23222 (WebKit RCE - cassowary)	critical	8.5	1	Exploit Kit / Malware Campaign
2778	Software vulnerabilities in AI tools (e.g., backdoors, bugs)	critical	8.5	1	Data Leakage
2779	Lack of robust identity verification during hiring process	critical	8.5	1	Data Breach (Insider Threat / Identity Misuse)
2780	Improper Disposal of Sensitive Data	critical	8.5	1	Data Breach
2781	Weak Authentication Mechanisms (e.g., no 2FA)	critical	8.5	1	Privacy Violation
2782	Lack of Authentication (No Password Protection)	critical	8.5	1	Data Exposure / Unsecured Database
2783	Insufficient Monitoring of EHR Access	critical	8.5	1	Data Breach
2784	VMware Aria Operations	critical	8.5	1	APT Activity
2785	Long-Term Data Retention	critical	8.5	1	Data Breach
2786	Insecure APIs	critical	8.5	1	Data Breach
2787	Human Trust and Error (Bypassed Security Awareness Training)	critical	8.5	1	Data Breach
2788	Security flaw in third-party software	critical	8.5	1	Data Breach
2789	ClawJacked (CVE not specified)	critical	8.5	1	Vulnerability Exploitation
2790	Unauthorized data collection via embedded tracking tool	critical	8.5	1	Data Harvesting
2791	User trust in AI-themed extensions, lack of stringent Chrome Web Store security checks	critical	8.5	1	Malicious Browser Extensions
2792	Missing Reporting Mechanisms for Objectionable Content	critical	8.5	1	Data Breach
2793	Prolonged Email Retention (6+ years)	critical	8.5	1	Data Breach
2794	policy gaps	critical	8.5	1	data breach
2795	Phishing or Credential Compromise	critical	8.5	1	Data Breach
2796	Misconfigured Docker Setups	critical	8.5	1	Misconfiguration
2797	CVE-2025-54136 (MCPoison) - Trust Model Flaw in MCP Configuration Handling	critical	8.5	1	Vulnerability
2798	Unsecured AWS bucket	critical	8.5	1	Data Breach
2799	Automated link preview generation in AI agents	critical	8.5	1	Data Exfiltration
2800	Unauthorized access to shared network drive	critical	8.5	1	Data Breach
2801	Weaknesses in lock systems	critical	8.5	1	Hardware vulnerability
2802	Over-Permissive Third-Party Access	critical	8.5	1	Data Breach
2803	Third-party shopping cart software	critical	8.5	1	Data Breach
2804	Data Exposure	critical	8.5	1	Data Leak
2805	Security flaw	critical	8.5	1	Data Breach
2806	Unauthenticated vulnerabilities (56% of tracked vulnerabilities in 2025)	critical	8.5	1	Supply Chain Attack
2807	Weak encryption (unsalted MD5 password hashes)	critical	8.5	1	Data Breach
2808	Glitch in License Express website	critical	8.5	1	Data Exposure
2809	Unauthorized Software Installation	critical	8.5	1	Data Breach
2810	CVE-2025-54236 (Improper Input Validation in Adobe Commerce/Magento)	critical	8.5	1	Vulnerability Exploitation
2811	MOVEit Transfer application vulnerabilities	critical	8.5	1	Data Breach
2812	CVE-2024-55591 (FortiOS/FortiProxy)	critical	8.5	1	ransomware
2813	Poor credential management	critical	8.5	1	Unauthorized Access
2814	CVE-2026-22153 (FG-IR-25-1052), CWE-305 (Authentication Bypass by Primary Weakness)	critical	8.5	1	Authentication Bypass
2815	Unsanitized parameters in database queries leading to SQL injection	critical	8.5	1	SQL Injection
2816	lack of multi-factor authentication (MFA) enforcement on phishing sites	critical	8.5	1	phishing
2817	First Party Authentication (FPA) v2 Exploitation	critical	8.5	1	API Vulnerability
2818	Unauthorized Access to Personal Information	critical	8.5	1	Data Theft
2819	CVE-2026-1591	critical	8.5	1	Supply Chain Attack
2820	Unverified JWT payload	critical	8.5	1	Vulnerability Exploit
2821	Unknown vulnerability in Oracle E-Business Suite (CVE not specified)	critical	8.5	1	Data Breach / Ransomware Attack
2822	Out-of-bounds write flaw in Alpitronic HYC50 EV charger	critical	8.5	1	Zero-Day Vulnerabilities
2823	CVE-2025-43300 (Image I/O framework - out-of-bounds write)	critical	8.5	1	Zero-day vulnerability
2824	Lack of segmentation between IT and operational systems	critical	8.5	1	Data Breach
2825	Salesforce Environments	critical	8.5	1	Data Breach
2826	unprotected storage bucket	critical	8.5	1	data breach
2827	Human error (tricked employees into handing over login credentials for internal Salesforce software)	critical	8.5	1	Data Breach
2828	Incorrect data validation protocols	critical	8.5	1	Data Exposure
2829	CVE-2025-20352 (SNMP RCE in Cisco IOS/IOS XE)	critical	8.5	1	unauthorized access
2830	CVE-2026-7201 (CVSS 8.8)	critical	8.5	1	Vulnerability Exploitation
2831	Coding Transmission Error	critical	8.5	1	Data Breach
2832	Lack of Security Reviews	critical	8.5	1	Security Oversight
2833	CVE-2025-59145 (Invisible Markdown Comment Syntax Abuse)	critical	8.5	1	Data Exfiltration
2834	Oracle WebLogic Server vulnerability	critical	8.5	1	Data Breach
2835	Progress Software's MOVEit File Transfer solution	critical	8.5	1	Data Breach
2836	CVE-2026-5281 (Use-after-free in Dawn GPU abstraction layer)	critical	8.5	1	Zero-Day Exploitation
2837	Vulnerability in third-party contractor’s software	critical	8.5	1	Data Breach
2838	Unauthorized data sharing via embedded trackers	critical	8.5	1	Data Privacy Violation
2839	Social engineering (PIN disclosure)	critical	8.5	1	Phishing
2840	MOVEit file transfer tool (global exploit)	critical	8.5	1	Data Breach
2841	configuration gap in Amazon S3 server	critical	8.5	1	data breach
2842	Human error (social engineering of third-party employee)	critical	8.5	1	Data Breach
2843	Model Context Protocol (MCP) flaws	critical	8.5	1	Vulnerability Exploitation
2844	Unique Identification Number Guessing	critical	8.5	1	Data Breach
2845	Unspecified vulnerability in Oracle EBS	critical	8.5	1	Data Breach
2846	Cisco Unified Communications Manager (CM) bug	critical	8.5	1	Vulnerability Exploitation
2847	CVE-2020-17103	critical	8.5	1	Privilege Escalation
2848	Unsecured Elasticsearch cluster	critical	8.5	1	Data Breach
2849	Google Analytics and Google Ads misconfiguration	critical	8.5	1	Data Breach
2850	malicious CI/CD pipeline injection	critical	8.5	1	supply-chain attack
2851	Social Engineering (Fake Windows Update)	critical	8.5	1	Session Hijacking
2852	Free for Teacher environment vulnerability in Canvas LMS	critical	8.5	1	Data Breach
2853	Default Password on Code Repository	critical	8.5	1	Data Exposure
2854	hardcoded secrets in code	critical	8.5	1	data exposure
2855	unsecured backup databases co-located with active databases	critical	8.5	1	data breach
2856	Unapplied security patches to its software	critical	8.5	1	Data Breach
2857	previously_compromised_data	critical	8.5	1	data_breach
2858	Improper data handling and lack of safeguards	critical	8.5	1	Data Breach
2859	Accellion FTA (specific CVE not mentioned)	critical	8.5	1	Data Breach
2860	Legitimate Telegram API authentication mechanisms	critical	8.5	1	Phishing
2861	Misconfigured Stravito Access (Internal Documents)	critical	8.5	1	Data Exposure
2862	Server Vulnerabilities	critical	8.5	1	Smishing Scam
2863	CVE-2026-21262 (Improper Access Control - CWE-284)	critical	8.5	1	Privilege Escalation
2864	automated CI/CD pipeline execution	critical	8.5	1	supply-chain attack
2865	Unpatched flaw (addressed in July 2023 update, additional vulnerabilities patched in October 2023)	critical	8.5	1	Data Breach
2866	CVE-2026-26144	critical	8.5	1	Vulnerability
2867	Third-Party Tracking Tools	critical	8.5	1	Data Collection
2868	lack of sandboxing for physical GPU-equipped machines	critical	8.5	1	malware
2869	CVE-2026-22219 (CVSS 8.3)	critical	8.5	1	Data Breach
2870	absence of suspicious login alerts	critical	8.5	1	data breach
2871	CVE-2026-7313 (CVSS 8.7)	critical	8.5	1	Vulnerability Exploitation
2872	Resource Constraints in DHS	critical	8.5	1	Security Oversight
2873	Session token hijacking	critical	8.5	1	Phishing-as-a-Service (PhaaS)
2874	RxGK subsystem flaw in `rxgk_decrypt_skb()` function (Linux kernel)	critical	8.5	1	Local Privilege Escalation (LPE)
2875	Google Tag Manager	critical	8.5	1	Data Breach
2876	Lack of Input Validation	critical	8.5	1	Data Breach
2877	Lack of security audits for employee-facing ecommerce platforms	critical	8.5	1	Keylogger Attack
2878	Excessive permissions, hidden app functionality, cloud service abuse (Firebase, Google Apps Script, Telegram, Google Drive)	critical	8.5	1	Malware (Remote Access Trojan - RAT)
2879	Weak Authentication (SSO)	critical	8.5	1	Data Breach
2880	Employee deception, potential weak passwords or third-party vulnerabilities (Okta identity management service)	critical	8.5	1	Data Breach
2881	SQL injection (20.0%)	critical	8.5	1	API Security Breach
2882	CVE-2026-39808	critical	8.5	1	OS command injection
2883	Compromised package versions (2.6.0, 2.6.1, 2.6.2)	critical	8.5	1	Supply Chain Attack
2884	Weak or Stolen OAuth Token Management (External App Connection to Salesforce)	critical	8.5	1	Data Breach
2885	Zero-day vulnerability in third-party software platform	critical	8.5	1	Data Breach
2886	Lack of multi-factor authentication (MFA), Third-party vendor compromise	critical	8.5	1	Data Breach
2887	Lack of clear user consent	critical	8.5	1	Privacy Violation
2888	Access control failures	critical	8.5	1	Data Breach
2889	Human error in CMS settings (defaulted to public URLs unless manually restricted)	critical	8.5	1	Data Leak
2890	Mobile Application Vulnerability	critical	8.5	1	Data Breach
2891	Vulnerability in GoAnywhere file transfer platform	critical	8.5	1	Data Breach
2892	CVE-2026-20204	critical	8.5	1	Remote Code Execution (RCE)
2893	Misconfigured Database Access Controls	critical	8.5	1	Data Exposure
2894	CVE-2026-34486	critical	8.5	1	Vulnerability Exploitation
2895	Network-connected systems	critical	8.5	1	Business Email Compromise (BEC)
2896	Insecure Direct Object Reference (Sapphos API)	critical	8.5	1	Malware (Infostealer)
2897	CVE-2026-9560 (OS Command Injection - CWE-78)	critical	8.5	1	Privilege Escalation
2898	CVE-2025-53652	critical	8.5	1	Command Injection
2899	Human error (deception of individuals into disclosing confidential information)	critical	8.5	1	Data Breach
2900	Ray on Vertex AI Insecure Default Access	critical	8.5	1	Privilege Escalation
2901	Improper handling of branch names during task execution	critical	8.5	1	Command Injection
2902	Lack of input sanitization in AI agents parsing GitHub content	critical	8.5	1	Indirect Prompt-Injection Vulnerability
2903	Publicly accessible profile information	critical	8.5	1	Data Scraping
2904	Insufficient Access Controls / Lack of Monitoring	critical	8.5	1	Unauthorized Access / Data Breach
2905	CVE-2026-3337	critical	8.5	1	Cryptographic Vulnerability
2906	AI-driven systems and expanded attack surfaces	critical	8.5	1	Data Breach
2907	mDNS Misconfiguration	critical	8.5	1	Misconfiguration
2908	MOVEit secure file transfer tool vulnerability	critical	8.5	1	Data Breach
2909	Unencrypted data stored in an internet-accessible environment	critical	8.5	1	Data Breach
2910	Authentication Bypass	critical	8.5	1	Authentication Bypass
2911	internal API vulnerability (details undisclosed)	critical	8.5	1	data breach
2912	Parser differential between JavaScript and libc (getaddrinfo())	critical	8.5	1	Sandbox Bypass
2913	weak MFA implementations	critical	8.5	1	phishing
2914	CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, CVE-2026-41099 (CWE-284: Improper Access Control)	critical	8.5	1	Vulnerability Exploitation
2915	CVE-2026-20046	critical	8.5	1	Privilege Escalation
2916	API key and access token theft	critical	8.5	1	Vulnerability Exploitation
2917	Cisco SD-WAN flaws	critical	8.5	1	APT Activity
2918	CVE-2025-33206 (Improper Input Validation - CWE-78)	critical	8.5	1	Vulnerability Exploitation
2919	CVE-2026-20131	critical	8.5	1	Cyberespionage
2920	CVE-2023-50224 (TP-Link WR841N routers)	critical	8.5	1	Cyberespionage
2921	CVE-2026-4798 (CVSS 7.5)	critical	8.5	1	SQL Injection
2922	Branch Predictor Race Conditions (BPRC) in Intel Processors (Speculative Execution Side Channel)	critical	8.5	1	Hardware Vulnerability
2923	Weak point in the network	critical	8.5	1	Data Breach
2924	Personal devices infected with malware	critical	8.5	1	Credential Leak
2925	manque de protection des terminaux personnels	critical	8.5	1	cyberattaque
2926	Inadequate internal monitoring and access controls	critical	8.5	1	Data Breach
2927	Irreversible Identity Linking in NFT Ownership	critical	8.5	1	Privacy Violation
2928	lack of code signing verification for replaced applications	critical	8.5	1	malware
2929	Third-party oversight failures	critical	8.5	1	Data Breach
2930	Insufficient Authentication/Authorization Controls for Reimbursement Account Access	critical	8.5	1	Data Breach / Unauthorized Access
2931	NPM Dependencies	critical	8.5	1	Malware Deployment
2932	Side API compromise	critical	8.5	1	Supply Chain Attack
2933	CVE-2025-54897 (SharePoint RCE)	critical	8.5	1	Malware (Infostealer)
2934	Compromised GitHub Tokens	critical	8.5	1	Identity Compromise
2935	Third-Party CRM Security Weaknesses	critical	8.5	1	Data Breach
2936	Human Error (Improper Document Upload)	critical	8.5	1	Data Breach (Inadvertent Disclosure)
2937	Android and Linux Kernel vulnerabilities	critical	8.5	1	Vulnerability Exploitation
2938	Zcash’s privacy layer vulnerability (4-year-old)	critical	8.5	1	Vulnerability Exploitation
2939	CVE-2025-13328	critical	8.5	1	Information Leak
2940	Inherited permissions from privileged users	critical	8.5	1	Data Breach
2941	Windows Shell Spoofing (CVE-2026-32202)	critical	8.5	1	Data Breach
2942	CVE-2021-44228 (Log4Shell)	critical	8.5	1	Exploit Trends
2943	weak validator key security	critical	8.5	1	blockchain exploit
2944	improper access controls (configuration gap in S3 bucket permissions)	critical	8.5	1	data breach
2945	Misconfigured database lacking proper authentication controls	critical	8.5	1	Data Breach
2946	VMware Vulnerabilities	critical	8.5	1	Ransomware
2947	CVE-2025-30248 (CWE-427: Uncontrolled Search Path Element)	critical	8.5	1	DLL Hijacking
2948	CVE-2025-43510	critical	8.5	1	Exploit Kit
2949	Insufficient access controls and monitoring	critical	8.5	1	Insider Threat
2950	SOHO devices	critical	8.5	1	Credential Theft
2951	Employee targeted via vishing	critical	8.5	1	Data Breach
2952	Weak MFA	critical	8.5	1	Data Breach
2953	Claude Code flaws	critical	8.5	1	APT Activity
2954	Inadequate access controls, lack of data encryption	critical	8.5	1	Data Breach
2955	Unencrypted data on decommissioned equipment	critical	8.5	1	Data Breach
2956	CVE-2017-7921	critical	8.5	1	Espionage
2957	Overly permissive guest user settings in Salesforce Experience Cloud	critical	8.5	1	Data Harvesting
2958	CVE-2024-38200 (MSHTML/Trident engine RCE)	critical	8.5	1	Zero-Day Exploit
2959	Trust in the platform's review system and verification processes	critical	8.5	1	Disinformation and Scams
2960	MOVEit file-transfer vulnerability	critical	8.5	1	Data Breach
2961	CVE-2025-14847 (Improper handling of length parameter inconsistency, CWE-130)	critical	8.5	1	Memory-Read Vulnerability
2962	UAC bypass via COM auto-elevation (ICMLuaUtil through cmlua.dll)	critical	8.5	1	Trojan
2963	CVE-2025-13915 (CWE-305: Authentication Bypass by Primary Weakness)	critical	8.5	1	Authentication Bypass
2964	Mishandled private keys in AI-generated JavaScript	critical	8.5	1	Data Breach
2965	CVE pending (related to 'node-forge' cryptographic signature verification flaw)	critical	8.5	1	Vulnerability
2966	Trivial vulnerability	critical	8.5	1	Data Breach
2967	Trusted Hiring Pipelines	critical	8.5	1	Malware Deployment
2968	Unpatched vulnerabilities, Unintentional installation of malware by IT personnel with admin privileges	critical	8.5	1	Supply Chain Attack, Data Breach
2969	Publicly Accessible Files	critical	8.5	1	Data Leak
2970	Deceptive imposter commit via attacker-controlled fork	critical	8.5	1	Supply Chain Attack
2971	Weak KYC processes, Fast account opening, SEPA transfer infrastructure	critical	8.5	1	Fraud, Money Laundering
2972	Architectural weakness in Google Gemini Enterprise and Vertex AI Search (RAG-based trust boundary exploitation)	critical	8.5	1	Zero-Click Vulnerability, Indirect Prompt Injection
2973	Health Information Exchange (HIE) platform misconfiguration	critical	8.5	1	Data Breach
2974	Unauthorized access to cloud system	critical	8.5	1	Data Exposure
2975	compromised user devices (suspected)	critical	8.5	1	data breach (unverified)
2976	Improper Token Management (Unrotated API Tokens)	critical	8.5	1	Data Breach
2977	CVE-2026-0234 (Improper Verification of Cryptographic Signature - CWE-347)	critical	8.5	1	Vulnerability Exploitation
2978	Software Misconfiguration in Online Grant System	critical	8.5	1	Data Breach
2979	Unspecified zero-day in FreePBX (versions 16 and 17 with endpoint module installed)	critical	8.5	1	Zero-day exploitation
2980	Improper Firebase security rules (publicly accessible database)	critical	8.5	1	Data Breach
2981	Unsecured AWS bucket with direct file access via backend bug	critical	8.5	1	Data Exposure
2982	CVE-2026-0257	critical	8.5	1	Authentication Bypass
2983	Human Error (Credential Theft via Smishing)	critical	8.5	1	Data Breach / Unauthorized Access
2984	Unpatched VPN endpoint	critical	8.5	1	Ransomware Attack
2985	Gemini Browsing Tool (Web Page Summarization Data Exfiltration)	critical	8.5	1	Vulnerability Exploitation
2986	Now-patched vulnerability in Instructure’s systems	critical	8.5	1	Data Breach
2987	Lack of multi-factor authentication, Human error (victims sharing access codes)	critical	8.5	1	Phishing, Social Engineering, Identity Theft, Data Theft
2988	Stack-based buffer overflow (JVN#35567473)	critical	8.5	1	Remote Code Execution (RCE)
2989	Weaknesses in university authentication processes	critical	8.5	1	Data Breach
2990	Broken Object Level Authorization (BOLA)	critical	8.5	1	Data Breach
2991	CVE-2025-54910 (Office RCE)	critical	8.5	1	Malware (Infostealer)
2992	No Rate Limiting	critical	8.5	1	Data Breach
2993	Insufficient monitoring and control over non-human credentials	critical	8.5	1	Data Breach / Lateral Movement
2994	Insufficient Third-Party Vendor Security	critical	8.5	1	Data Breach
2995	CVE-2026-1235	critical	8.5	1	Cross-Site Scripting (XSS)
2996	Ease of onboarding and business-grade tools in fintech platforms, hybrid account functionality	critical	8.5	1	Financial Fraud, Money Laundering, Phishing
2997	Unauthorized code in third-party vendor's application	critical	8.5	1	Data Breach
2998	Insufficient Identity Management	critical	8.5	1	Data Breach
2999	third-party vendor (Salesforce) security flaw	critical	8.5	1	data breach
3000	Reliance on phone numbers for multi-factor authentication (SMS-based), weak email security, reused passwords, exposed personal data from breaches	critical	8.5	1	Mobile Fraud (SIM Swapping/Account Takeover)
3001	Stolen Usernames and Passwords	critical	8.5	1	Data Breach
3002	Predictable passwords (e.g., team names with numbers or capital letters)	critical	8.5	1	Data Breach
3003	misconfigured Azure Blob storage permissions	critical	8.5	1	data exposure
3004	Path traversal in Microsoft NLWeb (reading `/etc/passwd`, `.env`)	critical	8.5	1	Arbitrary Code Execution
3005	Security access codes obtained through deception	critical	8.5	1	Hacking, Identity Theft, Data Breach, Cyberstalking
3006	CVE-2026-1237	critical	8.5	1	Cross-Site Scripting (XSS)
3007	Major Security Flaw in Website	critical	8.5	1	Data Exposure
3008	Third-party data breaches	critical	8.5	1	Identity Theft
3009	Context Poisoning in AI Conversation History	critical	8.5	1	Data Breach
3010	Lack of Input Sanitization for Hidden Commands	critical	8.5	1	Data Breach
3011	Inadequate protection of sensitive data	critical	8.5	1	Data Breach
3012	Arbitrary Order Data Injection (CosMc’s App)	critical	8.5	1	Data Exposure
3013	Weak/Reused Passwords (from third-party sources)	critical	8.5	1	Account Takeover
3014	CVE-2025-3648	critical	8.5	1	Vulnerability Exploitation
3015	CVE-2025-68428	critical	8.5	1	Local File Inclusion / Path Traversal
3016	Misconfigured Ollama endpoints (port 11434)	critical	8.5	1	LLMjacking
3017	OpenClaw WebSocket API Authentication Bypass	critical	8.5	1	Supply Chain Attack
3018	Redis code execution	critical	8.5	1	Supply Chain Attack
3019	Lack of Physical Security for Development Device	critical	8.5	1	Trade Secret Theft
3020	Vulnerability in MOBO subscriber management tool	critical	8.5	1	Data Breach
3021	CVE-2025-22231	critical	8.5	1	Vulnerability
3022	Improper CSV processing allowing unauthenticated file reads	critical	8.5	1	SQL Injection
3023	Login and Sign-up Service	critical	8.5	1	Data Breach
3024	Lack of visibility into employee AI tool usage	critical	8.5	1	Data Leakage
3025	Publicly Available Code Repository	critical	8.5	1	Data Breach
3026	CVE-2026-4387	critical	8.5	1	Authentication Flaw
3027	WebSocket auth bypass (CVE-2025-52882, CVSS: 8.8)	critical	8.5	1	Arbitrary Code Execution
3028	Coding error in PayPal Working Capital (PPWC) loan application	critical	8.5	1	Data Breach
3029	Net-NTLMv1 Authentication Protocol	critical	8.5	1	Vulnerability Disclosure
3030	SharePoint and Defender Zero-Days (Microsoft)	critical	8.5	1	Data Breach
3031	Impersonation Feature in Employee Portals	critical	8.5	1	Data Exposure
3032	Bias and Unverified Data Propagation	critical	8.5	1	Data Privacy Issue
3033	Lack of user awareness, Apple Activation Lock bypass tools (e.g., FMI OFF), iCloud Webkit phishing kits	critical	8.5	1	Phishing, Unauthorized Unlocking, Black Market Operations
3034	lack of credential rotation	critical	8.5	1	data breach
3035	Signal’s 'linked devices' feature	critical	8.5	1	Cyber Espionage
3036	Tracking code sharing data with third-party advertisers	critical	8.5	1	Data Breach
3037	Abuse of Microsoft 365 mailbox rules and Outlook features	critical	8.5	1	Business Email Compromise (BEC)
3038	CWE-319: Cleartext Transmission of Sensitive Information (weak AES encryption)	critical	8.5	1	Data Breach
3039	Stolen Personal Data from External Sources	critical	8.5	1	Data Breach
3040	CVE-2025-54136 (MCPoison - MCP Trust Bypass)	critical	8.5	1	Vulnerability Exploitation
3041	CVE-2026-23598	critical	8.5	1	Privilege Escalation
3042	Sanctioned Platform Persistence	critical	8.5	1	Surveillance
3043	Undisclosed flaws (Smallstep step-ca)	critical	8.5	1	Vulnerability Disclosure
3044	MOVEit Server	critical	8.5	1	Data Breach
3045	CVE-2025-51683 (Blind SQL Injection)	critical	8.5	1	SQL Injection
3046	Compromised LiteLLM AI API tool versions	critical	8.5	1	Data Breach
3047	Insecure Third-Party Integration (Drift-Salesforce/Google Workspace)	critical	8.5	1	Data Breach
3048	BlueHammer (Windows zero-day)	critical	8.5	1	Zero-Day Vulnerability Disclosure
3049	Lack of input validation controls	critical	8.5	1	Data Security Audit
3050	CVE-2025-61882 (Zero-day in Oracle E-Business Suite)	critical	8.5	1	Data Breach
3051	Vendor's security shortcomings (unspecified)	critical	8.5	1	Data Breach (Third-Party Vendor)
3052	Prompt Injection (AI agent misinterprets embedded commands in untrusted data as legitimate instructions)	critical	8.5	1	Vulnerability Exploitation
3053	Citrix Software Vulnerability (specific CVE unidentified)	critical	8.5	1	Data Breach
3054	CVE-2026-3063 (Improper implementation in DevTools)	critical	8.5	1	Vulnerability Patch
3055	Oracle E-Business Suite (Zero-Day)	critical	8.5	1	Cyberattack (Data Breach)
3056	CVE-2025-0994	critical	8.5	1	Cyber Attack
3057	Time-of-Check to Time-of-Use vulnerability in Alpitronic HYC50 EV charger	critical	8.5	1	Zero-Day Vulnerabilities
3058	Authentication disabled by default in Flask-based API server	critical	8.5	1	Misconfiguration
3059	CVE-2026-28277 (Unsafe msgpack deserialization)	critical	8.5	1	Remote Code Execution (RCE)
3060	Third-party platforms used for marketing and operations	critical	8.5	1	Data Breach
3061	Unpatched vulnerabilities in third-party applications	critical	8.5	1	Third-party data exploitation
3062	Unauthorized Access to API Key	critical	8.5	1	Data Breach
3063	CVE-2025-41244 (VMware Aria Operations and VMware Tools Privilege Escalation)	critical	8.5	1	Privilege Escalation
3064	Postinstall hook abuse, self-dependency trick	critical	8.5	1	Supply Chain Attack
3065	CVE-2025-49596	critical	8.5	1	Remote Code Execution (RCE)
3066	CVE-2026-3055 (Citrix NetScaler)	critical	8.5	1	data_breach
3067	MOVEit file transfer platform vulnerability	critical	8.5	1	Data Breach
3068	AI-Specific Attack Vectors (Prompt Injection, Model Poisoning)	critical	8.5	1	Supply Chain Attack
3069	Unverified third-party package installation	critical	8.5	1	Supply Chain Attack
3070	failure to deactivate former employee accounts	critical	8.5	1	data breach
3071	Weak security practices	critical	8.5	1	Fraud/Scam
3072	Authentication vulnerabilities in Coupang's servers	critical	8.5	1	Data Breach
3073	Software vulnerability in the online shop portal	critical	8.5	1	Data Breach
3074	Bug in secondary code path failing to confirm email address match during password reset	critical	8.5	1	Account Takeover
3075	Unencrypted HTTP update mechanism in FireAnt MetaKit	critical	8.5	1	Supply-chain attack
3076	Info-stealing malware infections, lack of multi-factor authentication	critical	8.5	1	Credential Stuffing
3077	potential Oracle E-Business Suite vulnerability	critical	8.5	1	data breach
3078	Poor credential hygiene (hard-coded/exposed credentials)	critical	8.5	1	Data Breach
3079	Inadequate monitoring of low-volume, time-distributed unauthorized access	critical	8.5	1	Data Breach
3080	Credential theft via Microsoft Entra account	critical	8.5	1	Phishing Attack
3081	Inadequate cybersecurity measures (alleged)	critical	8.5	1	Data Breach
3082	CWE-20: Improper Input Validation (lack of server-side checks)	critical	8.5	1	Data Breach
3083	Technical Issue with Third-Party Service Provider	critical	8.5	1	Data Breach
3084	account takeover (ATO)	critical	8.5	1	supply-chain attack
3085	CVE-2016-5817 (Critical SQL injection in Navis WebAccess)	critical	8.5	1	cyberattack
3086	Hard-coded passwords in HTML/APIs	critical	8.5	1	Unauthorized Access
3087	Improper data retention (post-contract)	critical	8.5	1	Data Breach
3088	MOVEit® Transfer application	critical	8.5	1	Data Breach
3089	CVE-2026-22219 (SSRF)	critical	8.5	1	Vulnerability Exploitation
3090	social engineering targeting IT helpdesks	critical	8.5	1	data breach
3091	Progress Software's MOVEit secure file transfer tool	critical	8.5	1	Data Breach
3092	CVE (3 high-severity with publicly available exploit code)	critical	8.5	1	Misconfiguration
3093	Weak identity verification	critical	8.5	1	Identity Theft
3094	Credential harvesting via fake Zimbra login portal	critical	8.5	1	Phishing
3095	CVE-2025-7775	critical	8.5	1	Vulnerability Exploitation
3096	Improperly secured file on public-facing website	critical	8.5	1	Data Breach
3097	publicly accessible repositories	critical	8.5	1	data exposure
3098	Inconsistent DLP Policy Application	critical	8.5	1	Data Breach
3099	SSO Credentials (Okta)	critical	8.5	1	Data Breach
3100	CWE-506: Embedded Malicious Code	critical	8.5	1	Dependency Confusion
3101	GHSA-wpqr-6v78-jr5g (workspace trust bypass, tool allowlisting bypass, improper input validation, OS command injection)	critical	8.5	1	Remote Code Execution (RCE)
3102	Insecure 'super admin' APIs allowing unauthenticated high-privilege account creation	critical	8.5	1	Data Exposure
3103	CVE-2026-26123	critical	8.5	1	Vulnerability Exploitation
3104	Cross-border data storage without GDPR-equivalent protections	critical	8.5	1	Data Breach Risk
3105	Lack of Encryption on Laptop	critical	8.5	1	Data Breach (Physical Theft)
3106	Improper data handling via third-party tracking tools (e.g., Google Analytics, Meta Pixel)	critical	8.5	1	Data Privacy Breach
3107	Email Misdirection	critical	8.5	1	Data Breach
3108	passkey storage in password managers	critical	8.5	1	phishing
3109	Unconstrained CI/CD Service Accounts	critical	8.5	1	Identity Compromise
3110	Biometric authentication exploitation	critical	8.5	1	Data Breach
3111	Insufficient identity verification in remote hiring processes, reliance on AI-assisted deception	critical	8.5	1	Employment Fraud / Identity Theft / Cyber Espionage
3112	CVE-2026-23818 (Open Redirect in GUI Login Workflow)	critical	8.5	1	Phishing-Style Exploit
3113	limited_cybersecurity_resources	critical	8.5	1	data_breach
3114	Unencrypted data storage on DJI servers	critical	8.5	1	Data Exposure
3115	Misconfigured or repurposed API keys (e.g., Google Maps keys used for Gemini access)	critical	8.5	1	API Key Exploitation
3116	Improper handling of technical identifiers	critical	8.5	1	Data Exposure
3117	Lack of Network Segmentation in Cloud	critical	8.5	1	Cloud Security Breach
3118	Lack of Data Minimization in Blockchain Transactions	critical	8.5	1	Privacy Violation
3119	CVE-2025-43300 (Apple Zero-Day)	critical	8.5	1	Vulnerability Exploitation
3120	Third-party system vulnerability	critical	8.5	1	Data Breach
3121	CVE-2026-3519	critical	8.5	1	vulnerability
3122	CVE-2026-31431	critical	8.5	1	Local Privilege Escalation (LPE)
3123	Insufficient data filtering in AI screenshot feature	critical	8.5	1	Data Breach
3124	Delayed breach detection	critical	8.5	1	Data Breach
3125	CVE-2026-1357	critical	8.5	1	Remote Code Execution (RCE)
3126	VS Code zero-day	critical	8.5	1	Vulnerability Exploitation
3127	Overprivileged OAuth Tokens	critical	8.5	1	Data Breach (OAuth Token Compromise)
3128	CVE-2026-34621 (Prototype pollution vulnerability)	critical	8.5	1	Zero-day Exploitation
3129	Previously unknown vulnerability in Oracle E-Business Suite	critical	8.5	1	Data Breach
3130	Static Credentials in Setup Files	critical	8.5	1	Misconfiguration
3131	Compromised third-party OAuth integration	critical	8.5	1	Data Breach
3132	Bypass of tool allowlisting under --yolo mode	critical	8.5	1	Remote Code Execution (RCE)
3133	CVE-2026-23631 (DarkReplica)	critical	8.5	1	Remote Code Execution (RCE)
3134	Progress MOVEit Transfer tool	critical	8.5	1	Data Breach
3135	LLM safety guardrails bypass via iterative dialogue	critical	8.5	1	Vulnerability Exploitation
3136	UAC bypass	critical	8.5	1	Malware (RAT)
3137	Unsecured digital identities for AI agents	critical	8.5	1	Data Leakage
3138	Limited-access function in internal support portal (proxy access to customer accounts)	critical	8.5	1	Cyberattack
3139	MOVEit Secure File Transfer server	critical	8.5	1	Data Breach
3140	CVE-2025-10184 (Improper Permission Handling in OxygenOS Telephony Package)	critical	8.5	1	Vulnerability
3141	improper data retention practices (government IDs)	critical	8.5	1	data breach
3142	CVE-2025-33230	critical	8.5	1	Vulnerability
3143	Support Credentials	critical	8.5	1	Data Breach
3144	Network Access Feature in Claude (Sandbox Environment)	critical	8.5	1	Data Exfiltration
3145	Internal system flaw exposing plain text passwords	critical	8.5	1	Data Breach
3146	Critical security flaw allowing unauthorized 'super admin' account creation	critical	8.5	1	Data Breach
3147	EngageLab SDK Vulnerability (Android)	critical	8.5	1	Data Breach
3148	Zero-click indirect prompt injection (PleaseFix)	critical	8.5	1	AI Prompt Injection
3149	Abandoned domain takeover, lack of runtime URL validation in Microsoft add-ins	critical	8.5	1	Phishing
3150	Weak hiring verification, lack of device authenticity checks	critical	8.5	1	Insider Threat
3151	Stolen authentication tokens	critical	8.5	1	Data Breach
3152	Undisclosed vulnerabilities	critical	8.5	1	Zero-day exploitation
3153	Open Registration Endpoint (Design Hub)	critical	8.5	1	Data Exposure
3154	Server Security Issue	critical	8.5	1	Data Breach
3155	CVE-2026-20817 (CWE-280: Improper Handling of Insufficient Permissions)	critical	8.5	1	Privilege Escalation
3156	Human Trust (Job Seekers)	critical	8.5	1	APT (Advanced Persistent Threat)
3157	Auto-execution of URL parameters in Microsoft Copilot Personal sessions	critical	8.5	1	Prompt Injection Attack
3158	FG-IR-26-060 (CWE-288: Authentication Bypass Using an Alternate Path or Channel)	critical	8.5	1	Authentication Bypass
3159	CW1226324 (Copilot DLP bypass)	critical	8.5	1	AI Integration Bug
3160	Flaw in 'Image ID' parameter allowing URL manipulation	critical	8.5	1	Data Breach
3161	ZombieAgent (prompt injection in ChatGPT Connectors/Apps feature)	critical	8.5	1	Prompt Injection
3162	Website Setup Error	critical	8.5	1	Credential Leak
3163	Improper Authentication (MongoDB instance left unsecured)	critical	8.5	1	Data Leak
3164	CVE-2025-1724	critical	8.5	1	Authentication Vulnerability
3165	Automatic execution of npm preinstall scripts	critical	8.5	1	Supply Chain Attack
3166	CVE-2025-23121	critical	8.5	1	Vulnerability
3167	Clickjacking (CWE-1021)	critical	8.5	1	Vulnerability Disclosure
3168	Lack of Second-Layer Security Checks in API Configurations	critical	8.5	1	Data Breach
3169	Improper handling of ACME HTTP-01 challenge paths in Cloudflare WAF	critical	8.5	1	Zero-Day Vulnerability
3170	Lack of Monitoring for Existing Threats	critical	8.5	1	Data Breach
3171	Unsecured System	critical	8.5	1	Data Breach
3172	CVE-2025-33228	critical	8.5	1	Vulnerability
3173	CVE-2026-39813	critical	8.5	1	OS command injection
3174	Hardcoded LDAP credentials	critical	8.5	1	Data Breach
3175	Weak Authentication in AI Hiring System (Password '123456')	critical	8.5	1	Data Exposure
3176	Publicly Accessible Cloud Database	critical	8.5	1	Data Exposure
3177	Weak IT Help Desk Authentication Protocols	critical	8.5	1	Data Breach
3178	Lack of domain verification during account creation	critical	8.5	1	Autonomous AI-driven cyber attack
3179	GrafanaGhost (flaw in URL validation for AI components)	critical	8.5	1	Data Exfiltration
3180	Lack of person-of-interest threat profiling, limited protective measures for non-executive employees, absence of automated defenses against AI agents	critical	8.5	1	AI-driven impersonation attack
3181	CVE-2023-33538	critical	8.5	1	Botnet Deployment
3182	Unauthenticated access via installed apps on streaming devices	critical	8.5	1	Unauthorized Proxy Network
3183	Unsecured database, malware infection via phishing emails/malicious websites/cracked software	critical	8.5	1	Data Exposure
3184	CVE-2026-27739	critical	8.5	1	SSRF (Server-Side Request Forgery)
3185	Expired domain takeover, lack of ongoing security validation for Office add-ins	critical	8.5	1	Phishing, Credential Theft, Data Exfiltration
3186	Insufficient Bot Detection/Prevention	critical	8.5	1	Cyberattack
3187	Insufficient input sanitization in Drupal’s database API	critical	8.5	1	SQL Injection
3188	Chrome’s App-Bound Encryption	critical	8.5	1	Malware
3189	Missing row-level security (RLS), role-based access controls, and logic flaws in authentication	critical	8.5	1	Data Breach
3190	Docker container escape	critical	8.5	1	Supply Chain Attack
3191	Open-access data sharing model and inadvertent exposure of raw data through published code	critical	8.5	1	Data Breach
3192	Inadequate safeguards for personal information	critical	8.5	1	Data Breach
3193	Inadequate safeguards	critical	8.5	1	Data Breach
3194	CVE-2025-33229	critical	8.5	1	Vulnerability
3195	CVE-2026-25049	critical	8.5	1	Supply Chain Attack
3196	Insufficient internal access controls	critical	8.5	1	Data Breach
3197	Software Vulnerabilities	critical	8.5	1	Data Breach
3198	Android Accessibility Services	critical	8.5	1	Malware (Banking Trojan)
3199	Unpatched CMS vulnerability	critical	8.5	1	Supply-Chain Attack
3200	Lack of user vigilance, Newly registered malicious domains	critical	8.5	1	Spoofing, Phishing, Brand Impersonation
3201	Misconfigured Remote Access Systems	critical	8.5	1	Data Breach
3202	Unregulated AI Tool Integration	critical	8.5	1	Data Privacy Fragmentation
3203	Unauthorized access to Microsoft Office 365 email account	critical	8.5	1	Data Breach
3204	Inadequate encryption, insufficient vendor security vetting	critical	8.5	1	Data Breach
3205	Lack of default sandboxing, Ineffective filtering of untrusted content, Plaintext storage of API keys and session tokens, Reliance on language models for critical security decisions, Execution of tool calls without explicit user approval	critical	8.5	1	Malware Distribution, Data Exfiltration, Prompt Injection, Backdoor Installation
3206	Misconfiguration in Trivy vulnerability scanner	critical	8.5	1	Supply Chain Attack
3207	Weak Third-party Security	critical	8.5	1	Data Breach
3208	Misconfiguration in Salesforce environment, lack of least privilege principle, absence of Zero Trust architecture, inadequate behavioral monitoring	critical	8.5	1	Data Breach
3209	Incorrectly configured database	critical	8.5	1	Data Leak
3210	CVE-2025-61884 (CVSS 7.5 - Information Disclosure in Runtime UI)	critical	8.5	1	Vulnerability Exploitation
3211	CWE-284: Improper Access Control	critical	8.5	1	Data Exposure
3212	Plaintext Password Transmission (Design Hub)	critical	8.5	1	Data Exposure
3213	CWE-862 (Missing Authorization)	critical	8.5	1	Vulnerability Exploitation
3214	FortiGate VPN vulnerabilities	critical	8.5	1	Ransomware
3215	Vulnerabilities in Salesforce-hosted databases	critical	8.5	1	Data Breach
3216	Insecure processing of untrusted input by AI agents in GitHub Actions	critical	8.5	1	Prompt Injection Attack
3217	Insecure Amazon S3 databases	critical	8.5	1	Data Exposure
3218	Lack of cybersecurity hygiene, insufficient vendor expertise	critical	8.5	1	Security Probe
3219	Mistake that exposed personal and financial information	critical	8.5	1	Data Breach
3220	Unauthenticated Access	critical	8.5	1	Data Breach
3221	Potential unauthorized access to LDLC's customer database (timing suggests link to LDLC's server breach)	critical	8.5	1	phishing
3222	Apple Notarization Bypass (ChillyHell)	critical	8.5	1	Malware (Infostealer)
3223	CVE-2026-39987 (CVSS 9.3)	critical	8.5	1	Remote Code Execution (RCE)
3224	Improper key management, lack of automated key rotation	critical	8.5	1	Data Leak
3225	Employee Bypass of Sanctioned Tools	critical	8.5	1	Data Leakage
3226	Open-source web administration tool (undisclosed)	critical	8.5	1	Zero-Day Exploit
3227	Publicly accessible database without proper security measures	critical	8.5	1	Data Exposure
3228	CVE-2026-34926 (Directory Traversal - CWE-23)	critical	8.5	1	Vulnerability Exploitation
3229	Progress Software’s MOVEit Transfer solution	critical	8.5	1	Data Breach
3230	Flawed auto-populate feature in online quote platform	critical	8.5	1	Data Exposure
3231	CVE-2026-23111 (Use-after-free in nftables subsystem)	critical	8.5	1	Vulnerability Exploitation
3232	MOVEit Transfer programme zero-day vulnerability	critical	8.5	1	Data Breach
3233	Decentralized data movement systems	critical	8.5	1	Data Governance Blind Spot
3234	Social Engineering (Fake App Update)	critical	8.5	1	Cyberespionage
3235	Lack of End-to-End Encryption	critical	8.5	1	Data Collection
3236	CVE-2026-25172	critical	8.5	1	Remote Code Execution (RCE)
3237	CVE-2025-3102	critical	8.5	1	Vulnerability Exploitation
3238	Abuse of Microsoft Phone Link synchronization feature, living-off-the-land binaries (LOLBins)	critical	8.5	1	Cyberespionage, Malware Attack
3239	Vulnerability in SonicWall firewall	critical	8.5	1	Data Breach
3240	CVE-2026-34040	critical	8.5	1	Vulnerability Exploitation
3241	Double-free flaw in `rds_message_zcopy_from_user()` function (CVE pending)	critical	8.5	1	Local Privilege Escalation (LPE)
3242	Lack of Secure Document Destruction Procedures	critical	8.5	1	Data Breach (Improper Disposal / Physical Security Failure)
3243	Lack of software updates for gear shifters	critical	8.5	1	Vulnerability Exploitation
3244	Security hole in MOVEit Transfer software	critical	8.5	1	Ransomware
3245	CVE-2025-67601	critical	8.5	1	Vulnerability Exploitation
3246	Phishing-susceptible MFA methods	critical	8.5	1	Data Breach
3247	Zero-day vulnerability in MOVEit Transfer application	critical	8.5	1	Data Breach
3248	Unauthorized Plugin	critical	8.5	1	Data Breach
3249	Weak security measures in credit card terminals	critical	8.5	1	Cyber Crime
3250	Transaction Front-running	critical	8.5	1	Security Breach
3251	CVE-2026-20700 (Memory-corruption in dyld component)	critical	8.5	1	Zero-Day Exploit
3252	Improper Access Controls, Undisclosed System Features	critical	8.5	1	Unauthorized Data Access
3253	Unauthenticated Access to TRT Tool (Employee Data)	critical	8.5	1	Data Exposure
3254	CVE-2026-24512	critical	8.5	1	Supply Chain Attack
3255	Lack of Cybersecurity Leadership	critical	8.5	1	Potential Data Breach
3256	Reused passwords from data leaks	critical	8.5	1	Fraud/Scam
3257	Weak User Authentication	critical	8.5	1	Data Breach
3258	Internal Glitch	critical	8.5	1	Data Exposure
3259	CVE-2025-30247 (OS Command Injection in My Cloud UI)	critical	8.5	1	Vulnerability
3260	Lack of Authentication on Cloud Storage	critical	8.5	1	Data Exposure
3261	Identity and Access Management (IAM) Failures	critical	8.5	1	Data Breach
3262	CVE-2026-49157	critical	8.5	1	Vulnerability Disclosure
3263	CVE-2025-9242 (Out-of-bounds write in Fireware OS ‘iked’ process)	critical	8.5	1	Vulnerability Exposure
3264	Perimeter security measures	critical	8.5	1	Data Breach
3265	Misconfigured Amazon Web Services S3 buckets	critical	8.5	1	Data Leak
3266	Inadequate safeguards for international data transfers	critical	8.5	1	Data Breach
3267	CVE-2025-32896	critical	8.5	1	Remote Code Execution (RCE)
3268	Unencrypted data at rest in shared app containers, macOS sandbox bypass (CVE-2026-28910)	critical	8.5	1	Data Exposure
3269	CVE-2026-9614 (CWE-284: Improper Access Control)	critical	8.5	1	Privilege Escalation
3270	Unauthorized access to INEC portal and improper data handling protocols	critical	8.5	1	Data Breach
3271	Poor Cybersecurity Practices	critical	8.5	1	Data Breach
3272	Unmonitored Data Exfiltration via AI Prompts	critical	8.5	1	Data Leakage
3273	Software vulnerabilities (AI-accelerated identification)	critical	8.5	1	Cyber Espionage, Critical Infrastructure Attack, Data Breach
3274	Unencrypted student data	critical	8.5	1	Data Breach
3275	CVE-2025-67644	critical	8.5	1	Data Exfiltration
3276	Authentication bypass in Passwordstate Emergency Access (CVE pending)	critical	8.5	1	Authentication Bypass Vulnerability
3277	weaknesses in backend systems	critical	8.5	1	data breach
3278	CVE-2026-21514 (CWE-807)	critical	8.5	1	Security Feature Bypass
3279	Mirasvit Full Page Cache Warmer flaw	critical	8.5	1	Vulnerability Exploitation
3280	Third-party authentication (Okta SSO)	critical	8.5	1	Data Breach
3281	CVE-2023-6895	critical	8.5	1	Espionage
3282	compromised signed access token	critical	8.5	1	data breach
3283	Limited IT Infrastructure	critical	8.5	1	Data Privacy Fragmentation
3284	Legitimate third-party cloud systems bypass	critical	8.5	1	Data Breach
3285	Cloud Vendor Compromise	critical	8.5	1	Data Breach
3286	Logic error in NextAuth JWT callback (GHSA-7hg4-x4pr-3hrg)	critical	8.5	1	Authentication Bypass
3287	Social engineering (impersonation of Signal Support)	critical	8.5	1	Phishing
3288	CVE-2026-27970	critical	8.5	1	Cross-Site Scripting (XSS)
3289	Social Engineering, macOS TCC Bypass (SQL Injection into Privacy Database)	critical	8.5	1	Phishing, Malware
3290	SS7/Diameter Protocol Flaws	critical	8.5	1	Data Breach
3291	Exposed Elasticsearch Database without Password	critical	8.5	1	Data Breach
3292	CVE-2026-34070	critical	8.5	1	Data Exfiltration
3293	Third-Party Application Misconfiguration	critical	8.5	1	Data Breach
3294	MOVEit Transfer Server Vulnerability	critical	8.5	1	Data Breach
3295	weak access controls at third-party vendor	critical	8.5	1	data breach
3296	Vulnerability with technology vendor	critical	8.5	1	Data Breach
3297	Weaknesses in IVR System Authentication	critical	8.5	1	Cyberattack
3298	Inadequate security awareness training	critical	8.5	1	Phishing
3299	Lack of Multi-Layered Authentication for Integrations	critical	8.5	1	Data Breach
3300	FortiGate Misconfiguration	critical	8.5	1	Zero-day Exploitation
3301	Debug Log File	critical	8.5	1	Data Breach
3302	unauthorized data upload to external platform	critical	8.5	1	data breach
3303	Fragmented Token Extraction via Optical/Transcription Methods	critical	8.5	1	Prompt Extraction
3304	Zero-day vulnerability in third-party software (patched post-incident)	critical	8.5	1	Data Breach
3305	Known security flaw (back door) in License Express system	critical	8.5	1	Data Exposure
3306	CVE-2026-2836	critical	8.5	1	HTTP Request Smuggling
3307	Malware deployment on third-party vendor employee device	critical	8.5	1	Data Breach
3308	CVE-2025-49844	critical	8.5	1	Botnet Infection
3309	AI-Generated Convincing Impersonations	critical	8.5	1	Data Breach
3310	Social engineering, in-memory execution, process hollowing, AMSI/ETW bypass	critical	8.5	1	Spear-Phishing, Malware (Keylogger), Credential Theft
3311	Third-party secure file transfer tool vulnerability	critical	8.5	1	Data Breach
3312	Adobe Reader	critical	8.5	1	Cyber Attack
3313	delayed breach notifications	critical	8.5	1	ransomware
3314	Inconsistent DLP controls	critical	8.5	1	Data Breach
3315	Unsecured server, weak account security	critical	8.5	1	Data Breach
3316	Gemini Cloud Assist (Log Summarization Flaw)	critical	8.5	1	Vulnerability Exploitation
3317	CVE-2026-1220 (Race Condition in V8 JavaScript Engine)	critical	8.5	1	Vulnerability Exploitation
3318	CVE-2026-21509 (Microsoft Office Security Feature Bypass)	critical	8.5	1	Cyber-Espionage
3319	Exposed API Keys	critical	8.5	1	Cloud Security Breach
3320	Insecure Age-Verification System	critical	8.5	1	Surveillance
3321	WinRAR vulnerability	critical	8.5	1	Vulnerability Exploitation
3322	Chrome’s App-Bound Encryption (ABE) Bypass	critical	8.5	1	Infostealer Attack
3323	GraphQL API Misconfiguration	critical	8.5	1	Data Leak
3324	Lack of access controls and encryption	critical	8.5	1	Data Breach
3325	Use of Unlicensed Software	critical	8.5	1	Malware
3326	DOM-Based UI Manipulation	critical	8.5	1	Vulnerability Disclosure
3327	Click2Gov Payment System	critical	8.5	1	Data Breach
3328	third-party integrations (speculated)	critical	8.5	1	data breach
3329	SWIFT system vulnerability	critical	8.5	1	ATM cash-out fraud
3330	Customer Contract Search Tool	critical	8.5	1	Data Breach
3331	AcroForms, FlateDecode (PDF features), abuse of legitimate cloud services (Vercel Blob storage)	critical	8.5	1	Phishing
3332	Multi-Factor Authentication (MFA) bypass, Session token hijacking, Credential theft via phishing kits	critical	8.5	1	Phishing/Vishing, Credential Theft, Data Breach, Session Hijacking
3333	Unverified Update Mechanism (Lack of Code Signing)	critical	8.5	1	Vulnerability
3334	CVE-2024-38197	critical	8.5	1	Identity Spoofing
3335	Over-permissioned OAuth scopes	critical	8.5	1	Data Breach
3336	CVE-2026-46333 (Race condition in __ptrace_may_access())	critical	8.5	1	Privilege Escalation
3337	Unmonitored mass data downloads/email exfiltration	critical	8.5	1	Data Breach
3338	Incorrect access settings	critical	8.5	1	Data Breach
3339	Unmaintained VPN remote access server, inadequate network monitoring, ambiguous division of responsibilities, accumulation of unmanaged data on network drives	critical	8.5	1	Data Breach
3340	Exposed Elasticsearch Database	critical	8.5	1	Data Leak
3341	Obfuscated Payloads	critical	8.5	1	Phishing
3342	Unsecured cloud storage, inadequate access controls, insufficient monitoring	critical	8.5	1	Data Exposure
3343	Remote Work Vulnerabilities (COVID-19 Exploitation)	critical	8.5	1	Data Breach
3344	Lack of Multi-Factor Authentication (MFA) (inferred)	critical	8.5	1	Data Breach
3345	Outdated SCADA systems, integrated IT/OT environment	critical	8.5	1	Ransomware
3346	Contact-importing features	critical	8.5	1	Data Leak
3347	Misuse of legitimate access credentials post-employment	critical	8.5	1	Data Breach
3348	Remote code execution vulnerability in Secure Mobile Access (SMA) appliances	critical	8.5	1	Remote Code Execution
3349	Lack of Physical Security / Unencrypted Device	critical	8.5	1	Data Breach (Physical Theft)
3350	compromised Booking.com accounts	critical	8.5	1	phishing
3351	Impersonation of legitimate Go module (golang.org/x/crypto)	critical	8.5	1	Supply-Chain Attack
3352	Single Sign-On (SSO) accounts (Okta and other identity platforms), MFA manipulation	critical	8.5	1	Phishing (Vishing), Data Breach, Credential Theft
3353	Docker MCP Gateway RCE	critical	8.5	1	Supply Chain Attack
3354	Stack-based buffer overflow (Libbiosig)	critical	8.5	1	Vulnerability Disclosure
3355	Reused usernames, weak security questions, password reuse	critical	8.5	1	Data Breach
3356	lack of secret scanning	critical	8.5	1	data exposure
3357	Credential-based attack	critical	8.5	1	Data Breach
3358	Meraki API keys, unsecured surveillance systems	critical	8.5	1	Data Breach
3359	Failure to Enforce 'Minimum Necessary' HIPAA Requirements	critical	8.5	1	Data Breach
3360	Improper sanitization of authorization URLs in n8n	critical	8.5	1	Stored Cross-Site Scripting (XSS)
3361	Frontend Access Control	critical	8.5	1	DNS Hijacking
3362	Unsafe workspace trust handling	critical	8.5	1	Remote Code Execution (RCE)
3363	weak threat-detection system	critical	8.5	1	data breach
3364	Insufficient URL Security	critical	8.5	1	Data Breach
3365	lack of monitoring	critical	8.5	1	data breach
3366	Valid Log-in Credentials	critical	8.5	1	Data Breach
3367	Human vulnerability (bribery of overseas support agents)	critical	8.5	1	Data Breach
3368	46 vulnerabilities in inverters from Sungrow, Growatt, and SMA	critical	8.5	1	Firmware-level attack
3369	hardcoded credentials in source code	critical	8.5	1	data breach
3370	CVE-2026-22218 (CVSS 7.1)	critical	8.5	1	Data Breach
3371	CVE-2026-46376 (Use of Hard-coded Credentials - CWE-798)	critical	8.5	1	Vulnerability Exploitation
3372	Misconfigured Salesforce instances	critical	8.5	1	Data Breach
3373	Social engineering, lack of multi-factor authentication	critical	8.5	1	Phishing Campaign
3374	Improper validation of key descriptions in the CIFs.Spnego key type (logic flaw between Linux kernel’s CIFS client and cifs-utils package)	critical	8.5	1	Local Privilege Escalation (LPE)
3375	inadequate cloud security measures	critical	8.5	1	data breach
3376	Login Page Bug	critical	8.5	1	Data Breach
3377	Lack of encryption in radio communications used by public health systems	critical	8.5	1	Data Breach
3378	CVE-2026-2447 (Heap buffer overflow in libvpx video codec)	critical	8.5	1	Vulnerability Exploitation
3379	CVE-2026-3062 (Out-of-bounds read/write in Tint shader engine)	critical	8.5	1	Vulnerability Patch
3380	Human Error (Compromised Employee Email Account)	critical	8.5	1	Data Breach
3381	Publicly accessible production chatbots	critical	8.5	1	LLMjacking
3382	Client-Side Reward Points Validation (Mobile App)	critical	8.5	1	Data Exposure
3383	Lack of access controls and monitoring	critical	8.5	1	Unauthorized Data Access
3384	Unprotected personal data in financial/healthcare systems	critical	8.5	1	Identity Theft
3385	Hardcoded Supabase API key in client-side JavaScript with no Row Level Security (RLS) policies	critical	8.5	1	Data Breach
3386	ConnectWise software vulnerability	critical	8.5	1	Data Breach
3387	zero-day_vulnerabilities	critical	8.5	1	data_breach
3388	Email and SharePoint account access	critical	8.5	1	Data Breach
3389	Legitimate API traffic for command-and-control (C2) communications	critical	8.5	1	Cyber Espionage
3390	Lack of user consent for data sharing with third-party ad platforms	critical	8.5	1	Privacy Violation
3391	Account Compromise	critical	8.5	1	Data Breach
3392	Bypassed multi-factor authentication (MFA)	critical	8.5	1	Data Breach
3393	no encryption	critical	8.5	1	data breach
3394	human error (employee tricked into clicking malicious link)	critical	8.5	1	phishing
3395	Exposed NPM token from misconfigured CircleCI job (suspected)	critical	8.5	1	Supply-Chain Attack
3396	ProxyLogon/ProxyShell/ProxyNotShell (Microsoft Exchange)	critical	8.5	1	Exploit Trends
3397	Misconfigured access control, lack of IP whitelisting	critical	8.5	1	Data Leak
3398	CSRF Protection Mechanism in Ruby on Rails	critical	8.5	1	Vulnerability
3399	High-severity vulnerability in ADSelfService Plus software	critical	8.5	1	Vulnerability Exploit
3400	MOVEit Transfer Vulnerability (CVE-2023-34362)	critical	8.5	1	Data Breach
3401	CVE-2025-54236 (SessionReaper)	critical	8.5	1	Vulnerability Exploitation
3402	MOVEit file transfer platform	critical	8.5	1	Data Breach
3403	CVE-2025-40778 (Logic Flaw in BIND 9’s Resolver - Bailiwick Principle Violation)	critical	8.5	1	Vulnerability
3404	Lack of Multi-Factor Authentication (implied)	critical	8.5	1	Data Breach
3405	Incorrect System Settings	critical	8.5	1	Data Leak
3406	Human Error (Employee Compromise)	critical	8.5	1	Data Breach
3407	Name-squatting and postinstall script execution	critical	8.5	1	Supply Chain Attack
3408	CVE-2025-0520 (ShowDoc)	critical	8.5	1	Vulnerability Exploitation
3409	Improper Access by Employee	critical	8.5	1	Data Breach
3410	Session hijacking	critical	8.5	1	Malware (RAT)
3411	Inadequate acceptable use policies for AI	critical	8.5	1	Data Leakage
3412	Trusted domain abuse (googletagmanager.com, api.stripe.com), lack of strict content security policies (CSP)	critical	8.5	1	Magecart (Digital Skimming)
3413	Lack of Data Encryption in University Advancement Database	critical	8.5	1	Data Breach
3414	Insufficient data encryption	critical	8.5	1	Data Breach
3415	third-party_file_transfer_solutions	critical	8.5	1	data_breach
3416	Shared Access Protocols with Weak Authentication	critical	8.5	1	Data Breach
3417	Spree IDOR Flaws (CVE-2026-22588/22589)	critical	8.5	1	Supply Chain Attack
3418	Compromised financial advisors' devices	critical	8.5	1	Cybersecurity Breach
3419	Poor Internal Access Controls	critical	8.5	1	Data Breach
3420	CVE-2025-1080	critical	8.5	1	Remote Code Execution
3421	Fail-open design in security scanning system (CWE-636: Not Failing Securely)	critical	8.5	1	Supply Chain Attack
3422	CVE-2025-0520 (CVSS 9.4)	critical	8.5	1	Remote Code Execution (RCE)
3423	CVE-2026-21876	critical	8.5	1	vulnerability
3424	Plain text credential storage in memory	critical	8.5	1	Vulnerability Exploitation
3425	Inadequate Audit Logs	critical	8.5	1	Data Breach
3426	Unauthorized access by staff	critical	8.5	1	Data Breach
3427	Weak authentication in verification APIs	critical	8.5	1	Data Breach Risk
3428	CWE-269: Improper Privilege Management	critical	8.5	1	Data Exposure
3429	CVE-2026-20098	critical	8.5	1	Vulnerability Exploitation
3430	Unfixed JavaScript execution flaw in Chromium Service Worker	critical	8.5	1	Remote Code Execution (RCE)
3431	Over-Permissive Access to CRM/Donor Data	critical	8.5	1	Data Breach
3432	Software misconfiguration exposing files to the internet	critical	8.5	1	Data Breach
3433	F5 BIG-IP AMP vulnerability	critical	8.5	1	data_breach
3434	CVE-2026-3338	critical	8.5	1	Cryptographic Vulnerability
3435	CVE-2025-14756	critical	8.5	1	Command Injection
3436	Absence of phishing-resistant MFA	critical	8.5	1	Data Breach
3437	open-source_software_vulnerabilities	critical	8.5	1	data_breach
3438	Human Trust and Psychological Manipulation	critical	8.5	1	Cryptocurrency Investment Fraud
3439	Centralized biometric databases, Lack of robust safeguards, Third-party vendor vulnerabilities	critical	8.5	1	Data Breach
3440	Use of Pirated Corporate Software	critical	8.5	1	Info-Stealing
3441	Known system vulnerability	critical	8.5	1	Data Breach
3442	CVE-2026-1281	critical	8.5	1	Vulnerability Exploitation
3443	Account recovery workflows (password resets, MFA re-enrollment, help-desk recovery requests)	critical	8.5	1	Identity Breach
3444	Insufficient DLP and behavioral analytics	critical	8.5	1	Data Breach
3445	Lack of organization-wide two-factor authentication	critical	8.5	1	Data Breach
3446	CVE-2026-3098	critical	8.5	1	Vulnerability Exploitation
3447	Auto-execution of `runOptions.runOn: 'folderOpen'` in tasks	critical	8.5	1	Arbitrary Code Execution
3448	CVE-2026-23595	critical	8.5	1	Privilege Escalation
3449	Unprotected publicly accessible database	critical	8.5	1	Data Leak
3450	Lack of least-privilege access controls	critical	8.5	1	Data Breach
3451	Human (Employee Susceptibility to Phishing)	critical	8.5	1	Data Breach
3452	third-party security gaps	critical	8.5	1	data breach
3453	Inactive user accounts not deactivated	critical	8.5	1	Data Breach
3454	Lack of transparency in AI decision-making	critical	8.5	1	Cybersecurity Risk Assessment
3455	Coruna (23 distinct security flaws)	critical	8.5	1	Vulnerability Exploitation
3456	Hardcoded secrets in AI-generated code, MCP configurations, overprivileged access	critical	8.5	1	Data Leak
3457	Incorrect privacy settings on public maps	critical	8.5	1	Data Exposure
3458	shadow_AI	critical	8.5	1	data_breach
3459	inadequate validation of third-party services (Cloudflare Pages)	critical	8.5	1	phishing
3460	Insufficient Conditional Access Controls	critical	8.5	1	Cloud Security Breach
3461	Improperly configured AWS S3 storage	critical	8.5	1	Data Breach
3462	lack of enterprise-grade security for AI tools	critical	8.5	1	ransomware
3463	Centralized Points of Failure in Hybrid Platforms	critical	8.5	1	Privacy Violation
3464	CVE-not-yet-assigned (as of description) – RCE via `new Function()` in `expr-eval` < 2.0.2	critical	8.5	1	Vulnerability
3465	MOVEit file transfer service vulnerability	critical	8.5	1	Data Breach
3466	SMS phishing (smishing) attack	critical	8.5	1	Data Breach
3467	lack of access controls and encryption for cloud-hosted databases	critical	8.5	1	data breach
3468	Path traversal (27.3%)	critical	8.5	1	API Security Breach
3469	CVE-2023-32409 (WebKit Sandbox Escape - IronLoader)	critical	8.5	1	Exploit Kit / Malware Campaign
3470	System misconfiguration reactivating disabled feature	critical	8.5	1	Data Breach
3471	Unusual access to GitHub repositories	critical	8.5	1	Hacking/Unauthorized Access
3472	Lack of end-to-end encryption for ID uploads	critical	8.5	1	Data Breach Risk
3473	Inadequate physical access controls	critical	8.5	1	Data Breach
3474	Unsecured Data Transfer Methods	critical	8.5	1	Insider Threat
3475	Computer Virus	critical	8.5	1	Data Breach
3476	Vulnerability management failures	critical	8.5	1	Data Breach
3477	Misconfigured Google Firebase database	critical	8.5	1	Data Breach
3478	Timing Attack via Rendering Pipeline	critical	8.5	1	Data Theft
3479	improper access controls / misconfigured portal	critical	8.5	1	data breach
3480	Flawed eagerParseCliFlag function in main.tsx, improper CLI flag parsing, and workspace trust dialog bypass	critical	8.5	1	Remote Code Execution (RCE)
3481	Zero-day vulnerabilities in Microsoft Exchange Server	critical	8.5	1	Cyberespionage
3482	AMPScript/SSJS template injection	critical	8.5	1	Data Breach
3483	Lack of Command-Line Execution Awareness	critical	8.5	1	APT (Advanced Persistent Threat)
3484	CVE-2025-43520	critical	8.5	1	Exploit Kit
3485	Undisclosed zero-day vulnerability in WhatsApp calling feature	critical	8.5	1	Zero-Day Exploit
3486	Unencrypted Computers	critical	8.5	1	Data Breach
3487	Unspecified coding error in SchoolMessenger application	critical	8.5	1	Data Breach
3488	Lack of user verification for extension authenticity and over-permissioned access	critical	8.5	1	Malware (Malicious Browser Extension)
3489	E-commerce System	critical	8.5	1	Data Breach
3490	Unencrypted data storage in an internet-accessible environment	critical	8.5	1	Data Breach
3491	CVE (not specified)	critical	8.5	1	Vulnerability Exploitation
3492	Inadequate internal controls and monitoring mechanisms	critical	8.5	1	Unauthorized Data Access
3493	CVE-2026-45447 (heap use-after-free in PKCS#7 signature verification)	critical	8.5	1	Vulnerability Disclosure
3494	Multi-factor Authentication (MFA) Bypass, Credential Theft	critical	8.5	1	Vishing (Voice Phishing)
3495	npm run dev execution	critical	8.5	1	Supply Chain Attack
3496	CVE-2026-20163 (Improper Neutralization of Special Elements used in a Command - CWE-77)	critical	8.5	1	Remote Command Execution (RCE)
3497	Accellion File Transfer Appliance vulnerability	critical	8.5	1	Data Breach
3498	CVE-2025-59489 (Unity Editor Command-Line Argument Injection)	critical	8.5	1	Vulnerability
3499	Secure file transfer software	critical	8.5	1	Data Breach
3500	Shared contractor accounts, API key exposure, URL convention deduction	critical	8.5	1	Unauthorized Access
3501	Typosquatting, impersonation, and automatic execution of post-install scripts	critical	8.5	1	Supply Chain Attack
3502	Unpatched React frontend application	critical	8.5	1	Data Breach
3503	Expired email domain allowing credential reset	critical	8.5	1	Supply Chain Attack
3504	Weak encryption	critical	8.5	1	Data Breach
3505	Human Error (Failure to Redact Sensitive Data)	critical	8.5	1	Data Breach (Unintentional Disclosure)
3506	Lack of monitoring for suspicious activity	critical	8.5	1	Data Breach
3507	Privilege Escalation Flaw in FIA Driver Categorisation Website	critical	8.5	1	Data Breach
3508	Hardcoded file path in OpenSSL integration (CVE-2026-3991)	critical	8.5	1	Local Privilege Escalation (LPE)
3509	Improper Handling of Sensitive Data	critical	8.5	1	Data Breach
3510	Lack of Privacy-Preserving Mechanisms in QML	critical	8.5	1	Privacy Breach
3511	Human error, lack of centralized IT control, decentralized IT departments	critical	8.5	1	Data Breach
3512	Inadequate security measures (unspecified)	critical	8.5	1	Data Breach
3513	unpatched_systems	critical	8.5	1	data_breach
3514	Windows’ Restart Manager (RstrtMgr.dll) exploitation for disabling security processes	critical	8.5	1	Potentially Unwanted Application (PUA)
3515	Verbose error messages exposing OAuth 2.0 bearer tokens	critical	8.5	1	Phishing, Data Theft, Persistent Access
3516	Use-After-Free	critical	8.5	1	Privilege Escalation
3517	Lack of DNS query monitoring in ChatGPT's execution environment	critical	8.5	1	Data Exfiltration
3518	Lack of prompt injection detection	critical	8.5	1	Data Breach
3519	Kademlia-based P2P Network	critical	8.5	1	Zero-day Exploitation
3520	Insufficient user identification and authentication (UIA) controls	critical	8.5	1	Data Security Audit
3521	CVE-2026-2285	critical	8.5	1	Remote Code Execution
3522	CVE-2025-12807 (SQL Injection)	critical	8.5	1	Denial-of-Service
3523	Inadequate security on WordPress-hosted infrastructure	critical	8.5	1	Data Breach
3524	Bypassing Google’s App-Bound Encryption and endpoint security tools via remote decryption	critical	8.5	1	Infostealer Malware
3525	Inadequate cybersecurity measures	critical	8.5	1	Data Breach
3526	AVrecon Malware	critical	8.5	1	Zero-day Exploitation
3527	CVE-2025-55227 (SQL Server Privilege Escalation)	critical	8.5	1	Malware (Infostealer)
3528	Sequentially numbered and guessable URLs	critical	8.5	1	Data Exposure
3529	CVE-2025-47934	critical	8.5	1	Vulnerability Exploitation
3530	Improper pinning of user pages in `rds_message_zcopy_from_user()` function (RDS zerocopy send path)	critical	8.5	1	Local Privilege Escalation (LPE)
3531	Unencrypted and non-password-protected database	critical	8.5	1	Data Leak
3532	CVE-2017-3881 (Cluster Management Protocol RCE in Cisco IOS/IOS XE)	critical	8.5	1	unauthorized access
3533	untested incident response plans	critical	8.5	1	ransomware
3534	Default public settings in low-code/AI tools	critical	8.5	1	Data Exposure
3535	Network Segmentation Protocols	critical	8.5	1	Data Breach
3536	CVE-2024-3210	critical	8.5	1	Data Breach
3537	Improper deployment of third-party tracking technologies on public website leading to unauthorized data transfer	critical	8.5	1	Data Privacy Violation
3538	CVE-2025-14847 (MongoBleed) - unverified	critical	8.5	1	In-game abuse
3539	Static default password in remote desktop software	critical	8.5	1	Data Breach
3540	Data security lapse	critical	8.5	1	Data Breach
3541	Broad permissions granted to browser extensions	critical	8.5	1	Data Theft
3542	CVE-2026-23594	critical	8.5	1	Privilege Escalation
3543	Decentralized Security Coordination	critical	8.5	1	Data Breach
3544	Cloaking	critical	8.5	1	Phishing
3545	Unsecured APIs, shared keys	critical	8.5	1	Data Breach
3546	Lack of regulatory compliance and proper data handling procedures	critical	8.5	1	Data Breach
3547	Insider Threat / Unauthorized Access	critical	8.5	1	Data Breach
3548	Inadequately secured network (Salesloft)	critical	8.5	1	Data Breach (Third-Party Vendor Compromise)
3549	Lack of API Key Ownership Validation	critical	8.5	1	Data Exfiltration
3550	Partner system compromise leading to unauthorized API access	critical	8.5	1	Data Exposure
3551	CVE-2015-2051 (D-Link Dir-645)	critical	8.5	1	Exploit Trends
3552	Human Error (Social Engineering via Phone Calls)	critical	8.5	1	Data Breach
3553	Human Error (Employee Susceptibility to Social Engineering)	critical	8.5	1	Data Breach (Social Engineering)
3554	CVE-2025-8088 (WinRAR path traversal flaw in Windows versions < 7.13)	critical	8.5	1	Zero-day exploit
3555	Critical CVEs	critical	8.5	1	Identity Compromise
3556	CVE-2026-26980 (SQL Injection in Ghost CMS)	critical	8.5	1	SQL Injection, Malware Campaign
3557	Legal loophole exempting political parties from provincial privacy regulations	critical	8.5	1	Data Breach
3558	Human Error (Improper Handling of Public Records Request)	critical	8.5	1	Data Breach (Unintentional Disclosure)
3559	Unlimited Coupon Redemptions (CosMc’s App)	critical	8.5	1	Data Exposure
3560	Human Error (Employee Susceptibility to Phishing)	critical	8.5	1	Data Breach
3561	Lack of authentication and access controls in Firebase instances	critical	8.5	1	Data Breach
3562	inadequate staff training	critical	8.5	1	data breach
3563	CVE-2026-20040	critical	8.5	1	Privilege Escalation
3564	Lack of AI-Specific Security Controls	critical	8.5	1	Supply Chain Attack
3565	human trust in legacy inheritance process	critical	8.5	1	phishing
3566	Lack of Encryption on Portable Device	critical	8.5	1	Data Breach (Physical Theft)
3567	High-severity flaws	critical	8.5	1	Zero-day exploitation
3568	User Trust in Signature Requests	critical	8.5	1	DNS Hijacking
3569	A setting within one of Petco's software applications that inadvertently allowed certain files to be accessible online	critical	8.5	1	Data Breach
3570	Pointer authentication (PAC) bypasses	critical	8.5	1	Exploit Kit
3571	Public chat rooms unencrypted and accessible to any user, hardcoded LDAP credentials in shared scripts	critical	8.5	1	Data Breach
3572	AutoConsent JS bridge in DuckDuckGo Android browser (UXSS)	critical	8.5	1	Vulnerability Exploitation
3573	Lack of proper access controls or oversight during training	critical	8.5	1	Data Breach / Espionage
3574	CVE-2025-5775	critical	8.5	1	Reconnaissance
3575	CVE-2025-54135	critical	8.5	1	Vulnerability Exploitation
3576	CVE-2026-XXXXX (Local WebSocket Gateway Authentication Bypass)	critical	8.5	1	Vulnerability Exploitation
3577	Unauthenticated DNS modification	critical	8.5	1	DNS Hijacking
3578	CVE-2026-4782 (CVSS 6.5)	critical	8.5	1	SQL Injection
3579	Confidential Virtual Machine (CVM) exploitation	critical	8.5	1	Zero-day vulnerability
3580	Previously unknown security vulnerability in Oracle E-Business Suite	critical	8.5	1	Data Breach
3581	Website Migration	critical	8.5	1	Data Breach
3582	CVE-2026-41651 (PackageKit authorization bypass)	critical	8.5	1	Privilege Escalation
3583	persistent background execution via detached screen sessions	critical	8.5	1	malware
3584	CVE-2026-21513	critical	8.5	1	Zero-Day Vulnerability
3585	unsecured teacher credentials	critical	8.5	1	unauthorized access
3586	CVE-2021-39935	critical	8.5	1	Server-Side Request Forgery (SSRF)
3587	GoAnywhere MFT (specific CVE not mentioned)	critical	8.5	1	Data Breach
3588	Employee Access Abuse	critical	8.5	1	Data Leak
3589	CVE-2026-25108 (OS Command Injection - CWE-78)	critical	8.5	1	Command Injection
3590	CVE-2025-23120	critical	8.5	1	Vulnerability
3591	Abuse of Shared Access Signature (SAS) tokens and trusted cloud tools	critical	8.5	1	Ransomware
3592	Multi-tenant SaaS identity platform vulnerabilities	critical	8.5	1	AI-related identity breach
3593	Inadequate logging	critical	8.5	1	Data Breach
3594	Social Engineering (Fake VPN Software), Lack of User Awareness	critical	8.5	1	Credential Theft
3595	CVE-2025-27889	critical	8.5	1	Vulnerability Exploitation
3596	improper access controls in the Texas Integrated Grant Reporting system	critical	8.5	1	data breach
3597	Outdated cryptographic practices	critical	8.5	1	Data Breach/Vulnerability Exposure
3598	Oracle WebLogic Vulnerability (CVE not specified)	critical	8.5	1	Vulnerability Exploitation
3599	Unsecured LLM infrastructure	critical	8.5	1	Security Vulnerability
3600	Clerical Error	critical	8.5	1	Data Breach
3601	Human error (employee susceptibility to scams), lack of robust multi-factor authentication (MFA) enforcement	critical	8.5	1	Data Breach
3602	Abuse of Bubble’s no-code platform infrastructure, complex JavaScript bundles, Shadow DOM structures	critical	8.5	1	Phishing
3603	Undocumented API endpoints, CORS misconfigurations, pagination bypasses	critical	8.5	1	Data Exposure / Alleged Breach
3604	Progress MOVEit platform	critical	8.5	1	Data Breach
3605	Human error, Social engineering, Internal leaks	critical	8.5	1	Data Breach
3606	improper data retention by third-party vendor	critical	8.5	1	data breach
3607	Reused credentials from older data breaches	critical	8.5	1	Data Breach
3608	Inadequate Technology and Agency Understaffing	critical	8.5	1	Data Exposure
3609	Vertex AI Agent Engine Service Agent Hijacking	critical	8.5	1	Privilege Escalation
3610	Supply-chain risks	critical	8.5	1	Third-party data exploitation
3611	Improper Token Management	critical	8.5	1	Data Breach
3612	Incomplete redaction of sensitive documents	critical	8.5	1	Data Exposure
3613	Unknown vulnerability (zero-day)	critical	8.5	1	Zero-Day Exploit
3614	CVE-2026-44930	critical	8.5	1	LDAP Injection
3615	Improper input sanitization (CWE-74)	critical	8.5	1	Information Disclosure
3616	Failure to implement and maintain reasonable security measures	critical	8.5	1	Data Breach
3617	Abuse of High-Reputation Domains (sites.google.com, docs.google.com)	critical	8.5	1	Phishing
3618	Compromise of private keys	critical	8.5	1	Security Breach
3619	CWE-601: URL Redirection to Untrusted Site (Open Redirect) (via token manipulation)	critical	8.5	1	Data Breach
3620	Account Credentials	critical	8.5	1	Data Breach
3621	Unauthenticated access flaw in API endpoint `/api/now/related_list_edit/create` with `requires_authentication=false`	critical	8.5	1	Unauthorized Data Access
3622	Debug flag (`setIsDebugMode(true)`) left in production builds	critical	8.5	1	Vulnerability Exploitation
3623	CVE-2026-21519 (Type Confusion - CWE-843)	critical	8.5	1	Elevation of Privilege
3624	Outdated or poorly secured API interfaces	critical	8.5	1	Data Breach
3625	Publicly exposed RPC endpoint lacking authentication, rate limiting, or permission checks	critical	8.5	1	Supply Chain Attack
3626	Malicious package versions (PyTorch Lightning 2.6.2, 2.6.3; intercom-client 7.0.4)	critical	8.5	1	Supply Chain Attack
3627	Inadequate access controls in AI system for privileged actions	critical	8.5	1	Account Hijacking
3628	CVE-2026-22218 (Arbitrary File Read)	critical	8.5	1	Vulnerability Exploitation
3629	Human vulnerability (bribery of customer support agents)	critical	8.5	1	Data Breach
3630	Trusted domain chaining, search engine trust exploitation	critical	8.5	1	Phishing
3631	Unverified dependencies in development pipelines	critical	8.5	1	Supply-Chain Attack
3632	CVE-2026-41241	critical	8.5	1	Stored Cross-Site Scripting (XSS)
3633	Over-Permissive Third-Party App Access (Gmail, Google Drive, Dropbox)	critical	8.5	1	Data Breach
3634	Vendor Error	critical	8.5	1	Data Breach
3635	Broken Access Control (OWASP Top 10)	critical	8.5	1	Data Exposure
3636	RoguePilot (GitHub Codespaces/Copilot)	critical	8.5	1	Vulnerability Exploitation
3637	Six low-severity flaws	critical	8.5	1	Data Leak
3638	CVE-2026-32202 (Windows Shell Protection Mechanism Failure - CWE-693)	critical	8.5	1	Zero-Day Vulnerability Exploitation
3639	Weak authentication checks, lack of rate-limiting controls in AI-driven password reset process	critical	8.5	1	Account Takeover
3640	CVE-2024-40766 (SonicWall Improper Access Control)	critical	8.5	1	Malware (Infostealer)
3641	Server Message Block (SMB)	critical	8.5	1	phishing
3642	Improper handling and sharing of restricted voter data	critical	8.5	1	Data Breach
3643	Unpatched Smart Contract Bugs	critical	8.5	1	Privacy Violation
3644	Weak DMARC/SPF policies, Missing MTA-STS, Unvalidated/Expired Server Certificates, Misconfigured Microsoft 365 Security Tools	critical	8.5	1	Data Breach
3645	Weak MD5 hashing	critical	8.5	1	Data Exposure
3646	CVE-2025-54113 (Windows RRAS RCE)	critical	8.5	1	Malware (Infostealer)
3647	Insider Access Abuse	critical	8.5	1	Data Breach
3648	IDOR	critical	8.5	1	Data Breach
3649	CVE-2025-31191	critical	8.5	1	Sandbox Escape Vulnerability
3650	lack of phishing-resistant authentication	critical	8.5	1	phishing
3651	Two-Factor Authentication (2FA) Bypass	critical	8.5	1	Phishing-as-a-Service (PhaaS)
3652	Insufficient validation process for third-party API access	critical	8.5	1	Data Breach
3653	CVE-2025-54820 (Stack-based buffer overflow in fgtupdates service)	critical	8.5	1	Vulnerability
3654	Lack of encryption and intrusion detection systems	critical	8.5	1	Data Breach
3655	CVE-2026-11645 (Out-of-bounds read and write in V8 JavaScript engine)	critical	8.5	1	Zero-Day Vulnerability
3656	fragmented infrastructure	critical	8.5	1	ransomware
3657	CVE-2026-21385	critical	8.5	1	Zero-Day Vulnerability
3658	Click2Gov online payment system	critical	8.5	1	Data Breach
3659	Weaknesses in third-party integrations with Salesforce-connected applications (not Salesforce itself)	critical	8.5	1	Data Breach
3660	CVE-2026-20700	critical	8.5	1	Exploit Kit
3661	Improper handling of sensitive credentials in web assets	critical	8.5	1	Data Exposure
3662	ClickFix technique	critical	8.5	1	phishing
3663	Lack of runtime risk controls	critical	8.5	1	AI-related identity breach
3664	Unauthorized access due to exposed credentials	critical	8.5	1	Data Breach
3665	Amazon S3 Storage Account	critical	8.5	1	Data Breach
3666	CVE-2026-26111	critical	8.5	1	Remote Code Execution (RCE)
3667	CVE-2026-3517	critical	8.5	1	vulnerability
3668	Lack of access controls / improper employee oversight	critical	8.5	1	Unauthorized Access / Insider Threat
3669	Leak of User Emails	critical	8.5	1	Data Breach
3670	Compromised OAuth tokens in Gainsight-published applications (no vulnerability in Salesforce platform itself)	critical	8.5	1	Data Breach
3671	Lack of account management (inactive accounts not decommissioned)	critical	8.5	1	Data Breach
3672	Integer Overflow	critical	8.5	1	Privilege Escalation
3673	Poor M365 configurations	critical	8.5	1	Data Breach
3674	Composer’s regex validation failure due to GitHub’s new token format	critical	8.5	1	Data Exposure
3675	System Setup Error	critical	8.5	1	Data Exposure
3676	Inadequate safeguards in government online portals	critical	8.5	1	Credential Stuffing
3677	AirSnitch (exploits gaps in MAC address, encryption key, and IP address linking across network layers)	critical	8.5	1	Vulnerability Exploitation
3678	Unprotected Cloud Repository	critical	8.5	1	Data Leak
3679	Web application vulnerability (Click2Gov online payment system)	critical	8.5	1	Data Breach
3680	CVE-2026-0073	critical	8.5	1	Vulnerability Exploitation
3681	User account compromise	critical	8.5	1	Data Breach
3682	CVE-2026-24281	critical	8.5	1	Data Exposure
3683	OpenAI-compatible APIs (port 8000)	critical	8.5	1	LLMjacking
3684	Inadequate audit logging	critical	8.5	1	Data Breach
3685	Progress Software’s MOVEit Transfer application	critical	8.5	1	Data Breach
3686	Cryptographic Flaw in Infineon Microcontroller	critical	8.5	1	Cryptographic Vulnerability
3687	Stolen credentials (Okta SSO account of a support agent)	critical	8.5	1	Data Breach
3688	CVE-2025-20333 & CVE-2025-20363 (Cisco ASA VPN)	critical	8.5	1	Ransomware
3689	CVE-2026-29146	critical	8.5	1	Vulnerability Exploitation
3690	Unknown vulnerability in warehouse management system	critical	8.5	1	Data Breach
3691	Unprotected Elasticsearch instance	critical	8.5	1	Data Exposure
3692	No Authentication by Default	critical	8.5	1	Misconfiguration
3693	CVE-2026-0709	critical	8.5	1	Supply Chain Attack
3694	Improper IAM Policies	critical	8.5	1	Cloud Security Breach
3695	improper decommissioning of legacy cloud storage	critical	8.5	1	data breach
3696	Weak authentication (Dior Instagram)	critical	8.5	1	Data Breach
3697	Lack of Content Verification Mechanisms	critical	8.5	1	Content Theft and Fraud
3698	Log4Shell	critical	8.5	1	Ransomware
3699	Lack of Email Spoofing Protections	critical	8.5	1	Data Breach
3700	Insider Knowledge (Ethan Lipnik's Willingness to Share)	critical	8.5	1	Trade Secret Theft
3701	OAuth 2.0 protocol behavior (RFC 6749/9700)	critical	8.5	1	Phishing
3702	Weak Authentication Credentials / Use of Non-Corporate Devices	critical	8.5	1	Data Breach / Unauthorized Access
3703	Improper use of tracking technologies on authenticated pages (patient portals) without HIPAA-compliant authorizations or business associate agreements	critical	8.5	1	Data Breach
3704	Weak encryption in data-sharing mandates	critical	8.5	1	Cybersecurity Risk Assessment
3705	CVE-2026-39987 (Marimo RCE)	critical	8.5	1	Vulnerability Exploitation
3706	CVE-2026-26030	critical	8.5	1	Remote Code Execution (RCE)
3707	CVE-2026-5509	critical	8.5	1	Command Injection
3708	Lack of Data Loss Prevention (DLP) Controls	critical	8.5	1	Data Breach
3709	Private Code Repositories (GitLab, Visual Studio Code)	critical	8.5	1	Malware Deployment
3710	Setting turned on by Patient Portal vendor	critical	8.5	1	Data Breach
3711	Lack of disclosure and user consent for data collection	critical	8.5	1	Data Exfiltration
3712	insufficient workforce training	critical	8.5	1	ransomware
3713	Misconfigured AWS Storage Bucket	critical	8.5	1	Data Exposure
3714	Security vulnerability in pre-order process	critical	8.5	1	Data Breach
3715	Phase-locked loops (PLLs) compromise	critical	8.5	1	Firmware-level attack
3716	Unsecured Amazon cloud storage without password protection	critical	8.5	1	Data Breach
3717	Excessive data access privileges	critical	8.5	1	Data Breach
3718	Weak encryption configurations (e.g., BitLocker), cached authentication tokens, lack of hardware-rooted security	critical	8.5	1	Device Theft / Data Breach
3719	Human error (tricked customer support employees into granting access)	critical	8.5	1	Data Breach
3720	Insufficient Agent Permission Controls	critical	8.5	1	AI Security Vulnerabilities
3721	Unprotected 'unlink()' call enabling unauthenticated file deletion	critical	8.5	1	SQL Injection
3722	CVE-2026-0629	critical	8.5	1	Authentication Bypass
3723	DockerDash	critical	8.5	1	Vulnerability Exploitation
3724	Lack of Physical Security for Devices Containing Sensitive Data	critical	8.5	1	Data Breach (Physical Theft)
3725	Key Reuse Vulnerability (Android)	critical	8.5	1	Privacy Violation
3726	Cisco Unified CM exploit	critical	8.5	1	Third-Party Risk Management Failure
3727	Unauthorized use of Stripe API key	critical	8.5	1	Data Breach
3728	Lack of Policy Enforcement for AI Tool Usage	critical	8.5	1	Data Breach
3729	Out-of-bounds read (Grassroot DICOM)	critical	8.5	1	Vulnerability Disclosure
3730	Trust in community integrations, lack of sandboxing in n8n community nodes	critical	8.5	1	Supply Chain Attack
3731	Oracle’s eBusiness Suite software vulnerability	critical	8.5	1	Data Breach
3732	CVE-2025-53770 (Microsoft SharePoint 'ToolShell')	critical	8.5	1	Ransomware
3733	Online customer service system vulnerability	critical	8.5	1	Data Breach
3734	improper data retention	critical	8.5	1	data breach
3735	Improper Privilege Management (CWE-269)	critical	8.5	1	Privilege Escalation
3736	Human Vulnerability (Insider Recruitment)	critical	8.5	1	Insider Threat, Extortion
3737	CVE-2025-64496	critical	8.5	1	Code Injection
3738	Website Bug	critical	8.5	1	Data Exposure
3739	human trust in search engine ads	critical	8.5	1	phishing
3740	gaps in business associate oversight	critical	8.5	1	ransomware
3741	inadequate contractor oversight	critical	8.5	1	data breach
3742	Social engineering, exploitation of legitimate communication channels	critical	8.5	1	Phishing Scam
3743	Poor security practices, shared credentials or third-party tool managing access	critical	8.5	1	Account Takeover
3744	Automatic Opt-Ins	critical	8.5	1	Data Privacy Issue
3745	Malicious postinstall scripts	critical	8.5	1	Supply Chain Attack
3746	Remote Code Execution Vulnerability in DS-2105 Pro DVRs	critical	8.5	1	Botnet
3747	Social Engineering, Fake Authentication Screens	critical	8.5	1	Phishing
3748	Improperly secured database	critical	8.5	1	Data Exposure
3749	Unsecured Internet-Connected Database	critical	8.5	1	Data Exposure
3750	Hardcoded Google API keys with expanded authentication capabilities	critical	8.5	1	Data Exposure
3751	Lack of Data Minimization	critical	8.5	1	Data Breach
3752	Critical vulnerability in VIGI camera series	critical	8.5	1	Vulnerability Exploitation
3753	Progress MOVEit Transfer	critical	8.5	1	Data Breach
3754	Weaknesses in Almaviva’s infrastructure	critical	8.5	1	Data Breach
3755	weak cybersecurity safeguards in third-party vendor (Salesforce)	critical	8.5	1	data breach
3756	Human Error (Inadvertent Publication of Sensitive Data)	critical	8.5	1	Data Breach (Inadvertent Disclosure)
3757	Over-collection of sensitive PII (e.g., full ID scans vs. minimal verification)	critical	8.5	1	Data Breach Risk
3758	Confused Deputy (CWE-441)	critical	8.5	1	Privilege Escalation
3759	ShadowLeak (CVE pending)	critical	8.5	1	Data Exfiltration
3760	Unspecified vulnerability in OT security solutions	critical	8.5	1	Data Breach
3761	Employee interaction with fraudulent link	critical	8.5	1	Data Breach
3762	Disabled Workspace Trust in Cursor (VS Code fork)	critical	8.5	1	Arbitrary Code Execution
3763	PTC Windchill and FlexPLM flaw	critical	8.5	1	data_breach
3764	Design flaw in metadata handling for public pages	critical	8.5	1	Privacy Leak
3765	Implicit trust in AI-generated summaries, unchecked trust in retrieved data by AI tools	critical	8.5	1	Phishing
3766	Inadequate security protections	critical	8.5	1	Data Breach / Cybersecurity Failure
3767	CVE-2025-7776	critical	8.5	1	Vulnerability Exploitation
3768	User trust in online platforms	critical	8.5	1	Phishing
3769	Fractured auditability across communication channels	critical	8.5	1	Data Governance Blind Spot
3770	Mishandling of sensitive data by workers	critical	8.5	1	Data Breach
3771	MOVEit application by IBM	critical	8.5	1	Data Breach
3772	CVE-2025-9142 (JWT manipulation and directory traversal in Perimeter81 service component)	critical	8.5	1	Privilege Escalation
3773	CVE-2025-59451 (Predictable Identifiers)	critical	8.5	1	Denial-of-Service
3774	User trust and lack of awareness	critical	8.5	1	Phishing
3775	Contact Discovery Mechanism Flaw	critical	8.5	1	Privacy Violation
3776	Mali GPU Data Compression	critical	8.5	1	Data Theft
3777	Cardinality-Based Rate Limiting Bypass	critical	8.5	1	Privacy Violation
3778	Malicious npm packages impersonating legitimate libraries	critical	8.5	1	Supply Chain Attack
3779	Unsecured Kafka Broker instance	critical	8.5	1	Data Exposure
3780	Lack of input validation in web configuration interfaces	critical	8.5	1	DNS Hijacking
3781	Public web server misconfiguration	critical	8.5	1	Data Breach
3782	Improper Access Controls (Publicly Accessible Folder)	critical	8.5	1	Data Breach
3783	Social Engineering, Lack of Multi-Factor Authentication (MFA) awareness	critical	8.5	1	Phishing, Credential Harvesting
3784	Third-party Cloud Service	critical	8.5	1	Data Breach
3785	Outdated security protocols	critical	8.5	1	Data Breach
3786	Social Engineering (ClickFix technique)	critical	8.5	1	Malware Campaign
3787	Exploitation of accessibility permissions, fake overlays	critical	8.5	1	Trojan
3788	Unrotated Service Account Token	critical	8.5	1	Data Breach (OAuth Token Compromise)
3789	Unknown vulnerability in the spam quarantine server software	critical	8.5	1	Data Breach
3790	Stolen Login Information	critical	8.5	1	Data Breach
3791	DNS Infrastructure Weakness (Box Domains)	critical	8.5	1	DNS Hijacking
3792	human trust in AI-generated content	critical	8.5	1	fraud
3793	Publicly Exposed API Token	critical	8.5	1	Data Breach (OAuth Token Compromise)
3794	Programming Errors	critical	8.5	1	Data Breach
3795	Password recovery and sharing features	critical	8.5	1	Data Breach/Vulnerability Exposure
3796	PHP Backdoor in WordPress Plugins	critical	8.5	1	Data Breach
3797	Insufficient input sanitization and double-parsing bug in 'Dispatch Search' feature	critical	8.5	1	Data Breach
3798	Inadequate Data Handling Controls	critical	8.5	1	Data Breach
3799	ATM switch server compromise	critical	8.5	1	ATM cash-out fraud
3800	Abandoned software in trusted repository	critical	8.5	1	Phishing
3801	Delayed Incident Reporting	critical	8.5	1	Data Breach
3802	Remote Dynamic Dependencies (RDD)	critical	8.5	1	Supply Chain Attack
3803	Gateway between the airline and a payment processor	critical	8.5	1	Data Breach
3804	CVE-2026-11645 (Out-of-bounds memory access in V8 JavaScript engine)	critical	8.5	1	Zero-Day Vulnerability
3805	CVE-2025-31277	critical	8.5	1	Exploit Kit
3806	Human error, lack of phishing awareness	critical	8.5	1	Data Breach
3807	CVE-2023-28771	critical	8.5	1	Remote Code Execution
3808	CWE-798: Hard-coded Credentials	critical	8.5	1	Data Exposure
3809	Failure to remediate known vulnerabilities	critical	8.5	1	Data Breach
3810	CVE-2026-0628 (declarativeNetRequest API misconfiguration in Gemini AI panel)	critical	8.5	1	Privilege Escalation
3811	Ineffective Security Configurations	critical	8.5	1	Data Breach
3812	Lack of centralized oversight, inadequate vendor vetting, uncoordinated technology adoption	critical	8.5	1	Data Breach
3813	15 security flaws in graphics drivers, including nine high-severity vulnerabilities	critical	8.5	1	Vulnerability Disclosure
3814	vBulletin security hole	critical	8.5	1	Data Breach
3815	Blender’s 'Auto Run Python Scripts' feature	critical	8.5	1	malware
3816	Weak incident response policies and procedures	critical	8.5	1	Data Breach
3817	CVE-2026-1592	critical	8.5	1	Supply Chain Attack
3818	Mirasvit flaw in Magento servers	critical	8.5	1	Third-Party Risk Management Failure
3819	Inadequate data security controls / unauthorized access by insider	critical	8.5	1	Data Breach
3820	Inadequate data retention/deletion policies	critical	8.5	1	Data Breach Risk
3821	E-commerce Site Vulnerability	critical	8.5	1	Data Breach
3822	Internal Authentication API bug	critical	8.5	1	Authentication Vulnerability
3823	Unauthenticated Admin Functions (GRS Panel, HTML Injection)	critical	8.5	1	Data Exposure
3824	ProxyNotShell (Microsoft Exchange Server vulnerability)	critical	8.5	1	Cyber Espionage
3825	Inadequate Data Security Measures	critical	8.5	1	Data Breach
3826	Stolen credentials from 2025 Salesloft breach	critical	8.5	1	Data Breach
3827	Compromised OAuth app linked to Google Workspace	critical	8.5	1	Data Breach
3828	CVE-2021-24917 (GiveWP)	critical	8.5	1	ransomware
3829	Social Engineering (Tax-Season Lures), Spoofed Login Pages, Trusted RMM Tools Abuse	critical	8.5	1	Phishing, Credential Harvesting, Malware Deployment
3830	CVE-2026-3336	critical	8.5	1	Cryptographic Vulnerability
3831	CVE-2026-44413	critical	8.5	1	Privilege Escalation
3832	Poor Staff Awareness of Insider Threats	critical	8.5	1	Unauthorized Access
3833	WebKit memory-related errors	critical	8.5	1	Vulnerability Exploitation
3834	Notification data retention flaw in iOS	critical	8.5	1	Privacy Flaw / Data Retention Vulnerability
3835	lack of security risk analysis	critical	8.5	1	ransomware
3836	CVE-2025-33231	critical	8.5	1	Vulnerability
3837	Misconfiguration in Electron framework	critical	8.5	1	Security Vulnerability
3838	Excessive Data Access Permissions	critical	8.5	1	Data Breach
3839	AI-generated_deepfakes	critical	8.5	1	data_breach
3840	Argument injection in MicrositeURL and CloudPages	critical	8.5	1	Data Breach
3841	Compromised Salesforce integrations, Zendesk customer support system	critical	8.5	1	Data Breach
3842	Insufficient access controls and monitoring for employee data handling	critical	8.5	1	Unauthorized Data Transfer
3843	Full takeover of Tesla’s infotainment system	critical	8.5	1	Zero-Day Vulnerabilities
3844	Compromised Administrator Account	critical	8.5	1	Ransomware
3845	unencrypted patient records	critical	8.5	1	ransomware
3846	CVE-2026-25921 (CWE-345: Insufficient Verification of Data Authenticity)	critical	8.5	1	Supply-Chain Attack
3847	Unauthenticated file upload flaw in Magento Open Source, Magento Enterprise, Adobe Commerce, and Adobe Commerce with the B2B module	critical	8.5	1	Defacement, Unauthorized File Upload
3848	Lack of Privacy Controls	critical	8.5	1	Surveillance
3849	weak password practices	critical	8.5	1	data breach
3850	Quantum Model Memorization of Training Data	critical	8.5	1	Privacy Breach
3851	CVE-2024-12847 (Netgear DGN1000/DGN2000)	critical	8.5	1	Exploit Trends
3852	Insufficient Mass Email Controls	critical	8.5	1	Data Breach
3853	Unauthorized access to Salesforce	critical	8.5	1	Data Breach
3854	misconfigured AWS S3 bucket (lack of access controls)	critical	8.5	1	data exposure
3855	CVE-2025-14560	critical	8.5	1	Vulnerability Exploitation
3856	Lack of Access Controls / Insider Threat	critical	8.5	1	Data Breach
3857	CVE-2025-5806	critical	8.5	1	Cross-Site Scripting (XSS)
3858	Password reset flaw via AI chatbot instructions	critical	8.5	1	Data Breach
3859	CVE-2026-20643 (WebKit Navigation API improper input validation)	critical	8.5	1	Vulnerability Exploitation
3860	Architectural flaw in GitHub MCP server allowing AI agents to access and exfiltrate data from private repositories	critical	8.5	1	Prompt Injection
3861	CVE-2026-34500	critical	8.5	1	Vulnerability Exploitation
3862	Checkout page code issue	critical	8.5	1	Data Breach
3863	CVE-2026-4048	critical	8.5	1	vulnerability
3864	Insufficient data security policies and controls	critical	8.5	1	Data Leak
3865	Weak password storage (base64 hashes or unhashed passwords)	critical	8.5	1	Data Breach
3866	Service Account Credential	critical	8.5	1	Data Breach
3867	CVE-2023-43000 (WebKit RCE - terrorbird)	critical	8.5	1	Exploit Kit / Malware Campaign
3868	inadequate segmentation between Discord and vendor systems	critical	8.5	1	data breach
3869	Exploitation of health information exchange systems, fake NPI numbers, and shell companies	critical	8.5	1	Data Breach
3870	Critical vulnerability	critical	8.5	1	Data Breach, Account Hijacking
3871	Vulnerability in Gladinet CentreStack	critical	8.5	1	Data Breach
3872	Unauthorized access via subcontractor credentials	critical	8.5	1	Data Breach
3873	CVE-2026-21533	critical	8.5	1	Elevation of Privilege
3874	Unencrypted backup media, unlocked storage cabinet	critical	8.5	1	Data Breach
3875	Unpatched RCE vulnerabilities	critical	8.5	1	Botnet
3876	Potential Configuration Flaws in Shared Platforms (e.g., Salesforce-like systems)	critical	8.5	1	Data Breach
3877	Hardcoded credentials in web code	critical	8.5	1	Data Breach
3878	Sensor false data injection	critical	8.5	1	Firmware-level attack
3879	Overly permissive guest user configurations in Salesforce Experience Cloud	critical	8.5	1	Data Theft
3880	Improper access control in cloud storage	critical	8.5	1	Data Breach
3881	Over-reliance on mutable version tags in CI/CD pipelines, stolen credentials	critical	8.5	1	Supply Chain Attack
3882	Human Error (Telecommunications Employee Deception)	critical	8.5	1	Data Breach
3883	Lack of Authentication or Access Restrictions	critical	8.5	1	Data Leak
3884	compromised personal data	critical	8.5	1	fraud
3885	Reuse of leaked personal data, Lack of user awareness	critical	8.5	1	Phishing / Social Engineering
3886	WebOTP API, Clipboard Access, Notification Control, PWA Installation Permissions, Android Permissions Abuse	critical	8.5	1	Phishing
3887	CVE-2026-24308	critical	8.5	1	Data Exposure
3888	CVE-2026-20435 (MediaTek chipset boot chain weakness)	critical	8.5	1	Vulnerability Exploitation
3889	CVE-2026-25173	critical	8.5	1	Remote Code Execution (RCE)
3890	Feature flag misconfiguration (Split.io-based system)	critical	8.5	1	Data Exposure
3891	Back-end system vulnerability	critical	8.5	1	Data Breach
3892	Oracle PeopleSoft vulnerability	critical	8.5	1	Ransomware
3893	CVE-2026-39987	critical	8.5	1	Remote Code Execution (RCE)
3894	CVE-2026-26268 (CVSS 8.1)	critical	8.5	1	Vulnerability Exploitation
3895	SolarWinds Serv-U flaw	critical	8.5	1	Vulnerability Exploitation
3896	CVE-2026-7195 (CVSS 8.8)	critical	8.5	1	Vulnerability Exploitation
3897	misconfiguration in HR/finance team servers	critical	8.5	1	ransomware
3898	Shadow AI usage	critical	8.5	1	AI-related identity breach
3899	CVE-2026-21992	critical	8.5	1	Remote Code Execution (RCE)
3900	CVE-2025-5777 (CitrixBleed 2)	critical	8.5	1	Reconnaissance
3901	Salesforce environment access	critical	8.5	1	Data Breach
3902	Inadequate data handling and publication controls	critical	8.5	1	Data Exposure
3903	CVE-2026-42897	critical	8.5	1	Spoofing Vulnerability
3904	Fragmented policies for data in motion	critical	8.5	1	Data Governance Blind Spot
3905	GoAnywhere MFT SaaS	critical	8.5	1	Data Breach
3906	Compromised contributor credentials, orphan commit in GitHub repository, Sigstore OIDC token abuse	critical	8.5	1	Supply Chain Attack
3907	Compromised employees	critical	8.5	1	Extortion
3908	unpatched vulnerabilities in network devices	critical	8.5	1	ransomware
3909	Skimming	critical	8.5	1	Data Breach
3910	URL Vulnerability	critical	8.5	1	Data Breach
3911	Software Flaw	critical	8.5	1	Ransomware
3912	CVE-2026-5281 (Use-After-Free in Google Dawn/WebGPU)	critical	8.5	1	Zero-Day Vulnerability Exploitation
3913	Absence of web application firewall (WAF)	critical	8.5	1	Data Security Audit
3914	CVE-2026-21570	critical	8.5	1	Remote Code Execution (RCE)
3915	unsecured Azure Blob Storage	critical	8.5	1	data breach
3916	Session management vulnerability in cookie-based authentication	critical	8.5	1	Authentication Bypass
3917	Hardcoded login credentials in the source code	critical	8.5	1	Data Breach
3918	Human Factor (Social Engineering)	critical	8.5	1	Data Breach
3919	Theft of banking credentials and sensitive financial data	critical	8.5	1	Malware
3920	AWS Bedrock’s AgentCore Code Interpreter Sandbox Bypass	critical	8.5	1	Data Exfiltration
3921	Improper scoping of OAuth permissions in Salesloft Drift (Salesforce-integrated tool)	critical	8.5	1	Data Breach
3922	User Privacy	critical	8.5	1	Privacy Breach
3923	Improper data storage practices	critical	8.5	1	Data Breach
3924	Exposed SSH services	critical	8.5	1	Malware
3925	CVE-2025-7659	critical	8.5	1	Vulnerability Exploitation
3926	Light-touch KYC, Instant SEPA transfers, Gaps in point-in-time checks	critical	8.5	1	Money Laundering, Fraud, Account Takeover
3927	Trust boundary violation in externally_connectable setting, lack of sender verification, DOM manipulation, approval looping	critical	8.5	1	Vulnerability Exploitation
3928	Lack of authentication, unsecured admin portals, weak club passwords, hardcoded Stripe API keys	critical	8.5	1	Data Exposure
3929	Lack of Monitoring for Unauthorized Data Exfiltration	critical	8.5	1	Data Breach
3930	Flash Player	critical	8.5	1	Cyber Attack
3931	CVE-2025-27920 (Directory Traversal), CVE-2025-27921 (Reflected XSS - unused)	critical	8.5	1	Cyber Espionage
3932	Intent redirection vulnerability in EngageLab SDK (version 4.5.4)	critical	8.5	1	Supply Chain Vulnerability
3933	Sophisticated hacking attempts	critical	8.5	1	Data Breach
3934	Systemic weaknesses in cybersecurity infrastructure	critical	8.5	1	Data Breach
3935	Improper access controls on PDF-generating page	critical	8.5	1	Data Exposure
3936	Oracle E-Business Suite vulnerabilities	critical	8.5	1	Cyberattack
3937	Critical vulnerabilities from CISA’s Known Exploited Vulnerabilities (KEV) catalog	critical	8.5	1	Insider Threat
3938	Insecure data transmission by browser extensions	critical	8.5	1	Data Leakage
3939	Cloud Database Platform	critical	8.5	1	Data Breach
3940	CVE-2026-23596	critical	8.5	1	Privilege Escalation
3941	Lack of Visibility into AI Data Flows	critical	8.5	1	AI Security Vulnerabilities
3942	User Email Accounts	critical	8.5	1	Data Breach
3943	Preventable authorization flaw, path manipulation in web address	critical	8.5	1	Data Breach
3944	CVE-2025-55232 (Microsoft HPC Pack RCE)	critical	8.5	1	Malware (Infostealer)
3945	Unsecured Amazon Web Services (AWS) S3 bucket lacking proper access controls	critical	8.5	1	Data Breach
3946	CVE-2026-48710 (BadHost)	critical	8.5	1	Vulnerability Exploitation
3947	Trusted developer workflows, npm package installation (no user interaction required)	critical	8.5	1	Supply-Chain Attack, Malware Campaign
3948	No lockout after repeated failed login attempts, weak encryption algorithms, unlawful data collection and storage, retention of outdated records	critical	8.5	1	Data Breach
3949	missing server-side encryption	critical	8.5	1	data breach
3950	AWS Trusted Advisor Bypass via S3 Bucket Policy Misconfiguration (Deny Rules for `s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, `s3:GetBucketAcl`)	critical	8.5	1	Misconfiguration
3951	Insufficient identity verification in hiring processes, reliance on social media badges	critical	8.5	1	Identity Fraud, Insider Threat, Cyber Espionage
3952	Employee email account compromise	critical	8.5	1	Phishing Attack
3953	CVE-2026-45659 (Improper deserialization of untrusted data)	critical	8.5	1	Remote Code Execution (RCE)
3954	Prior data exposures	critical	8.5	1	Data Breach
3955	CVE-2026-50507 (CWE-306: Missing Authentication for Critical Function)	critical	8.5	1	Security Feature Bypass
3956	Unsecured Public LLM Interactions	critical	8.5	1	Data Leakage
3957	CVE-2025-47813 (CWE-209)	critical	8.5	1	Information Disclosure
3958	Inconsistent Compliance Practices	critical	8.5	1	Data Privacy Fragmentation
3959	Unauthorized access by authorized user	critical	8.5	1	Data Breach
3960	Unauthorized access to business email account	critical	8.5	1	Data Breach
3961	Inadequate security measures, potential internal mismanagement	critical	8.5	1	Data Breach
3962	Overbroad OAuth Token Permissions	critical	8.5	1	Data Breach
3963	CVE-2025-54236 (SessionReaper - Session Data Storage on File System)	critical	8.5	1	Vulnerability Disclosure
3964	CVE-2025-54820 (Stack-based buffer overflow, CWE-121)	critical	8.5	1	Remote Code Execution (RCE)
3965	Absence of defensible deletion policies	critical	8.5	1	Data Breach
3966	Legacy email protocols (IMAP/POP3)	critical	8.5	1	Data Breach
3967	CVE-2025-37899 (Use-After-Free in ksmbd SMB2 LOGOFF handler)	critical	8.5	1	Zero-Day Vulnerability
3968	CVE-2025-XXXX (WebKit Zero-Day 2)	critical	8.5	1	Zero-Day Exploit
3969	Salesforce integration flaw (Drift-Salesloft)	critical	8.5	1	data breach
3970	Remote-viewing software	critical	8.5	1	Data Breach
3971	Storage and transmission of device-specific data (e.g., precise geolocation, browsing history, search queries)	critical	8.5	1	Data Exposure
3972	Fragmented Data Access Controls	critical	8.5	1	Data Privacy Fragmentation
3973	Lack of AI Governance Policies	critical	8.5	1	Data Leakage
3974	Social Engineering (Urgent KYC/Billing Alerts)	critical	8.5	1	Phishing Scam
3975	DLL Sideloading via YY platform's updat.exe	critical	8.5	1	Malware Campaign
3976	Authentication failures	critical	8.5	1	API Security Breach
3977	Steganography (hidden JavaScript in PNG files), lack of strict extension vetting	critical	8.5	1	Malware Campaign
3978	CVE-2026-3061 (Out-of-bounds read in Media component)	critical	8.5	1	Vulnerability Patch
3979	CVE-2025-54254 (Improper Restriction of XML External Entity Reference)	critical	8.5	1	Vulnerability Exploitation
3980	Governance gap in data access controls	critical	8.5	1	Third-party data exploitation
3981	Excessive permissions in AI agents	critical	8.5	1	Data Breach
3982	Lack of sandboxing in AI-generated test cases (Claude Code)	critical	8.5	1	Arbitrary Code Execution
3983	Insider access, malware backdoor	critical	8.5	1	Cyber-enabled drug trafficking
3984	Unsecured personal information handling	critical	8.5	1	Data Breach
3985	CVE-2026-26133	critical	8.5	1	Cross-Prompt Injection Attack (XPIA)
3986	CVE-2024-5806	critical	8.5	1	Supply Chain Attack, Data Breach, Ransomware
3987	URL fetcher failing to block internal domains	critical	8.5	1	Autonomous AI-driven cyber attack
3988	Inability to Distinguish Content from Directives in Prompts	critical	8.5	1	Data Exfiltration
3989	Stolen web cookies (session IDs, personal data)	critical	8.5	1	Data Exposure
3990	Listable Algolia Search Indexes (PII Exposure)	critical	8.5	1	Data Exposure
3991	Insecure defaults in Google Cloud Platform (GCP) API key architecture	critical	8.5	1	Data Exposure
3992	unpatched cloud tools (speculated)	critical	8.5	1	data breach
3993	Leaked Passwords	critical	8.5	1	Data Breach
3994	SIM swapping	critical	8.5	1	wire fraud
3995	Soliton Systems K.K FileZen	critical	8.5	1	APT Activity
3996	CVE-2026-23597	critical	8.5	1	Privilege Escalation
3997	Fake Kubernetes tools	critical	8.5	1	Supply Chain Attack
3998	CVE-2026-40372	critical	8.5	1	Privilege Escalation
3999	CVE-2025-43300 (Apple OS-level vulnerability)	critical	8.5	1	Zero-day vulnerability
4000	Website Vulnerabilities	critical	8.5	1	Data Leak
4001	CVE-2026-0073 (Android Debug Bridge daemon - adbd)	critical	8.5	1	Remote Code Execution (RCE)
4002	CVE-2026-7312 (CVSS 10.0)	critical	8.5	1	Vulnerability Exploitation
4003	CVE-2026-42208	critical	8.5	1	SQL Injection
4004	Silverlight	critical	8.5	1	Cyber Attack
4005	CVE-2026-20184 (CWE-295)	critical	8.5	1	Vulnerability Exploitation
4006	CVE-2025-10547 (Uninitialized Stack Value Leading to Arbitrary Free)	critical	8.5	1	Vulnerability
4007	MOVEit Transfer zero-day vulnerability (CVE-2023-34362)	critical	8.5	1	Data Breach
4008	CVE-2026-2286	critical	8.5	1	Remote Code Execution
4009	Improper Access Control in SharePoint	critical	8.5	1	Data Exposure
4010	Server-side request forgery (SSRF) (14.5%)	critical	8.5	1	API Security Breach
4011	CVE-2025-59452 (Cleartext Transmission)	critical	8.5	1	Denial-of-Service
4012	Default remote user account, no-password accounts, unsecured 'superuser' account	critical	8.5	1	Misconfiguration
4013	Plain text storage of login details	critical	8.5	1	Data Breach
4014	Weak Access Controls (Absent MFA, Insufficient Lockout Policies) in SonicWall SSLVPN	critical	8.5	1	Ransomware
4015	MOVEit secure file transfer solution vulnerability	critical	8.5	1	Data Breach
4016	Missile defense system vulnerability	critical	8.5	1	Data Breach
4017	SonicWall SSL VPN vulnerabilities	critical	8.5	1	ransomware
4018	Microsoft Teams default external messaging settings	critical	8.5	1	Phishing
4019	Stolen credentials (password reuse, leaked credentials)	critical	8.5	1	Credential Theft
4020	Parking Permit System Flaw (since 2017)	critical	8.5	1	Data Breach
4021	trust in open-source dependencies	critical	8.5	1	supply-chain attack
4022	Technical error in user data retrieval/logic (likely session or caching misconfiguration)	critical	8.5	1	Data Exposure (Unintentional Disclosure)
4023	Bias in AI algorithms (e.g., loan approvals, credit scoring)	critical	8.5	1	Cybersecurity Risk Assessment
4024	Java	critical	8.5	1	Cyber Attack
4025	Error in server configuration change	critical	8.5	1	Data Breach
4026	CVE-2025-52436 (Improper Neutralization of Input During Web Page Generation - CWE-79)	critical	8.5	1	Cross-Site Scripting (XSS)
4027	Training gaps	critical	8.5	1	Data Breach
4028	TOCTOU (Time-of-Check Time-of-Use) race condition in a SETUID binary	critical	8.5	1	Privilege Escalation
4029	macOS Script Editor (applescript:// links), Refined ClickFix Technique	critical	8.5	1	Malware Campaign
4030	CVE-2026-3518	critical	8.5	1	vulnerability
4031	CVE-2025-13834	critical	8.5	1	Information Leak
4032	Reused passwords across multiple accounts	critical	8.5	1	Credential Stuffing
4033	MOVEit Transfer Zero-Day (CVE-2023-34362)	critical	8.5	1	Data Breach
4034	Notepad++ WinGUp Update Verification Flaw	critical	8.5	1	Supply Chain Attack
4035	Prompt Injection Vulnerabilities	critical	8.5	1	AI Security Vulnerabilities
4036	Browser Blob URL APIs	critical	8.5	1	Phishing
4037	Unauthorized data sharing via embedded tracking tools	critical	8.5	1	Data Breach
4038	CVE-2026-45585 (Windows BitLocker Zero-Day in WinRE)	critical	8.5	1	Security Feature Bypass
4039	Several vulnerabilities in the Likud app	critical	8.5	1	Data Breach
4040	CVE-2025-48561	critical	8.5	1	Data Theft
4041	Incomplete containment of earlier breach (hackerbot-claw), non-atomic token rotation, mutable version tags	critical	8.5	1	Supply Chain Attack
4042	Unrestricted failed authentication attempts, weak encryption for passwords and resident registration numbers	critical	8.5	1	Data Breach
4043	Disabled Workspace Trust (Cursor Editor)	critical	8.5	1	Malware (Infostealer)
4044	improper access controls / lack of authentication for cloud storage	critical	8.5	1	data breach
4045	BeyondTrust (CVE-2026-1731)	critical	8.5	1	APT Activity
4046	Excessive Discord SDK logging writing private data to local log files in plaintext	critical	8.5	1	Data Exposure
4047	Fake Office 365 login pages	critical	8.5	1	Business Email Compromise (BEC)
4048	unpatched vulnerabilities in enterprise software	critical	8.5	1	ransomware
4049	Vendor Software	critical	8.5	1	Data Breach
4050	Human Error (Tricked Call Center Worker)	critical	8.5	1	Data Breach
4051	Abandoned email domains of financial administrators	critical	8.5	1	Data Breach
4052	Lateral Movement within Internal Systems	critical	8.5	1	Data Breach
4053	Token Sprawl	critical	8.5	1	Data Breach
4054	No Technical Vulnerability (Human Factor)	critical	8.5	1	Trade Secret Theft
4055	faiblesse des mots de passe utilisateurs	critical	8.5	1	cyberattaque
4056	CVE-2026-27728	critical	8.5	1	Command Injection
4057	Lack of encryption for sensitive data	critical	8.5	1	Data Breach
4058	Inadequate IT security measures	critical	8.5	1	Data Breach
4059	CVE-2025-14174	critical	8.5	1	Exploit Kit
4060	Exposed Magicbell API Keys and Secrets	critical	8.5	1	Data Exposure
4061	Recently patched vulnerability in Oracle E-Business Suite (for Cl0p ransomware incident)	critical	8.5	1	Data Breach
4062	Hard-coded API Key	critical	8.5	1	Data Breach
4063	SIM-swapping	critical	8.5	1	SIM-swapping
4064	VPN appliances	critical	8.5	1	Credential Theft
4065	inadequate data retention policies	critical	8.5	1	data breach
4066	Weak verification processes for new user accounts on online gambling platforms	critical	8.5	1	Fraud Scheme
4067	Third-party vendor vulnerabilities (historical reference: Target 2013 breach)	critical	8.5	1	Data Breach
4068	Unsecured storage of sensitive data	critical	8.5	1	Data Breach
4069	Improper use of private email account	critical	8.5	1	Data Breach
4070	Abuse of Microsoft’s Artifact Signing system	critical	8.5	1	Malware-Signing-as-a-Service (MSaaS) Disruption
4071	Weak or Compromised Employee Credentials	critical	8.5	1	Data Breach
4072	CVE-2025-41115 (Improper Mapping of SCIM 'externalId' to Internal 'user.uid')	critical	8.5	1	Vulnerability
4073	Juniper PTX router RCE flaw	critical	8.5	1	APT Activity
4074	Legacy email protections	critical	8.5	1	Phishing
4075	Disabled security tools, outdated cyber hygiene practices	critical	8.5	1	Cyber Intrusion
4076	Operational security lapse (SSH authentication key reuse across servers)	critical	8.5	1	phishing
4077	Test mode left enabled allowing OTP login via email keyword	critical	8.5	1	Autonomous AI-driven cyber attack
4078	Improper Input/Output Sanitization in AI Chatbot (XSS)	critical	8.5	1	Vulnerability Exploitation
4079	Unauthorized data transmission via third-party integrations	critical	8.5	1	Data Breach
4080	Employee Impersonation	critical	8.5	1	Data Breach
4081	Unspecified security flaw	critical	8.5	1	Data Leak
4082	Autofill Functionality Abuse	critical	8.5	1	Vulnerability Disclosure
4083	Accidental source code leak (Claude Code)	critical	8.5	1	Malware Distribution
4084	API scraping via automated harvesting of user profiles	critical	8.5	1	Data Breach
4085	Trust in enterprise software (Microsoft Teams), SaaS vulnerabilities	critical	8.5	1	Phishing/Social Engineering, Malware Deployment
4086	CVE-2026-40050 (Path-Traversal)	critical	8.5	1	Vulnerability Exploitation
4087	Supply chain compromise in CI/CD dependencies	critical	8.5	1	Supply Chain Attack
4088	CVE-2025-55177 (WhatsApp Zero-Click)	critical	8.5	1	Vulnerability Exploitation
4089	GitHub Account Security Weakness	critical	8.5	1	Data Breach
4090	Blockchain immutability (append-only ledger), Lack of takedown mechanisms for decentralized infrastructure	critical	8.5	1	Info-Stealer / Malware
4091	Lack of user awareness, 2FA bypass via fake prompts	critical	8.5	1	Phishing (AiTM - Adversary-in-the-Middle)
4092	CVE-2026-32635	critical	8.5	1	Cross-Site Scripting (XSS)
4093	Vulnerabilities in Google’s Salesforce environment	critical	8.5	1	Data Breach
4094	CVE-2025-3155	critical	8.5	1	Vulnerability Exploit
4095	CVE-pending (Overly Permissive Origin Allowlist, DOM-Based XSS in Arkose Labs CAPTCHA component)	critical	8.5	1	Zero-Click Vulnerability, Prompt-Injection Attack
4096	CVE-2026-32996	critical	8.5	1	Privilege Escalation
4097	Insufficient MFA	critical	8.5	1	Phishing
4098	CVE-2025-9368 (Resource Allocation Without Limits)	critical	8.5	1	Denial-of-Service
4099	CVE-2025-61882 (CVSS 9.8 - Remote Code Execution in BI Publisher Integration/Concurrent Processing)	critical	8.5	1	Vulnerability Exploitation
4100	Improper Access Control (Publicly Exposed Sensitive Data)	critical	8.5	1	Data Breach
4101	GitHub Actions pull_request_target trigger	critical	8.5	1	Supply Chain Attack
4102	Lack of Robust Encryption/Monitoring in Data Flows	critical	8.5	1	Data Breach
4103	MOVEit Transfer environment vulnerability	critical	8.5	1	Data Breach
4104	CVE-2025-43509, Plaintext Token Storage, Lack of Token Validation, Weak Keychain Access Controls	critical	8.5	1	Data Breach, Privilege Escalation, Denial-of-Service (DoS)
4105	Weakness in OAuth token security for Salesloft Drift integrations	critical	8.5	1	Data Breach
4106	Publicly Accessible Firebase Storage Bucket	critical	8.5	1	Data Breach
4107	active former employee credentials	critical	8.5	1	data breach
4108	Legacy encryption	critical	8.5	1	Data Breach/Vulnerability Exposure
4109	Lack of password encryption	critical	8.5	1	Unauthorized Access
4110	Supply chain weakness in analytics data handling	critical	8.5	1	Data Breach
4111	Unsecured Amazon S3 bucket with backend bug allowing unauthorized access to file directory	critical	8.5	1	Data Exposure
4112	CVE-2026-1236	critical	8.5	1	Cross-Site Scripting (XSS)
4113	legitimate credentials misuse	critical	8.5	1	phishing
4114	CVE-2014-0160 (Heartbleed - Out-of-Bounds Read in OpenSSL)	critical	8.5	1	Memory Corruption
4115	Inadequate employee training on cybersecurity risks	critical	8.5	1	Data Breach
4116	Semantic Drift in Multimodal AI	critical	8.5	1	Prompt Extraction
4117	MongoDB database vulnerability	critical	8.5	1	Data Breach
4118	CVE-2026-1234	critical	8.5	1	Cross-Site Scripting (XSS)
4119	MOVEit file transfer tool	critical	8.5	1	Data Breach
4120	CVE-2026-27022 (Query Injection)	critical	8.5	1	Remote Code Execution (RCE)
4121	Insufficient sanitization in the `serialize` function (CVE-2026-0969)	critical	8.5	1	Remote Code Execution (RCE)
4122	Temporary unsecured storage of user data and PGP keys	critical	8.5	1	Data Breach
4123	Oracle EBS zero-day flaw	critical	8.5	1	Data Breach
4124	CVE-2025-XXXX (WebKit Zero-Day 1)	critical	8.5	1	Zero-Day Exploit
4125	Unverified Assessment Domains	critical	8.5	1	APT (Advanced Persistent Threat)
4126	Discord's API	critical	8.5	1	Phishing
4127	Opportunistic scanning for sensitive file extensions (e.g., `.openclaw`)	critical	8.5	1	Infostealer Attack
4128	nx npm Package Compromise	critical	8.5	1	Zero-day Exploitation
4129	Malicious code in online store	critical	8.5	1	Data Breach
4130	Endpoint Detection and Response (EDR) Services	critical	8.5	1	Ransomware Attack
4131	Weak multi-factor authentication (MFA) enforcement, password reuse, exposed network edge devices (e.g., Fortinet FortiGate-60E with open ports)	critical	8.5	1	Credential Stuffing
4132	outdated software (13 months without updates)	critical	8.5	1	data breach
4133	CVE-2026-7198 (CVSS 9.8)	critical	8.5	1	Vulnerability Exploitation
4134	Unauthorized access to Salesforce instance	critical	8.5	1	Data Breach
4135	Android Activity Layering	critical	8.5	1	Data Theft
4136	Lack of MFA resilience, Human susceptibility to social engineering	critical	8.5	1	Phishing/Social Engineering
4137	Abuse of Android’s Accessibility Service	critical	8.5	1	Malware (Remote Access Trojan - RAT)
4138	Zero-day flaw in Oracle E-Business Suite (EBS)	critical	8.5	1	Data Breach
4139	Plug-in on e-commerce platform	critical	8.5	1	Data Breach
4140	Lack of Timely Incident Reporting	critical	8.5	1	Data Breach
4141	Improper Database Security	critical	8.5	1	Data Leak
4142	Phone signal interception	critical	8.5	1	Surveillance
4143	CVE-2025-8088	critical	8.5	1	Zero-day exploitation, Phishing, Malware installation
4144	Debug flag (`setIsDebugMode(true)`) left active in production code	critical	8.5	1	Account Takeover
4145	Misuse of partner-managed repository credentials	critical	8.5	1	Data Breach
4146	Data Migration Error	critical	8.5	1	Data Breach
4147	Hard-coded encryption keys	critical	8.5	1	Data Breach
4148	Unauthenticated AI services	critical	8.5	1	LLMjacking
4149	CVE-2025-32711 (CVSS 9.3)	critical	8.5	1	AI Command Injection
4150	Unrestricted access to AWS buckets	critical	8.5	1	Data Exposure
4151	CVE-2026-42167	critical	8.5	1	SQL Injection
4152	Unknown (zero-day) vulnerability in Oracle E-Business Suite (EBS)	critical	8.5	1	Data Breach
4153	Social Engineering, Impersonation of Legitimate Services	critical	8.5	1	Phishing
4154	SureTriggers Vulnerability	critical	8.5	1	Vulnerability Exploitation
4155	Unpatched Security Gaps	critical	8.5	1	Security Oversight
4156	Lack of multi-factor authentication (MFA) on file-transfer services (ShareFile, OwnCloud, Nextcloud)	critical	8.5	1	Data Breach
4157	Lack of Robust Guardrails for Non-Text Modalities	critical	8.5	1	Prompt Extraction
4158	WebKit remote code execution (RCE)	critical	8.5	1	Exploit Kit
4159	Over-Permissioned OAuth Applications, Exposed Credentials, Weak Monitoring of Environment Variables	critical	8.5	1	OAuth Abuse, Credential Theft, Lateral Movement
4160	shared CDN resources	critical	8.5	1	ransomware
4161	Improper handling of IPv6 extension headers in Comodo Internet Security	critical	8.5	1	Zero-Day Vulnerability
4162	CVE-2026-23550 (CVSS 10.0)	critical	8.5	1	Privilege Escalation
4163	user trust in legitimate-looking emails/websites	critical	8.5	1	spear-phishing
4164	Insufficient Behavioral Monitoring for Authorized Users	critical	8.5	1	Data Breach
4165	CVE-2025-4632 (Improper Pathname Limitation Leading to Arbitrary File Write)	critical	8.5	1	Vulnerability Exploitation
4166	Internal Collaboration Tool	critical	8.5	1	Data Breach
4167	Sending sensitive data in unencrypted emails	critical	8.5	1	Data Breach
4168	Human error, limited cybersecurity resources	critical	8.5	1	Data Breach
4169	CVE-2026-48019 (CWE-93 - CRLF Injection)	critical	8.5	1	Vulnerability Exploitation
4170	CVE-2025-59367 (Authentication Bypass in DSL-series routers)	critical	8.5	1	Vulnerability
4171	Authentication bypass via insecure API	critical	8.5	1	Data Breach
4172	E-commerce Website	critical	8.5	1	Data Breach
4173	CVE-2026-25903	critical	8.5	1	Authorization Bypass
4174	System update flaw (October 2023)	critical	8.5	1	Data Exposure
4175	Inadequate safeguards for 'Image ID' verification systems	critical	8.5	1	Data Breach
4176	CVE-2025-61984 (Inadequate filtering of control characters in usernames for ProxyCommand in OpenSSH)	critical	8.5	1	Vulnerability
4177	Insufficient Monitoring	critical	8.5	1	Data Breach
4178	abuse of LaunchAgents for persistence	critical	8.5	1	malware
4179	CVE-2025-0033 (Race Condition in AMD SEV-SNP RMP Initialization)	critical	8.5	1	Vulnerability
4180	Social engineering (verification code sharing)	critical	8.5	1	Phishing, Account Takeover
4181	CVE-2024-34102 (CosmicSting)	critical	8.5	1	Vulnerability Exploitation
4182	Unknown system flaws in retail/luxury brand infrastructure	critical	8.5	1	Data Breach
4183	Improper permission handling in Windows Error Reporting Service (wersvc.dll)	critical	8.5	1	Privilege Escalation
4184	Incorrect authorization (Lovable, CVE-2025-48757)	critical	8.5	1	Arbitrary Code Execution
4185	CVE-2026-33829	critical	8.5	1	Information Disclosure
4186	Node.js workflows	critical	8.5	1	Supply Chain Attack
4187	Misconfigured integrations, exposed credentials, authentication tokens	critical	8.5	1	Data Breach, Extortion
4188	Progress Software	critical	8.5	1	Data Breach
4189	Microsoft Windows Vulnerabilities	critical	8.5	1	Vulnerability Exploitation
4190	Application misconfiguration	critical	8.5	1	Data Breach
4191	Unsecured VPN	critical	8.5	1	Data Breach
4192	Inadequate governance for AI systems	critical	8.5	1	Cybersecurity Risk Assessment
4193	Download of malicious apps	critical	8.5	1	Malware
4194	CVE-2025-59448 (Session Token Lifetimes)	critical	8.5	1	Denial-of-Service
4195	Hardcoded API Keys in Public Repositories and Websites	critical	8.5	1	Data Exposure
4196	WooCommerce website vulnerabilities, third-party script injection	critical	8.5	1	Magecart (Digital Skimming)
4197	Lack of encryption/authentication in SunSpec Modbus	critical	8.5	1	Firmware-level attack
4198	Outdated TEE image reuse	critical	8.5	1	Zero-day vulnerability
4199	CVE-2026-25592	critical	8.5	1	Remote Code Execution (RCE)
4200	Vulnerable pull request target pattern in GitHub Actions, malicious optionalDependencies in package.json, prepare lifecycle hook execution	critical	8.5	1	Supply Chain Attack
4201	CVE-2025-31334	critical	8.5	1	Vulnerability Exploitation
4202	Excessive account permissions	critical	8.5	1	Data Breach
4203	CVE-2026-21514 (CWE-807 - Improper security decision-making based on untrusted inputs)	critical	8.5	1	Zero-Day Vulnerability Exploitation
4204	Customer inadvertent disclosure of credentials	critical	8.5	1	Data Breach
4205	Unsecured email API endpoints with improper input validation	critical	8.5	1	Phishing, Data Theft, Persistent Access
4206	lack of encryption for stored data	critical	8.5	1	data breach
4207	Lack of organizational safeguards for AI chatbot usage	critical	8.5	1	Data Breach
4208	CVE-2025-68664	critical	8.5	1	Data Exfiltration
4209	Microsoft Entra SSO Code	critical	8.5	1	Data Breach
4210	Flaw in online portal allowing unauthorized access to personal annual benefit statements (ABS)	critical	8.5	1	Data Breach
4211	Design bug in the FOIA request search feature	critical	8.5	1	Data Exposure
4212	Inadequate AI governance and security oversight	critical	8.5	1	Data Breach
4213	Improper packaging oversight	critical	8.5	1	Source Code Leak
4214	Sleeping Beauty	critical	8.5	1	Vulnerability Exploitation
4215	Progress Software MOVEit file transfer application vulnerability	critical	8.5	1	Data Breach
4216	CVE-2026-0709 (Insufficient Input Validation)	critical	8.5	1	Command Execution Vulnerability
4217	Security misconfiguration in a non-production environment	critical	8.5	1	Data Leakage
4218	Improperly configured Amazon S3 bucket	critical	8.5	1	Data Exposure
4219	misconfigured third-party integrations	critical	8.5	1	ransomware
4220	Hardcoded AES Encryption Key	critical	8.5	1	Vulnerability Exploitation
4221	Zero-Click Prompt Injection in ChatGPT's Deep Research Tool	critical	8.5	1	Data Breach
4222	Cloud Infrastructure Security	critical	8.5	1	Cyberattack
4223	CVE-2025-49870 (Unauthenticated SQL Injection in PayPal IPN handling)	critical	8.5	1	Vulnerability
4224	Data Corruption	critical	8.5	1	Data Leak
4225	CVE-2026-3298	critical	8.5	1	Memory Corruption
4226	CVE-2025-48927	critical	8.5	1	Vulnerability Exploitation
4227	Compromised remote access credentials from third-party service providers	critical	8.5	1	Data Breach
4228	Progress Software's MOVEit Transfer application	critical	8.5	1	Data Breach
4229	identity weaknesses	critical	8.5	1	credential compromise
4230	Lack of multi-factor authentication (MFA), Basic security lapses (MMH)	critical	8.5	1	Data Breach
4231	GitHub Actions OIDC tokens, trusted publishing subversion	critical	8.5	1	Supply Chain Attack
4232	NULL Pointer Dereference	critical	8.5	1	Privilege Escalation
4233	Third-party mail service provider	critical	8.5	1	Business Email Compromise (BEC)
4234	Lack of Multi-Factor Authentication (MFA) for Call-In Access	critical	8.5	1	Cyberattack
4235	Poor security practices for remote logins	critical	8.5	1	Data Breach
4236	Backup Database Access	critical	8.5	1	Data Breach
4237	Human Error (Employee fell for phishing scam)	critical	8.5	1	Data Breach
4238	Inconsistent security measures	critical	8.5	1	Phishing
4239	Access Control Mechanisms	critical	8.5	1	Data Breach
4240	resource constraints	critical	8.5	1	data breach
4241	Unauthorized data transmission via third-party trackers	critical	8.5	1	Data Breach
4242	CVE-2025-43529	critical	8.5	1	Exploit Kit
4243	CVE-2026-3102	critical	8.5	1	Vulnerability Exploitation
4244	CVE-Pending (CamoLeak: Copilot Chat's parsing of invisible markdown + Camo image-proxy exfiltration)	critical	8.5	1	Data Exfiltration
4245	CVE-2025-8099	critical	8.5	1	Vulnerability Exploitation
4246	CWE-287: Improper Authentication (Authentication Bypass)	critical	8.5	1	Data Breach
4247	Weak third-party credential management	critical	8.5	1	Data Breach
4248	CVE-2026-40361 (Use-after-free bug in Outlook’s email rendering engine)	critical	8.5	1	Zero-Click Remote Code Execution (RCE)
4249	Insufficient access controls, disabled security measures	critical	8.5	1	Data Breach, Election Security Tampering
4250	Lack of access controls, default admin permissions, unmanaged AI-driven applications	critical	8.5	1	Data Exposure
4251	Excessive OAuth permissions (Mail.Read, offline_access, profile/openid)	critical	8.5	1	OAuth Abuse
4252	Inadequate Third-Party Vetting	critical	8.5	1	Data Breach
4253	Social engineering (fake software downloads)	critical	8.5	1	Infostealer Campaign
4254	CBC encryption padding oracle	critical	8.5	1	Data Breach
4255	Access Control Weakness	critical	8.5	1	Data Exposure
4256	Illicit tactics to bypass digital rights management (DRM)	critical	8.5	1	Data Breach
4257	CVE-2024-28989	critical	8.5	1	Vulnerability Exploit
4258	CWE-798: Use of Hard-coded Credentials	critical	8.5	1	Data Breach
4259	Incremental features and customizations accumulating risk, lack of proper access controls	critical	8.5	1	Misconfiguration
4260	TrueConf Client Flaw	critical	8.5	1	Vulnerability Exploitation
4261	App cloning, Reverse engineering, Bypassing App Store security (iOS), JavaScript bundle interception, RSA-encrypted payload exfiltration	critical	8.5	1	Backdoor Attack, Cryptocurrency Wallet Hack
4262	Misunderstandings over Data Ownership	critical	8.5	1	Insider Threat
4263	CVE-2026-29191	critical	8.5	1	Cross-Site Scripting (XSS)
4264	COM-elevation technique	critical	8.5	1	Malware (RAT)
4265	Persistent refresh_token in OpenAI Codex authentication	critical	8.5	1	Supply Chain Attack
4266	misconfigured cloud environments	critical	8.5	1	ransomware
4267	Unsecured admin panel, IDOR vulnerability	critical	8.5	1	Data Exposure
4268	CVE-2026-1340	critical	8.5	1	Vulnerability Exploitation
4269	Default Network Access Settings (Pro/Max accounts)	critical	8.5	1	Data Exfiltration
4270	Unauthorized access to internal systems	critical	8.5	1	Data Breach, Extortion
4271	Unsecured third-party server	critical	8.5	1	Data Breach
4272	Gemini Search Personalization Model (Prompt Injection via Browsing History)	critical	8.5	1	Vulnerability Exploitation
4273	Shopping cart portions of the company's websites	critical	8.5	1	Data Breach
4274	Failure to Follow Standard Operating Procedures	critical	8.5	1	Data Breach
4275	Ability to self-apply for admin privileges on the FIA Driver Categorisation portal	critical	8.5	1	data breach
4276	Deceptive chats impersonating Signal Support chatbot	critical	8.5	1	Cyber Espionage
4277	CVE-2025-8424	critical	8.5	1	Vulnerability Exploitation
4278	Failure to follow internal procedures and licensing obligations	critical	8.5	1	SIM Swap Attack
4279	Insufficient VPN authentication, ineffective abnormal behavior detection	critical	8.5	1	Data Breach
4280	Insufficient network monitoring for suspicious activity	critical	8.5	1	Data Breach
4281	Social Engineering (Employee Compromise)	critical	8.5	1	Data Breach
4282	Web vulnerabilities in Subaru's Starlink service	critical	8.5	1	Web Vulnerabilities
4283	SQL Injection vulnerability in MOVEit Transfer	critical	8.5	1	Ransomware
4284	MOVEit® Secure File Transfer software	critical	8.5	1	Data Breach
4285	CVE-2026-1602	critical	8.5	1	Authentication Bypass
4286	Improper handling of inter-app data access in EngageLab SDK	critical	8.5	1	Vulnerability Exploitation
4287	CVE-2021-47961	critical	8.5	1	Vulnerability Exploitation
4288	Vulnerability in e-commerce portal	critical	8.5	1	Data Breach
4289	improper access controls / misconfigured storage	critical	8.5	1	data exposure
4290	Inadequate protection of sensitive consumer data	critical	8.5	1	Data Breach
4291	Outdated Security Protocols (vendor)	critical	8.5	1	Data Breach
4292	Third-Party Platform Security (Salesforce)	critical	8.5	1	Data Breach
4293	Employee Access	critical	8.5	1	Data Breach
4294	CVE-2026-27913 (Improper Input Validation - CWE-20)	critical	8.5	1	Vulnerability Exploitation
4295	Third-party tracking and data sharing	critical	8.5	1	Data Breach
4296	Unprotected checkout endpoint in Funnel Builder WordPress plugin (versions prior to 3.15.0.3)	critical	8.5	1	Payment Card Skimming
4297	Unauthorized Access to Customer Account Information	critical	8.5	1	Data Exposure
4298	Lack of Robust Security Controls on Third-Party Platforms	critical	8.5	1	Data Breach
4299	Misconfigured Salesforce Experience Cloud guest user access controls	critical	8.5	1	Data Breach
4300	Oracle E-Business Suite (versions 12.2.3 to 12.2.14)	critical	8.5	1	Data Breach
4301	eCompli application vulnerability	critical	8.5	1	Data Breach
4302	Morris Worm (1988 - Buffer Overflow in `fingerd`/`sendmail`)	critical	8.5	1	Memory Corruption
4303	eForms System Vulnerability	critical	8.5	1	Data Breach
4304	misconfigured data visualization tool	critical	8.5	1	data exposure
4305	Weak or default SSH credentials	critical	8.5	1	Botnet
4306	Legacy accounts	critical	8.5	1	Phishing
4307	Fingerprinting	critical	8.5	1	Phishing
4308	Vulnerability identified and patched	critical	8.5	1	Data Breach
4309	Misconfigured Redis Services	critical	8.5	1	Botnet Infection
4310	Vulnerability in Accellion FTA system	critical	8.5	1	Data Breach
4311	Human Manipulation (Social Engineering)	critical	8.5	1	Phishing (Vishing)
4312	Points of Sale	critical	8.0	1	Data Breach
4313	Improper Data Redaction	critical	8.0	1	Data Breach
4314	Radio Communications Disruption	critical	8.0	1	Vulnerability Exploitation
4315	Misconfigured Server	critical	8.0	1	Data Breach
4316	Database Access	critical	8.0	1	Data Breach
4317	Impersonation of law enforcement officials	critical	8.0	1	Data Leak
4318	Human Resources Information Access	critical	8.0	1	Data Breach
4319	CWE Exposure of Resource to Wrong Sphere	critical	8.0	1	Vulnerability
4320	Third-party Vendor Access	critical	8.0	1	Data Breach
4321	Misconfiguration in computer system	critical	8.0	1	Data Breach
4322	Accellion file-sharing system	critical	8.0	1	Data Breach
4323	Employee Sharing Sensitive Information	critical	8.0	1	Data Breach
4324	Lack of security safeguards in the contract	critical	8.0	1	Data Breach
4325	Various vulnerabilities scanned by the Angler exploit kit	critical	8.0	1	Malvertising
4326	Sequential User ID Bug	critical	8.0	1	Data Breach
4327	Physical Loss of Device	critical	8.0	1	Data Breach
4328	System Bug	critical	8.0	1	Data Disclosure
4329	Accellion’s FTA	critical	8.0	1	Data Breach
4330	Application Vulnerability	critical	8.0	1	Data Breach
4331	Insufficient security protections in cloud-based storage container	critical	8.0	1	Data Breach
4332	Unauthorized Access by Insider	critical	8.0	1	Data Breach
4333	Compromised Administrative Staff Account	critical	8.0	1	Data Breach
4334	Authentication process for My Account login details	critical	8.0	1	Data Breach
4335	Software Update	critical	8.0	1	Data Breach
4336	Keyboard Software Bug	critical	8.0	1	Software Vulnerability
4337	RCE vulnerability in Dynamicweb software	critical	8.0	1	Remote Code Execution (RCE)
4338	Security flaw in the patient portal	critical	8.0	1	Data Breach
4339	Misconfigured GitHub repository	critical	8.0	1	Data Leak
4340	Unsecured Data Storage Device	critical	8.0	1	Data Breach
4341	outdated software, overworked staff, limited holiday response times	high	7.5	1	phishing
4342	CVE-2025-61884 (potential, not yet confirmed as exploited)	high	7.5	1	ransomware
4343	POS Systems	high	7.5	1	Data Breach
4344	Payment system vulnerability	high	7.5	1	Data Breach
4345	IT System Glitch	high	7.5	1	Data Breach
4346	Internet-accessible flaws	high	7.5	1	Ransomware
4347	CVE-2023-34362 (MOVEit)	high	7.5	1	ransomware
4348	Compromised Update Server	high	7.5	1	Malware Distribution
4349	Firewall Vulnerability	high	7.5	1	Ransomware Attack
4350	Improper handling of sensitive information	high	7.5	1	Data Breach
4351	Lack of multi-factor authentication (MFA) on domain accounts	high	7.5	1	Ransomware Attempt
4352	Obfuscated Code in Extensions	high	7.5	1	Malicious Software
4353	Fragmented security tools, insufficient email security coverage	high	7.5	1	Ransomware
4354	CVE-2025-61884	high	7.5	1	Cyberattack
4355	Stack space exhaustion in user code with async_hooks enabled	high	7.5	1	Denial-of-Service (DoS)
4356	Employee login credentials	high	7.5	1	Ransomware Attack
4357	Oracle E-Business Suite Zero-Day (Unauthenticated, Low Complexity)	high	7.5	1	Cyberattack
4358	Zero-day vulnerability in third-party software (Oracle E-Business Suite)	high	7.5	1	Data Breach
4359	security systems vulnerability	high	7.5	1	data breach
4360	legacy perimeter firewall	high	7.5	1	Ransomware
4361	Review Process Bypass	high	7.5	1	Ransomware
4362	Vulnerabilities in global digital infrastructure	high	7.5	1	Ransomware
4363	Weak Password Policy	high	6.5	1	Hacking Incident
4364	Lack of robust security measures	high	6.0	1	Hacking
4365	Use of Non-Official Communication Channels	high	6.0	1	Phishing
4366	Browser-Stored Credentials	high	6.0	1	Credential Theft
4367	Generic Design of Legitimate Settlement Sites	high	6.0	1	Phishing
4368	Mandatory login gate on social media platform	high	6.0	1	Notification System Failure
4369	Misplaced Thumb Drive	high	6.0	1	Data Breach
4370	Unsecured Email Account	high	6.0	1	Data Breach
4371	Lack of Data Governance Policies	high	6.0	1	Data Leakage
4372	GoAnywhere MFT zero-day vulnerability	high	6.0	1	Data Breach
4373	Fault in the code of EOSBet's smart contracts	high	6.0	1	Cryptocurrency Theft
4374	Unsecured Endpoints	high	6.0	1	Data Security Incident
4375	Human Trust in Official-Looking Communications	high	6.0	1	Phishing
4376	Unknown Oracle E-Business System Vulnerability	high	6.0	1	Cyber Attack
4377	Default password ('1234') on wireless crosswalk buttons	high	6.0	1	Hacking
4378	Vulnerable Laravel version or misconfiguration	high	6.0	1	Data Exposure
4379	Improperly secured MongoDB database	high	6.0	1	Data Breach
4380	Weak Multi-Factor Authentication (MFA) on Twitter Employee Accounts	high	6.0	1	Account Takeover
4381	Lack of Access Controls (No Password Protection)	high	6.0	1	Data Breach (Unintentional Exposure)
4382	Human Vulnerability (Blackmail)	high	6.0	1	Extortion, Insider Threat, Retail Theft
4383	Lack of Email Gateway HTML Attachment Blocking	high	6.0	1	Phishing
4384	Folio/IIN Integration Flaws	high	6.0	1	Data Breach
4385	Vendor Misconfiguration	high	6.0	1	Data Breach
4386	Data mismatch error in system logic	high	6.0	1	Data Breach (Unauthorized Access/Disclosure)
4387	Student Access to Staff Devices	high	6.0	1	Insider Threat
4388	Potential SharePoint vulnerability (unconfirmed)	high	6.0	1	Cyberattack
4389	MIME type and filename extension mismatches	high	6.0	1	Vulnerability Exploit
4390	Compromised Employee Mailbox	high	6.0	1	Data Breach
4391	Insufficient network segmentation between office and operational systems	high	6.0	1	Cyber Intrusion
4392	Lack of proactive domain monitoring and registration of brand variations	high	6.0	1	Cybersquatting, Phishing, Malware Distribution, Fraud
4393	Location tracking vulnerabilities	high	6.0	1	Data Collection Incident
4394	Rapid Response to Urgent Requests from Seniors	high	6.0	1	Social Engineering
4395	Insufficient Monitoring of Third-Party Integrations	high	6.0	1	Unauthorized Access
4396	improper authentication	high	6.0	1	unauthorized access
4397	Delayed Detection of Coordinated Trading Patterns	high	6.0	1	Financial Fraud
4398	Browsealoud Plugin	high	6.0	1	Cryptojacking
4399	Inadequate Vetting Procedures	high	6.0	1	Data Exposure
4400	weak monitoring of east-west traffic	high	6.0	1	phishing
4401	insufficient security protections	high	6.0	1	cyber intrusion
4402	TOCTOU Vulnerability	high	6.0	1	Vulnerability Exploitation
4403	Lack of Automated Secrets Rotation	high	6.0	1	Credential Theft
4404	Human error (successful phishing attack)	high	6.0	1	Data Breach
4405	exploitation of job application platforms	high	6.0	1	social engineering
4406	Employee email account credentials	high	6.0	1	Data Breach
4407	Stolen Google Gemini API Keys	high	6.0	1	Fraud
4408	Bypass of Time-Limited MFA Windows	high	6.0	1	Financial Fraud
4409	Internal Employee Access	high	6.0	1	Data Breach
4410	lack of bulk email security measures	high	6.0	1	data breach
4411	multilingual social engineering gaps	high	6.0	1	phishing
4412	Microsoft OAuth 2.0 Device Authorization Flow	high	6.0	1	Credential Theft
4413	Apache HTTP server vulnerability	high	6.0	1	Cyber Espionage
4414	gaps in visibility	high	6.0	1	phishing
4415	Lack of Real-Time Verification for High-Risk Transactions	high	6.0	1	Social Engineering
4416	Social engineering, lack of verification for financial transactions	high	6.0	1	Fraud
4417	Error in resetting network settings	high	6.0	1	Data Breach
4418	Vulnerable version of Trust Wallet browser extension (v2.68)	high	6.0	1	Supply Chain Attack
4419	Neglected to fix vulnerabilities	high	6.0	1	Data Breach
4420	CVE-2025-33206 (CWE-78: Improper Neutralization of Special Elements in OS Commands)	high	6.0	1	Vulnerability
4421	Sitting Ducks (DNS misconfiguration)	high	6.0	1	Scam / Fraudulent Push Notifications
4422	Employee Self Service system	high	6.0	1	Data Breach
4423	Lack of vetting for third-party game demos (Valve/Steam)	high	6.0	1	Distributed Denial of Service (DDoS)
4424	Backend Update Bug	high	6.0	1	Bug/Exploit
4425	Click2Gov	high	6.0	1	Data Breach
4426	human trust/urgency bias	high	6.0	1	social engineering
4427	Payment Card Network	high	6.0	1	Data Breach
4428	Trust in official app marketplaces, deceptive email outreach	high	6.0	1	Phishing
4429	Payment .php file vulnerability	high	6.0	1	Data Breach
4430	Employee Portal Accounts	high	6.0	1	Data Breach
4431	Alert System Failure	high	6.0	1	Data Breach
4432	Developer oversight leading to token exposure in public repositories	high	6.0	1	credential compromise
4433	DeFi Vulnerabilities	high	6.0	1	Market Manipulation
4434	improper use of email fields (To/CC instead of BCC)	high	6.0	1	data breach
4435	Weak Password Hashing (MD5 without salt)	high	6.0	1	Data Breach
4436	Lack of Device Encryption/Tracking	high	6.0	1	Data Security Incident
4437	Unpatched flaw in a commercial MDM system	high	6.0	1	Data Breach
4438	Unauthorized access to WiFi management system	high	6.0	1	Cyber Attack
4439	Unspecified vulnerability in 2Keys MFA system (Interac-owned)	high	6.0	1	Data Breach
4440	Malware installation via phishing	high	6.0	1	Data Breach
4441	Payment card processing system	high	6.0	1	Data Breach
4442	Lack of Public Awareness	high	6.0	1	Phishing
4443	File Decompression in Kernel	high	6.0	1	Vulnerability Exploit
4444	Employee's Microsoft 365 Account	high	6.0	1	Data Breach
4445	Human (phishing)	high	6.0	1	Phishing
4446	Lack of Visibility in Rapid Development Cycles	high	6.0	1	DDoS Attack
4447	Publicly accessible Elasticsearch instance	high	6.0	1	Data Breach
4448	Absence of Document Automation/Redaction Tools	high	6.0	1	Data Leakage
4449	Outdated Technology Infrastructure	high	6.0	1	Data Leakage
4450	Third-party application vulnerability	high	6.0	1	Data Breach
4451	Human Error (Incorrect Address Usage)	high	6.0	1	Data Breach
4452	Fake pop-up window	high	6.0	1	Data Breach
4453	Weak Security Questions	high	6.0	1	Data Breach
4454	Hardcoded Credentials in Internal Portals	high	6.0	1	Data Breach
4455	Exploitation of GitHub's Discussions feature and perceived trustworthiness of security advisories	high	6.0	1	Phishing
4456	Static Filtering in SEGs	high	6.0	1	Operational Risk
4457	Open Elastic Search Instances	high	6.0	1	Data Exposure
4458	Third-Party Integration (Drift Email/Salesloft)	high	6.0	1	Data Breach
4459	Employee System Credentials	high	6.0	1	Data Breach
4460	Weak Password Policy (Password: 'Louvre', 'Thales')	high	6.0	1	Physical Theft
4461	Unpatched firmware and default credentials in IoT devices	high	6.0	1	DDoS-for-hire
4462	Weak Authentication in Mobile Wallet Onboarding	high	6.0	1	Financial Fraud
4463	Internal Access Controls	high	6.0	1	Data Breach
4464	Unauthorized access from outside of Europe	high	6.0	1	DDoS Attack
4465	Fortra's GoAnywhere MFT platform's zero-day vulnerability	high	6.0	1	Data Breach
4466	CVE-2025-53770 (SharePoint Server, 'ToolShell')	high	6.0	1	Data Breach
4467	Exposed Data on Website	high	6.0	1	Data Leak
4468	Human Error (Unauthorized Information Disclosure)	high	6.0	1	Data Breach
4469	CVE-2025-61882, Oracle E-Business Suite (EBS) security flaws	high	6.0	1	Data Breach
4470	Muted Fake Context Alignment	high	6.0	1	Indirect Prompt Injection (IPI) Attack
4471	Security weaknesses in NHS websites	high	6.0	1	Cyberattack
4472	Human Error/Employee Misconduct	high	6.0	1	Unauthorized Access and Data Breach
4473	Installation management process in Mobile VPN with IPSec client for Windows	high	6.0	1	Privilege Escalation
4474	Failure to Protect Sensitive Location Data	high	6.0	1	Physical Security Breach
4475	Insufficient oversight of contractor personnel with privileged access	high	6.0	1	Insider Threat
4476	Human trust in fake USPS parcel delivery messages	high	6.0	1	Smishing Campaign
4477	Drift’s OAuth integration flow vulnerability	high	6.0	1	Data Breach
4478	Unauthorized access to Microsoft 365 account	high	6.0	1	Data Breach
4479	Weak Third-Party Compliance Standards	high	6.0	1	Data Leakage
4480	Physical Sensor Feeds	high	6.0	1	Market Manipulation
4481	Employee Malpractice	high	6.0	1	Data Breach
4482	Employee Credentials and Laptop	high	6.0	1	Data Breach
4483	CVE-2025-53770 (Microsoft SharePoint, CVSS 9.8)	high	6.0	1	Data Breach
4484	API security flaw in Kiln’s infrastructure (used for Solana staking operations)	high	6.0	1	cyberattack
4485	Phishing/Email Compromise	high	6.0	1	Cyber Attack
4486	Weak authentication mechanism (Phone Number/PIN model)	high	6.0	1	Unauthorized Access
4487	Suspicious WordPress plugin	high	6.0	1	Cyberattack
4488	Human Trust in Branded Communications	high	6.0	1	Phishing
4489	Realtek chips	high	6.0	1	DDoS Attack
4490	Human Error (Fatigue/Jetlag)	high	6.0	1	Phishing
4491	Retired Internet Application	high	6.0	1	Data Breach
4492	psychological manipulation (e.g., fear of missing out on high returns)	high	6.0	1	fraud
4493	Website Payment Page	high	6.0	1	Data Breach
4494	Email Account and Tax Preparation Software	high	6.0	1	Data Breach
4495	human trust in FIFA branding	high	6.0	1	phishing
4496	Human factor (phishing)	high	6.0	1	Phishing
4497	Social engineering, user trust exploitation	high	6.0	1	Malware Campaign
4498	Weak DDoS mitigation (gaming platforms)	high	6.0	1	Distributed Denial of Service (DDoS)
4499	Stolen Laptop	high	6.0	1	Data Breach
4500	Sabre Hospitality Solutions' system	high	6.0	1	Data Breach
4501	MOVEit zero-day vulnerability	high	6.0	1	Data Breach
4502	Human Error / Lack of Authentication Protocols	high	6.0	1	Data Breach
4503	Unencrypted USB Flash Drive	high	6.0	1	Data Breach
4504	human trust in authoritative messages (e.g., toll agencies)	high	6.0	1	phishing
4505	E-Verify's inability to verify the authenticity of presented documents	high	6.0	1	Identity Theft
4506	Improper data management practices	high	6.0	1	Data Leak
4507	Human Trust in Authority Figures	high	6.0	1	Social Engineering
4508	Internal Employee Privileges	high	6.0	1	Data Breach
4509	Insider Tool Abuse	high	6.0	1	Account Takeover
4510	Online Store Vulnerability	high	6.0	1	Data Breach
4511	Improper access to email account	high	6.0	1	Data Breach
4512	Exposure of Install Action Tokens	high	6.0	1	Data Breach
4513	Player trust in unofficial marketplaces	high	6.0	1	Distributed Denial of Service (DDoS)
4514	Unspecified vulnerability	high	6.0	1	Cyber Attack
4515	Abuse of Google Tag Manager (GTM)	high	6.0	1	Credit Card Skimming
4516	Unsecured Active Directory	high	6.0	1	Data Breach
4517	CitrixBleed	high	6.0	1	Data Breach
4518	trust in automated AI-driven code analysis	high	6.0	1	supply chain attack
4519	Weak credential security (IT vendor account compromise)	high	6.0	1	unauthorized access
4520	Accès non autorisé aux données clients	high	6.0	1	Cyberattaque
4521	CVE-2025-59789 (Uncontrolled Recursion / Stack Overflow in json2pb component)	high	6.0	1	Denial-of-Service (DoS)
4522	Bypass of macOS Gatekeeper via direct Terminal input	high	6.0	1	Social Engineering, Malware
4523	System-generated error	high	6.0	1	Data Breach
4524	lack of package registry enforcement	high	6.0	1	supply chain attack
4525	Misconfigured Docker Daemon (Exposed to Internet)	high	6.0	1	DDoS Attack
4526	human error (lack of training)	high	6.0	1	phishing
4527	Package look-up capabilities	high	6.0	1	Data Breach
4528	Human error (opening malicious attachment)	high	6.0	1	Phishing
4529	holiday distraction	high	6.0	1	phishing
4530	Misconfigured database backup access	high	6.0	1	Data Breach
4531	unsecured QR code access	high	6.0	1	fraud
4532	AI Agent Memory Access	high	6.0	1	Prompt Injection
4533	Inadequate credential monitoring and reliance on unmanaged devices for SaaS access	high	6.0	1	Credential Theft
4534	Cloud Storage System	high	6.0	1	Data Breach
4535	Website platform configuration error (password-protected documents made publicly accessible via search)	high	6.0	1	data breach
4536	NEXTEP self-service kiosks	high	6.0	1	Data Breach
4537	Abuse of trusted cloud services (Firebase, Google Translate)	high	6.0	1	Phishing
4538	Suspicious code on online payment portal	high	6.0	1	Data Breach
4539	Human error leading to unauthorized access	high	6.0	1	Phishing
4540	Psychological manipulation (urgency, authority impersonation)	high	6.0	1	Phishing (AI-enhanced)
4541	Obfuscated Fake Context Alignment	high	6.0	1	Indirect Prompt Injection (IPI) Attack
4542	Unsecured Deleted Cloud Storage Buckets	high	6.0	1	Data Breach
4543	Computer Infection	high	6.0	1	Financial Theft
4544	Three additional undisclosed vulnerabilities (details not specified)	high	6.0	1	Spoofing
4545	low cybersecurity awareness	high	6.0	1	phishing
4546	Weak password encryption (unsalted MD5 and SHA-1)	high	6.0	1	Data Breach
4547	CVE-2025-32432 (Craft CMS)	high	6.0	1	cyberattack
4548	Weak Cloud Security (Nintendo)	high	6.0	1	DDoS Attack
4549	Weak or compromised email account security	high	6.0	1	Data Breach
4550	Inadequate User Consent Mechanisms	high	6.0	1	Data Breach
4551	Unrelated software bugs in vendor’s trading software	high	6.0	1	Hacking, Software Bug
4552	Citrix Remote Desktop Software Vulnerability	high	6.0	1	Unauthorized Access
4553	ADT Pulse Software Vulnerabilities	high	6.0	1	Unauthorized Access
4554	CVE-2025-24061	high	6.0	1	Vulnerability Disclosure
4555	Family Member Trust Exploitation	high	6.0	1	Fraud
4556	Lack of user awareness, trust in government services, and reusable phishing infrastructure	high	6.0	1	Phishing
4557	security risk analysis violations	high	6.0	1	regulatory_enforcement
4558	Weak Login Verification	high	6.0	1	Data Breach
4559	Dangerous React Patterns (dangerouslySetInnerHTML near iframes)	high	6.0	1	Data Breach
4560	Credential Stuffing	high	6.0	1	Authentication Security Improvement
4561	Lax controls	high	6.0	1	Insider Threat
4562	AI-generated content	high	6.0	1	Phishing
4563	CSP frame-src Bypass (Compromised Allowed Domains)	high	6.0	1	Data Breach
4564	Default/Lack of Credentials	high	6.0	1	DDoS Attack
4565	Compromised official Belgian Grand Prix email account	high	6.0	1	Multi-vector attack
4566	Security Misconfiguration	high	6.0	1	Data Leak
4567	Lack of end-to-end encryption in standard email protocols, Absence of proper email authentication mechanisms	high	6.0	1	Business Email Compromise (BEC)
4568	Unsecured Remote Work Environments	high	6.0	1	Human Error
4569	AI-related blind spots	high	6.0	1	Data Breach
4570	user typographical errors	high	6.0	1	phishing
4571	Compromised email account credentials	high	6.0	1	Phishing
4572	Web-based payroll program	high	6.0	1	Data Breach
4573	Security vulnerabilities in IP cameras	high	6.0	1	DDoS Attack
4574	Weakness in GPS Navigation System Authentication/Encryption	high	6.0	1	GPS Spoofing / Maritime Cyber Incident
4575	Improper Client Segregation	high	6.0	1	Data Breach
4576	Over-reliance on email/text-based communication without secondary validation	high	6.0	1	Phishing (AI-enhanced)
4577	Lack of insider threat detection and prevention measures	high	6.0	1	Insider Threat
4578	Improper Data Handling / Public-Facing Website Misconfiguration	high	6.0	1	Data Breach
4579	Inadequate Remote Work Policies	high	6.0	1	Data Leak
4580	No Device Encryption	high	6.0	1	Data Breach Risk
4581	CVE-2026-21525 (NULL pointer dereference, CWE-476)	high	6.0	1	Zero-Day Vulnerability
4582	Lack of U2F/Physical Security Key Enforcement	high	6.0	1	Financial Fraud
4583	Software Update Issue	high	6.0	1	Data Breach
4584	Unauthorized Change to Website	high	6.0	1	Data Breach
4585	Permission Misconfiguration	high	6.0	1	Data Exposure
4586	Programming Update Error	high	6.0	1	Data Breach
4587	Insufficiently Secure Settings	high	6.0	1	Data Breach
4588	Unauthorized Access due to Program Glitch	high	6.0	1	Data Breach
4589	Data Privacy Policy	high	6.0	1	Data Disclosure
4590	Unsecured Zoom Classroom	high	6.0	1	Cyber Attack
4591	Default Weak Passwords	high	6.0	1	Unauthorized Access
4592	Brokerage Platforms Allowing MFA via Text/Call	high	6.0	1	Financial Fraud
4593	Same-Origin Policy Gaps (postMessage Wildcards, CORS Misconfigurations)	high	6.0	1	Data Breach
4594	publicly available personal data (for voice cloning)	high	6.0	1	phishing
4595	Employee Mailboxes	high	6.0	1	Data Breach
4596	Password Reset Token Leak	high	6.0	1	Account Hijacking
4597	Hardcoded Secrets in Code Repositories	high	6.0	1	Credential Theft
4598	Use of Personal Device for Corporate Access	high	6.0	1	Data Breach
4599	Security flaw in Progress' MOVEit data transfer programme	high	6.0	1	Data Breach
4600	Weak Internal Controls (Prior Embezzlement)	high	6.0	1	Fraud
4601	Decentralized Voting/Oracle Mechanisms	high	6.0	1	Market Manipulation
4602	Weak Password/Credential Management	high	6.0	1	Data Breach
4603	Poor Employee Training	high	6.0	1	Data Leak
4604	Outdated Website	high	6.0	1	Data Breach
4605	CVE-2025-2848	high	6.0	1	Vulnerability Exploitation
4606	alleged exploitation of parking permit system to gain unauthorized access	high	6.0	1	phishing
4607	System Vulnerability	high	6.0	1	Data Breach
4608	Weak Administrator Password	high	6.0	1	Data Breach
4609	Stolen authentication cookie	high	6.0	1	Cyber Espionage
4610	Human Trust in Email Communication	high	6.0	1	Phishing
4611	Internal SharePoint Site	high	6.0	1	Data Breach
4612	Absence of Passkey Support	high	6.0	1	Phishing
4613	Employee Misconfiguration	high	6.0	1	Data Breach
4614	Automated Attack	high	6.0	1	Security Breach
4615	Human (Social Engineering)	high	6.0	1	Phishing
4616	Trust in unsolicited communications	high	6.0	1	Scam
4617	Exposure of Customer Data	high	6.0	1	Data Exposure
4618	Four zero-day vulnerabilities in IBM Data Risk Manager	high	6.0	1	Zero-Day Exploit
4619	Weak passwords (e.g., 'LOUVRE', 'THALES')	high	6.0	1	Security Audit Findings
4620	Insufficient Access Controls for High-Risk Secrets	high	6.0	1	Credential Theft
4621	Loss of Physical Hard Drives	high	6.0	1	Data Breach
4622	inadequate contractor monitoring	high	6.0	1	insider threat
4623	Lack of Security Clearance Enforcement	high	6.0	1	Data Exposure
4624	Loneliness	high	6.0	1	Scam
4625	Paycor's MOVEit Transfer software	high	6.0	1	Data Breach
4626	Unsecured Physical Device (Password-protected laptop)	high	6.0	1	Data Breach (Physical Theft)
4627	CVE-2025-12779	high	6.0	1	Vulnerability
4628	Unauthorized Disclosure of Surveillance Footage	high	6.0	1	Physical Security Breach
4629	unrestricted access to student email accounts	high	6.0	1	election fraud
4630	DVRs/NVRs	high	6.0	1	DDoS Attack
4631	Lack of Regulatory Oversight in Cryptocurrency Operations	high	6.0	1	Cybercrime Network Dismantling
4632	Human factor - employees providing login credentials	high	6.0	1	Data Breach
4633	lack of real-time maritime tracking safeguards	high	6.0	1	physical cyber convergence
4634	Unguarded Physical Access Points	high	6.0	1	Physical Theft
4635	URL Parameter Manipulation (collection)	high	6.0	1	Prompt Injection
4636	Basic Security Vulnerability	high	6.0	1	Data Breach
4637	Inadequate Coordination of Security Escort	high	6.0	1	Physical Security Breach
4638	Misconfiguration of AWS Application Load Balancer Authentication	high	6.0	1	Misconfiguration
4639	insufficient monitoring of collaboration platforms	high	6.0	1	data breach
4640	Fortra GoAnywhere secure file transfer platform	high	6.0	1	Data Breach
4641	Compromised e-mail account	high	6.0	1	Data Breach
4642	Configuration Mistake	high	6.0	1	Data Leak
4643	Phishing/Malware	high	6.0	1	Data Breach
4644	privileged access controls	high	6.0	1	insider threat
4645	Administrative Error	high	6.0	1	Data Breach
4646	Microsoft Exchange email servers	high	6.0	1	Data Breach
4647	Improper storage of personal information	high	6.0	1	Data Breach
4648	unauthorized data access/exfiltration by terminated employee	high	6.0	1	data breach
4649	End-of-life (EOL) software (Apache/2.4.52, Apache/2.4.6 with OpenSSL/1.0.2k-fips, etc.)	high	6.0	1	Phishing
4650	Non-secure data storage location	high	6.0	1	Data Breach
4651	DNS misconfiguration (abandoned domains with improper nameserver delegation)	high	6.0	1	DNS Misconfiguration Exploitation
4652	Compromised Office 365 Account	high	6.0	1	Data Breach
4653	Over-reliance on Limited Public Nodes (Centralization Risk)	high	6.0	1	Blockchain Security Breach
4654	Lack of rate-limiting or size restrictions on contact list uploads, enabling mass verification of phone numbers associated with WhatsApp accounts.	high	6.0	1	Privacy Vulnerability
4655	Unencrypted Email	high	6.0	1	Data Breach
4656	Improper backup file storage	high	6.0	1	Data Breach
4657	Unmanaged Secrets in CI/CD Pipelines	high	6.0	1	Credential Theft
4658	Lack of Real-Time Email Authentication	high	6.0	1	Phishing
4659	Business Email Accounts	high	6.0	1	Data Breach
4660	Unspecified vulnerability in a development server	high	6.0	1	Data Breach
4661	Unauthorized access to Workday payroll accounts	high	6.0	1	Data Breach
4662	PCI DSS 4.0.1 Non-Compliance (Unmanaged Scripts on Payment Pages)	high	6.0	1	Data Breach
4663	Website Configuration Error	high	6.0	1	Data Breach
4664	Social Engineering (Trust Exploitation, Urgency Tactics)	high	6.0	1	Phishing
4665	Unvalidated PostMessage Origins	high	6.0	1	Data Breach
4666	Automated attack tools	high	6.0	1	DDoS
4667	Fortinet VPN vulnerability	high	6.0	1	Data Breach
4668	Payment gateway manipulation	high	6.0	1	Payment System Exploitation
4669	lack of multi-factor authentication (MFA) on crypto accounts	high	6.0	1	cyber theft
4670	Inadvertent transfer of control of the account to a malicious actor	high	6.0	1	Hacking
4671	Faiblesse dans les procédures de vérification d'identité	high	6.0	1	Cyberattaque
4672	Human Trust in Branded Communications / Lack of Multi-Channel Verification	high	6.0	1	Phishing / Social Engineering
4673	weak governance	high	6.0	1	phishing
4674	ARC processor flaws	high	6.0	1	DDoS Attack
4675	Lack of cybersecurity awareness	high	6.0	1	Scam
4676	CVE-2025-66168	high	6.0	1	Denial-of-Service (DoS)
4677	weaknesses in social media platform moderation	high	6.0	1	fraud
4678	Weak Data Access Controls	high	6.0	1	Data Exposure
4679	Outdated Antivirus/Anti-Malware Tools	high	6.0	1	Data Breach Risk
4680	Poor Data Protection Practices	high	6.0	1	Insider Threat
4681	shared/default credentials	high	6.0	1	election fraud
4682	Weak password hashing (SHA-256)	high	6.0	1	Data Breach
4683	Critical Infrastructure Vulnerabilities (e.g., Power Grid Exploitation)	high	6.0	1	Cybercrime Network Dismantling
4684	Compromised Email Credentials	high	6.0	1	Data Breach
4685	Human Error (Misplaced Trust in Email Communication)	high	6.0	1	Business Email Compromise (BEC)
4686	Fake Context Alignment	high	6.0	1	Indirect Prompt Injection (IPI) Attack
4687	Absence of Endpoint Monitoring	high	6.0	1	Data Breach Risk
4688	Potentially CVE-2025-53779 (Windows Kerberos)	high	6.0	1	Data Breach
4689	Lack of Physical Security Measures at ATM	high	6.0	1	Data Breach (Card Skimming)
4690	WhatsApp screen-sharing feature (misuse)	high	6.0	1	social engineering
4691	Weak WordPress Administrator Credentials	high	6.0	1	Fraud
4692	Unpatched external web servers (Nintendo)	high	6.0	1	Distributed Denial of Service (DDoS)
4693	Unpatched systems in video surveillance and access control	high	6.0	1	Security Audit Findings
4694	Human Error (IT Support Tricked)	high	6.0	1	Data Breach
4695	Exposed Private Data	high	6.0	1	Data Leak
4696	Email Privacy Misconfigurations	high	6.0	1	Data Breach
4697	Disconnected Security Tools	high	6.0	1	DDoS Attack
4698	misconfigured database	high	6.0	1	data exposure
4699	Insecure use of pull_request_target in GitHub Actions workflows	high	6.0	1	Supply Chain Attack
4700	Malicious activity in open-source code repository	high	6.0	1	Supply Chain Attack
4701	Authentication protocol vulnerabilities	high	6.0	1	Cyberattack
4702	Human error (email misdelivery)	high	6.0	1	Data Breach (Human Error / Misdelivery)
4703	Improper data storage	high	6.0	1	Data Breach
4704	Unpatched Public-Facing Servers	high	6.0	1	DDoS Attack
4705	Flaw in Ivanti Endpoint Manager Mobile (EPMM)	high	6.0	1	Data Breach
4706	Physical ATM Security	high	6.0	1	Data Breach
4707	Human (Email Compromise)	high	6.0	1	Data Breach
4708	Policy workarounds	high	6.0	1	Insider Threat
4709	Gaps in cybersecurity	high	6.0	1	Cyberattack (Hacking)
4710	Improper Access Controls on AWS EC2	high	6.0	1	DDoS Attack
4711	Zero-day exploit (2FA bypass)	high	6.0	1	AI-generated exploits
4712	Legacy IT systems and outdated infrastructure	high	6.0	1	Cybersecurity Awareness and Infrastructure Vulnerability
4713	poor email filtering	high	6.0	1	phishing
4714	Data server configuration error	high	6.0	1	Data Breach
4715	unprotected storage	high	6.0	1	data exposure
4716	Zero-Day Vulnerability in Fortran GoAnywhere MFT	high	6.0	1	Data Breach
4717	Public Visibility of Venmo Transactions and Contacts	high	6.0	1	Data Leak
4718	Routers from T-Mobile, Zyxel, D-Link, Linksys	high	6.0	1	DDoS Attack
4719	Coding techniques to enter the Naviance student site	high	6.0	1	Data Breach
4720	On-board ports containing vehicle data	high	6.0	1	Vehicle Theft
4721	Same password for multiple accounts	high	6.0	1	Cyber Attack
4722	Email Encryption	high	6.0	1	Data Breach
4723	Phishable OTP Tokens for Mobile Wallet Provisioning	high	6.0	1	Financial Fraud
4724	Business Continuity Dependencies	high	6.0	1	Third-Party Risk
4725	Email Access	high	6.0	1	Business Email Compromise
4726	Insecure IoT devices	high	6.0	1	DDoS
4727	Point-of-sale terminals	high	6.0	1	Data Breach
4728	Employee Mistake	high	6.0	1	Data Breach
4729	Exploitable Gaps in Contactless Payment Tokenization	high	6.0	1	Financial Fraud
4730	Server vulnerability of a former IT service provider	high	6.0	1	Data Breach
4731	Unsecured Personal Laptop	high	6.0	1	Data Breach
4732	Insecure Direct Object Reference (IDOR) in media access endpoints (/media/{ID})	high	6.0	1	Data Breach
4733	Unsecured Wi-Fi network	high	6.0	1	Malware
4734	Unencrypted device with sensitive data (despite password protection)	high	6.0	1	Data Breach (Physical Theft)
4735	Unauthorized access due to call center employee negligence	high	6.0	1	Data Breach
4736	CVE-2026-26127 (Out-of-bounds read, CWE-125)	high	6.0	1	Denial-of-Service (DoS)
4737	Unsecured Employee Roster	high	6.0	1	Data Breach
4738	weakness in AIS tampering detection	high	6.0	1	physical cyber convergence
4739	Unspecified software vulnerability in 2Keys MFA system	high	6.0	1	Data Breach
4740	Data Collection Practices	high	6.0	1	Data Privacy Issue
4741	misconfigured slot machine software	high	6.0	1	fraud
4742	Weak PIN reset security	high	6.0	1	Data Breach
4743	Reused/Weak Passwords (Phishing)	high	6.0	1	DDoS Attack
4744	Human Error (Improper Data Handling)	high	6.0	1	Data Breach (Accidental Disclosure)
4745	Human Trust in Known Contacts	high	6.0	1	Phishing
4746	Lack of authentication on Kubernetes console	high	6.0	1	Cloud Security Breach
4747	Unpatched/Outdated Systems (Windows Server 2003)	high	6.0	1	Physical Theft
4748	Compromise at a third party vendor's file servers	high	6.0	1	Data Breach
4749	Browser and plugin vulnerabilities	high	6.0	1	Malvertising
4750	Email Account Security	high	6.0	1	Email Hijacking
4751	Privacy Controls	high	6.0	1	Data Breach
4752	TotoLink router firmware update server	high	6.0	1	DDoS Attack
4753	Weak/Leaked Credentials	high	6.0	1	Data Breach
4754	lack of authentication for mobile device pairing	high	6.0	1	fraud
4755	Human vulnerability through social engineering	high	6.0	1	Social Engineering Attack
4756	NFC Protocol Abuse (Legitimate Traffic Relay)	high	6.0	1	Financial Fraud
4757	Unsupported OS (Windows 2000, XP, Server 2003)	high	6.0	1	Security Audit Findings
4758	Shadow IT	high	6.0	1	Security Control Bypass
4759	Employee Account	high	6.0	1	Data Breach
4760	Poor password hygiene (weak, reused, or easily guessable passwords)	high	6.0	1	data breach
4761	Potential compromise of routers by Chinese state-sponsored hackers	high	6.0	1	Security Concerns and Investigations
4762	System Malfunction	high	6.0	1	Data Leak
4763	Lack of Email Encryption / Employee Negligence	high	6.0	1	Data Breach
4764	CVE-2024-38197 (CVSS 6.5: Medium)	high	6.0	1	Spoofing
4765	Unauthorized tools	high	6.0	1	Insider Threat
4766	Insufficient Contextual Risk Awareness	high	6.0	1	Social Engineering
4767	Weak Authentication (Slack Cookies)	high	6.0	1	Data Breach
4768	Cached Credentials	high	6.0	1	Data Security Incident
4769	Accellion's File Transfer Appliance software	high	6.0	1	Data Breach
4770	Poor Data Handling Protocols	high	6.0	1	Data Breach
4771	Lack of Continuous Credential Monitoring	high	6.0	1	Credential Theft
4772	Legacy X-Frame-Options Ineffectiveness	high	6.0	1	Data Breach
4773	Legal Access via Emergency Order	high	6.0	1	Data Breach
4774	Over-Permissive Ticket Transfer Features	high	6.0	1	Account Takeover (ATO)
4775	Lack of Secure Document Disposal Procedures	high	6.0	1	Data Breach (Physical)
4776	Unprotected RSYNC Server	high	6.0	1	Data Leak
4777	Gmail accounts	high	6.0	1	Data Breach
4778	Test server misconfiguration	high	6.0	1	Data Breach
4779	External Access to Validator Keys	high	6.0	1	Blockchain Security Breach
4780	Weak PIN reset security questions	high	6.0	1	Data Breach
4781	Improper folder permissions on file servers	high	6.0	1	Data Breach
4782	Unencrypted Device	high	6.0	1	Data Breach
4783	Lack of API-Centric Threat Intelligence Sharing	high	6.0	1	Operational Risk
4784	Incorrectly Configured AWS Bucket	high	6.0	1	Data Exposure
4785	Flaw in the online application	high	6.0	1	Data Breach
4786	Unauthorized access to payment card data	high	6.0	1	Data Breach
4787	Rapid development cycles outpacing security reviews	high	6.0	1	Distributed Denial of Service (DDoS)
4788	Weak SMS-based Multi-Factor Authentication (MFA)	high	6.0	1	Financial Fraud
4789	Email login credentials	high	6.0	1	Data Breach
4790	External System Breach (Hacking)	high	6.0	1	Data Breach
4791	Lack of Strict Marketplace Vetting	high	6.0	1	Malware Distribution
4792	Default Configurations in Security Tools	high	6.0	1	Operational Risk
4793	CVE-2026-0231 (CWE-497)	high	6.0	1	Vulnerability
4794	lack of domain registration oversight	high	6.0	1	phishing
4795	Lack of data-sharing protocols in pilot programs	high	6.0	1	Data Breach / Unauthorized Data Sharing
4796	Lack of Physical Security / Unencrypted Laptops	high	6.0	1	Data Breach (Physical Theft)
4797	Lack of Oversight/Enforcement of Access Controls	high	6.0	1	Data Breach
4798	Backup Device Misconfiguration	high	6.0	1	Data Breach
4799	Software used by a third-party service provider	high	6.0	1	Data Breach
4800	Insertion of malicious script	high	6.0	1	Data Breach
4801	Data processing error	high	6.0	1	Data Breach
4802	Business Email Compromise	high	6.0	1	Data Breach
4803	Mistaken Disclosure	high	6.0	1	Data Breach
4804	Lack of verification for payment changes (e.g., routing/banking number updates)	high	6.0	1	Fraud/Scam
4805	Software vulnerability at vendor Infosys McCamish Systems LLC	high	6.0	1	Data Breach
4806	AI Platform Misconfiguration	high	6.0	1	Data Breach
4807	Third-party software (TanStack)	high	6.0	1	AI-generated exploits
4808	CVE-2025-0128	high	6.0	1	Denial of Service (DoS)
4809	Public Venmo Account	high	6.0	1	Data Exposure
4810	Human Trust in IT Support Impersonation	high	6.0	1	Data Breach
4811	Insufficient Staff Training	high	6.0	1	Data Breach
4812	Unattended Property	high	6.0	1	Data Theft
4813	Database vulnerability	high	6.0	1	Data Breach
4814	Regulatory Filing Systems (e.g., EDGAR, PACER)	high	6.0	1	Market Manipulation
4815	Human (Insider Trust)	high	6.0	1	Unauthorized Disclosure
4816	Post-termination access to company passwords	high	6.0	1	Unauthorized Access
4817	JavaScript File Modification	high	6.0	1	Malware
4818	Password Manager Bypass	high	6.0	1	Phishing
4819	potential weaknesses in email system security	high	6.0	1	phishing
4820	lack of verification by job seekers	high	6.0	1	social engineering
4821	Exposed ADB ports on internet-facing devices	high	6.0	1	DDoS-for-hire
4822	Setup Configuration	high	6.0	1	Data Leak
4823	Low-and-slow request rate evasion of rate-limiting defenses	high	6.0	1	DDoS
4824	Lax privacy settings	high	6.0	1	Data Breach
4825	Medium and high severity vulnerabilities in Ivanti EPMM software	high	6.0	1	Cyber Attack
4826	Insufficient User Awareness Training	high	6.0	1	Phishing
4827	Third-party file sharing product	high	6.0	1	Data Breach
4828	Excessive OAuth Token Scopes	high	6.0	1	Unauthorized Access
4829	Zero-Day Vulnerability in ESG Equipment	high	6.0	1	Data Theft
4830	Unencrypted and Unprotected Data Storage	high	6.0	1	Data Breach
4831	Third-party AI tools	high	6.0	1	DDoS
4832	Base64 Obfuscation Bypass	high	6.0	1	Prompt Injection
4833	Unquoted Search Path Weakness in Plantronics Hub	high	6.0	1	Privilege Escalation
4834	Surveillance software	high	6.0	1	Surveillance
4835	human error (successful phishing)	high	6.0	1	data breach
4836	IT vendor vulnerability confirmed by the Ministry of Health	high	6.0	1	Data Breach
4837	Bug in open-source library	high	6.0	1	Data Leak
4838	CVE-2025-27610	high	6.0	1	Vulnerability Exploitation
4839	Hardcoded GitHub Token	high	6.0	1	Supply Chain Attack
4840	Unsecured Audio Files	high	6.0	1	Data Exposure
4841	misconfigured public-facing storage/exposure of sensitive backup file	high	6.0	1	data exposure
4842	Unmonitored DOM Changes (Lack of MutationObserver)	high	6.0	1	Data Breach
4843	Misconfigured third-party service	high	6.0	1	Data Exposure
4844	Compromised Emails	high	6.0	1	Cyber Fraud
4845	Automatic processing of iCalendar files, Trust in calendar notifications, Device code phishing (ConsentFix)	high	6.0	1	Phishing
4846	Undisclosed Data Breaches	high	6.0	1	Market Manipulation
4847	Overly Permissive Sandbox Attributes (allow-same-origin + allow-scripts)	high	6.0	1	Data Breach
4848	Compromised software via phishing	high	6.0	1	Phishing Attack
4849	unsecured email systems	high	6.0	1	phishing
4850	Accela Software Error	high	6.0	1	Data Breach
4851	Unencrypted Storage Devices	high	6.0	1	Data Breach
4852	CVE-2024-36347	high	6.0	1	Vulnerability
4853	Skill Gaps in Workforce	high	6.0	1	Data Breach
4854	Weak Cybersecurity Standards in Financial and E-Commerce Sectors	high	6.0	1	Cybercrime Network Dismantling
4855	Lack of multi-factor authentication (MFA) in some cases	high	6.0	1	Phishing (AI-enhanced)
4856	Complexity in visibility and control	high	6.0	1	Data Breach
4857	Human Trust in Legitimate Breach Alerts	high	6.0	1	Phishing / Social Engineering
4858	Weak URL validation in RecursiveUrlLoader (String.startsWith() check) and lack of private IP range validation	high	6.0	1	Server-Side Request Forgery (SSRF)
4859	Unauthorized access to an employee email account	high	6.0	1	Data Breach
4860	Inadvertent Permissions	high	6.0	1	Cyber Attack
4861	Loss of Physical Control (Stolen Laptop)	high	6.0	1	Data Breach (Theft of Device)
4862	Reused/Weak Passwords	high	6.0	1	Data Breach
4863	Absence of Technical Safeguards (Encryption/De-identification)	high	6.0	1	Data Breach
4864	Android system permissions bypass	high	6.0	1	Vulnerability
4865	Unsecured MongoDB Server	high	6.0	1	Data Exposure
4866	Browser hijacking via malicious script	high	6.0	1	DDoS Attack, Content Tampering, Malicious JavaScript Injection
4867	Security Setting Error	high	6.0	1	Data Breach
4868	Backup Payment Card Readers	high	6.0	1	Data Breach
4869	CVE-2026-20188 (Uncontrolled Resource Consumption - CWE-400)	high	6.0	1	Denial-of-Service (DoS)
4870	Weak Authentication (SMS-based 2FA)	high	6.0	1	Social Engineering
4871	URL Spoofing	high	6.0	1	Phishing
4872	Lack of Data Redaction/Validation in FOI Process	high	6.0	1	Data Breach (Unintentional Disclosure)
4873	User Trust in Legitimate Software Repositories	high	6.0	1	Malware Distribution
4874	Human vulnerability (phishing)	high	6.0	1	Phishing
4875	Legacy banking systems	high	6.0	1	AI-generated exploits
4876	Delay introduction via VPN	high	6.0	1	Cheating via VPN
4877	Weak ATM Security	high	6.0	1	Financial Fraud
4878	Reused passwords across multiple services	high	6.0	1	Credential Stuffing
4879	MOVEit Transfer platform vulnerability (likely CVE-2023-34362)	high	6.0	1	Data Breach
4880	Donation Page	high	6.0	1	Data Breach
4881	Data breach via third-party vendor	high	6.0	1	Phishing
4882	Exploitation of Apple’s account creation process (excessive character acceptance in name fields) and security alert email system	high	6.0	1	Phishing (Callback Phishing)
4883	lack of anomaly detection for screenshot activities	high	6.0	1	insider threat
4884	Unknown Zero-Day Exploit (mentioned in Telegram chats)	high	6.0	1	Distributed Denial-of-Service (DDoS) Attack
4885	Lack of oversight/guidance for opioid settlement fund allocation; flexible spending rules	high	6.0	1	Financial Misappropriation / Regulatory Non-Compliance
4886	Lack of Device Encryption	high	6.0	1	Data Breach (Physical Theft)
4887	MOVEit file transfer program	high	6.0	1	Data Breach
4888	Fragmented Security Tool Integration	high	6.0	1	Operational Risk
4889	Misconfigured AWS S3 storage	high	6.0	1	Data Leak
4890	lapses in cybersecurity measures	high	6.0	1	cyber intrusion
4891	CMS vulnerability	high	6.0	1	Data Breach
4892	Improper handling of sensitive documents	high	6.0	1	Data Breach
4893	Malicious Software Installation	high	6.0	1	Data Breach
4894	Delayed Tool Invocation	high	6.0	1	Indirect Prompt Injection (IPI) Attack
4895	Social Engineering of Mobile Carriers	high	6.0	1	Account Takeover
4896	Human Error (Falling for Spoofed Email)	high	6.0	1	Data Breach
4897	Compromised user credentials	high	6.0	1	Data Breach
4898	CVE-2025-24071	high	6.0	1	Vulnerability Disclosure
4899	Google Business Profile verification loophole	high	6.0	1	defacement
4900	lack of multi-factor verification	high	6.0	1	phishing
4901	Improper Access	high	6.0	1	Data Breach
4902	developer reliance on third-party dependencies	high	6.0	1	supply chain attack
4903	Backdoor in the system	high	6.0	1	Fraud
4904	Unpatched Endpoints	high	6.0	1	Credential Theft
4905	Jailbroken AI (Google Gemini)	high	6.0	1	Fraud
4906	Abuse of Legitimate Services	high	6.0	1	Phishing
4907	Unsecured Collaborative Tools	high	6.0	1	Data Breach Risk
4908	Inadequate Multi-Factor Authentication (MFA)	high	6.0	1	Human Error
4909	Discord’s expired vanity URL reuse policy	high	6.0	1	Distributed Denial of Service (DDoS)
4910	Weak Authentication for OAuth Tokens	high	6.0	1	Data Breach
4911	Human Error / Policy Violation (Email Mismanagement)	high	6.0	1	Data Breach / Unauthorized Disclosure
4912	Inherited extension reputation, Unicode spoofing, remote phishing page	high	6.0	1	Phishing
4913	SSRF	high	6.0	1	SSRF Vulnerability
4914	Unencrypted CouchDB installation	high	6.0	1	Data Leak
4915	Credential theft, Stolen payment tokens	high	6.0	1	Fraud
4916	Lack of Cross-Border Data Transfer Compliance	high	6.0	1	Data Breach
4917	weak identity verification for wallet transfers	high	6.0	1	cyber theft
4918	Human Carelessness	high	6.0	1	Human Error
4919	Third-Party CRM Integration Vulnerabilities	high	6.0	1	Data Breach
4920	Lack of Token Rotation	high	6.0	1	Unauthorized Access
4921	Abuse of trusted .arpa domain for reverse DNS lookups	high	6.0	1	Phishing
4922	Inadequate Training Programs	high	6.0	1	Data Breach
4923	Lack of Data Wiping and Encryption	high	6.0	1	Data Breach
4924	Lack of endpoint security for attendee devices	high	6.0	1	Malware
4925	Exposed Google API key	high	6.0	1	Data Exposure
4926	DNS misconfiguration	high	6.0	1	DNS Hijacking
4927	CVE-2025-57714 (Unquoted Search Path in NetBak Replicator 4.5.x)	high	6.0	1	Vulnerability
4928	Weak Access Controls in Citrix Systems	high	6.0	1	Data Breach
4929	GitHub Credentials	high	6.0	1	Data Breach
4930	Public fear	high	6.0	1	Phishing
4931	Lack of Geofencing for Transaction Validation	high	6.0	1	Financial Fraud
4932	Unsecured IoT Devices (DVRs, WiFi Routers)	high	6.0	1	DDoS Attack
4933	Public exposure of environment configuration file	high	6.0	1	Data Breach
4934	Public Access to Amazon S3 Bucket	high	6.0	1	Data Exposure
4935	Insufficient verification protocols for payment changes	high	6.0	1	Phishing (AI-enhanced)
4936	Insufficient Email Security Protocols	high	6.0	1	Phishing
4937	Lack of secondary verification in AI-driven DeFi systems, Insufficient security filters for obfuscated commands	high	6.0	1	AI Exploitation, Prompt Injection, Unauthorized Token Transfer
4938	CVE-2025-43300 (Apple OS-level zero-day)	high	6.0	1	Zero-day exploit
4939	Accidental Exposure	high	6.0	1	Data Breach
4940	AI-assisted coding error (unauthenticated open web directory)	high	6.0	1	Data Breach
4941	Standard employee account credentials	high	6.0	1	Cyberattack
4942	Incorrect Address Usage	high	6.0	1	Data Breach
4943	Unsecured PHI on Laptop	high	6.0	1	Data Breach (Theft of Physical Device)
4944	Human Error (Inadvertent Disclosure in Public Documents)	high	6.0	1	Data Breach
4945	CVE-2025-37735 (Improper Preservation of Permissions)	high	6.0	1	Vulnerability / Privilege Escalation
4946	Human error, Credential harvesting	high	6.0	1	Data Breach
4947	Unauthorized access to an employee's email account	high	6.0	1	Data Breach
4948	Human trust in authentic-looking communications	high	6.0	1	Phishing (AI-enhanced)
4949	Weak password ('solarwinds123')	high	6.0	1	Cyberattack
4950	Legacy Access Controls, Identity Vulnerabilities	high	6.0	1	Data Breach
4951	Changes introduced in the 2026 roadmap update, including sharding and execution environment enhancements	high	6.0	1	Security Breach
4952	lack of verification for online investments	high	6.0	1	fraud
4953	Misconfiguration in talent management software	high	6.0	1	Data Breach
4954	Context Poisoning	high	6.0	1	Indirect Prompt Injection (IPI) Attack
4955	Inadvertent Technical Error	high	6.0	1	Data Breach
4956	User Trust in Discounted/Rare Item Offers	high	6.0	1	DDoS Attack
4957	Publicly Available Environment Files	high	6.0	1	Data Exposure
4958	User trust in brand communications; exploitation of psychological urgency and fear tactics. No technical vulnerabilities in LastPass, Bitwarden, or 1Password systems were exploited.	high	6.0	1	Phishing
4959	Session Cookie Theft	medium	5.0	1	Security Breach
4960	MOVEit file transfer tool vulnerability	medium	5.0	1	Data Breach
4961	Outdated Routers with Remote Administration Enabled	medium	5.0	1	Cyber Attack
4962	Incorrect Privacy Settings	medium	5.0	1	Data Breach
4963	Insecure transmission of payment card data	medium	5.0	1	Payment Card Breach
4964	Microsoft Exchange vulnerability	medium	5.0	1	Ransomware
4965	Improper Data Disposal	medium	5.0	1	Data Breach
4966	Third-Party Vendor Security Gaps	medium	5.0	1	Data Breach
4967	Gmail 'dot trick' combined with unsanitized HTML input in Robinhood's signup flow	medium	5.0	1	Phishing Attack
4968	CVE-2025-0520	medium	5.0	1	Policy & Defense Initiatives
4969	Stored HTML Injection via Budget Name Input Field	medium	5.0	1	Email Spoofing
4970	Microsoft Power Apps portal configuration error	medium	5.0	1	Data Breach
4971	CVE-2025-27915	medium	5.0	1	Vulnerability Exploitation
4972	Third-party software library vulnerability	medium	5.0	1	Data Breach
4973	Firewall bypass	medium	5.0	1	Penetration Test Exceeding Scope
4974	Progress Software's MOVEit software vulnerability	medium	5.0	1	Data Breach
4975	Flaw in proxy link handling	medium	5.0	1	Information Disclosure
4976	Outdated Windows software (including video surveillance systems)	medium	5.0	1	Physical Burglary
4977	Compromised email login credentials	medium	5.0	1	Data Breach
4978	Lack of access controls, Unauthorized third-party server usage	medium	5.0	1	Data Misuse, Election Interference, Unauthorized Data Access
4979	Exposed backup firewall preference files in MySonicWall cloud service	medium	5.0	1	Data Exposure
4980	CVE-2025-59489 (Unity Engine Arbitrary Code Execution)	medium	5.0	1	Vulnerability Disclosure
4981	Bug in the GMX platform	medium	5.0	1	Cryptocurrency Theft
4982	Email Security	medium	5.0	1	Data Breach
4983	Improper Access Control (Publicly Accessible File)	medium	5.0	1	Data Exposure / Unauthorized Access
4984	Accellion file sharing platform	medium	5.0	1	Data Breach
4985	Technical Setting in Tracking Technology	medium	5.0	1	Data Breach
4986	Improper output encoding	medium	5.0	1	Cross-Site Scripting (XSS)
4987	Data Mishandling	medium	5.0	1	Data Breach
4988	Inadequate data erasure protocols	medium	5.0	1	Data Handling Incident
4989	CVE-2025-11002	medium	5.0	1	Vulnerability Exploitation
4990	Denial of Service (DoS)	medium	5.0	1	Data Breach, Denial of Service (DoS)
4991	Compromised npm maintainer account	medium	5.0	1	Supply Chain Attack
4992	Remote Code Execution (RCE) in misconfigured Jenkins servers	medium	5.0	1	DDoS Botnet
4993	Remote Access through Third-Party POS Vendor	medium	5.0	1	Payment Card Breach
4994	CVE-2025-61882 (critical zero-day in Oracle E-Business Suite allowing remote system control without authentication)	medium	5.0	1	ransomware
4995	Credentials left on GitHub	medium	5.0	1	Data Breach
4996	Improper OAuth Token Security	medium	5.0	1	Data Breach
4997	Security hole in the in-house web application	medium	5.0	1	Data Breach
4998	CVE-2026-5708	medium	5.0	1	Policy & Defense Initiatives
4999	Samsung.com	medium	5.0	1	Data Breach
5000	User Account	medium	5.0	1	Data Breach
5001	Trust in Urgent Requests	medium	5.0	1	Awareness Campaign
5002	Online appointment functionality failure	medium	5.0	1	Data Leak
5003	CVE-2025-22244: Stored XSS in Gateway Firewall Response Pages	medium	5.0	1	Vulnerability
5004	Ignoring Robots Exclusion Protocol	medium	5.0	1	Data Scraping
5005	Improper website data handling	medium	5.0	1	Data Breach (Accidental Disclosure)
5006	Weak SaaS Integration Controls	medium	5.0	1	Data Breach
5007	CVE-2025-52891	medium	5.0	1	Denial-of-Service
5008	Email Indexing and Unsubscribe Vulnerability	medium	5.0	1	Data Exposure
5009	CVE-2025-46176	medium	5.0	1	Vulnerability Exploitation
5010	CVE-2025-22243: Stored XSS Vulnerability in NSX Manager UI	medium	5.0	1	Vulnerability
5011	Improper Handling of Physical Records	medium	5.0	1	Data Breach
5012	Insufficient access controls and monitoring in office suites	medium	5.0	1	Physical Security Breach, Theft
5013	Point-of-Sale (POS) Systems	medium	5.0	1	Data Breach
5014	Public-facing website	medium	5.0	1	Data Breach
5015	Archived website hosted by a now-former third-party vendor	medium	5.0	1	Data Breach
5016	CVE-2025-48384	medium	5.0	1	Vulnerability Exploitation
5017	Byte Pair Encoding (BPE) or WordPiece tokenization weaknesses in LLMs	medium	5.0	1	AI/ML Vulnerability Exploitation
5018	Improper truncation of payment card information on receipts	medium	5.0	1	Data Exposure
5019	Misconfigured security protocols or automated password reset systems	medium	5.0	1	Potential Data Exposure
5020	Online quote system	medium	5.0	1	Data Breach
5021	Insufficient Email Client-Side Sanitization	medium	5.0	1	Email Spoofing
5022	Improper Access Restrictions	medium	5.0	1	Data Breach
5023	GiveWP WordPress Plugin Flaw	medium	5.0	1	Data Breach
5024	Lack of verification of driver credentials and shipping paperwork	medium	5.0	1	Cyber Cargo Theft (Fictitious Pickup)
5025	CVE-2025-11001	medium	5.0	1	Vulnerability Exploitation
5026	Printing Error	medium	5.0	1	Data Breach
5027	Improper disposal of electronic devices	medium	5.0	1	Data Breach
5028	Improper Account Use	medium	5.0	1	Data Breach
5029	Human error (password/authentication process manipulation)	medium	5.0	1	Cyberattack
5030	CVE-2025-61884 (potential, patched later)	medium	5.0	1	Data Breach
5031	Improper third-party data sharing	medium	5.0	1	Data Breach
5032	Weak Username and Password Combinations	medium	5.0	1	Data Breach
5033	Unprotected Excel Spreadsheet	medium	5.0	1	Data Breach
5034	Software Glitch	medium	5.0	1	Data Breach
5035	Data Handling Error	medium	5.0	1	Data Breach
5036	User Credentials from an Unrelated Site	medium	5.0	1	Data Breach
5037	Unauthorized access to secrets during pull request process	medium	5.0	1	Unauthorized Access
5038	Open Database Platform	medium	5.0	1	Data Exposure
5039	Third-party contractor’s laptop	medium	5.0	1	Data Breach
5040	Incorrect fax number	medium	5.0	1	Data Breach
5041	Human Factor (Insider Access Abuse)	medium	5.0	1	Insider Threat
5042	Sorting Error	medium	5.0	1	Data Breach
5043	Unsecured Browser-Stored Passwords/Cookies	medium	5.0	1	Data Breach
5044	CVE-2025-48989 (HTTP/2 'Made You Reset' Memory Exhaustion)	medium	5.0	1	Vulnerability
5045	Human error (misconfigured download link)	medium	5.0	1	Extortion
5046	Weakness in Drift-Salesforce integration security	medium	5.0	1	data breach
5047	Policy Violation	medium	5.0	1	Data Breach
5048	URL Redirection	medium	5.0	1	Vulnerability Exploit
5049	CVE-2026-6296	medium	5.0	1	Policy & Defense Initiatives
5050	CVE-2024-41710	medium	5.0	1	DDoS Botnet
5051	Unknown Third Party Credential Leak	medium	5.0	1	Credential Stuffing
5052	Database Misconfiguration	medium	5.0	1	Data Breach
5053	Exposed credentials from earlier data breaches	medium	5.0	1	Credential Stuffing
5054	initramfs debug shell access during boot failures	medium	5.0	1	Vulnerability Exploitation
5055	Snowflake data warehouse misconfiguration/weakness	medium	5.0	1	Data Breach
5056	Metadata Harvesting in Salesforce	medium	5.0	1	Data Breach
5057	CVE-2026-5709	medium	5.0	1	Policy & Defense Initiatives
5058	Unchecked third-party access, improper configurations, over-permissioned tools	medium	5.0	1	Data Exposure
5059	Compromised Python SDK versions (4.87.1, 4.87.2)	medium	5.0	1	Supply Chain Attack
5060	Supply-chain attack via npm ecosystem	medium	5.0	1	Infostealer
5061	CVE-2026-5707	medium	5.0	1	Policy & Defense Initiatives
5062	Privileged credentials	medium	5.0	1	Data Breach
5063	OAuth Tokens	medium	5.0	1	Data Breach
5064	Poor access controls	medium	5.0	1	Data Breach
5065	CVE-2025-22245: Stored XSS in Router Port Configurations	medium	5.0	1	Vulnerability
5066	Internal Logging Mechanism	medium	5.0	1	Data Exposure
5067	Inappropriate email handling	medium	5.0	1	Data Breach
5068	Information Sharing Program	medium	5.0	1	Data Breach
5069	Typeform Vulnerability	medium	5.0	1	Data Breach
5070	Bug	medium	5.0	1	Data Leak
5071	Instant Quote Platform	medium	5.0	1	Data Breach
5072	Human Error (Inadvertent Disclosure)	medium	5.0	1	Data Breach
5073	Typosquatting (Visual Deception)	medium	5.0	1	Phishing
5074	Reused Usernames and Passwords	medium	5.0	1	Account Compromise
5075	Customer service software misconfiguration	medium	5.0	1	Data Breach
5076	Older servers	medium	5.0	1	Data Breach
5077	Click2Gov System	medium	5.0	1	Data Breach, Fraud
5078	Human Error (Mistaken Disclosure)	medium	5.0	1	Data Breach (Unauthorized Disclosure)
5079	Accidental Sharing of Data	medium	5.0	1	Data Breach
5080	Lateral Movement via Stolen Credentials	medium	5.0	1	Supply Chain Attack
5081	Microsoft 365 Email Account	medium	5.0	1	Data Breach
5082	Outdated security measures, vulnerable CMS, weak authentication, inadequate monitoring	medium	5.0	1	SEO Poisoning
5083	Physical Loss of Storage Device	medium	5.0	1	Data Breach
5084	Insecure Transport	medium	5.0	1	Data Leak
5085	CVE-2025-13223 (V8 JavaScript engine flaw)	medium	5.0	1	Zero-day vulnerability
5086	Unsecured Public Trello Boards	medium	5.0	1	Data Leak
5087	Unauthorized Biometric Data Collection	medium	5.0	1	Privacy Breach
5088	Weak administrator password, lack of Multi-Factor Authentication, exposed remote access	medium	5.0	1	Ransomware
5089	Inadequate data security program	medium	5.0	1	Data Breach
5090	Third-party vendor misconfiguration	medium	5.0	1	Data Breach
5091	CVE-2019-9621	medium	5.0	1	Vulnerability Exploitation
5092	Malicious JavaScript injection through API call	medium	5.0	1	Supply Chain Attack
5093	Browser Cache Storage	medium	5.0	1	Data Breach
5094	CVE-2025-9242 (Out-of-bounds Write in 'iked' process)	medium	5.0	1	Vulnerability
5095	Slack's link-rendering logic flaw (misinterpreting text as domains when missing spaces after punctuation)	medium	5.0	1	Vulnerability Exploitation
5096	Vbulletin CMS Flaw	medium	5.0	1	Data Breach
5097	Failure to redact information properly	medium	5.0	1	Data Breach
5098	CVE-2024-6914	medium	5.0	1	Vulnerability Exploitation
5099	Home internet connection access via VPN	medium	5.0	1	Security Breach
5100	Design flaw in chat feature	medium	5.0	1	Data Exposure
5101	Data Entry Error	medium	5.0	1	Data Breach
5102	Website Programming Change	medium	5.0	1	Data Breach
5103	Progress Software's MOVEit file transfer software	medium	5.0	1	Data Breach
5104	Trust in AI-assisted development tools	medium	5.0	1	Supply Chain Attack
5105	Patient Billing System	medium	5.0	1	Data Breach
5106	Unsecured Vehicle	medium	5.0	1	Physical Theft
5107	Shared infrastructure flaw	medium	5.0	1	Data Breach
5108	Open database without authentication	medium	5.0	1	Data Breach
5109	Insufficient Data Protection Measures	medium	5.0	1	Data Breach
5110	Bug in Vine	medium	5.0	1	Data Breach
5111	Out-of-Bounds Write (CWE-787)	medium	5.0	1	Denial-of-Service (DoS)
5112	Insufficient input validation	medium	5.0	1	Cross-Site Scripting (XSS)
5113	Open Server	medium	5.0	1	Data Exposure
5114	Computer Error	medium	5.0	1	Data Breach
5115	Weak cybersecurity measures	medium	5.0	1	Data Breach
5116	Unsecured Paper Files	medium	5.0	1	Data Breach
5117	Lack of Output Encoding in Email Templates	medium	5.0	1	Email Spoofing
5118	CVE-2025-45080	medium	5.0	1	Vulnerability
5119	Vulnerability in Drift application’s Salesforce integration	medium	5.0	1	third-party breach
5120	Computer Programming Error	medium	5.0	1	Data Breach
5121	Indirect prompt injection (IPI)	medium	5.0	1	Vulnerability Exploit
5122	Progress Software's MOVEit Transfer	medium	5.0	1	Data Breach
5123	Misconfigured or unpatched hosting infrastructure	medium	5.0	1	Data Breach
5124	CVE-2023-2533	medium	5.0	1	Vulnerability Exploitation
5125	Weak IAM credential security, lack of multifactor authentication (MFA)	medium	5.0	1	Cryptocurrency Mining
5126	Mistakenly attached sensitive information to email	medium	5.0	1	Data Breach
5127	Inconsistent data retention policy enforcement	medium	5.0	1	Data Breach
5128	Public Exposure of Sensitive Information	medium	5.0	1	Data Breach
5129	Service request lookup tool flaw allowing unauthorized access via bot	medium	5.0	1	Data Breach
5130	Web Page Configuration	medium	5.0	1	Data Breach
5131	Improper configuration of the website	medium	5.0	1	Data Breach
5132	Poor governance, lack of controls in records management, and inadequate note-taking practices	medium	5.0	1	Data Breach (Unauthorized Disclosure)
5133	AI Algorithm Inefficiency	medium	5.0	1	System Malfunction
5134	CVE-2026-24489	medium	5.0	1	Vulnerability Exploitation
5135	Poor physical installation of hardware	medium	5.0	1	Hardware Security Oversight
5136	Improper Disclosure of Research Funding	medium	5.0	1	Data Privacy Incident
5137	Mobile app API	low	2.5	1	Data Breach
5138	Improper link resolution in Windows Update Stack (CVE-2025-21204)	low	2.5	1	Privilege Escalation
5139	SSH password capture	low	2.5	1	Data Breach
5140	CVE-2026-7344 (Accessibility)	low	2.5	1	Vulnerability Patch
5141	Critical Telnet vulnerability allowing unauthorized access	low	2.5	1	Vulnerability Exploitation
5142	Insufficient file authentication in the updater mechanism	low	2.5	1	Software Vulnerability
5143	Exposed RDP server	low	2.5	1	Ransomware
5144	CVE-2026-7322	low	2.5	1	Vulnerability Patch
5145	CVE-2025-2761	low	2.5	1	Software Vulnerability
5146	CVE-2026-48778	low	2.5	1	Arbitrary Code Execution
5147	Accidental Disclosure	low	2.5	1	Data Breach
5148	CVE-2025-4230	low	2.5	1	Command Injection
5149	CVE-2025-12420	low	2.5	1	Privilege Escalation
5150	CVE-2026-40261	low	2.5	1	Vulnerability Exploitation
5151	Hard-coded secret values	low	2.5	1	Vulnerability Exploitation
5152	Human psychology (trust in job applications), abuse of trusted cloud infrastructure (AWS EC2/S3)	low	2.5	1	Phishing/Social Engineering, Malware Delivery
5153	Insecure remote administration access	low	2.5	1	Security Breach
5154	CVE-2026-2441 (use-after-free in CSS component)	low	2.5	1	Zero-Day Vulnerability
5155	CVE-2024-22774 (Uncontrolled search path element)	low	2.5	1	Privilege Escalation
5156	Temporary API code misconfiguration	low	2.5	1	Data Breach
5157	Memory leak in embedded JavaScript engine	low	2.5	1	Resource Exhaustion
5158	Exploit in Trinity wallet app	low	2.5	1	Cryptocurrency Wallet Exploit
5159	Exposed phone numbers from data breaches or leaked marketing databases	low	2.5	1	Phishing (SMS-based)
5160	CVE-2025-7724	low	2.5	1	Vulnerability Exploitation
5161	Data Security Vulnerabilities	low	2.5	1	Data Security Vulnerability
5162	Social engineering, malware-laced coding assignments	low	2.5	1	Cryptocurrency Theft
5163	CVE-2025-53506	low	2.5	1	Denial of Service (DoS)
5164	Admin password bypass	low	2.5	1	Authentication Bypass
5165	Unpatched IoT/ARC processor vulnerabilities	low	2.5	1	DDoS Attack
5166	Identical authentication certificates, prolonged certificate validity (10 years), inadequate network access controls	low	2.5	1	Data Breach, Unauthorised Transactions, Malware Infection
5167	CVE-2025-3699	low	2.5	1	Vulnerability
5168	Remote Code Execution (RCE) in auto-updater software	low	2.5	1	Vulnerability Exploitation
5169	CVE-2026-7323	low	2.5	1	Vulnerability Patch
5170	Database Configuration Error	low	2.5	1	Data Breach
5171	Faulty fuel injector	low	2.5	1	Product Recall
5172	CVE-2026-20805	low	2.5	1	Information Disclosure
5173	CVE-2026-2636 (Improper flag validation in CLFS.sys)	low	2.5	1	Denial-of-Service (DoS)
5174	CVE-2025-37103	low	2.5	1	Vulnerability Exploitation
5175	Unmonitored networks	low	2.5	1	Ransomware
5176	Misprinting of personal information	low	2.5	1	Data Breach
5177	Unauthorized network access	low	2.5	1	Physical and Logical Security Breach
5178	Unpatched vulnerabilities (31% of breaches)	low	2.5	1	data_breach
5179	MOVEit Transfer tool vulnerability	low	2.5	1	Data Breach
5180	Authentication Flaw in cPanel Login Mechanisms	low	2.5	1	Authentication Vulnerability
5181	CVE-2025-13348	low	2.5	1	Vulnerability
5182	CVE-2025-5678	low	2.5	1	DDoS
5183	CVE-2026-45494	low	2.5	1	Vulnerability
5184	Unmonitored lateral movement	low	2.5	1	Cyber Breach
5185	CVE-2026-0227	low	2.5	1	Denial-of-Service (DoS)
5186	Server setup error	low	2.5	1	Data Breach
5187	Writable MFGSTAT.zip file with incorrect permissions	low	2.5	1	Vulnerability Exploitation
5188	CVE-2025-65606	low	2.5	1	Vulnerability Exploitation
5189	CVE-2025-9101	low	2.5	1	DDoS
5190	CWE-400	low	2.5	1	Uncontrolled Resource Consumption
5191	Malformed ZIP archives evading security tools, native Windows unarchiving utility exploitation	low	2.5	1	Malware Campaign
5192	CVE-2026-3008 (String injection in FindInFiles functionality)	low	2.5	1	Vulnerability
5193	Vendor's Software Flaw	low	2.5	1	Data Breach
5194	CVE-2026-7361 (iOS)	low	2.5	1	Vulnerability Patch
5195	CVE-2025-34143	low	2.5	1	Vulnerability Exploitation
5196	CVE-2025-6029	low	2.5	1	Vulnerability Exploitation
5197	Debug code in production builds causing routing failure	low	2.5	1	Vulnerability
5198	Improper Storage of Sensitive Information	low	2.5	1	Data Breach
5199	CVE-2026-7343 (Views)	low	2.5	1	Vulnerability Patch
5200	Unpatched firmware in home routers/cameras	low	2.5	1	Distributed Denial of Service (DDoS)
5201	CVE-2026-40176	low	2.5	1	Vulnerability Exploitation
5202	MOVEit server vulnerability	low	2.5	1	Data Breach
5203	Unauthorized access to source code repository	low	2.5	1	Data Breach
5204	Credentials obtained from another website	low	2.5	1	Data Breach
5205	Obsolete servers exposed to the internet	low	2.5	1	Cyberattack
5206	Poor password practices	low	2.5	1	Ransomware
5207	CVE-2026-23869 (Deserialization of untrusted data - CWE-502, Uncontrolled resource consumption - CWE-400)	low	2.5	1	Denial of Service (DoS)
5208	Improperly secured GitHub secrets (long-lived PyPI tokens stored in workflows)	low	2.5	1	supply chain attack
5209	Mailing Label Printing Error	low	2.5	1	Data Breach
5210	Insufficient policy enforcement in the WebView tag	low	2.5	1	Security Bypass
5211	GeminiJack	low	2.5	1	Zero-Click Exploit
5212	MOVEit secure file transfer application	low	2.5	1	Data Breach
5213	CVE-2025-32756	low	2.5	1	Vulnerability Exploitation
5214	Improper error handling	low	2.5	1	Misconfiguration
5215	Heap-based buffer overflows	low	2.5	1	Data Breach
5216	CVE-2025-34142	low	2.5	1	Vulnerability Exploitation
5217	Unauthorized physical access	low	2.5	1	Physical and Logical Security Breach
5218	DMARC authentication bypass, trusted infrastructure abuse	low	2.5	1	Phishing
5219	Stack-based buffer overflow	low	2.5	1	Vulnerability Exploitation
5220	Counterfeit Hardware	low	2.5	1	Supply Chain Attack
5221	Fortinet EMS (CVE-2023-48788)	low	2.5	1	Ransomware
5222	zero-click vulnerabilities	low	2.5	1	vulnerability_exploitation
5223	Reflected cross site scripting (XSS)	low	2.5	1	Vulnerability Exploitation
5224	CVE-2026-32185	low	2.5	1	Spoofing
5225	MOVEit Transfer tool vulnerabilities	low	2.5	1	Data Breach
5226	CVE-2025-24016 (Unsafe Deserialization)	low	2.5	1	Botnet Exploitation
5227	CVE-2025-1087	low	2.5	1	Template Injection
5228	CVE-2025-24091	low	2.5	1	Denial of Service (DoS)
5229	Shared authentication systems, privileged access management gaps	low	2.5	1	Credential Exposure
5230	Lack of email authentication for Google AppSheet, social engineering (credential harvesting, 2FA bypass)	low	2.5	1	Phishing
5231	Unsecured attic access, potential food attractants	low	2.5	1	Physical Intrusion (Non-Cyber)
5232	Web Server	low	2.5	1	Data Breach
5233	MOVEit file transfer program vulnerability	low	2.5	1	Data Breach
5234	Known loopholes in SonicWall VPN	low	2.5	1	Exploitation of Vulnerability
5235	CVE-Unassigned (ASLR Bypass via NSKeyedArchiver Serialization Pointer Leak)	low	2.5	1	Vulnerability Disclosure
5236	CVE-2024-45432	low	2.5	1	Vulnerability Exploitation
5237	Bug introduced during an update of the email system	low	2.5	1	Data Leak
5238	Software Error	low	2.5	1	Data Breach
5239	Unsecured Computer Server	low	2.5	1	Data Breach
5240	CVE-2025-27387	low	2.5	1	Vulnerability Exploitation
5241	Unsecured Storage of Usernames and Passwords	low	2.5	1	Data Breach
5242	Device Tracking Vulnerabilities	low	2.5	1	Surveillance Investigation
5243	Improper fax transmission	low	2.5	1	Data Breach
5244	CVE-2026-7324	low	2.5	1	Vulnerability Patch
5245	Trust in employment process	low	2.5	1	Insider Threat
5246	X11 clipboard functionality	low	2.5	1	Malware
5247	Lack of Awareness (pre-training)	low	2.5	1	Security Awareness
5248	Serial number extraction	low	2.5	1	Authentication Bypass
5249	Unprotected IoT Devices	low	2.5	1	IoT Device Hack
5250	Unencrypted Hard Drive	low	2.5	1	Data Breach
5251	CVE-2025-49825	low	2.5	1	Vulnerability Exploit
5252	CVE-2026-20803	low	2.5	1	Elevation of Privilege
5253	Exposed .env file with database credentials	low	2.5	1	Data Exposure, Potential DoS Attack
5254	Compromised internal operations wallet	low	2.5	1	Security Breach
5255	unpatched_software	low	2.5	1	data_breach
5256	CVE-2025-7206	low	2.5	1	Vulnerability
5257	CVE-2026-45492	low	2.5	1	Vulnerability
5258	Lack of authentication on C2 panel, weak SSH credentials, exposed services (RDP, SMB, WinRM)	low	2.5	1	Credential Stuffing
5259	CVE-2024-11857	low	2.5	1	Vulnerability
5260	Cloned Phishing Site	low	2.5	1	Supply Chain Attack
5261	CVE-2025-5601	low	2.5	1	Vulnerability Exploitation
5262	CVE-2025-13878	low	2.5	1	Denial-of-Service (DoS)
5263	Printing Software Vulnerability	low	2.5	1	Data Breach
5264	Unsecured FTP Server	low	2.5	1	Data Breach
5265	Rowhammer	low	2.5	1	Vulnerability Exploitation
5266	USBAnywhere	low	2.5	1	Remote Attack Vector
5267	CVE-2024-45434	low	2.5	1	Vulnerability Exploitation
5268	Phishing Susceptibility	low	2.5	1	Security Awareness
5269	Remote access to car's specialized computers	low	2.5	1	Cyberattack
5270	CVE-2026-45495	low	2.5	1	Vulnerability
5271	CVE-2025-26147	low	2.5	1	Vulnerability Exploitation
5272	Hiring Process	low	2.5	1	State-Sponsored Hacker Infiltration
5273	CVE-2026-45586 (Improper Link Resolution - CWE-59)	low	2.5	1	Privilege Escalation
5274	Incompatible resource access	low	2.5	1	Data Breach
5275	CVE-2025-46789	low	2.5	1	Vulnerability Exploitation
5276	Barracuda Networks email application vulnerability	low	2.5	1	Data Breach
5277	Low entropy in database metadata retrieval	low	2.5	1	Privacy Vulnerability
5278	CVE-2026-20824	low	2.5	1	Security Feature Bypass
5279	Unauthorized access to historical emails	low	2.5	1	Data Breach
5280	CVE-2024-45433	low	2.5	1	Vulnerability Exploitation
5281	CVE-2025-59718	low	2.5	1	Authentication Bypass
5282	Lack of contextual awareness in AI systems	low	2.5	1	AI-related data exposure
5283	CVE-2025-22234	low	2.5	1	Vulnerability Exploitation
5284	Misconfigured PAM (pam_exec module)	low	2.5	1	Backdoor
5285	CVE-2025-34028	low	2.5	1	Path Traversal Vulnerability
5286	Cloud Storage Misconfiguration	low	2.5	1	Misconfiguration
5287	Unspecified	low	2.5	1	Phishing
5288	PHP Exploit in MyBB Codebase	low	2.5	1	Infrastructure Disruption
5289	Public-facing website misconfiguration	low	2.5	1	Data Breach
5290	Vulnerability in data storage system	low	2.5	1	Data Breach
5291	ConnectWise ScreenConnect (CVE-2024-1709)	low	2.5	1	Ransomware
5292	CVE-2025-2760	low	2.5	1	Software Vulnerability
5293	Hardcoded trust exception in authentication flow (2FA bypass)	low	2.5	1	Zero-Day Exploit
5294	Malicious QR Code	low	2.5	1	Supply Chain Attack
5295	Out-of-bounds reads	low	2.5	1	Data Breach
5296	Vulnerability in a third-party application	low	2.5	1	Unauthorized Access
5297	CVE-2025-5138	low	2.5	1	Vulnerability Exploitation
5298	CVE-2026-48770	low	2.5	1	Arbitrary Code Execution
5299	Automatic execution of tasks.json in VS Code/Cursor, lack of user interaction requirement in Cursor	low	2.5	1	Phishing, Malware, Credential Theft, Cryptocurrency Theft
5300	Vulnerabilities in Cleo's platform	low	2.5	1	Data Breach
5301	CVE-2025-24813	low	2.5	1	Vulnerability Exploitation
5302	Android APK vulnerabilities	low	2.5	1	DDoS Attack
5303	Easily Exploitable Vulnerabilities	low	2.5	1	Vulnerability Exploitation
5304	CVE-2025-34140	low	2.5	1	Vulnerability Exploitation
5305	Vulnerability in the outage app	low	2.5	1	Data Breach
5306	CVE-2026-3483 (CWE-749 - Exposed Dangerous Method)	low	2.5	1	Privilege Escalation
5307	human_error	low	2.5	1	data_breach
5308	CVE-2026-7320 (Audio/Video)	low	2.5	1	Vulnerability Patch
5309	Misconfigured permissions	low	2.5	1	Cyber Breach
5310	External control of file paths	low	2.5	1	Data Breach
5311	Mailing Processes	low	2.5	1	Data Breach
5312	vBulletin’s reliance on PHP’s Reflection API for its custom Model-View-Controller (MVC) framework and API system	low	2.5	1	Remote Code Execution (RCE)
5313	Third-party software vendor (MOVEit)	low	2.5	1	Data Breach
5314	Data Transfer Error	low	2.5	1	Data Breach
5315	CVE-2026-48800	low	2.5	1	Arbitrary Code Execution
5316	Programming Code Error	low	2.5	1	Data Breach
5317	CVE-2025-54957	low	2.5	1	Vulnerability Exploitation
5318	Weak credentials/default passwords in IoT devices	low	2.5	1	Distributed Denial of Service (DDoS)
5319	Social Engineering (Legitimate Appearance), Dynamic Payload Updates, Stolen AI Infrastructure	low	2.5	1	Malicious Package / Data Exfiltration
5320	Critical Issues	low	2.5	1	Vulnerability Exploitation
5321	Unattended Vehicle	low	2.5	1	Data Breach
5322	Publicly Accessible S3 Bucket	low	2.5	1	Data Breach
5323	CVE-2025-36537	low	2.5	1	Vulnerability
5324	Website Search Function	low	2.5	1	Data Breach
5325	Improper Access Control in fepblue Mobile App	low	2.5	1	Data Breach (Unauthorized Access)
5326	Vendor Service (Accellion)	low	2.5	1	Data Breach
5327	CVE-2025-1234	low	2.5	1	DDoS
5328	CVE-2026-7363 (Canvas)	low	2.5	1	Vulnerability Patch
5329	CVE-2026-26127 (Out-of-bounds read weakness, CWE-125)	low	2.5	1	Denial-of-Service (DoS)
5330	Weak message validation	low	2.5	1	Vulnerability Exploitation
5331	CVE-2025-7723	low	2.5	1	Vulnerability Exploitation
5332	12 new exploits targeting D-Link, Huawei, NETGEAR, TP-Link, and other devices	low	2.5	1	DDoS-for-Hire Botnet
5333	CVE-2026-20029	low	2.5	1	Information Disclosure
5334	CVE-2025-59719	low	2.5	1	Authentication Bypass
5335	Compromised developer account, abuse of npm publishing mechanism	low	2.5	1	Supply-Chain Attack
5336	CVE-2024-45431	low	2.5	1	Vulnerability Exploitation
5337	Missing portable data storage device	low	2.5	1	Data Breach
5338	Stolen GitHub credentials	low	2.5	1	Source Code Theft
5339	Insufficient intrusion detection	low	2.5	1	Ransomware
5340	CVE-2026-20841 (CWE-77: Command Injection)	low	2.5	1	Remote Code Execution (RCE)
5341	Vulnerability on older game websites	low	2.5	1	Data Breach
5342	Arbitrary File Upload (CVE-2025-64374)	low	2.5	1	Vulnerability Exploitation
5343	Third-party file transfer software	low	2.5	1	Data Breach
5344	CVE-2026-23600	low	2.5	1	Authentication Bypass
5345	XSS in Software Acquisition Guide: Supplier Response Web Tool	low	2.5	1	Vulnerability
5346	Lack of Backup Procedure	low	2.5	1	Data Loss
5347	Realtek routers via port 52869	low	2.5	1	DDoS-for-Hire Botnet
5348	Weaknesses in cloud security, insufficient encryption, inadequate identity management, lack of network segmentation	low	2.5	1	AI System Targeting, Cloud Infrastructure Exploitation
5349	Improper conversation/message ID verification	low	2.5	1	Vulnerability Exploitation
5350	Shared File Location	low	2.5	1	Data Breach
5351	DNS misconfiguration (lame delegation), browser notification permissions	low	2.5	1	Push-Notification Scam
5352	CVE-2025-50165 (Uninitialized function pointer dereference in WindowsCodecs.dll)	low	2.5	1	Remote Code Execution (RCE)
5353	OS command injection	low	2.5	1	vulnerability_exploitation
5354	CVE-2026-33825 (Insufficient access-control granularity - CWE-1220)	low	2.5	1	Privilege Escalation
5355	Damaged mailing	low	2.5	1	Data Breach
5356	Imperfect Process	low	2.5	1	Data Breach
5357	Logic error in handling Authorization objects in ACME service, allowing improper reuse of domain validation data	low	2.5	1	Certificate Misissuance
5358	Fake Firmware	low	2.5	1	Supply Chain Attack
5359	Use-after-free flaws	low	2.5	1	Data Breach
5360	Lack of phishing controls, Unrestricted RMM tool usage, Insufficient EDR monitoring	low	2.5	1	Phishing, Social Engineering, RMM Abuse
5361	CVE-2025-48651	low	2.5	1	Vulnerability
5362	Secure Email Account	low	2.5	1	Data Breach
5363	Lack of proper access controls and oversight in AI systems	low	2.5	1	Data Breach
5364	High Volume Access Requests	low	2.5	1	Misconfiguration
5365	Weak cybersecurity defenses and high AI-driven automation in attacks	low	2.5	1	botnets
5366	CVE-2025-34141	low	2.5	1	Vulnerability Exploitation
5367	CVE-2025-50054	low	2.5	1	Vulnerability Exploitation
5368	CVE-2025-55188	low	2.5	1	Vulnerability Exploitation
5369	CVE-2025-49464	low	2.5	1	Vulnerability Exploitation
5370	Zero-day vulnerability in Oracle’s eBusiness Suite	low	2.5	1	Data Breach
5371	Flaw in HTML sanitizer (rcube_washtml) failing to block <feImage> SVG element	low	2.5	1	Privacy Bypass
5372	Flaw in ASUS DriverHub	low	2.5	1	Vulnerability Exploit
5373	CVE-2025-4563	low	2.5	1	Vulnerability
5374	Vulnerability in third-party firewall software	low	2.5	1	Data Breach
5375	Psychological manipulation (urgency, stress, perceived authority)	low	2.5	1	Phishing/Scam
5376	Evasion of rate-limiting defenses via 'low and slow' fragmentation	low	2.5	1	DDoS
5377	Compromised IoT devices (routers, IP cameras, digital video recorders)	low	2.5	1	DDoS Attack