
CVSS 9.9, CVSS 10.0, 1.5M Servers Affected: Why Enterprises Need CVE Monitoring

Timo Wevelsiep
#CVE #Security #Vulnerability #OpenSource #SelfHosted #Enterprise #Monitoring

Editorial note: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, prices, versions, licensing terms, and external content may change. Please verify the information provided independently, particularly before making business-critical or security-related decisions. This article does not replace individual professional, legal, or tax advice.


CVE Monitoring for your infrastructure — WZ-IT monitors your servers, containers and applications for known vulnerabilities. Schedule a consultation

Three numbers from the last four months:

  • CVSS 9.9 — Jellyfin: Path Traversal → Remote Code Execution as Root
  • CVSS 10.0 — n8n: Unauthenticated RCE in Self-Hosted and Cloud
  • 1.5M servers — cPanel: Authentication Bypass, active exploitation since February

Each of these vulnerabilities affects software that enterprises use in production. Each was publicly disclosed before many operators had patched. And each could have been detected early with active CVE monitoring.


What happened in 2026 so far

Jellyfin: CVSS 9.9 — Subtitle Upload → Root RCE

In April 2026, CVE-2026-35031 was published. The vulnerability exists in Jellyfin's subtitle upload endpoint (versions before 10.11.7). An authenticated user with "Upload Subtitles" permission — no admin rights required — could write arbitrary files to the server through an unvalidated format parameter.

The attack chain: Path Traversal → Arbitrary File Write → .strm file for Arbitrary File Read → Database Extraction → Admin Token → Root RCE via ld.so.preload.

A single API call, no special privileges, complete system compromise.

n8n: CVSS 10.0 — Unauthenticated RCE

CVE-2026-21858, codenamed "Ni8mare": An unauthenticated attacker could execute arbitrary code on the n8n server through manipulated webhook and form requests. All self-hosted and cloud versions up to and including 1.65.0 were affected.

CVSS 10.0 — the highest possible score. No login required, no user interaction, remote exploitation.

Weeks later came CVE-2026-21877 — also CVSS 10.0, this time authenticated RCE. And in March 2026, two more critical n8n vulnerabilities were published.

cPanel: CVSS 9.8 — 1.5M Servers Affected

CVE-2026-41940 is an authentication bypass flaw in cPanel & WHM. Through a CRLF injection in the login process, attackers could authenticate as root — without a password, without 2FA.

The vulnerability was publicly disclosed in late April 2026. But evidence of targeted exploitation dates back to February 2026. At least 1.5 million cPanel instances were internet-facing and potentially affected.

Apache HTTP Server: CVE-2026-23918 — Double Free → RCE

Even foundational technology is affected: Apache HTTP Server had a double-free vulnerability in all versions through 2.4.66 that could lead to remote code execution. It runs on millions of web servers worldwide.

The pattern behind these vulnerabilities

All four cases share common traits:

  1. Widely deployed software — not niche products, but tools used by hundreds of thousands to millions
  2. Critical severity — CVSS 9.0+ means: remote exploitation, low or no effort for the attacker
  3. Patches were available — in every case, an update was released within days
  4. Many still didn't patch — because they didn't know about the vulnerability

Point 4 is the actual problem. The vulnerability exists, the patch exists, but the operator knows about neither.

Why apt update isn't enough

Those who believe a weekly apt update && apt upgrade protects their infrastructure underestimate reality:

What apt doesn't cover:

  • Docker containers (the majority of modern self-hosted software)
  • Helm charts and Kubernetes deployments
  • Self-compiled software
  • Applications deployed via git pull + docker-compose up
  • npm/pip/composer dependencies inside containers

What apt can't do:

  • Prioritize by CVSS score
  • Alert on critical vulnerabilities
  • Scan dependencies inside container images
  • Determine if a CVE actually applies to your specific configuration

An enterprise running n8n via Docker Compose doesn't learn about CVE-2026-21858 through apt. They learn about it through Hacker News, Twitter — or through the attacker.

CVE monitoring: what it is and how it works

CVE monitoring is the continuous tracking of all deployed software versions against public vulnerability databases (NVD, MITRE, Greenbone Feed, GitHub Security Advisories).

Comprehensive CVE monitoring covers:

Layer             What is checked                                           Example tool
Network           Open ports, reachable services, known vulnerabilities     Greenbone OpenVAS
Container         Base images, packages, application dependencies           Trivy, Grype
Code              Dependencies in package.json, requirements.txt, go.mod    Snyk, Dependabot
Configuration     Misconfigurations, default credentials, TLS settings      OpenSCAP, Lynis
CVE Intelligence  Track new CVEs, filter, prioritize, assign to teams       OpenCVE
Aggregation       Central collection, deduplication, compliance mapping     DefectDojo

The goal: know within 24 hours of a CVE publication whether your infrastructure is affected.

Tools for enterprises

Greenbone OpenVAS — Network Vulnerability Scanning

OpenVAS scans infrastructure from the outside and inside for known vulnerabilities. The largest freely available vulnerability database on the market. Detects outdated software, open ports, misconfigurations.

For enterprises: regular automated scans with reporting, not just one-time audits.


OpenCVE — CVE Intelligence Platform

OpenCVE is an open-source vulnerability intelligence platform that aggregates CVEs from five authoritative sources (MITRE, NVD, RedHat, Vulnrichment and more) and updates hourly. The critical difference from pure scanners: OpenCVE doesn't monitor your servers — it monitors CVE databases and proactively notifies you when a new vulnerability appears for software you use.

Why OpenCVE matters for enterprises:

  • Vendor/Product Subscriptions — Subscribe to the software you deploy (Proxmox, Nextcloud, n8n, nginx, PostgreSQL...) and only receive relevant CVEs
  • Projects & Organizations — Organize CVEs by team, client or infrastructure area
  • Custom Tags & Status Tracking — Mark CVEs as "Under Analysis", "Risk Accepted", "Patched" and assign a responsible person
  • Filters & Views — Filter by CVSS score, EPSS (exploitation probability), KEV (Known Exploited Vulnerabilities) and CWE. Save complex filters as reusable views
  • Alerting — Notifications via email, webhook or Slack as soon as a relevant CVE is published or updated
  • Self-Hosted — Fully self-hostable via Docker. Your CVE data stays on your infrastructure

Had an enterprise set up OpenCVE with subscriptions for Jellyfin, n8n and cPanel, they would have been notified within hours of CVE publication — not days later via tech news.

OpenCVE doesn't replace scanners like OpenVAS or Trivy. It complements them: scanners find what's running on your servers, OpenCVE tells you what's happening in the world.
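The core of what the "CVE monitoring" section and the OpenCVE subscriptions above describe is a join: a list of what you run (product, version, host) against a feed of advisories with affected-version ranges, sorted so exploited and critical hits surface first. The script below is an added illustration and is not WZ-IT's or OpenCVE's code. Its FEED is a constructed sample built from the figures quoted in this article (version ranges from the text, the exploited flag for cPanel from its "active exploitation" statement, no score for the Apache CVE because the article gives none); the INVENTORY hosts and versions are invented. Real feeds carry CPE match data rather than the (operator, version) tuples used here. It also handles the two cases that bite in practice: an advisory published without affected-version data yet, and one published without a CVSS score.

```python
"""Inventory-vs-feed matching with exploitation / CVSS prioritisation.

Added example, not WZ-IT's or OpenCVE's code. FEED is built from the
article's own figures; INVENTORY is invented sample data.
"""
import operator
import re
from dataclasses import dataclass
from typing import Optional

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_version(v: str) -> tuple:
    """'2.4.66' -> (2, 4, 66, 0). Padded to four fields so '1.65' and '1.65.0'
    compare equal; non-numeric parts such as 'rc1' count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def version_matches(installed: str, constraints) -> bool:
    """constraints: tuple of (op, bound) that must all hold, or None when the
    advisory has no version data yet (then every deployment counts as affected)."""
    if constraints is None:
        return True
    inst = parse_version(installed)
    return all(OPS[op](inst, parse_version(bound)) for op, bound in constraints)


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: Optional[float]          # None: not scored at publication
    constraints: Optional[tuple]   # None: no affected-version data published yet
    exploited: bool = False


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    cve: str
    cvss: Optional[float]
    exploited: bool
    version_data: bool   # False: matched on product only, confirm manually


def priority(adv: Advisory) -> int:
    """0 = actively exploited, 1 = CVSS 9.0+, 2 = unscored (review, don't bury), 3 = rest."""
    if adv.exploited:
        return 0
    if adv.cvss is None:
        return 2
    return 1 if adv.cvss >= 9.0 else 3


def match_inventory(inventory, feed):
    """Cross every (host, product, version) against the feed; return the hits
    with exploited and critical advisories first."""
    hits = []
    for host, product, version in inventory:
        for adv in feed:
            if adv.product == product and version_matches(version, adv.constraints):
                hits.append((priority(adv), -(adv.cvss or 0.0),
                             Finding(host, product, version, adv.cve, adv.cvss,
                                     adv.exploited, adv.constraints is not None)))
    return [f for _, _, f in sorted(hits, key=lambda t: t[:2])]


# Sample feed from the article's figures (ranges and scores as stated there).
FEED = (
    Advisory("CVE-2026-21858", "n8n", 10.0, (("<=", "1.65.0"),)),
    Advisory("CVE-2026-35031", "jellyfin", 9.9, (("<", "10.11.7"),)),
    Advisory("CVE-2026-23918", "apache-httpd", None, (("<=", "2.4.66"),)),  # no score in article
    Advisory("CVE-2026-41940", "cpanel", 9.8, None, exploited=True),       # no range in article
)

# Constructed inventory: hosts and versions are invented.
INVENTORY = (
    ("app-01", "n8n", "1.64.2"),
    ("media-01", "jellyfin", "10.11.7"),
    ("web-01", "apache-httpd", "2.4.66"),
    ("hosting-01", "cpanel", "126.0.11"),
    ("db-01", "postgresql", "16.3"),
)

if __name__ == "__main__":
    for f in match_inventory(INVENTORY, FEED):
        flag = "EXPLOITED" if f.exploited else (f"CVSS {f.cvss}" if f.cvss is not None else "UNSCORED")
        note = "" if f.version_data else " (no version data yet: confirm manually)"
        print(f"{f.host:12} {f.product:14} {f.version:10} {f.cve} [{flag}]{note}")
```

Run stand-alone it lists three hits: the cPanel host first (actively exploited, matched on product alone because the feed has no range for it), the n8n host (CVSS 10.0), then the Apache host flagged as unscored. The patched Jellyfin 10.11.7 and the PostgreSQL host produce nothing, which is the "is my infrastructure affected?" answer the section asks for.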

Trivy — Container Security

Trivy scans container images, filesystems and Git repositories for CVEs in OS packages and application dependencies. Integrates into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins).

Ideal for enterprises deploying applications via Docker/Kubernetes.
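When Trivy runs in a pipeline, the decision that matters is which findings stop the build and which are only recorded. The script below is an added example, not Trivy's own code: it applies that policy to a Trivy JSON report (fail on HIGH and above, but only where a fixed version exists, so unfixable findings are tracked rather than blocking every build). SAMPLE_REPORT is a constructed document in the layout `trivy image --format json` writes (Results, each with Target, Class and a Vulnerabilities list carrying VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the package names, versions, image name and CVE ids in it are placeholders, not findings from any real image.

```python
"""CI gate over a Trivy JSON report.

Added example, not Trivy's code. SAMPLE_REPORT is a constructed report in
Trivy's JSON layout with placeholder package and CVE identifiers.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/n8n:1.64.2",   # placeholder image
    "Results": [
        {
            "Target": "registry.example.internal/n8n:1.64.2 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother2",
                 "InstalledVersion": "2.3.4", "FixedVersion": "", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "usr/local/lib/node_modules/n8n/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "example-dep",
                 "InstalledVersion": "4.1.0", "FixedVersion": "4.1.1", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "other-dep",
                 "InstalledVersion": "0.9.0", "FixedVersion": "1.0.0", "Severity": "CRITICAL"},
            ],
        },
        {"Target": "Dockerfile", "Class": "config"},   # clean result: no Vulnerabilities key
    ],
})


def evaluate_report(report_json: str, fail_on: str = "HIGH", ignore_unfixed: bool = True):
    """Return (blocking, tracked): findings at or above fail_on that have a fix
    (the build should fail) and everything else (recorded, e.g. for DefectDojo)."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, tracked = [], []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the key, or writes null, when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            entry = {
                "target": result["Target"],
                "cve": v["VulnerabilityID"],
                "package": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None,   # "" means no fix released
                "severity": v.get("Severity", "UNKNOWN"),
            }
            above = SEVERITY_RANK.get(entry["severity"], 0) >= threshold
            if above and (entry["fixed"] or not ignore_unfixed):
                blocking.append(entry)
            else:
                tracked.append(entry)
    blocking.sort(key=lambda e: -SEVERITY_RANK.get(e["severity"], 0))
    return blocking, tracked


if __name__ == "__main__":
    blocking, tracked = evaluate_report(SAMPLE_REPORT)
    for e in blocking:
        print(f"BLOCK {e['severity']:8} {e['cve']} {e['package']} "
              f"{e['installed']} -> {e['fixed']} ({e['target']})")
    print(f"{len(blocking)} blocking, {len(tracked)} tracked (below threshold or no fix yet)")
    sys.exit(1 if blocking else 0)
```

On the sample report the gate blocks on the CRITICAL and HIGH findings that have a fix and only tracks the CRITICAL one without a fixed version and the MEDIUM one. Trivy can enforce the same policy directly with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`; post-processing the JSON as above is for the case where the report is also being shaped for an aggregator such as DefectDojo.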

DefectDojo — Central Vulnerability Platform

DefectDojo aggregates findings from over 200 security tools, deduplicates them and maps them to compliance frameworks. For enterprises running multiple scanners that need a unified overview.

How the tools work together

These tools don't compete — they complement each other:

OpenCVE          →  "There's a new CVE for n8n" (proactive)
Trivy            →  "Your n8n container has the affected version" (scan)
OpenVAS          →  "The n8n port is reachable from the internet" (network)
DefectDojo       →  Aggregate everything, prioritize, report

For most SMEs, OpenCVE + Trivy is a solid starting point. OpenVAS and DefectDojo come in as infrastructure grows.

How WZ-IT handles CVE monitoring

We offer CVE monitoring as part of our Managed Operations:

  1. Inventory — Which software runs in which version on which server?
  2. Monitoring Setup — OpenVAS for network scans, Trivy for containers, automated alerting
  3. Triage — For new CVEs: Does it affect our clients? How critical? Is it being actively exploited?
  4. Patching — Coordinated updates with maintenance windows, rollback strategy, verification
  5. Reporting — Monthly security report with all found and resolved vulnerabilities

No enterprise should learn about a CVSS 10.0 vulnerability from the news.

CVE monitoring for your infrastructure? We monitor your servers, containers and applications — and patch before it's too late. Schedule a consultation | CVE Monitoring Service

Frequently Asked Questions

Answers to important questions about this topic

CVE monitoring continuously tracks all deployed software versions against known vulnerabilities (CVEs) and alerts as soon as a relevant patch becomes available.

apt update only updates packages from configured repositories. Docker containers, self-compiled software and applications outside the package manager are not covered. It also lacks severity-based prioritization.

Greenbone OpenVAS for network scans, Trivy for containers and dependencies, DefectDojo as a central platform. For managed services, WZ-IT handles the complete monitoring.

For CVSS 9.0+ vulnerabilities, patch within 24-48 hours. For active exploitation (like cPanel CVE-2026-41940), immediately. Without monitoring, you often learn about the vulnerability only when it's too late.

Especially those. Open source doesn't automatically mean secure. The examples in this article (Jellyfin, n8n, Apache, cPanel) are all open source or based on open source components.

Best case: nothing. Worst case: data loss, ransomware, GDPR fines, reputational damage. The cPanel vulnerability was actively exploited — with root access to 1.5M servers.


Written by

Timo Wevelsiep

Co-Founder & CEO

Co-Founder of WZ-IT. Specialized in cloud infrastructure, open-source platforms and managed services for SMEs and enterprise clients worldwide.
