Vulnerability Desk

CVE-2026-20253 scores CVSS 9.8 and allows network attackers to execute arbitrary code on Splunk Enterprise servers without authentication. No workaround exists—patching is mandatory.

Researchers at Tenet Security discovered Agentjacking, an attack that tricks AI coding assistants like Claude Code and Cursor into executing arbitrary code through malicious Sentry error events.

WatchTowr Labs published technical details and exploit code for CVE-2026-50751, the auth bypass flaw already used by Qilin ransomware. TCP 443 bypass works too.

Check Point researchers chained SQL injection and unsafe deserialization flaws to achieve RCE on AI workflow platforms. Patch langgraph to 1.0.10+ immediately.

CISA orders federal agencies to patch CVSS 10.0 Ivanti Sentry flaw within 3 days—the first application of BOD 26-04. Exploitation is automated and widespread.

Microsoft releases CVE-2026-42897 fix for Exchange Server OWA XSS vulnerability exploited since May. ESU-only updates for 2016/2019 leave many systems exposed.

CVE-2026-7473 lets attackers bypass tunnel security controls on Arista network devices. CISA added it to KEV—but Arista says patching would 'break existing configurations.'

CVE-2026-5027 allows unauthenticated attackers to write arbitrary files on Langflow servers. Patch to version 1.10.0 immediately—attackers are already exploiting exposed instances.

Oracle issues emergency patch for CVE-2026-35273 (CVSS 9.8) as ShinyHunters claims to have stolen data from 300 PeopleSoft instances. Nottingham University among confirmed victims.

Security researcher Nightmare Eclipse releases fourth Microsoft Defender zero-day in months, granting SYSTEM privileges on patched Windows 10 and 11 systems. Here's what defenders need to know.

SAP's June 2026 Security Patch Day addresses 15 vulnerabilities including CVE-2026-44748 (CVSS 9.9) enabling SAML authentication bypass and CVE-2026-27671 (CVSS 9.8) memory corruption RCE.

CVE-2026-44963 in Veeam Backup & Replication enables any authenticated domain user to achieve remote code execution on backup servers. CVSS 9.4 critical severity.

Google patches CVE-2026-11645, the fifth actively exploited Chrome zero-day of 2026. The V8 out-of-bounds memory flaw enables sandbox code execution via malicious web pages.

Microsoft's record-breaking June 2026 Patch Tuesday fixes 206 vulnerabilities including CVE-2026-45657, a CVSS 9.8 wormable kernel flaw allowing remote code execution without authentication.

CVE-2026-23111 exploit code now public. A single misplaced character in nf_tables lets unprivileged users gain root and escape containers. Patch immediately.

CVE-2026-50751 lets attackers bypass VPN authentication without passwords. CISA gives feds 3 days to patch after Qilin ransomware affiliate exploitation confirmed.

CVE-2026-42271 in LiteLLM chains with Starlette bypass for unauthenticated remote code execution. CISA adds to KEV catalog after active exploitation confirmed.

Anthropic patches critical Claude Code GitHub Action vulnerability that let attackers steal tokens and hijack repositories through a single malicious issue. CVSS 7.8 flaw exploited bot actor trust.

CVE-2026-45185 is a use-after-free in Exim affecting GnuTLS builds with BDAT support. Unauthenticated attackers can achieve remote code execution via crafted SMTP traffic.

CVE-2026-28318 lets unauthenticated attackers crash SolarWinds Serv-U servers via malformed POST requests. CISA sets June 19 federal deadline after confirming active exploitation.

IBM discloses CVE-2026-8644, CVE-2026-9311, and CVE-2026-9319 affecting WebSphere 8.5 and 9.0. Attackers can chain identity spoofing with RCE for full server compromise.

CVE-2026-3300 in Everest Forms Pro allows unauthenticated attackers to execute PHP code via eval() injection. Over 29,300 exploit attempts blocked since April despite patch availability.

CVE-2026-20245 lets attackers with netadmin credentials execute arbitrary commands as root on Cisco Catalyst SD-WAN Manager. Active exploitation confirmed, no fix available yet.

CVE-2026-20230 in Cisco Unified Communications Manager enables unauthenticated attackers to gain root privileges via SSRF. Public exploit code raises urgency for patching.

A vulnerability in GitHub.dev allowed attackers to steal GitHub OAuth tokens with full repo access via a single malicious link. Microsoft patched the flaw within 24 hours.

CVE-2026-8206 (CVSS 9.8) in the Kirki WordPress plugin enables unauthenticated account takeover via password reset manipulation. Over 500,000 sites at risk.

CVE-2026-41283 enables unauthenticated remote code execution on OpenStack Mistral through 22.0.0. Trivial exploitation when API is network-accessible.

CVE-2026-49975 combines HPACK compression abuse with Slowloris-style holds to exhaust 32GB of server memory in 10 seconds. nginx and Apache patched; IIS, Envoy remain exposed.

CVE-2026-45247 in Mirasvit Full Page Cache Warmer allows unauthenticated RCE via PHP deserialization. CISA confirms active exploitation targeting e-commerce sites.

Federal agencies face June 5 deadline to remediate CVE-2025-48595 and CVE-2022-0492 after CISA confirms active exploitation. Linux container escapes and Android privilege escalation at risk.

CVE-2024-21182 under active exploitation against Oracle Fusion deployments. CVSS 7.5 unauthenticated takeover—federal deadline is June 4, 2026.

Fortinet confirms large-scale attacks against Citrix NetScaler ADC and Gateway appliances via CVE-2026-3055 SAML IDP flaw. CVSS 9.8—patch immediately.

Google patches actively exploited CVE-2025-48595 affecting Android 14+ alongside 123 additional vulnerabilities. Pixel devices get immediate updates—others must wait.

A SpaceX security engineer discovered a privilege escalation bug hidden in the Linux kernel since 2007. Proof-of-concept exploit published—major distributions now patching.

Critical CVSS 9.4 vulnerability in Gogs self-hosted Git service allows authenticated users to achieve RCE via argument injection. Maintainers unresponsive since March disclosure.

Critical Windows Netlogon vulnerability CVE-2026-41089 enables zero-click RCE on domain controllers. Active exploitation confirmed—patch immediately.

Microsoft Exchange Server zero-day CVE-2026-42897 enables session hijacking via malicious emails. Active exploitation confirmed with no permanent fix available.

Oracle REST Data Services vulnerability CVE-2026-46840 earns maximum CVSS 10.0 score. Unauthenticated attackers can achieve complete system compromise via HTTPS.

CVE-2026-8732 in WP Maps Pro allows unauthenticated attackers to create administrator accounts. Over 3,600 attacks blocked in 24 hours. Patch to 6.1.1 now.

CVE-2026-40933 (CVSS 9.9) allows attackers to compromise self-hosted Flowise AI agent builders by tricking users into importing a malicious chatflow. The payload executes during import without user action.

Researchers discover ChatGPT's Markdown rendering trusts attacker-controlled content from summarized pages, enabling phishing URLs, IP exfiltration, and fake security alerts inside the AI interface.

CVE-2026-0257 lets attackers forge VPN cookies to access internal networks without credentials. CISA adds to KEV after Rapid7 confirms exploitation since May 17. Federal deadline June 19.

CVE-2026-45697 (CVSS 9.8) in the Formie Craft CMS plugin allows unauthenticated attackers to execute arbitrary code via Twig template injection in Hidden fields. Patch to 2.2.20 or 3.1.24 immediately.

CVE-2026-31635 exploits a missing copy-on-write guard in RxGK to corrupt privileged file caches. Fedora, Arch, and openSUSE at risk. Here's who's affected.

CVE-2026-43284 and CVE-2026-43500 chain together for deterministic root access. PoC exploit is public, patches still rolling out. Here's how to detect and mitigate.

CVE-2026-20182 lets unauthenticated attackers gain admin access to Cisco Catalyst SD-WAN controllers. CISA adds to KEV with federal deadline. Here's what you need to know.

CVE-2026-27771 let attackers pull private container images without authentication. Over 30,000 Gitea deployments affected across healthcare, aerospace, and retail. Update to 1.26.2 now.

CVE-2024-12802 lets attackers bypass MFA on SonicWall Gen6 VPNs even after patching. Ransomware operators actively exploiting incomplete fixes. Gen6 reached EOL April 16.

Critical CVE-2026-48172 in LiteSpeed cPanel plugin enables root privilege escalation. CVSS 10.0, actively exploited, CISA KEV deadline May 29. Patch immediately.

CVE-2026-48095 in 7-Zip allows attackers to execute arbitrary code through malicious NTFS images. CVSS 8.8 - update to v26.01 immediately.

Attackers exploit CVE-2026-26980 to steal admin API keys and inject malicious scripts across 700+ Ghost CMS sites, including Harvard and Oxford. Patch now.

CVE-2026-34926 lets attackers inject malicious code into Apex One servers and deploy it to all connected endpoint agents. CISA confirms active exploitation with June 4 federal deadline.

CISA adds CVE-2025-34291 to KEV after Iranian APT MuddyWater weaponizes the CORS/CSRF chain for account takeover and RCE. CVSS 9.4 flaw requires only a malicious link click.

CVE-2026-9082 exploitation began within hours of patch release. Imperva tracked 15,000+ attacks against PostgreSQL-backed Drupal sites across 65 countries in the first two days.

CVE-2026-23918 in Apache HTTP Server 2.4.66 lets attackers crash workers trivially or achieve remote code execution through a double-free in mod_http2. Upgrade to 2.4.67 immediately.

Ubiquiti releases emergency patches for three maximum-severity vulnerabilities in UniFi OS that allow unauthenticated remote attackers to take full control of network appliances. 100,000 devices exposed.

Cisco patches CVE-2026-20223, a maximum-severity REST API vulnerability in Secure Workload enabling unauthenticated attackers to gain Site Admin privileges across tenants.

A Chromium bug reported in 2022 that turns browsers into silent botnets was accidentally exposed on Google's issue tracker. No patch exists despite 'fixed' status.

CISA's May 20 KEV update includes two actively exploited Microsoft Defender vulnerabilities and five legacy flaws from 2008-2010. Federal agencies have until June 3 to patch.

Security researchers disclose nginx-poolslip, an unpatched zero-day in NGINX 1.31.0 that defeats ASLR protection. Millions of servers at risk with no CVE or fix available yet.

Drupal releases patches for a highly critical vulnerability (severity 20/25) affecting all supported versions. Exploits may emerge within hours—administrators should update between 5-9pm UTC today.

Seven vulnerabilities including CVE-2026-2743 (CVSS 10.0) allow unauthenticated attackers to compromise SEPPMail secure email gateways, read all traffic, and establish persistent access. Patch to 15.0.4 immediately.

DEVCORE claims Master of Pwn with $505K across three days. VMware ESXi and SharePoint exploits highlight Day 3 as Pwn2Own Berlin 2026 awards $1.29M total.

Chaotic Eclipse drops working exploit for Windows Cloud Filter driver flaw allegedly patched in 2020. Race condition in cldflt.sys spawns SYSTEM shell on Windows 11.

Critical CVE-2026-7482 vulnerability in Ollama's GGUF model loader lets remote attackers extract API keys, prompts, and conversation data from 300,000+ exposed servers.

Cyera discloses four chainable OpenClaw vulnerabilities (CVE-2026-44112 through 44118) exposing 245,000 servers to credential theft, privilege escalation, and persistent access.

Day two of Pwn2Own Berlin 2026 yields 15 new zero-days worth $385,750. Orange Tsai chains three bugs for SYSTEM-level Exchange RCE, earning the event's largest payout.

Microsoft confirms active exploitation of CVE-2026-42897, an XSS flaw in Exchange OWA that executes JavaScript via malicious emails. No patch available yet.

Google's May 2026 Chrome update addresses 79 security issues with 14 rated critical. Memory corruption bugs dominate—update immediately to version 148.0.7778.167.

CVE-2026-46300 exploits a logic bug in the XFRM ESP-in-TCP subsystem to corrupt page cache and gain root. Kernel patches rolling out now—mitigation available.

CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module that went undetected since 2008. CVSS 9.2 with public PoC available—patch now.

CVE-2026-20182 allows unauthenticated attackers to gain admin access to Cisco Catalyst SD-WAN controllers. CISA added it to the KEV catalog after confirmed exploitation.

Security researchers exploited Windows 11, Microsoft Edge, Red Hat Linux, and multiple AI platforms on the first day of Pwn2Own Berlin 2026, earning $523,000 for 24 unique zero-day vulnerabilities.

SAP's May 2026 security update addresses 15 vulnerabilities, including CVE-2026-34260 SQL injection in S/4HANA and CVE-2026-34263 unauthenticated RCE in Commerce Cloud.

A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.

CVE-2026-45185 is a critical use-after-free vulnerability in Exim mail servers using GnuTLS. XBOW researchers call it one of the highest-caliber bugs found in Exim.

Microsoft's May 2026 Patch Tuesday addresses 120 vulnerabilities including 17 critical RCE flaws. No zero-days, but Word preview pane attacks and Netlogon bugs demand immediate attention.

Fortinet discloses CVE-2026-44277 and CVE-2026-26083, unauthenticated RCE flaws affecting FortiSandbox and FortiAuthenticator. Patch now before attackers weaponize these.

CVE-2026-44211 (CVSS 9.7) allowed malicious websites to hijack Cline's Kanban WebSocket server, exfiltrate workspace data, and execute arbitrary commands through the AI agent. Patched in v0.1.66.

CVE-2026-42208, a CVSS 9.3 pre-auth SQL injection in the LiteLLM LLM gateway, was weaponized within 36 hours of disclosure. CISA added it to KEV with a May 11 federal deadline.

cPanel releases emergency fixes for CVE-2026-29201, 29202, and 29203—including file read, code execution, and privilege escalation flaws. Comes days after 44,000 servers were hit by ransomware.

Two vulnerabilities in AzuraCast radio automation software enable authenticated RCE via path traversal and unauthenticated account takeover through password reset poisoning. Upgrade to 0.23.6 now.

CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 allowed information disclosure via injection attacks in Microsoft 365 Copilot. No admin action required.

CVE-2026-42354 (CVSS 9.1) allows attackers to take over any Sentry user account via malicious SAML IdP. Patch to version 26.4.1 immediately.

A new Linux kernel flaw dubbed Dirty Frag (CVE-2026-43284) enables instant root on all major distros. No patches exist after embargo collapsed.

Security researchers disclosed 12 sandbox escape vulnerabilities in vm2, including three with CVSS 10.0 scores. The popular JavaScript isolation library can no longer be trusted to contain untrusted code.

CVE-2026-6973 lets attackers achieve RCE on Ivanti Endpoint Manager Mobile with admin credentials. CISA added it to KEV with a two-day patch deadline for federal agencies.

CVE-2026-27960 in OpenCTI 6.6.0-6.9.12 allows unauthenticated API access as any user, including admin. Upgrade to 6.9.13 or disable the default admin account.

CVE-2026-23918 in Apache 2.4.66 lets attackers crash servers or achieve code execution with just two HTTP/2 frames. Upgrade to 2.4.67 immediately.

CVE-2026-0300 allows unauthenticated attackers to execute code as root on PA-Series and VM-Series firewalls. Patches coming May 13—here's how to mitigate now.

Progress patches CVE-2026-4670, a critical authentication bypass in MOVEit Automation that could give attackers admin control. No workarounds available.

CVE-2026-31431 lets attackers gain root on every major Linux distro since 2017 with a 732-byte Python script. Here's how it works and what to do.

CVE-2026-3854 allowed authenticated attackers to execute code on GitHub servers via a single git push. 88% of Enterprise Server instances remain unpatched.

CVE-2026-41386 allows attackers to manipulate bootstrap setup codes during device pairing, bypassing role restrictions and gaining elevated privileges in OpenClaw.

Critical CVSS 9.8 flaw in cPanel/WHM allowed attackers to bypass authentication via CRLF injection. Exploits confirmed in the wild before emergency patches.

CVE-2026-42208 lets attackers steal API keys and forge admin sessions in LiteLLM without authentication. Exploitation began within 36 hours of public disclosure.

Russian state hackers weaponize CVE-2026-32202, an incomplete patch for Windows Shell that enables zero-click NTLM hash theft. Microsoft confirms active exploitation after Akamai discovers the bypass.

Silverfort researchers discover Microsoft's AI agent management role could be abused to take over arbitrary service principals in Entra ID tenants. Microsoft patched the privilege escalation flaw on April 9.

Microsoft releases emergency patch for CVE-2026-40372 (CVSS 9.1), a critical ASP.NET Core flaw allowing attackers to forge authentication cookies and gain SYSTEM privileges on Linux and macOS servers.

Kaspersky discloses PhantomRPC, an architectural Windows RPC vulnerability enabling SYSTEM-level privilege escalation across all Windows versions. Microsoft declined to patch despite five exploitation paths.

CVE-2026-42363 exposes admin credentials in GeoVision GV-IP Device Utility 9.0.5 via UDP broadcast packets. CVSS 9.3 critical flaw lets LAN attackers decrypt device passwords.

Security researcher Valentin Lobstein discovers CVSS 9.8 pickle deserialization vulnerabilities in LeRobot, ktransformers, and LightLLM. ML frameworks using pickle for network serialization create widespread attack surface.

Critical CVE-2026-5760 in SGLang enables unauthenticated RCE through poisoned GGUF model files. Attackers can weaponize Hugging Face models to compromise inference servers.

Oracle's April 2026 CPU addresses 450 CVEs across 28 product families. Over 300 flaws are remotely exploitable without authentication, with Communications leading at 139 patches.

Four actively exploited vulnerabilities added to CISA's KEV catalog on April 24. Federal agencies face May 8 deadline—here's what's being targeted.

CVE-2026-41248 in Clerk's JavaScript libraries allows crafted requests to bypass authentication middleware. CVSS 9.1—patch your Next.js, Nuxt, and Astro apps now.

CVE-2026-40050 exposes CrowdStrike LogScale servers to unauthenticated file access via path traversal. CVSS 9.8—here's who's affected and how to patch.

CVE-2026-41651 lets any local user gain root privileges on Ubuntu, Debian, and Fedora via a TOCTOU race in PackageKit. Patch to version 1.3.5 immediately.

CVE-2026-33626 in LMDeploy AI toolkit was weaponized within 12 hours of publication, targeting AWS credentials and internal services. Patch to v0.12.3 immediately.

Huntress confirms hands-on-keyboard exploitation of all three Windows Defender zero-days. Microsoft patched BlueHammer, but RedSun and UnDefend remain unpatched as attackers chain them for SYSTEM access.

CVE-2026-20184 (CVSS 9.8) in Cisco Webex Services allowed unauthenticated attackers to impersonate any user through SSO certificate validation bypass. Cloud service already patched.

CISA added eight vulnerabilities to its KEV catalog including three Cisco Catalyst SD-WAN Manager flaws. Federal agencies face an April 23 deadline for the Cisco patches.

CVE-2026-40575 (CVSS 9.1) allows unauthenticated attackers to bypass OAuth2 Proxy authentication via X-Forwarded-Uri header spoofing. Patch to v7.15.2 immediately.

CVE-2026-5965 in NewSoftOA enables unauthenticated OS command injection with CVSS 9.8. Local attackers can execute arbitrary commands and fully compromise systems.

CVE-2026-41329 lets attackers bypass OpenClaw's sandbox via heartbeat context manipulation, achieving privilege escalation. CVSS 9.9 demands immediate patching.

Critical ISE vulnerabilities let authenticated users escalate to root. Read-only admin accounts can execute arbitrary commands on underlying OS.

CVE-2026-34197 lets attackers execute arbitrary code via ActiveMQ's Jolokia API. CISA mandates federal patching by April 30 as exploitation peaks.

CVE-2026-5387 gives unauthenticated attackers admin access to pipeline simulation environments. CVSS 9.3 - affects oil, gas, and chemical sectors.

Microsoft's KB5082063 causes LSASS crashes on non-Global Catalog domain controllers using PAM. Affected servers stuck in restart loops - no fix yet.

CVE-2026-27681 allows low-privileged users to execute arbitrary SQL commands in SAP Business Planning and Consolidation. CVSS 9.9 - patch immediately.

Critical code injection vulnerability (GHSA-xq3m-2v4x-88gg, CVSS 9.9) in protobuf.js allows arbitrary JavaScript execution via malicious schemas. Patch now.

CVE-2026-40478 bypasses Thymeleaf's expression protections, allowing attackers to execute arbitrary Java code through crafted template input. Upgrade to 3.1.4.RELEASE now.

Fortinet patches two critical FortiSandbox vulnerabilities allowing unauthenticated attackers to bypass authentication and execute code. Upgrade to 4.4.9 or 5.0.6 immediately.

Frustrated researcher 'Chaotic Eclipse' releases RedSun, another Windows Defender privilege escalation exploit granting SYSTEM access. Microsoft has not yet patched this second zero-day.

CVE-2026-33032 lets attackers take full control of nginx-ui servers without credentials. Threat actors are exploiting it now. Upgrade to 2.3.4 immediately.

Microsoft's April 2026 Patch Tuesday fixes 167 vulnerabilities including CVE-2026-32201, an actively exploited SharePoint zero-day. Eight critical RCE flaws patched.

Critical CVSS 9.8 command injection vulnerability in Totolink A7100RU routers enables unauthenticated remote code execution. Public exploit available, no patch released.

CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS 8.6 score. Active exploitation began in December 2025. Update immediately.

Microsoft found an intent redirection vulnerability in EngageLab's Android SDK affecting 50M+ app installs. Crypto wallets with 30M users were at risk.

CVE-2026-39987 in Marimo Python notebooks allows unauthenticated RCE via terminal WebSocket. Attackers weaponized it within hours. Patch to 0.23.0 now.

CVE-2026-25776 (CVSS 9.8) enables remote code execution through Movable Type's Listing Framework. Affects versions 6.0+. Patches available for MT 9, 8.8, 8.0.

CVE-2026-39888 bypasses PraisonAI's Python sandbox via exception frame traversal. Attackers chain __traceback__ attributes to reach exec(). Patch to 1.5.115.

CVE-2026-34197 exposes Apache ActiveMQ to remote code execution via the Jolokia API. Horizon3 researcher used Claude to uncover the flaw in under 10 minutes. Patch now.

CVE-2026-34040 lets attackers bypass Docker authorization plugins with a single padded HTTP request. CVSS 8.8 flaw patched in Engine 29.3.1.

Critical code injection vulnerability CVE-2025-59528 in Flowise AI agent builder scores maximum CVSS 10.0 and is under active exploitation. Over 12,000 instances are publicly accessible.

Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.

University of Toronto researchers demonstrate GPUBreach, a GPU rowhammer attack that bypasses IOMMU protections to achieve root access on systems with NVIDIA GPUs. Consumer GPUs remain unmitigated.

CISA adds CVE-2026-35616 to KEV catalog with April 9 deadline for federal agencies. Nearly 2,000 FortiClient EMS instances remain exposed as exploitation continues.

AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.

CVE-2026-34838 lets authenticated attackers achieve RCE on Group-Office CRM servers via insecure deserialization. Upgrade to patched versions immediately.

CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.

CVE-2026-20093 and CVE-2026-20160 let unauthenticated attackers take full control of Cisco UCS servers and licensing infrastructure. No workarounds exist.

CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.

CVE-2026-34938 lets attackers escape PraisonAI's three-layer Python sandbox to execute arbitrary OS commands. CVSS 10 — patch to version 1.5.90 immediately.

Microsoft Azure Kubernetes Service has a critical auth bypass (CVE-2026-33105) with a perfect CVSS 10.0 score. Unauthenticated attackers can escalate to cluster admin—patch now.

Unit 42 exposes how excessive default permissions in Google Cloud's Vertex AI let attackers weaponize AI agents to steal data from customer environments.

CVE-2026-5281 exploited in the wild targets Dawn WebGPU implementation. Google rushes emergency patch as Chrome zero-days accelerate in 2026.

CVE-2026-32746 (CVSS 9.8) in GNU InetUtils telnetd enables unauthenticated root RCE via buffer overflow. FreeBSD, NetBSD, Citrix NetScaler affected.

Trend Micro ZDI disclosed a CVSS 9.8 flaw enabling device takeover via animated stickers. Telegram says the vulnerability doesn't exist. No patch until July 2026.

Check Point Research disclosed a ChatGPT vulnerability that abused DNS tunneling to silently steal conversation data. OpenAI patched the flaw on February 20, 2026.

CVE-2026-21643 exploitation began March 26, six weeks after Fortinet's patch. Around 1,000 internet-exposed EMS instances remain vulnerable to unauthenticated RCE.

CVE-2026-33660 (CVSS 9.4) lets authenticated users escape n8n's AlaSQL sandbox via the Merge node. Over 615,000 public instances potentially vulnerable.

CVE-2026-3055 now actively exploited. CISA adds the CVSS 9.3 memory leak to KEV catalog, giving federal agencies until April 2 to patch SAML IdP configurations.

Critical CVSS 9.8 flaw in OpenClaw AI agent platform lets attackers replay setup codes for privilege escalation. Patch to version 2026.3.13 immediately.

CVE-2026-3098 lets subscribers read wp-config.php and any server file. Amelia Booking Pro also patched for admin password reset bug. Update these WordPress plugins now.

CISA added CVE-2025-53521 to its KEV catalog after F5 reclassified the BIG-IP APM vulnerability from DoS to remote code execution. CVSS 9.8—federal deadline is March 30.

Three vulnerabilities in LangChain and LangGraph expose filesystems, environment secrets, and conversation histories. CVE-2026-34070 enables path traversal. Patches available now.

CVE-2026-22557 lets unauthenticated attackers traverse paths and hijack UniFi Network accounts. CVSS 10.0 severity demands immediate patching to 10.1.89.

Critical CVE-2025-15517 allows attackers to bypass authentication on TP-Link Archer NX routers, upload malicious firmware, and modify configurations without credentials.

Critical deserialization flaw CVE-2026-4681 in PTC Windchill and FlexPLM threatens manufacturing sector. German federal police dispatched to warn companies of imminent exploitation.

n8n patches CVE-2026-27577, CVE-2026-27493, and two more sandbox escapes. One flaw allows unauthenticated attackers to execute commands via public form endpoints.

CVE-2026-3055 (CVSS 9.3) lets unauthenticated attackers read sensitive data from NetScaler memory. Affects appliances configured as SAML Identity Providers—patch now.

Attackers exploiting CVE-2025-32975 authentication bypass in Quest KACE to hijack admin accounts and deploy credential harvesters. Patched in May 2025—many remain exposed.

Three vulnerabilities in AVideo's CloneSite plugin chain together for unauthenticated remote code execution. CVE-2026-33478 has no patch available as attackers can extract admin credentials and inject OS commands.

CVE-2026-3888 exploits timing race between snap-confine and systemd-tmpfiles to grant root access on Ubuntu Desktop 24.04+. Qualys researchers demonstrate full privilege escalation.

Fortinet's March 2026 security advisory addresses 11 vulnerabilities including auth bypass, SQL injection, and buffer overflow flaws affecting enterprise management products.

Unrestricted file upload in Magento and Adobe Commerce REST API allows unauthenticated attackers to upload executable files. No isolated patch available for production versions.

Five vulnerabilities under active exploitation added to CISA's KEV catalog. Federal agencies must patch by April 3, 2026. Includes three Apple kernel flaws and Laravel RCE.

CVE-2026-33017 (CVSS 9.3) lets attackers execute arbitrary Python code on Langflow AI pipelines without authentication. Exploitation began before any PoC existed.

CVE-2026-21992 scores CVSS 9.8 and allows unauthenticated remote code execution on Oracle Identity Manager and Web Services Manager. Patch immediately.

CVE-2026-26144 allows attackers to silently exfiltrate sensitive data through Microsoft Copilot Agent without user interaction. Patch now or disable Copilot.

CVE-2026-3611 exposes Honeywell IQ4x building management controllers with CVSS 10 severity. Default configuration allows anyone to create admin accounts.

CISA confirms active exploitation of VMware Aria Operations CVE-2026-22719, a command injection flaw enabling unauthenticated RCE. Patch by March 24.

CISA added Microsoft SharePoint CVE-2026-20963 to the KEV catalog after confirming active exploitation. Federal agencies must patch by March 21.

LayerX researchers found that custom font rendering can hide malicious prompts from ChatGPT, Claude, Gemini, and other AI assistants while displaying them to users.

CVE-2026-32746 in GNU InetUtils telnetd allows unauthenticated root RCE via buffer overflow. CVSS 9.8, no patch available, over 200K servers exposed.

CISA renews warnings about CVE-2025-47812, a CVSS 10.0 vulnerability in Wing FTP Server that grants attackers root/SYSTEM access. Over 8,000 servers remain exposed.

CVE-2026-23813 allows unauthenticated attackers to reset admin passwords on HPE Aruba AOS-CX switches. No exploitation seen yet, but patch immediately.

Qualys discloses nine confused deputy vulnerabilities in Linux AppArmor that enable local privilege escalation to root. Ubuntu, Debian, and SUSE affected since 2017.

Google patches two actively exploited Chrome zero-days affecting Skia graphics and V8 JavaScript engine. CISA adds both to KEV catalog with March 27 deadline.

CVE-2026-1492 in User Registration & Membership plugin enables unauthenticated admin account creation. CVSS 9.8—over 100,000 sites at risk.

Veeam releases emergency patches for five critical RCE vulnerabilities (CVSS 9.9) affecting Backup & Replication. Domain users can fully compromise backup servers.

CVE-2025-68613 allows authenticated attackers to execute arbitrary code on n8n workflow servers. CISA gives federal agencies until March 25 to patch.

CVE-2026-1603 allows unauthenticated attackers to steal credential vaults from Ivanti Endpoint Manager. CISA added it to KEV catalog after exploitation detected.

Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities including two publicly disclosed zero-days in SQL Server and .NET. Eight flaws rated Critical.

CVE-2026-3823 allows unauthenticated attackers to execute code on Atop Technologies industrial switches. Firmware 3.36 patches the critical buffer overflow.

Two critical vulnerabilities in Delta Electronics COMMGR2 enable remote code execution without authentication. ICS operators should patch to v2.11.1 immediately.

CVE-2026-30851 in Caddy's forward_auth module enables identity injection and privilege escalation. Any valid user can impersonate administrators. Update to 2.11.2.

Critical command injection and SQL bypass vulnerabilities in Tencent's WeKnora LLM framework allow unauthenticated RCE. Patch to versions 0.2.10 and 0.2.12 now.

Cisco confirms active exploitation of two more SD-WAN Manager vulnerabilities. Attackers deploying web shells through arbitrary file overwrite and credential exposure flaws.

Cisco confirmed CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager are under active exploitation, with attackers deploying web shells globally.

Federal agencies must patch CVE-2017-7921 and CVE-2021-22681 by March 26. Hikvision cameras face active exploitation; Rockwell PLCs at risk.

CVE-2026-28289 allows unauthenticated attackers to achieve full server compromise by sending a single crafted email. CVSS 10.0—patch to 1.8.207 now.

CVE-2025-20265 in Cisco Secure Firewall Management Center allows unauthenticated attackers to execute commands as root via RADIUS authentication. Patch immediately.

CVE-2026-22886 exposes Eclipse OpenMQ to remote takeover via default admin/admin credentials. CVSS 9.8 critical vulnerability requires immediate attention from Java messaging users.

Google's March 2026 Android security update patches 129 vulnerabilities including CVE-2026-21385, a Qualcomm graphics flaw affecting 234 chipsets under active exploitation.

Critical insecure deserialization vulnerability in U-Office Force allows remote attackers to execute arbitrary code without authentication. CVSS 9.8, no patch available yet.

WordPress plugin wpForo 2.4.14 contains unauthenticated SQL injection, PHP object injection, and multiple authorization bypass flaws. Over 80,000 sites at risk.

Critical CVE-2026-21902 in Junos OS Evolved allows remote attackers to gain root access on PTX routers via exposed anomaly detection service. Patch now.

CVE-2026-28408 and related vulnerabilities allow unauthenticated attackers to bypass security, inject data, and execute code on WeGIA servers. Patch to version 3.6.5 immediately.

CVE-2026-2749 enables unauthenticated attackers to write or delete arbitrary files on Centreon Central Servers. Patches now available for all supported versions.

CVE-2026-27575 combines weak password enforcement with persistent sessions in Vikunja, enabling attackers to retain access even after victims change credentials.

CVE-2026-20781 exposes OCPP WebSocket endpoints to unauthenticated station impersonation, enabling attackers to manipulate EV charging infrastructure and steal energy.

CVE-2026-2251 is a CVSS 9.8 path traversal vulnerability in Xerox FreeFlow Core that enables unauthenticated remote code execution. Upgrade to version 8.1.0 now.

Check Point found CVE-2025-59536 and CVE-2026-21852 in Anthropic's Claude Code. Opening a cloned repo could execute code and leak API credentials.

CVE-2026-27941 (CVSS 9.9) lets attackers execute code via pull requests to OpenLIT, stealing GITHUB_TOKEN and cloud secrets. Patch to 1.37.1 now.

CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.

Microsoft confirms Copilot bug bypassed DLP policies, reading confidential emails without authorization. European Parliament blocked Copilot over concerns.

CISA flags FileZen command injection flaw (CVE-2026-25108, CVSS 8.7) as actively exploited. Federal agencies must patch by March 17, 2026.

Serv-U 15.5.4 fixes four CVSS 9.1 bugs including type confusion and access control flaws. Admin access required, but file transfer platforms remain high-value targets.

CVE-2025-40540 is a critical type confusion vulnerability in SolarWinds Serv-U with CVSS 9.1. Attackers with admin access can execute arbitrary code.

CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.

CVE-2026-26119 lets attackers escalate from standard user to domain admin via improper authentication. Microsoft rates exploitation 'more likely.'

CVE-2026-26030 in Microsoft's Semantic Kernel Python SDK enables unauthenticated RCE through InMemoryVectorStore. Upgrade to 1.39.4 immediately.

Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.

CVE-2026-2329 (CVSS 9.3) enables unauthenticated RCE on Grandstream GXP1600 VoIP phones. Attackers can intercept calls, steal credentials. Patch to 1.0.7.81.

Critical CVE-2026-1490 (CVSS 9.8) in CleanTalk anti-spam plugin allows unauthenticated attackers to install malicious plugins via DNS spoofing. Update to 6.72 now.

Cisco Talos researcher uses 'good enough' emulation to fuzz Socomec DIRIS M-70 energy gateway, discovering CVE-2025-54848 through CVE-2025-55222 in Modbus protocol handling.

CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.

CVE-2026-2441 is a high-severity CSS use-after-free in Chrome being exploited in the wild. Update to version 145.0.7632.75 immediately.

New n8n RCE flaw bypasses December patch through type confusion. CVSS 9.4 vulnerability enables unauthenticated command execution via malicious workflows.

CVE-2026-20700 memory corruption flaw in dyld exploited against targeted individuals. Google TAG credited with discovery. Patch now for iOS, macOS, watchOS.

GreyNoise traces Ivanti EPMM exploitation to bulletproof hosting on PROSPERO network. Defenders find dormant webshells—signs of initial access broker activity.

CVE-2025-20359 and CVE-2025-20360 affect Cisco FTD, Meraki, and open-source Snort 3. No workarounds exist—patches rolling out through February.

CVE-2026-21643 allows unauthenticated attackers to chain SQL injection with command execution in FortiClient EMS. CVSS 9.8 affects version 7.4.4—upgrade to 7.4.5 immediately.

CVE-2026-1731 allows unauthenticated remote code execution on BeyondTrust Remote Support and Privileged Remote Access products. CVSS 9.9 vulnerability affects 11,000+ exposed instances.

Microsoft's February 2026 Patch Tuesday fixes 59 flaws including six actively exploited zero-days. CrowdStrike confirmed CVE-2026-21533 was used in attacks targeting US and Canada since December.

CVE-2026-22778 chains a heap leak and buffer overflow in vLLM's video processing to achieve full RCE on AI inference servers. Patch to 0.14.1 now.

CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.

CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.

CVE-2026-25049 bypasses n8n's previous sandbox fix to enable system command execution. Four additional vulnerabilities disclosed simultaneously.

Federal agencies face an aggressive Friday deadline to patch CVE-2025-40551 in SolarWinds Web Help Desk. The compressed timeline signals serious active exploitation.

CVE-2026-20111 enables stored cross-site scripting attacks against administrators of Cisco Prime Infrastructure network management systems.

Attackers exploiting CVE-2025-5947 in Service Finder Bookings plugin to hijack admin accounts through cookie manipulation. Over 6,000 sites potentially exposed.

GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.

Four actively exploited vulnerabilities added to CISA's catalog including SolarWinds Web Help Desk deserialization flaw with CVSS 9.8. Federal agencies have until February 6 to patch.

Tenable discloses 'LookOut' vulnerabilities in Google Looker enabling remote code execution and full database theft. Self-hosted deployments at 60,000+ organizations exposed.

The OWASP Top 10 lists the most critical web application security vulnerabilities. Learn what each risk means, see real-world examples, and understand how to protect your applications.

Researchers disclose zero-click attack vector on Android where adding a user to a group can trigger malware execution through manipulated media files.

Attackers exploited a validation flaw to send spoofed cross-chain messages and unlock tokens across Ethereum, Arbitrum, and six other networks.

CVE-2025-8110 allows authenticated attackers to achieve RCE on self-hosted Git servers via path traversal. Over 700 instances already compromised.

JFrog researchers develop working remote code execution exploit for CVE-2025-62507, a stack buffer overflow in Redis discovered by Google's AI security agent.

CVE-2025-0921 enables privileged file system operations that can disrupt industrial control systems in automotive, energy, and manufacturing environments.

Cisco patches CVE-2026-20029, an XML external entity vulnerability in Identity Services Engine with proof-of-concept exploit code already publicly available.

Deserialization bugs and authentication bypasses enable unauthenticated RCE. Attackers have targeted WHD vulnerabilities before.

Two critical code injection flaws in Ivanti Endpoint Manager Mobile enable unauthenticated RCE. Federal agencies must remediate by February 1.

CVE-2025-15467 allows attackers to crash or compromise systems by sending malicious CMS messages. All AI-discovered in OpenSSL's largest coordinated security release.

JFrog discloses CVE-2026-1470 and CVE-2026-0863 in workflow automation platform. Both vulnerabilities enable authenticated remote code execution.

CVE-2026-23550 in Modular DS plugin scores CVSS 10.0. Active exploitation began January 13, with 40,000+ sites at risk.

CVE-2026-24858 allows attackers with FortiCloud accounts to log into other organizations' FortiGate devices. Patches rolling out now.

CVE-2026-23760 enables unauthenticated admin takeover in SmarterMail. Exploitation began two days after patch release.

CVE-2026-21509 bypasses OLE security protections across Office 2016-2024. CISA adds it to KEV catalog with February 16 deadline.

KB5074109 update causing UNMOUNTABLE_BOOT_VOLUME errors on some Windows 11 devices. Physical machines affected; VMs appear unimpacted.

Mozilla patches six high-severity flaws in Firefox 147 and ESR releases. Multiple sandbox escape vulnerabilities could enable arbitrary code execution.

Five vulnerabilities added to CISA's KEV catalog this week. VMware vCenter RCE bug patched 18 months ago now seeing active exploitation.

CVE-2026-24061 allows remote authentication bypass in GNU InetUtils telnetd. Exploitation activity detected within hours of disclosure.

Arctic Wolf reports automated attacks creating rogue admin accounts on supposedly patched FortiGate devices. Fortinet acknowledges incomplete fix.

Fuzzware.io claims Master of Pwn at Tokyo competition after researchers demonstrate record-breaking exploits against Tesla, EV chargers, and infotainment systems.

Researchers demonstrated 29 new zero-day exploits on Day Two at Pwn2Own Automotive in Tokyo, targeting EV chargers, infotainment systems, and Automotive Grade Linux.

CVE-2026-22844 allowed meeting participants to execute arbitrary code on Zoom's on-premises multimedia routers. No active exploitation reported yet.

CVE-2025-14533 in the ACF Extended plugin allows unauthenticated attackers to register as administrators on 100,000 WordPress sites.

Researchers exploited 37 zero-day vulnerabilities in Tesla systems, EV chargers, and infotainment units during the first day of Pwn2Own Automotive 2026 in Tokyo.

Multiple CVSS 10.0 flaws affect Commerce, Communications, and PeopleSoft. MySQL patches include a critical 9.8-severity bug.

CVE-2025-68493 in the XWork component enables XML External Entity attacks that can leak files, perform SSRF, or crash systems. Patch to version 6.1.1.

CVE-2026-22184 allows attackers to trigger memory corruption via an oversized archive name in zlib's untgz utility. No patch existed at initial disclosure.

Industrial control system vulnerabilities disclosed in Siemens RUGGEDCOM, Industrial Edge devices, Schneider EcoStruxure, AVEVA, and Festo products.

Varonis researchers disclosed a vulnerability chain that let attackers exfiltrate user data through Copilot with a single malicious link click. Microsoft has patched the issue.

AsyncOS fixes released for CVE-2025-20393 after weeks of active exploitation. Compromised appliances require full rebuild to remove persistent backdoors.

Critical Google Fast Pair vulnerability affects millions of wireless audio devices from major manufacturers. Attackers can eavesdrop on calls within Bluetooth range.

Critical authentication bug in popular scheduling platform reduces multi-factor auth to single-factor. Patch available in version 6.0.7.

CVE-2025-68668 bypasses Python code restrictions in workflow automation platform. CVSS 9.9 flaw affects versions 1.0.0 through 1.x.

CVE-2026-0227 allows unauthenticated attackers to crash firewalls via malformed packets. Proof-of-concept code is publicly available.

CVE-2025-64155 in Fortinet's SIEM product enables unauthenticated command injection via phMonitor service. CVSS 9.4, patches now available.

January 2026 Patch Tuesday addresses CVE-2026-20805, an info disclosure bug already under attack. CISA gives feds until February 3 to patch.

January 2026 Patch Day addresses 17 flaws including four HotNews vulnerabilities. CVE-2026-0501 allows authenticated attackers to compromise S/4HANA financial systems.

CVE-2026-20029 lets authenticated admins read restricted system files through XML parsing weakness. Trend Micro ZDI researcher found the bug; no workarounds available.

CVE-2026-22610 lets attackers inject JavaScript through SVG script attributes that Angular's sanitizer fails to recognize. Patches available for versions 19-21.

Five critical vulnerabilities in the self-hosting platform allow authenticated users to execute arbitrary commands as root. Over 52,000 instances are exposed globally.

CVE-2026-20026 and CVE-2026-20027 allow remote attackers to crash Snort or extract sensitive data. No workarounds exist—patches are the only fix.

CVE-2025-68428 enables path traversal in the popular JavaScript PDF library, allowing attackers to read arbitrary files from Node.js servers and exfiltrate them via generated documents.

January 7 KEV update includes CVE-2009-0556 from 2009 alongside recently patched HPE OneView vulnerability. Both are seeing active exploitation.

CVE-2026-21858 scores CVSS 10.0 and requires no credentials to exploit. Attackers can read files, forge admin sessions, and execute commands.

CVE-2026-0628 allowed malicious extensions to inject scripts into privileged pages through insufficient policy enforcement. Update to Chrome 143.0.7499.192.

CVE-2026-0625 allows unauthenticated remote code execution on legacy DSL routers. Affected models reached end-of-life in 2020 and won't receive fixes.

Google patches CVE-2026-0628 in first 2026 update. The high-severity bug affects billions of users across Chrome and Android applications.

Apple issues emergency patches for two WebKit zero-day vulnerabilities being actively exploited in sophisticated attacks linked to NSO Group's Pegasus spyware.

GreyNoise researchers uncover coordinated campaign exploiting 767 CVEs across 47 technology stacks. Hong Kong-based infrastructure generated 98% of attack traffic on Christmas Day.

CVE-2025-14346 allows attackers within Bluetooth range to fully control electric wheelchairs without authentication, earning a CVSS 9.8 severity score.

CVE-2025-69194 is a path traversal bug in Metalink handling that could let remote attackers write arbitrary files. CVSS 8.8.

CVE-2025-66398 lets unauthenticated attackers achieve code execution on boat navigation servers. CVSS 9.6 vulnerability affects all versions before 2.19.0.

CVE-2025-13915 allows remote attackers to bypass authentication without credentials. Affects versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0 used by major banks and airlines.

CVE-2025-54322 enables unauthenticated root RCE on SD-WAN appliances and edge routers. Vendor has ignored seven months of disclosure attempts. No patch available.

Singapore's CSA warns of a critical SmarterMail vulnerability allowing remote code execution through file upload without authentication. Patch immediately.

Federal agencies have until January 19 to patch CVE-2025-14847. Security researchers release open-source detection tool as attackers harvest credentials from exposed servers.

Company admits ChatGPT Atlas remains vulnerable to attacks that hijack AI agents through malicious web content. New defenses deployed, but fundamental risk persists.

CVE-2025-68664 scores CVSS 9.3 and enables secret extraction and prompt injection in LangChain Core. Patch immediately if you're running AI agents.

CVE-2025-14847 allows unauthenticated attackers to read server memory in low-complexity attacks. Multiple MongoDB versions affected.

CVE-2025-14174 and CVE-2025-43529 were exploited in sophisticated attacks before Apple's December 12 emergency patches across iOS, macOS, and Safari.

CISA adds WinRAR path traversal vulnerability to KEV catalog as Gamaredon, Bitter, and GOFFEE deploy it for espionage and wiper attacks across multiple continents.

CVE-2020-12812 allows attackers to bypass two-factor authentication on FortiGate devices by simply changing username case. Fortinet issued fresh advisory on December 25.

CVE-2025-68613 in the workflow automation platform scores CVSS 9.9 with public PoC code now available. Patch to version 1.122.0 immediately.

CVE-2025-40602 privilege escalation flaw combined with earlier vulnerability enables unauthenticated remote code execution on SonicWall appliances.

Critical out-of-bounds write vulnerability in WatchGuard Firebox firewalls under active exploitation with over 125,000 devices exposed online.

CVE-2025-55182 exploitation escalates as Weaxor ransomware operators use critical React Server Components flaw for initial access across 60+ organizations.

CVE-2025-59374 exploits compromised ASUS software distribution to deploy backdoors on consumer and enterprise systems worldwide.

Critical CVE-2025-20393 in Cisco Secure Email Gateway actively exploited by UAT-9686 threat actors deploying AquaShell backdoor since November.

CVE-2025-37164 allows unauthenticated remote code execution against HPE OneView infrastructure management platforms running versions prior to 11.00.

CVE-2025-66516 is a CVSS 10.0 XXE injection vulnerability in Apache Tika affecting Solr, Elasticsearch, and countless document processing systems.

Two critical CVSS 9.8 vulnerabilities in FortiGate devices are being actively exploited just days after patch release. Attackers targeting SSO authentication.