Articles & Writeups
Submit ArticleCommunity-curated external articles, writeups, and technical analysis about CVE vulnerabilities.
Actively Exploited File-Upload RCE Leads Critical Findings Amid Broad Backlog
Overview This week's scan surfaced 1509 findings, including 139 critical and 562 high-severity issues, with 246 critical/high vulnerabilities remaining unpatched. One vulnerability (CVE-2026-56291, an unauthenticated file-upload RCE in Joomla's Balbooa Forms) is confirmed actively exploited in the KEV catalog and has no vendor patch, while 142 findings have public proof-of-concept code available. Several critical file-manager and command-injection flaws affecting WordPress plugins, 9Router, and Kubernetes MCP tooling carry public exploits, though most have vendor or upstream fixes available. Critical Threats - CVE-2026-56291 (CRITICAL, CVSS 10.0) — Unauthenticated arbitrary file upload in the Balbooa Forms extension for Joomla allows remote attackers to upload executable server-side scripts and achieve remote code execution. Confirmed actively exploited (CISA KEV); no vendor-released patch identified. - CVE-2026-59800 (CRITICAL, CVSS 9.2) — 9Router remote unauthenticated OS command injection via POST /api/tunnel/tailscale-install endpoint, allowing arbitrary command execution as root. Public exploit code available; vendor-released patch: 0.4.44. Unauthenticated remote attackers. - CVE-2026-58473 (CRITICAL, CVSS 9.3) — Cognee instance-wide LLM configuration hijacking via unauthenticated `/api/v1/settings` endpoint. Public exploit code available; upstream fix available (PR/commit). Any remote attacker with a self-registered account can overwrite global LLM provider settings affecting all users. - CVE-2026-60104 (CRITICAL, CVSS 9.3) — Hashicorp Server account takeover via broken object-level authorization (CWE-639) in the Trusted Device Encryption admin-approval handler, allowing a low-privileged organization member to steal any other member's vault key and a victim-scoped access token. Public exploit code available; upstream fix available (PR/commit). - CVE-2026-61459 (CRITICAL, CVSS 9.3) — Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 allows remote attackers to redirect kubectl operations to an attacker-controlled API server by smuggling a `--server` flag through the resourceType and name parameters. Public exploit code available; upstream fix available (PR/commit). - CVE-2026-6382 (CRITICAL, CVSS 9.1) — WordPress plugins FileOrganizer (before 1.1.9), Advanced File Manager (before 5.4.12), File Manager Pro (before 2.1.1), and File Manager (before 8.0.4) OS command injection via improper escaping of a parameter passed to a shell command during image operations. Public exploit code available; vendor-released patch: 1.1.9 / 5.4.12 / 2.1.1 / 8.0.4. Authenticated attackers. - CVE-2026-23697 (HIGH, CVSS 8.7) — Remote code execution in Vtiger CRM before 8.4.0 via malicious .phar file upload through the Documents module by an authenticated low-privileged user. Public exploit code available; no vendor-released patch identified. - CVE-2026-11962 (HIGH, CVSS 8.8) — Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 allows users with file-manager role access to upload arbitrary PHP files due to missing file-type validation on multiple file-management endpoints. Public exploit code available; vendor-released patch: 1.2.0. Threat Landscape Most-affected vendors: WordPress (196), Microsoft (54), Google (51), Apache (47), Juniper (22). Most common attack techniques: Authentication Bypass (375), Information Disclosure (334), Denial Of Service (194), XSS (165), RCE (122). Patch coverage: 903 of 1509 CVEs have a patch; 246 Critical/High remain unpatched. Key Trends - Volume is 21% down week-over-week (1919 → 1509 CVEs). - 1 CVE is in CISA's KEV catalog. - 142 CVEs have public exploit code.
Exploit-Ready Bugs Outpace Patches in Edge, IoT, and Medical Imaging Gear
Overview 1919 CVEs were published (218 Critical, 659 High, 798 Medium, 156 Low), 0 in CISA KEV, 235 with public exploit code. Critical Threats - CVE-2026-8451 (HIGH, CVSS 8.8) — Citrix NetScaler ADC and NetScaler Gateway memory overread when configured as a SAML identity provider, enabling disclosure of sensitive in-memory data such as tokens and session material. Public exploit code available; vendor-released patch available. Unauthenticated remote attackers. - CVE-2026-57498 (CRITICAL, CVSS 9.6) — Coolify cross-team authorization bypass allows an authenticated low-privileged user to deploy and manipulate resources belonging to other teams via Livewire web UI components. Public exploit code available; vendor-released patch: 4.0.0-beta.474. - CVE-2026-58453 (CRITICAL, CVSS 9.3) — Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) allows attackers to log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Public exploit code available; no vendor-released patch identified. - CVE-2026-58457 (CRITICAL, CVSS 9.3) — Shenzhen Aitemi M300 Wi-Fi Repeater (MT02) unauthenticated OS command injection via the `smacfilter_conf` handler in the commuos web backend, allowing network-adjacent attackers to execute arbitrary shell commands as root. Public exploit code available; no vendor-released patch identified. - CVE-2026-56782 (CRITICAL, CVSS 9.3) — Unauthenticated database exfiltration and overwrite in Gorse before 0.5.10 via unprotected `/api/dump` and `/api/restore` endpoints when `admin_api_key` is unset. Public exploit code available; no vendor-released patch identified. - CVE-2026-58127 (CRITICAL, CVSS 9.3) — Hyland PACSgear MediaWriter 5.2.1 unauthenticated remote code execution as SYSTEM via .NET Remoting TCP service. Public exploit code available; no vendor-released patch identified. Unauthenticated remote attackers. - CVE-2026-58126 (CRITICAL, CVSS 9.3) — Hyland PACSgear PACS Scan 5.2.1 unauthenticated remote code execution via exposed .NET Remoting TCP service on port 22222, allowing SYSTEM-level control of medical imaging servers through arbitrary file read/write chained with a DLL hijack. Public exploit code available; no vendor-released patch identified. - CVE-2026-57517 (CRITICAL, CVSS 9.3) — Control Web Panel (CWP) unauthenticated blind SQL injection before 0.9.8.1225 allows remote attackers to inject arbitrary SQL via the `userRes` POST parameter, escalating to remote code execution through MySQL root privileges and PHP webshell deployment. Public exploit code available; vendor-released patch: 0.9.8.1225. Threat Landscape Most-affected vendors: Google (491), WordPress (131), Microsoft (123), Apple (83), IBM (43). Most common attack techniques: Information Disclosure (562), Authentication Bypass (357), Denial Of Service (262), RCE (192), XSS (181). Patch coverage: 1140 of 1919 CVEs have a patch; 361 Critical/High remain unpatched. Key Trends - Volume is 11% up week-over-week (1728 → 1919 CVEs). - 235 CVEs have public exploit code.
Mass unauthenticated account takeover in WordPress plugins leads critical week
Overview This week's feed logged 1728 vulnerabilities, including 190 critical and 668 high-severity issues, with no entries on CISA's Known Exploited Vulnerabilities catalog. Public proof-of-concept code exists for 131 of these flaws, while 308 critical- and high-severity vulnerabilities remain unpatched. The top findings are dominated by unauthenticated account takeover in two WordPress plugins (CVE-2026-12417, CVE-2026-12416) and remote code execution across Feast, Gitea act_runner, Flowise, and FOSSBilling, several with available exploit code and no vendor patch. Critical Threats - CVE-2026-12417 (CRITICAL, CVSS 9.8) — Unauthenticated account takeover in the WordPress SignUp & SignIn plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password, including administrators, via the unauthenticated `pravel_change_password` AJAX action. Public exploit code available; no vendor-released patch identified. - CVE-2026-12416 (CRITICAL, CVSS 9.8) — WordPress Invoice Generator plugin (versions through 1.0.0) account takeover via unauthenticated password reset. Public exploit code available; no vendor-released patch identified. Unauthenticated remote attackers can reset any user's password, including administrators. - CVE-2026-58053 (CRITICAL, CVSS 9.4) — Gitea act_runner container escape via Docker backend (through act 0.262.0) allows an authenticated user with workflow-execution rights to break out to the host as root even when privileged mode is disabled. Public exploit code available. - CVE-2026-56121 (CRITICAL, CVSS 9.3) — Remote code execution in Python/Feast (open-source ML feature store) before 0.63.0; unauthenticated remote attackers can execute OS commands as the feast service account via a crafted ApplyFeatureView gRPC request to the registry server. Public exploit code available; upstream fix available (PR/commit). - CVE-2026-28496 (CRITICAL, CVSS 9.4) — FOSSBilling server-side template injection allowing authenticated administrators to execute arbitrary code via Twig expressions in template-rendering features. Public exploit code available; no vendor-released patch identified. - CVE-2026-56786 (CRITICAL, CVSS 9.3) — RTKLIB out-of-bounds write in `decode_type1033` affecting all versions through 2.4.3, where unclamped length counters allow overflow into fixed descriptor fields when parsing RTCM3 type-1033 messages. Public exploit code available; no vendor-released patch identified. - CVE-2026-54069 (CRITICAL, CVSS 9.2) — Google/SiYuan Note origin-validation bypass allows any installed Chrome/Chromium browser extension to obtain administrator access to the local kernel HTTP server. Public exploit code available; vendor-released patch: 3.7.0. - CVE-2026-56274 (HIGH, CVSS 8.7) — Flowise remote code execution via incomplete command validation in the Custom MCP Server feature allows any authenticated user with chatflow view/update permissions to run arbitrary OS commands on the host. Public exploit code available; vendor-released patch: 3.1.2. Threat Landscape Most-affected vendors: Linux (414), WordPress (115), Suse (54), Microsoft (53), Google (46). Most common attack techniques: Information Disclosure (585), Authentication Bypass (312), Denial Of Service (229), XSS (149), Buffer Overflow (137). Patch coverage: 1114 of 1728 CVEs have a patch; 308 Critical/High remain unpatched. Key Trends - Volume is 12% down week-over-week (1968 → 1728 CVEs). - 131 CVEs have public exploit code.
Active exploitation hits Cisco SD-WAN as critical auth-bypass and RCE flaws surge
Overview This week's monitoring covered 1968 vulnerabilities, including 406 critical and 845 high-severity findings, with 861 critical and high-severity issues remaining unpatched. One vulnerability is confirmed on CISA's Known Exploited Vulnerabilities catalog (CVE-2026-20262, a Cisco Catalyst SD-WAN Manager path-traversal file write with no identified vendor patch), and 99 findings have public proof-of-concept or exploit code available. The top findings are dominated by critical authentication bypasses and remote code execution flaws—including WP Maps Pro, Discuz! X5.0, Network-AI, and LobeHub—several of which lack a vendor-released patch. Critical Threats - CVE-2026-20262 (MEDIUM, CVSS 6.5) — Cisco Catalyst SD-WAN Manager arbitrary file write via path traversal. Confirmed actively exploited (CISA KEV); no vendor-released patch identified. Authenticated low-privileged attackers can create or overwrite any file on the underlying operating system via crafted HTTP requests to affected API endpoints. - CVE-2026-8935 (CRITICAL, CVSS 9.8) — WordPress WP Maps Pro plugin unauthenticated administrator account creation before version 6.1.1; a valid nonce publicly emitted on any frontend page allows creation of an admin account and retrieval of a magic-login URL. Public exploit code available; vendor-released patch: 6.1.1. - CVE-2026-49952 (CRITICAL, CVSS 9.3) — Discuz! X5.0 authentication bypass (releases 20260320 through 20260501) allows unauthenticated remote attackers to access database backup and restore functionality via a shared cryptographic key flaw. Public exploit code available; upstream fix available (PR/commit). - CVE-2026-48814 (CRITICAL, CVSS 9.1) — Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Public exploit code available; no vendor-released patch identified. - CVE-2026-54157 (CRITICAL, CVSS 9.0) — Unauthenticated server-side request forgery in LobeHub's `/webapi/proxy` endpoint (versions <= 2.1.56) allows remote attackers to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled `Set-Cookie` headers onto the `lobehub.com` domain. Public exploit code available. - CVE-2025-66391 (HIGH, CVSS 8.8) — Citrix Cloud privilege abuse allowing a read-only account to trigger write operation workflows, including sending a one-time password to an attacker-controlled email address during password reset attempts. Public exploit code available; no vendor-released patch identified. - CVE-2026-49954 (HIGH, CVSS 8.6) — Authenticated remote code execution in Discuz! X5.0 (versions 20260320 through 20260501) via chained path traversal and file upload in the plugin import routine. Public exploit code available; no vendor-released patch identified. - CVE-2025-71326 (HIGH, CVSS 8.5) — Local privilege escalation in Avast Antivirus 25.11 allows non-privileged Windows users to execute arbitrary code as SYSTEM via an unquoted service path in the SecureLine service. Public exploit code available; no vendor-released patch identified. Threat Landscape Most-affected vendors: Oracle (251), WordPress (115), Suse (76), Red Hat (75), Microsoft (68). Most common attack techniques: Authentication Bypass (544), Information Disclosure (458), Denial Of Service (185), XSS (184), Buffer Overflow (156). Patch coverage: 800 of 1968 CVEs have a patch; 861 Critical/High remain unpatched. Key Trends - Volume is 16% up week-over-week (1691 → 1968 CVEs). - 1 CVE is in CISA's KEV catalog. - 99 CVEs have public exploit code.
Weekly Vulnerability Briefing: 1678 CVEs, 4 KEV Entries, 267 Unpatched CRITICAL/HIGH
Overview Per vuln.today data for the reporting period 2026-06-08 to 2026-06-15, 1678 CVEs were published, representing a +7% week-over-week change from the previous week's 1565 CVEs. Severity breakdown: 134 CRITICAL, 753 HIGH, 643 MEDIUM, 104 LOW, and 44 UNKNOWN. The dataset includes 4 CISA KEV entries, 114 public exploits/POCs, 1067 patches available, and 267 unpatched CRITICAL/HIGH vulnerabilities. Critical Threats - CVE-2026-10520 (CRITICAL, CVSS 10.0) - Ivanti Sentry. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Ivanti Sentry deployments and immediately isolate or disconnect any internet-facing instances from public networks. Within 7 days: Implement strict network segmentation l - CVE-2026-50751 (CRITICAL, CVSS 9.3) - Microsoft. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Quantum (R80.40-R82.10) and Spark (R80.20.X-R82.00.X) appliances and verify affected firmware versions; disable IKEv1 protocol if operationally feasible; begin monitoring - CVE-2026-35273 (CRITICAL, CVSS 9.8) - Oracle Peoplesoft Enterprise Peopletools. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances across production and non-production environments. Within 7 days: Apply compensating controls (restric - CVE-2026-11645 (HIGH, CVSS 8.8) - Google. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Patch available per vendor advisory. Action: 24 hours: Identify Chrome deployment scope and inventory across endpoints. 7 days: Deploy Chrome 149.0.7827.103 or later to all systems; prioritize endpoints with access to business-critical applicati - CVE-2026-10523 (CRITICAL, CVSS 9.9) - Ivanti. Public exploit code available; EPSS 0.3%; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Ivanti Sentry deployments; assess network exposure; enable enhanced logging for administrative account creation activity. Within 7 days: Restrict network ac - CVE-2026-42647 (CRITICAL, CVSS 9.3) - Joomsport. Public exploit code available; EPSS 5.2%; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WordPress installations using Beardev JoomSport plugin and identify instances running version 5.7.7 or earlier; assess criticality of plugin to business operations. With - CVE-2026-42904 (CRITICAL, CVSS 9.6) - Microsoft. EPSS 0.1%. Patch available per vendor advisory. Action: Within 24 hours: Identify and catalog all Windows systems and determine which are on networks exposed to untrusted adjacent systems. Within 7 days: Deploy network segmentation and access controls limi - CVE-2026-48558 (CRITICAL, CVSS 9.5) - Jwt Attack, Simplehelp. Public exploit code available; EPSS 0.2%; exploitation risk is elevated. Patch available per vendor advisory. Action: 24 hours: Audit all SimpleHelp instances to identify versions 5.5.15 and prior or 6.0 pre-release builds. 7 days: Implement firewall-level network segmentation restricting SimpleHelp access; enforce I - CVE-2026-25555 (CRITICAL, CVSS 9.3) - Openbullet2. Public exploit code available; EPSS 0.1%; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: 24 hours: Identify all OpenBullet2 instances running version 0.3.2 or earlier; immediately remove internet-facing access and isolate from external networks; begin comprehensive monitoring of admin con - CVE-2026-9067 (CRITICAL, CVSS 9.1) - WordPress. Public exploit code available; EPSS 0.1%; exploitation risk is elevated. Patch available per vendor advisory. Action: Within 24 hours: Inventory all WordPress installations to identify those running Schema & Structured Data for WP & AMP plugin and document current versions. Within 7 days: Upgrade all affected instanc Threat Landscape Top affected vendors are Microsoft (241), Google (125), Adobe (84), Linux (63), WordPress (60), Tenda (52), Apache (49), Apple (47), Red Hat (24), and Suse (18). The most prevalent attack techniques in the dataset are Information Disclosure (402), Denial Of Service (310), Authentication Bypass (305), Buffer Overflow (244), XSS (199), RCE (146), Memory Corruption (143), Use After Free (106), Path Traversal (67), and SQLi (58). Of 1678 published CVEs, 1067 have patches available while 267 CRITICAL/HIGH remain unpatched. Threat intelligence linkage is recorded for CVE-2026-10557 (CRITICAL), CVE-2026-7368 (HIGH), CVE-2026-50245 (HIGH), CVE-2026-50005 (HIGH), and CVE-2026-50101 (CRITICAL). Key Trends - CVE volume rose +7% week-over-week (1678 vs. 1565 the prior week). - Vendor concentration is led by Microsoft (241) and Google (125), with Adobe (84), Linux (63), and WordPress (60) rounding out the top five. - Attack technique distribution is dominated by Information Disclosure (402), Denial Of Service (310), and Authentication Bypass (305). - Patch coverage stands at 1067 of 1678 CVEs, while 267 CRITICAL/HIGH remain unpatched. - The dataset includes 4 CISA KEV entries and 114 public exploits/POCs. Recommendations - CVE-2026-10520: Within 24 hours: Identify all Ivanti Sentry deployments and immediately isolate or disconnect any internet-facing instances from public networks. Within 7 days: Implement strict network segmentation l - CVE-2026-50751: Within 24 hours: Identify all Quantum (R80.40-R82.10) and Spark (R80.20.X-R82.00.X) appliances and verify affected firmware versions; disable IKEv1 protocol if operationally feasible; begin monitoring - CVE-2026-35273: Within 24 hours: Identify and inventory all Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances across production and non-production environments. Within 7 days: Apply compensating controls (restric - CVE-2026-11645: 24 hours: Identify Chrome deployment scope and inventory across endpoints. 7 days: Deploy Chrome 149.0.7827.103 or later to all systems; prioritize endpoints with access to business-critical applicati - CVE-2026-10523: Within 24 hours: Identify and inventory all Ivanti Sentry deployments; assess network exposure; enable enhanced logging for administrative account creation activity. Within 7 days: Restrict network ac - CVE-2026-42647: Within 24 hours: Inventory all WordPress installations using Beardev JoomSport plugin and identify instances running version 5.7.7 or earlier; assess criticality of plugin to business operations. With - CVE-2026-42904: Within 24 hours: Identify and catalog all Windows systems and determine which are on networks exposed to untrusted adjacent systems. Within 7 days: Deploy network segmentation and access controls limi - CVE-2026-48558: 24 hours: Audit all SimpleHelp instances to identify versions 5.5.15 and prior or 6.0 pre-release builds. 7 days: Implement firewall-level network segmentation restricting SimpleHelp access; enforce I - CVE-2026-25555: 24 hours: Identify all OpenBullet2 instances running version 0.3.2 or earlier; immediately remove internet-facing access and isolate from external networks; begin comprehensive monitoring of admin con - CVE-2026-9067: Within 24 hours: Inventory all WordPress installations to identify those running Schema & Structured Data for WP & AMP plugin and document current versions. Within 7 days: Upgrade all affected instanc - Dataset-level: Prioritize the 4 CISA KEV entries and the 114 CVEs with public exploits/POCs for triage. Address the 267 unpatched CRITICAL/HIGH items through compensating controls until vendor fixes are released.
Weekly Vulnerability Briefing: 1567 CVEs, 2 KEV Entries, 276 Unpatched Critical/High
Overview For the reporting period 2026-06-01 to 2026-06-08, vuln.today data shows 1567 total CVEs published, broken down as 138 CRITICAL, 570 HIGH, 615 MEDIUM, 184 LOW, and 60 UNKNOWN. The dataset includes 2 CISA KEV entries, 183 CVEs with public exploits/POCs, 864 with patches available, and 276 unpatched CRITICAL/HIGH issues. Week-over-week volume decreased 5% from the previous week's 1648 CVEs. Critical Threats - CVE-2025-48595 (HIGH, CVSS 8.4) - Google Android (versions 14, 15, 16, and 16-qpr2) local privilege escalation via integer overflow (CWE-190). Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: Audit enterprise inventory to identify all devices running Android 14, 15, 16, or 16-qpr2; assess exposure of identified devices in high-risk contexts (administrative access, corporat". - CVE-2026-28318 (HIGH, CVSS 7.5, AV:N/AC:L/PR:N/UI:N) - SolarWinds Serv-U remote denial-of-service via crafted POST requests using Content-Encoding: deflate (CWE-400). Unauthenticated. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: inventory all SolarWinds Serv-U deployments and assess network exposure; restrict inbound access to Serv-U to authorized IP ranges only. Within 7 days: deploy WAF or network filtering". - CVE-2025-71318 (CRITICAL, CVSS 9.3) - Riello UPS NetMan 204 unauthenticated administrative access enabling read of sensitive configuration and privileged power-control commands. Public exploit code available (Exploit-DB 52183); EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: "24 hours: Inventory all NetMan 204 units in your environment; implement network-level access restrictions to management interfaces using firewalls or VLANs; change any default credentials. 7 days: Dep". - CVE-2025-71317 (CRITICAL, CVSS 9.3) - Riello UPS NetMan 204 hard-coded backdoor account ('eurek'/'eurek') exposed through cgi-bin/login.cgi (CWE-798). Public exploit code available (Exploit-DB 52183); EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: "24 HOURS: Inventory all Riello UPS NetMan 204 devices; immediately network-isolate or disconnect non-critical units; disable or reset the hard-coded 'eurek' account to a unique credential via the devi". - CVE-2025-71316 (CRITICAL, CVSS 9.2) - Microsoft SQLite sqldiff.exe arbitrary DLL loading on Windows via Best-Fit Unicode-to-ANSI conversion abuse. Public exploit code available; EPSS 0.0%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: "Within 24 hours: Inventory all Windows systems running SQLite, sqldiff.exe, and applications that invoke this utility. Within 7 days: Apply available vendor patch from SQLite to all identified systems". - CVE-2026-43624 (HIGH, CVSS 8.8) - F5-TTS (through 1.1.20) arbitrary file write via unsanitized project_name parameter passed to os.path.join() in the finetune Gradio interface. Public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: "Within 24 hours: Identify all F5-TTS instances running version 1.1.20 or earlier and restrict network access to trusted networks only. Within 7 days: Apply the vendor patch released via PR #1294 (conf". - CVE-2026-49491 (HIGH, CVSS 8.8) - Pixa Bank 2.0 SQL injection via UNION-based payloads in the 'rib' parameter of agence-ajax.php (PHP). Public exploit code available (Packet Storm); EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: "24 hours: Inventory all Pixa Bank 2.0 deployments; restrict internet access to agence-ajax.php or take systems offline. 7 days: Monitor vendor advisory for security patch release; establish testing en". - CVE-2026-49143 (HIGH, CVSS 8.7) - BrowserStack Runner (through 0.9.5) remote code execution via crafted JSON to /_log handler abusing vm.runInNewContext() and eval() (Node.js). Public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: Inventory all systems running BrowserStack Runner 0.9.5 and earlier; assess criticality of test workflows dependent on this tool. Within 7 days: Implement network segmentation to isol". - CVE-2026-49136 (HIGH, CVSS 8.7) - Banana Slides (through 0.4.0) path traversal in generate_image() via incomplete os.path.startswith() prefix check enabling arbitrary image-format file reads. Public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: "Within 24 hours: Identify all Banana Slides deployments running version 0.4.0 and apply the patch available per vendor advisory (commit e8bc490 or later) or disable image generation functionality imme". - CVE-2026-43623 (HIGH, CVSS 8.7) - microtar (through 0.1.0) stack-based buffer overflow in raw_to_header() via strcpy() on non-null-terminated 100-byte ustar fields, writing up to 355 bytes into a 100-byte buffer. Public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: Inventory all applications and services using microtar; isolate affected systems from sensitive networks and external file inputs. Within 7 days: Implement strict input validation (re". Threat Landscape Top affected vendors by CVE count: Google (452), Suse (417), Red Hat (388), WordPress (74), Microsoft (61), Linux (36), Apple (25), Apache (18), Samsung (14), and D-Link (5). Top attack techniques observed: Information Disclosure (432), Authentication Bypass (284), Denial Of Service (246), RCE (173), Memory Corruption (162), Buffer Overflow (153), XSS (122), Use After Free (121), Privilege Escalation (105), and SQLi (71). Patches are available for 864 of 1567 CVEs, while 276 CRITICAL/HIGH entries remain unpatched. One CVE in the dataset (CVE-2026-21404, MEDIUM) carries linked threat intelligence (MISP Galaxies, MITRE ATT&CK, CISA). Key Trends - Volume decreased 5% week-over-week (1567 vs. previous 1648). - Vendor concentration is heavy in the top three (Google 452, Suse 417, Red Hat 388), which together account for the majority of the top-vendor list. - Information Disclosure (432) and Authentication Bypass (284) lead the attack-technique distribution. - Patches are available for 864 of 1567 CVEs (~55%), with 276 CRITICAL/HIGH entries unpatched. - KEV entries account for 2 of 1567 CVEs; public exploits/POCs account for 183 of 1567. Recommendations Per-CVE actions (reproduced from input): - CVE-2025-48595: "Within 24 hours: Audit enterprise inventory to identify all devices running Android 14, 15, 16, or 16-qpr2; assess exposure of identified devices in high-risk contexts (administrative access, corporat". - CVE-2026-28318: "Within 24 hours: inventory all SolarWinds Serv-U deployments and assess network exposure; restrict inbound access to Serv-U to authorized IP ranges only. Within 7 days: deploy WAF or network filtering". - CVE-2025-71318: "24 hours: Inventory all NetMan 204 units in your environment; implement network-level access restrictions to management interfaces using firewalls or VLANs; change any default credentials. 7 days: Dep". - CVE-2025-71317: "24 HOURS: Inventory all Riello UPS NetMan 204 devices; immediately network-isolate or disconnect non-critical units; disable or reset the hard-coded 'eurek' account to a unique credential via the devi". - CVE-2025-71316: "Within 24 hours: Inventory all Windows systems running SQLite, sqldiff.exe, and applications that invoke this utility. Within 7 days: Apply available vendor patch from SQLite to all identified systems". - CVE-2026-43624: "Within 24 hours: Identify all F5-TTS instances running version 1.1.20 or earlier and restrict network access to trusted networks only. Within 7 days: Apply the vendor patch released via PR #1294 (conf". - CVE-2026-49491: "24 hours: Inventory all Pixa Bank 2.0 deployments; restrict internet access to agence-ajax.php or take systems offline. 7 days: Monitor vendor advisory for security patch release; establish testing en". - CVE-2026-49143: "Within 24 hours: Inventory all systems running BrowserStack Runner 0.9.5 and earlier; assess criticality of test workflows dependent on this tool. Within 7 days: Implement network segmentation to isol". - CVE-2026-49136: "Within 24 hours: Identify all Banana Slides deployments running version 0.4.0 and apply the patch available per vendor advisory (commit e8bc490 or later) or disable image generation functionality imme". - CVE-2026-43623: "Within 24 hours: Inventory all applications and services using microtar; isolate affected systems from sensitive networks and external file inputs. Within 7 days: Implement strict input validation (re". Dataset-level guidance: prioritize remediation for the 2 CISA KEV entries and the 183 CVEs with public exploit code; review the 276 unpatched CRITICAL/HIGH CVEs for compensating controls where vendor fixes are not yet available; and schedule deployment of available patches across the 864 CVEs with vendor-released fixes.
Weekly CVE Briefing: 1648 Disclosures, +57% WoW, 1 KEV, 87 POCs
Overview Per vuln.today data for the period 2026-05-25 to 2026-06-01, 1648 CVEs were published, comprising 144 CRITICAL, 613 HIGH, 457 MEDIUM, 91 LOW, and 343 UNKNOWN severity entries. The dataset includes 1 CISA KEV entry, 87 public exploits/POCs, 1026 patches available, and 291 unpatched CRITICAL/HIGH CVEs. Volume rose 57% week-over-week from 1049 CVEs the prior week. Critical Threats - CVE-2026-48027 (CRITICAL, CVSS 9.3) - Nx Console editor extension for Nx and Lerna, version 18.95.0; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 26.8%; linked threat intelligence. No vendor-released patch identified at time of analysis. - CVE-2026-24444 (CRITICAL, CVSS 9.3) - SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Scan all networks to identify SDMC NE6037 devices running firmware 7.1.6.0.25 or 7.1.6.1.9_B9; document inventory and network placement. Within 7 days: Restrict access to mgmt.php and - CVE-2026-10187 (HIGH, CVSS 8.9) - Totolink N300RH router, firmware 6.1c.1353_B20190305; public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Conduct inventory of all Totolink N300RH routers in operation and identify firmware versions. Within 7 days: Disable public internet access to the web management interface and impleme - CVE-2026-32847 (HIGH, CVSS 8.7) - new_ui/backend/main.py component; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit and restrict external network access to new_ui/backend services via firewall rules or security groups. Within 7 days: Deploy WAF signatures to block exploitation attempts using - CVE-2026-7862 (HIGH, CVSS 8.6) - Eupago Gateway for WooCommerce WordPress plugin before 4.7.2; public exploit code available; EPSS 0.0%. Vendor-released patch: 4.7.2. Action: Within 24 hours: Immediately update Eupago Gateway for WooCommerce to version 4.7.2 or later; if immediate patching is not possible, disable the plugin and switch to an alternative payment processor. - CVE-2026-49489 (HIGH, CVSS 8.4) - OpenCATS through version 0.9.7.4; public exploit code available. No vendor-released patch identified at time of analysis. Action: 24 hours: Inventory all OpenCATS deployments and identify installations running version 0.9.7.4 or earlier; restrict creation of new low-privilege user accounts; enable database transaction and query - CVE-2026-10044 (HIGH, CVSS 8.2) - affected application endpoint referenced via ai-goofish-monitor PR #489; public exploit code available; EPSS 0.0%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all systems running the affected application endpoint and review security logs for exploitation attempts. Within 7 days: Apply vendor patch to all affected systems following - CVE-2026-10160 (HIGH, CVSS 7.4) - TRENDnet TEW-432BRP wireless router, firmware 3.10B20 (vendor-confirmed end-of-life since 2009); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: 24 hours: Conduct network inventory to identify any deployed TRENDnet TEW-432BRP units (v3.10B20 or earlier). 7 days: Initiate procurement and deployment plan for replacement access points and schedul - CVE-2026-10161 (HIGH, CVSS 7.4) - TRENDnet TEW-432BRP router, firmware 3.10B20 (vendor-confirmed end-of-life since 2009); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all TRENDnet TEW-432BRP routers on your network and restrict administrative access to trusted networks only; disable remote management capabilities. Within 7 days: Implement - CVE-2026-10162 (HIGH, CVSS 7.4) - TRENDnet TEW-432BRP router, firmware 3.10B20 (vendor-confirmed end-of-life since 2009); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: 24 hours: Inventory all TRENDnet TEW-432BRP 3.10B20 instances and restrict administrative access to trusted networks only. 7 days: Procure replacement routers from actively supported vendors and initi Threat Landscape Top affected vendors per vuln.today: Linux (420), Suse (304), Red Hat (282), Google (161), WordPress (128), Microsoft (48), Apache (32), IBM (30), Oracle (29), Apple (23). Top attack techniques observed: Information Disclosure (537), Authentication Bypass (267), Denial Of Service (223), Buffer Overflow (157), RCE (140), XSS (129), Memory Corruption (86), SQLi (85), Use After Free (66), Privilege Escalation (59). Patch coverage stands at 1026 of 1648 CVEs, with 291 CRITICAL/HIGH entries reported as unpatched. Threat-intelligence linkage was provided for CVE-2026-48027, CVE-2026-9037, CVE-2026-9038, CVE-2026-9039, and CVE-2026-7786. Key Trends - Week-over-week CVE volume rose 57% (1049 → 1648). - Vendor concentration in the top-10 list is dominated by Linux-ecosystem entries: Linux (420), Suse (304), and Red Hat (282). - Information Disclosure (537) leads attack technique counts, followed by Authentication Bypass (267) and Denial Of Service (223). - Patched entries account for 1026 of 1648 CVEs (approximately 62%); 291 CRITICAL/HIGH remain unpatched. - KEV proportion is 1 of 1648 entries; public exploits/POCs cover 87 of 1648 entries. Recommendations Per-CVE actions (reproduced verbatim from vuln.today input): - CVE-2026-24444: Within 24 hours: Scan all networks to identify SDMC NE6037 devices running firmware 7.1.6.0.25 or 7.1.6.1.9_B9; document inventory and network placement. Within 7 days: Restrict access to mgmt.php and - CVE-2026-10187: Within 24 hours: Conduct inventory of all Totolink N300RH routers in operation and identify firmware versions. Within 7 days: Disable public internet access to the web management interface and impleme - CVE-2026-32847: Within 24 hours: Audit and restrict external network access to new_ui/backend services via firewall rules or security groups. Within 7 days: Deploy WAF signatures to block exploitation attempts using - CVE-2026-7862: Within 24 hours: Immediately update Eupago Gateway for WooCommerce to version 4.7.2 or later; if immediate patching is not possible, disable the plugin and switch to an alternative payment processor. - CVE-2026-49489: 24 hours: Inventory all OpenCATS deployments and identify installations running version 0.9.7.4 or earlier; restrict creation of new low-privilege user accounts; enable database transaction and query - CVE-2026-10044: Within 24 hours: Identify all systems running the affected application endpoint and review security logs for exploitation attempts. Within 7 days: Apply vendor patch to all affected systems following - CVE-2026-10160: 24 hours: Conduct network inventory to identify any deployed TRENDnet TEW-432BRP units (v3.10B20 or earlier). 7 days: Initiate procurement and deployment plan for replacement access points and schedul - CVE-2026-10161: Within 24 hours: Identify all TRENDnet TEW-432BRP routers on your network and restrict administrative access to trusted networks only; disable remote management capabilities. Within 7 days: Implement - CVE-2026-10162: 24 hours: Inventory all TRENDnet TEW-432BRP 3.10B20 instances and restrict administrative access to trusted networks only. 7 days: Procure replacement routers from actively supported vendors and initi Dataset-level guidance: - Prioritize the 1 CISA KEV entry (CVE-2026-48027), which also carries the highest EPSS score (26.8%) and linked threat intelligence; given UNPATCHED status, rely on compensating controls until a vendor fix is published. - Triage the 87 entries with public exploits/POCs ahead of routine patching cycles. - For the 291 unpatched CRITICAL/HIGH CVEs, apply network-access restrictions, monitoring, or decommissioning where vendors have declined to issue a fix, pending vendor remediation. - For CVE-2026-10044, review and apply the upstream fix after validation, or wait for an official tagged release.
1053 CVE Records Published This Week
Overview 1053 CVE records were published in the reporting window -110 Critical, 361 High, 433 Medium, and 81 Low severity. This is 30% down compared to last week (1510 CVEs). 4 CVEs are listed in CISA's Known Exploited Vulnerabilities catalog. 75 CVEs have public exploit code available. 230 Critical/High CVEs remain unpatched. Critical Threats - CVE-2026-41091 (HIGH, CVSS 7.8) -KEV, POC, Patch available, EPSS 12%: Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by - CVE-2026-9082 (MEDIUM, CVSS 6.5) -KEV, POC, Patch available: SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database - CVE-2026-45498 (MEDIUM, CVSS 4.0) -KEV, POC, Patch available: Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack c - CVE-2026-34926 (MEDIUM, CVSS 6.7) -KEV, Patch available: Directory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged local attacker to manipulate - CVE-2026-31072 (CRITICAL, CVSS 9.8) -POC, Unpatched: Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data vi Threat Landscape Top affected vendors: WordPress (86), Microsoft (46), Mozilla (32), Google (29), Apache (26), Nvidia (16), Apple (13) Most common attack types: Information Disclosure (255), Authentication Bypass (199), Denial Of Service (132), RCE (118), XSS (118), Buffer Overflow (87), Privilege Escalation (58) - CVE-2026-8603: linked threat intelligence - CVE-2026-8602: linked threat intelligence - CVE-2026-8604: linked threat intelligence Recommendations 1. Review and patch all Critical and High severity CVEs immediately 2. Prioritize the 4 KEV-listed CVEs -confirmed active exploitation 3. Implement compensating controls for the 230 unpatched Critical/High CVEs 4. Assess exposure to the 75 CVEs with public exploit code 5. Monitor vendor advisories for updates and additional patches