Weekly Digests

Overview 1053 CVE records were published in the reporting window -110 Critical, 361 High, 433 Medium, and 81 Low severity. This is 30% down compared to last week (1510 CVEs). 4 CVEs are listed in CISA's Known Exploited Vulnerabilities catalog. 75 CVEs have public exploit code available. 230 Critical/High CVEs remain unpatched. Critical Threats - CVE-2026-41091 (HIGH, CVSS 7.8) -KEV, POC, Patch available, EPSS 12%: Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by - CVE-2026-9082 (MEDIUM, CVSS 6.5) -KEV, POC, Patch available: SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database - CVE-2026-45498 (MEDIUM, CVSS 4.0) -KEV, POC, Patch available: Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack c - CVE-2026-34926 (MEDIUM, CVSS 6.7) -KEV, Patch available: Directory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged local attacker to manipulate - CVE-2026-31072 (CRITICAL, CVSS 9.8) -POC, Unpatched: Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data vi Threat Landscape Top affected vendors: WordPress (86), Microsoft (46), Mozilla (32), Google (29), Apache (26), Nvidia (16), Apple (13) Most common attack types: Information Disclosure (255), Authentication Bypass (199), Denial Of Service (132), RCE (118), XSS (118), Buffer Overflow (87), Privilege Escalation (58) - CVE-2026-8603: linked threat intelligence - CVE-2026-8602: linked threat intelligence - CVE-2026-8604: linked threat intelligence Recommendations 1. Review and patch all Critical and High severity CVEs immediately 2. Prioritize the 4 KEV-listed CVEs -confirmed active exploitation 3. Implement compensating controls for the 230 unpatched Critical/High CVEs 4. Assess exposure to the 75 CVEs with public exploit code 5. Monitor vendor advisories for updates and additional patches...

Overview Per vuln.today data for 2026-05-11 to 2026-05-18, 1510 CVEs were published, representing a -14% week-over-week change from the previous week's 1760 CVEs. Severity distribution: 128 CRITICAL, 689 HIGH, 548 MEDIUM, 117 LOW, and 28 UNKNOWN. The dataset includes 2 CISA KEV entries, 82 public exploits/POCs, 898 patches available, and 285 unpatched CRITICAL/HIGH vulnerabilities. Critical Threats - CVE-2026-42897 (HIGH, CVSS 8.1) - Microsoft Exchange Server. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.2%. Patch available per vendor advisory. Action: Within 24 hours: Identify all Microsoft Exchange Server instances (2016 CU23, 2019 CU14/CU15, and Subscription Edition) and document web-facing deployments. Within 7 days: Apply vendor-released patch. - CVE-2026-20182 (CRITICAL, CVSS 10.0) - Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage). Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 1.6%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Cisco Catalyst vSmart Controllers and vManage instances in production. Within 7 days: Implement network-level access controls to restrict NETCONF traffic. - CVE-2026-45185 (CRITICAL, CVSS 9.8) - Exim before 4.99.3 (Use After Free, Memory Corruption). Public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. - CVE-2026-44643 (CRITICAL, CVSS 9.3) - angular-expressions ≤1.5.1. Public exploit code available; EPSS 0.1%. Patch available per vendor advisory. Action: Within 24 hours: Inventory all applications and dependencies using angular-expressions ≤1.5.1 and restrict network access to affected systems. Within 7 days: Upgrade angular-expressions to version 1.5.2. - CVE-2026-45091 (CRITICAL, CVSS 9.1) - sealed-env (Java, Node.js). Public exploit code available; EPSS 0.0%. Patch available per vendor advisory. Action: Within 24 hours: Identify all sealed-env deployments and audit version numbers to determine exposure scope; immediately isolate or quarantine affected systems. Within 7 days: Upgrade to sealed-env. - CVE-2026-43639 (HIGH, CVSS 8.9) - Bitwarden Server Cloud. Public exploit code available; EPSS 0.0%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all Bitwarden Cloud provider service users and audit recent API activity to the POST /providers/{providerId}/clients/existing endpoint for unauthorized organization additions. - CVE-2026-43640 (HIGH, CVSS 8.6) - Bitwarden Server versions prior to 2026.4.1. Public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Inventory all Bitwarden Server deployments and identify current versions; disable or restrict SCIM provisioning integrations if version <2026.4.1 is confirmed. Within 7 days: Apply vendor fix. - CVE-2026-43983 (HIGH, CVSS 8.5) - Pocket ID OIDC provider, all versions prior to 2.6.0. Public exploit code available; EPSS 0.0%. Patch available per vendor advisory. Action: Within 24 hours: Inventory all Pocket ID OIDC provider deployments and document current versions; alert security and application teams of the authorization bypass risk. Within 7 days: Upgrade all Pocket ID. - CVE-2026-45369 (HIGH, CVSS 8.3) - python-utcp (Microsoft, Python). Public exploit code available; EPSS 0.0%. Patch available per vendor advisory. Action: Within 24 hours: Identify all systems and applications using python-utcp and document current versions in use. Within 7 days: Upgrade python-utcp to version 1.1.2 or later across all affected systems. - CVE-2026-46300 (HIGH, CVSS 7.8) - Linux kernel XFRM ESP-in-TCP subsystem. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Linux systems running XFRM-enabled kernels (check: cat /boot/config-* | grep CONFIG_XFRM) and document current kernel versions. Within 7 days: Implement access controls. Threat intelligence linkage (MISP Galaxies, MITRE ATT&CK, CISA) is recorded for CVE-2026-26289 (HIGH), CVE-2026-8108 (HIGH), CVE-2026-41551 (CRITICAL), CVE-2026-25787 (CRITICAL), and CVE-2026-25786 (CRITICAL). Threat Landscape Top vendors affected this period: Microsoft (165), Google (102), Apple (95), WordPress (84), Intel (23), AMD (21), Linux (20), Adobe (17), SUSE (17), and SAP (14). Top attack techniques observed: Information Disclosure (363), Authentication Bypass (280), Denial of Service (213), RCE (207), Buffer Overflow (184), XSS (141), Command Injection (82), Privilege Escalation (77), Path Traversal (66), and Code Injection (58). Of 1510 published CVEs, 898 have patches available and 285 CRITICAL/HIGH remain unpatched. Key Trends - Publication volume declined -14% week-over-week (1510 vs. 1760 prior week). - Vendor concentration is led by Microsoft (165), with Google (102) and Apple (95) rounding out the top tier. - Information Disclosure (363) and Authentication Bypass (280) dominate the attack technique distribution. - Patch coverage stands at 898 of 1510 CVEs; 285 CRITICAL/HIGH entries remain without a patch. - 2 CISA KEV entries and 82 public exploit/POC entries are present in this period's dataset. Recommendations - CVE-2026-42897: Within 24 hours: Identify all Microsoft Exchange Server instances (2016 CU23, 2019 CU14/CU15, and Subscription Edition) and document web-facing deployments. Within 7 days: Apply vendor-released patch. - CVE-2026-20182: Within 24 hours: Identify and inventory all Cisco Catalyst vSmart Controllers and vManage instances in production. Within 7 days: Implement network-level access controls to restrict NETCONF traffic. - CVE-2026-44643: Within 24 hours: Inventory all applications and dependencies using angular-expressions ≤1.5.1 and restrict network access to affected systems. Within 7 days: Upgrade angular-expressions to version 1.5.2. - CVE-2026-45091: Within 24 hours: Identify all sealed-env deployments and audit version numbers to determine exposure scope; immediately isolate or quarantine affected systems. Within 7 days: Upgrade to sealed-env. - CVE-2026-43639: Within 24 hours: Identify all Bitwarden Cloud provider service users and audit recent API activity to the POST /providers/{providerId}/clients/existing endpoint for unauthorized organization additions. Review and apply the upstream fix after validation. - CVE-2026-43640: Within 24 hours: Inventory all Bitwarden Server deployments and identify current versions; disable or restrict SCIM provisioning integrations if version <2026.4.1 is confirmed. Within 7 days: Apply vendor fix. Review and apply the upstream fix after validation. - CVE-2026-43983: Within 24 hours: Inventory all Pocket ID OIDC provider deployments and document current versions; alert security and application teams of the authorization bypass risk. Within 7 days: Upgrade all Pocket ID. - CVE-2026-45369: Within 24 hours: Identify all systems and applications using python-utcp and document current versions in use. Within 7 days: Upgrade python-utcp to version 1.1.2 or later across all affected systems. - CVE-2026-46300: Within 24 hours: Identify all Linux systems running XFRM-enabled kernels (check: cat /boot/config-* | grep CONFIG_XFRM) and document current kernel versions. Within 7 days: Implement access controls. As no vendor-released patch is identified, monitor for vendor fix availability. - CVE-2026-45185: No vendor-released patch identified at time of analysis; monitor for vendor fix availability and restrict exposure of affected Exim instances. - Dataset-level: Prioritize the 2 CISA KEV entries and the 82 CVEs with public exploit/POC code. Address the 285 unpatched CRITICAL/HIGH entries through mitigations or compensating controls while monitoring for vendor fixes; apply the 898 available patches according to internal change management....

Overview During the reporting period 2026-05-04 to 2026-05-11, vuln.today data identified 1,796 published CVEs, representing a +60% increase from the previous week (1,125 CVEs). Severity breakdown: 183 CRITICAL, 559 HIGH, 542 MEDIUM, 163 LOW, and 349 UNKNOWN. The dataset includes 3 CISA KEV entries, 160 vulnerabilities with public exploits/POCs, 1,277 with patches available, and 204 unpatched CRITICAL/HIGH severity vulnerabilities. Critical Threats - CVE-2026-0300 (CRITICAL, CVSS 9.3): Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls. Confirmed actively exploited (CISA KEV), public exploit code available, EPSS 14.9%. Vendor-released patch available. Action: WITHIN 24 HOURS: (1) Identify all PA-Series and VM-Series firewalls in your environment running PAN-OS versions vulnerable to CVE-2026-0300-contact Palo Alto Networks for affected version list if not. - CVE-2026-6973 (HIGH, CVSS 7.2): Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allowing authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Confirmed actively exploited (CISA KEV), public exploit code available, EPSS 5.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all EPMM deployments and document current versions; audit and restrict EPMM administrator account access to principle of least privilege. Within 7 days: Upgrade all EPMM ins. - CVE-2026-42208 (CRITICAL, CVSS 9.3): SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. Confirmed actively exploited (CISA KEV), public exploit code available, EPSS 0.1%. Vendor-released patch: version 1.83.7. Action: Within 24 hours: Identify all LiteLLM proxy instances running versions 1.81.16 through 1.83.6 using asset inventory and network scans. Within 7 days: Upgrade all affected instances to version 1.83.7 o. - CVE-2026-24118 (CRITICAL, CVSS 9.8): Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. Public exploit code available, EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Audit all systems and applications using VM2 ≤3.10.4 (check package-lock.json and npm ls vm2). Immediately isolate or restrict network access to systems running vulnerable versions. W. - CVE-2026-26956 (CRITICAL, CVSS 9.8): Full sandbox escape with arbitrary code execution in vm2's Node.js sandbox environment (version 3.10.4) allows remote attackers to break out and execute commands on the host system. Public exploit code available, EPSS 0.1%. Vendor-released patch: version 3.10.5. Action: Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate i. - CVE-2026-24120 (CRITICAL, CVSS 9.8): Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. Represents an insufficient fix for CVE-2023-37466. Public exploit code available, EPSS 0.1%. Vendor-released patch: version 3.10.5. Action: Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope. Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; i. - CVE-2026-41922 (CRITICAL, CVSS 9.3): Remote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers to execute arbitrary shell commands via OS command injection. Public exploit code available, EPSS 0.9%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WDR201A devices in your environment and isolate affected units from production networks if firmware update is unavailable. Within 7 days: Contact the device manufacturer. - CVE-2026-41923 (CRITICAL, CVSS 9.3): OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrary shell commands via the gateway parameter in internet.cgi. Public exploit code available, EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WDR201A WiFi Extender devices on network; identify those with internet-facing gateway parameter access; isolate or air-gap affected units immediately. Within 7 days: Rem. - CVE-2026-41925 (CRITICAL, CVSS 9.3): Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary OS commands via the adm.cgi binary's reboot_time parameter. Public exploit code available, EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WDR201A devices running firmware version 1.02 or earlier and isolate affected units from production networks. Within 7 days: Contact vendor for firmware updates or end-o. - CVE-2026-41926 (CRITICAL, CVSS 9.3): Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitrary OS commands via five vulnerable firewall.cgi handlers. Injected commands persist in NVRAM and automatically re-execute, creating a self-sustaining backdoor. Public exploit code available, EPSS 0.4%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all WDR201A devices on network inventory and isolate any with firmware ≤1.02 from internet-facing network segments; verify management interfaces are not remotely accessible. Threat Landscape Linux products represent the largest vendor exposure with 441 CVEs, followed by Google (158), Microsoft (90), WordPress (59), and Apache (39). Attack technique distribution shows Information Disclosure as the most prevalent (634 occurrences), followed by Denial Of Service (284), Authentication Bypass (251), RCE (181), and Buffer Overflow (162). The dataset shows 1,277 CVEs with patches available versus 204 unpatched CRITICAL/HIGH severity vulnerabilities. One CVE (CVE-2026-0300) exhibits elevated EPSS probability of 14.9%. Two CVEs (CVE-2026-6411, CVE-2026-21661) have linked threat intelligence associations per MISP Galaxies, MITRE ATT&CK, or CISA data. Key Trends Week-over-week CVE publication volume increased 60% from 1,125 to 1,796 CVEs. Vendor concentration remains high with Linux (441 CVEs) representing approximately 25% of total volume. Information Disclosure (634 CVEs, 35% of total) dominates attack technique prevalence, exceeding Denial Of Service (284) by more than 2:1. Patch availability covers 71% of published CVEs (1,277 of 1,796), while 204 CRITICAL/HIGH severity vulnerabilities remain unpatched. Public exploits/POCs exist for 160 CVEs (9% of total dataset), with 3 CVEs confirmed in CISA KEV. Recommendations - WITHIN 24 HOURS: Identify all PA-Series and VM-Series firewalls in your environment running PAN-OS versions vulnerable to CVE-2026-0300-contact Palo Alto Networks for affected version list if not. - Within 24 hours: Inventory all EPMM deployments and document current versions; audit and restrict EPMM administrator account access to principle of least privilege. Within 7 days: Upgrade all EPMM ins. (Note: CVE-2026-6973 remains unpatched; isolate affected systems and monitor for exploitation until vendor fix becomes available). - Within 24 hours: Identify all LiteLLM proxy instances running versions 1.81.16 through 1.83.6 using asset inventory and network scans. Within 7 days: Upgrade all affected instances to version 1.83.7 o. - Within 24 hours: Audit all systems and applications using VM2 ≤3.10.4 (check package-lock.json and npm ls vm2). Immediately isolate or restrict network access to systems running vulnerable versions. W. Review and apply the upstream fix after validation or wait for an official tagged release. - Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate i. - Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope. Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; i. - Within 24 hours: Inventory all WDR201A devices in your environment and isolate affected units from production networks if firmware update is unavailable. Within 7 days: Contact the device manufacturer. (Note: CVE-2026-41922 remains unpatched; decommission if end-of-life or maintain network isolation until vendor fix becomes available). - Within 24 hours: Inventory all WDR201A WiFi Extender devices on network; identify those with internet-facing gateway parameter access; isolate or air-gap affected units immediately. Within 7 days: Rem. (Note: CVE-2026-41923 remains unpatched; maintain isolation and monitor for vendor security advisories). - Within 24 hours: Inventory all WDR201A devices running firmware version 1.02 or earlier and isolate affected units from production networks. Within 7 days: Contact vendor for firmware updates or end-o. (Note: CVE-2026-41925 remains unpatched; decommission if end-of-life or maintain network isolation). - Within 24 hours: Identify all WDR201A devices on network inventory and isolate any with firmware ≤1.02 from internet-facing network segments; verify management interfaces are not remotely accessible. (Note: CVE-2026-41926 remains unpatched; maintain strict network segmentation and monitor for vendor advisories). - Prioritize remediation for the 3 CISA KEV entries confirmed as actively exploited in production environments. - Address the 160 CVEs with public exploit code available, as exploitation risk is elevated for these vulnerabilities. - Focus patching efforts on the 204 unpatched CRITICAL/HIGH severity vulnerabilities, implementing compensating controls where vendor fixes are unavailable. - Review vendor security advisories for Linux (441 CVEs), Google (158 CVEs), and Microsoft (90 CVEs) products to ensure comprehensive coverage of organizational exposure....

Overview During the reporting period of April 27 to May 4, 2026, vuln.today data recorded 1,125 published CVEs, representing a 21% decrease from the previous week's total of 1,427 CVEs. Severity distribution: 65 CRITICAL, 395 HIGH, 392 MEDIUM, 168 LOW, and 105 UNKNOWN. The dataset includes 1 CISA KEV entry, 219 CVEs with public exploit code or proof-of-concept availability, and 467 CVEs with available patches. A total of 274 CRITICAL or HIGH severity vulnerabilities remain unpatched. Critical Threats - CVE-2026-41940 (CRITICAL, CVSS 9.3): Authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, confirmed actively exploited (CISA KEV). Public exploit code available. EPSS score of 16.5% indicates elevated probability of exploitation. Patch available per vendor advisory. Action: Patch: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 - CVE-2026-41462 (CRITICAL, CVSS 9.3): Unauthenticated SQL injection vulnerability in ProjeQtor versions 7.0 through 12.4.3, affecting the login functionality. Public exploit code available. No vendor-released patch identified at time of analysis. - CVE-2025-71284 (CRITICAL, CVSS 9.3): Remote code execution in Synway SMG Gateway Management Software via command injection in the RADIUS configuration endpoint at /en/9-2radius.php. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all instances of Synway SMG Gateway Management Software in your environment and isolate affected systems from production networks if possible; block internet-facing access to - CVE-2026-27760 (CRITICAL, CVSS 9.2): Remote code execution in OpenCATS installer via PHP code injection in the AJAX endpoint's databaseConnectivity action parameter. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: identify all OpenCATS instances in your environment and verify installation status (prioritize any incomplete installations). Within 7 days: apply vendor patch (GitHub commit 3002a29 - CVE-2026-7155 (HIGH, CVSS 8.9): OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 affecting the setLoginPasswordCfg function in /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. - CVE-2026-7538 (HIGH, CVSS 8.9): OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 via the 'proto' parameter in /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Totolik A8000RU devices running firmware version 7.1cu.643_b20200521 using network scanning tools; immediately isolate affected devices from internet-facing - CVE-2026-7240 (HIGH, CVSS 8.9): OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 via the User parameter in the setVpnAccountCfg function of /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A8000RU devices on your network and document firmware versions; immediately isolate any running 7.1cu.643_b20200521 from production networks or internet access. W - CVE-2026-32644 (CRITICAL): Linked threat intelligence present in vuln.today data. - CVE-2026-20766 (HIGH): Linked threat intelligence present in vuln.today data. - CVE-2026-27785 (HIGH): Linked threat intelligence present in vuln.today data. - CVE-2026-3893 (CRITICAL): Linked threat intelligence present in vuln.today data. - CVE-2026-32649 (HIGH): Linked threat intelligence present in vuln.today data. Threat Landscape The top affected vendors include Linux (157 CVEs), WordPress (58), Google (45), Microsoft (36), and Apache (27). Tenda and IBM follow with 18 and 16 CVEs respectively. Attack technique distribution shows Information Disclosure as the most prevalent (250 occurrences), followed by Denial of Service (192), Buffer Overflow (153), and Authentication Bypass (151). Remote Code Execution, SQL Injection, and Cross-Site Scripting techniques each appear in 91, 88, and 84 CVEs respectively. Of the 1,125 total CVEs, 467 have patches available, representing approximately 42% patch coverage. The 274 unpatched CRITICAL or HIGH severity vulnerabilities constitute 60% of the combined 460 CRITICAL and HIGH severity CVEs. Key Trends Total CVE publication volume decreased 21% week-over-week, from 1,427 to 1,125 CVEs. Linux accounts for 14% of all vendor-attributed CVEs in the dataset, followed by WordPress at 5%. Information Disclosure and Denial of Service techniques together represent 39% of all attack techniques observed. Public exploit code or proof-of-concept availability affects 219 CVEs (19% of total volume). The single CISA KEV entry represents 1.5% of the 65 CRITICAL severity CVEs published during the period. Recommendations - CVE-2026-41940: Apply patch from https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 - CVE-2025-71284: Within 24 hours: Identify all instances of Synway SMG Gateway Management Software in your environment and isolate affected systems from production networks if possible; block internet-facing access to - CVE-2026-27760: Within 24 hours: identify all OpenCATS instances in your environment and verify installation status (prioritize any incomplete installations). Within 7 days: apply vendor patch (GitHub commit 3002a29 - CVE-2026-7538: Within 24 hours: Identify and inventory all Totolik A8000RU devices running firmware version 7.1cu.643_b20200521 using network scanning tools; immediately isolate affected devices from internet-facing - CVE-2026-7240: Within 24 hours: Identify all Totolik A8000RU devices on your network and document firmware versions; immediately isolate any running 7.1cu.643_b20200521 from production networks or internet access. W - Prioritize remediation for the 1 CISA KEV entry and the 219 CVEs with public exploit code. - Address the 274 unpatched CRITICAL or HIGH severity vulnerabilities through compensating controls such as network segmentation, access restrictions, and enhanced monitoring until vendor patches become available. - Review the 5 CVEs with linked threat intelligence (CVE-2026-32644, CVE-2026-20766, CVE-2026-27785, CVE-2026-3893, CVE-2026-32649) for additional context on attacker methods and indicators of compromise....

Overview Vuln.today data for 2026-04-20 to 2026-04-27 reports 1,427 CVEs published, representing a 21% increase from the previous week (1,180 CVEs). Severity distribution: 123 CRITICAL, 369 HIGH, 597 MEDIUM, 71 LOW, and 267 UNKNOWN. Public exploit code is available for 146 CVEs. Patches are available for 795 CVEs, leaving 237 CRITICAL or HIGH severity vulnerabilities unpatched. Zero CISA KEV entries are present in the dataset for this period. Critical Threats - CVE-2026-6942 (CRITICAL, CVSS 9.3): radare2-mcp version 1.6.0 and earlier OS command injection vulnerability enables remote attackers to execute arbitrary commands via shell metacharacters in jsonrpc interface parameters. Public exploit code available. Patch available per vendor advisory. - CVE-2026-23751 (CRITICAL, CVSS 9.3): Kofax Capture (Tungsten Capture) version 6.0.0.0 exposes unauthenticated .NET Remoting HTTP channel on port 2424, enabling remote attackers to exploit object unmarshalling for code execution. Public exploit code available. No vendor-released patch identified at time of analysis. - CVE-2026-26210 (CRITICAL, CVSS 9.3): KTransformers through 0.5.3 unsafe deserialization in balance_serve backend allows remote attackers to execute arbitrary code via crafted pickle payload to exposed ZMQ socket. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. - CVE-2026-41468 (CRITICAL, CVSS 9.3): Beghelli Sicuro24 SicuroWeb template injection with AngularJS 1.5.2 sandbox escape enables arbitrary JavaScript execution in operator browsers, leading to session hijacking. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Beghelli Sicuro24 SicuroWeb deployments and verify TLS enforcement-disable HTTP access entirely and enforce HTTPS-only communication; audit logs for suspicious JavaScript. - CVE-2026-39920 (CRITICAL, CVSS 9.3): BridgeHead FileStore pre-24A remote code execution via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Identify all BridgeHead FileStore instances running versions before 24A; isolate affected systems from production networks or restrict network access to the Axis2 admin console. - CVE-2026-41179 (CRITICAL, CVSS 9.2): rclone remote control API command injection allows remote attackers to execute arbitrary commands through unprotected operations endpoint when RC API is enabled without global HTTP authentication. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Identify all rclone instances with RC API enabled using port scanning and configuration audits; immediately disable --rc or rclone rcd if not operationally critical, or restrict network access. - CVE-2026-41176 (CRITICAL, CVSS 9.2): rclone RC API authentication bypass allows remote attackers to disable authorization checks via unauthenticated configuration mutation through the options/set endpoint. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Audit all rclone deployments to identify instances with RC endpoints exposed to untrusted networks and verify HTTP authentication status via rclone rc options/get and network exposure. - CVE-2026-33656 (CRITICAL, CVSS 9.1): EspoCRM path traversal in formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server via attachment sourceId field manipulation. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Identify all EspoCRM instances in use and verify current versions; restrict administrative access to formula scripting features where possible and audit recent admin activities. - CVE-2026-7037 (HIGH, CVSS 8.9, EPSS 0.9%): Totolink A8000RU firmware 7.1cu.643_b20200521 OS command injection via pptpPassThru parameter enables remote unauthenticated attackers to execute arbitrary system commands. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A8000RU devices in your environment using network scanning tools and asset management systems, prioritize internet-facing instances for immediate isolation. - CVE-2026-41473 (HIGH, CVSS 8.8, EPSS 0.2%): CyberPanel prior to 2.4.4 authentication bypass in AI Scanner worker API endpoints allows unauthenticated remote attackers to write arbitrary data to the database. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Threat Landscape Linux products represent the largest vendor share with 259 CVEs, followed by Oracle (103), WordPress (70), Mozilla (44), and Microsoft (26). Information Disclosure is the most prevalent attack technique (393 CVEs), followed by Authentication Bypass (274), Denial of Service (168), XSS (125), and Buffer Overflow (109). RCE affects 101 CVEs. Patch coverage is 55.7% across all severities (795 patched of 1,427 total). Five CRITICAL vulnerabilities have linked threat intelligence per MISP Galaxies, MITRE ATT&CK, or CISA attribution: CVE-2026-6074, CVE-2026-40630, CVE-2026-25775, CVE-2026-40620, and CVE-2026-35503. Key Trends Week-over-week CVE publication volume increased 21% from 1,180 to 1,427. CRITICAL and HIGH severity vulnerabilities total 492 (34.5% of all CVEs), with 237 remaining unpatched. Public exploit code is available for 146 CVEs (10.2% of the dataset), elevating exploitation risk for these vulnerabilities. Vendor concentration is notable, with the top 10 vendors accounting for 586 CVEs (41% of total volume). Authentication Bypass ranks as the second-most prevalent attack technique (274 CVEs), indicating continued focus on credential and access control weaknesses. Recommendations - Within 24 hours: Identify all Beghelli Sicuro24 SicuroWeb deployments and verify TLS enforcement-disable HTTP access entirely and enforce HTTPS-only communication; audit logs for suspicious JavaScript. - Within 24 hours: Identify all BridgeHead FileStore instances running versions before 24A; isolate affected systems from production networks or restrict network access to the Axis2 admin console. - Within 24 hours: Identify all rclone instances with RC API enabled using port scanning and configuration audits; immediately disable --rc or rclone rcd if not operationally critical, or restrict network access. - Within 24 hours: Audit all rclone deployments to identify instances with RC endpoints exposed to untrusted networks and verify HTTP authentication status via rclone rc options/get and network exposure. - Within 24 hours: Identify all EspoCRM instances in use and verify current versions; restrict administrative access to formula scripting features where possible and audit recent admin activities. - Within 24 hours: Identify all Totolik A8000RU devices in your environment using network scanning tools and asset management systems, prioritize internet-facing instances for immediate isolation. - Prioritize remediation for the 237 unpatched CRITICAL and HIGH severity vulnerabilities, focusing on network-accessible systems and those with public exploit code. - Review the 146 CVEs with public exploit code for presence in the environment, as exploitation risk is elevated for these vulnerabilities. - For CVE-2026-26210 and CVE-2026-41473, review and apply the upstream fixes after validation in non-production environments, or wait for an official tagged release if operational risk permits delay....

Overview Vuln.today data for the reporting period 2026-04-13 to 2026-04-20 identifies 1,180 published CVEs: 108 CRITICAL, 482 HIGH, 498 MEDIUM, 66 LOW, and 26 UNKNOWN severity. One CISA KEV entry is present. Public exploit code exists for 96 CVEs. Vendor-released patches are available for 606 CVEs, leaving 230 CRITICAL and HIGH severity vulnerabilities unpatched. CVE publication volume decreased 22% week-over-week (previous week: 1,516 CVEs). Critical Threats - CVE-2026-32201 (MEDIUM, CVSS 6.5): Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Confirmed actively exploited (CISA KEV) with public exploit code available. Patch available per vendor advisory. - CVE-2026-6155 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute arbitrary system commands via the pppoeServiceName parameter in the setWanCfg function of /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolik A7100RU devices in production using network scanning or device management systems; isolate affected devices from critical network segments if firmware update is unavailable. - CVE-2026-6154 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted wizard parameters to the setWizardCfg CGI function. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolik A7100RU routers in your environment using network scanning tools and confirm firmware version via device administration interfaces. Within 7 days: Isolate affected devices from untrusted networks. - CVE-2026-6156 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the Comment parameter in the setIpQosRules function exposed through /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify all Totolik A7100RU devices in production using network scanning and firmware inventory tools; isolate affected units from production networks if possible. Within 7 days: Contact Totolink for available firmware updates. - CVE-2026-6139 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify all Totolik A7100RU devices in your network and verify firmware version (7.4cu.2313_b20191024). Within 7 days: Contact Totolink for available firmware updates and test in a non-production environment. - CVE-2026-6138 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub). No vendor-released patch identified at time of analysis. Within 24 hours: identify and inventory all Totolik A7100RU routers in production, especially those accessible from the internet; isolate affected devices from management networks if firmware update is unavailable. - CVE-2026-6140 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted FileName parameter to the UploadFirmwareFile function in /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolik A7100RU devices running firmware 7.4cu.2313_b20191024 in your network using asset discovery tools; isolate affected devices from production networks. - CVE-2026-6195 (HIGH, CVSS 8.9): Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary operating system commands via the admpass parameter in the setPasswordCfg function of /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Within 24 hours: Identify all Totolik A7100RU devices in production and document current firmware versions. Within 7 days: Isolate affected devices (firmware 7.4cu.2313_b20191024) from untrusted networks. - CVE-2026-3830 (HIGH, CVSS 8.6): SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. Public exploit code available. Patch available per vendor advisory. Within 24 hours: Identify all WooCommerce installations using Product Filter for WooCommerce by WBW and document current plugin version. Within 7 days: Update Product Filter for WooCommerce by WBW to version 3.1.3 or higher. - CVE-2026-6204 (HIGH, CVSS 8.5): Remote code execution in LibreNMS network monitoring platform (versions prior to 26.3.0) allows authenticated administrators to execute arbitrary commands on the underlying web server by manipulating Binary Locations configuration settings combined with the Netcommand feature. Public exploit code available. Patch available per vendor advisory. Within 24 hours: Inventory all LibreNMS deployments and document current versions; restrict administrative access to LibreNMS to only essential personnel pending remediation. Within 7 days: Upgrade all LibreNMS instances to version 26.3.0 or later. Threat Landscape Microsoft leads vendor exposure with 177 CVEs, followed by Redhat (114), Suse (109), and WordPress (100). Google, Fortinet, Adobe, Dell, SAP, and Linux each account for 16-38 CVEs. Information Disclosure (272 CVEs) and Authentication Bypass (204 CVEs) dominate attack techniques, followed by RCE (145), Denial of Service (138), Buffer Overflow (136), XSS (132), and SQLi (113). Of 590 CRITICAL and HIGH severity CVEs, 230 (39%) remain unpatched. Five CVEs (CVE-2026-35546, CVE-2026-5387, CVE-2026-6284, CVE-2026-40066, CVE-2026-35682) have linked threat intelligence from MISP Galaxies, MITRE ATT&CK, or CISA sources. Key Trends CVE publication volume declined 22% week-over-week, from 1,516 to 1,180. Microsoft alone accounts for 15% of the week's total CVE count. Information Disclosure and Authentication Bypass techniques represent 40% of all categorized attack vectors. The dataset shows 51% patch availability (606 of 1,180 CVEs), leaving nearly half of all published vulnerabilities without vendor-released fixes. Public exploit code exists for 96 CVEs (8.1% of total), while only one CVE appears in CISA's Known Exploited Vulnerabilities catalog. Recommendations - Within 24 hours: Identify and inventory all Totolik A7100RU devices in production using network scanning or device management systems; isolate affected devices from critical network segments if firmware update is unavailable (CVE-2026-6155). - Within 24 hours: Identify and inventory all Totolik A7100RU routers in your environment using network scanning tools and confirm firmware version via device administration interfaces. Within 7 days: Isolate affected devices from untrusted networks (CVE-2026-6154). - Within 24 hours: Identify all Totolik A7100RU devices in production using network scanning and firmware inventory tools; isolate affected units from production networks if possible. Within 7 days: Contact Totolink for available firmware updates (CVE-2026-6156). - Within 24 hours: Identify all Totolik A7100RU devices in your network and verify firmware version (7.4cu.2313_b20191024). Within 7 days: Contact Totolink for available firmware updates and test in a non-production environment (CVE-2026-6139). - Within 24 hours: identify and inventory all Totolik A7100RU routers in production, especially those accessible from the internet; isolate affected devices from management networks if firmware update is unavailable (CVE-2026-6138). - Within 24 hours: Identify and inventory all Totolik A7100RU devices running firmware 7.4cu.2313_b20191024 in your network using asset discovery tools; isolate affected devices from production networks (CVE-2026-6140). - Within 24 hours: Identify all Totolik A7100RU devices in production and document current firmware versions. Within 7 days: Isolate affected devices (firmware 7.4cu.2313_b20191024) from untrusted networks (CVE-2026-6195). - Within 24 hours: Identify all WooCommerce installations using Product Filter for WooCommerce by WBW and document current plugin version. Within 7 days: Update Product Filter for WooCommerce by WBW to version 3.1.3 or higher (CVE-2026-3830). - Within 24 hours: Inventory all LibreNMS deployments and document current versions; restrict administrative access to LibreNMS to only essential personnel pending remediation. Within 7 days: Upgrade all LibreNMS instances to version 26.3.0 or later (CVE-2026-6204). - Address the one CISA KEV entry (CVE-2026-32201) according to federal binding operational directive timelines. - Prioritize remediation of 230 unpatched CRITICAL and HIGH severity vulnerabilities, focusing on assets with network exposure or those handling sensitive data. - Review the 96 CVEs with public exploit code for presence in your environment, prioritizing those rated HIGH or CRITICAL severity....

Overview During the reporting period of April 6-13, 2026, vuln.today data recorded 1,516 published CVEs, representing a 24% increase from the previous week (1,224 CVEs). Severity distribution: 111 CRITICAL, 512 HIGH, 656 MEDIUM, 46 LOW, and 191 UNKNOWN. Public exploits or proof-of-concept code exist for 184 vulnerabilities. Patches are available for 423 CVEs, while 441 CRITICAL or HIGH severity vulnerabilities remain unpatched. No CISA KEV entries were present in the dataset for this period. Critical Threats - CVE-2026-23696 (CRITICAL, CVSS 9.4): SQL injection in Windmill workflow orchestration platform versions 1.276.0 through 1.603.2 enables authenticated attackers to escalate privileges to administrator and achieve remote code execution. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Windmill deployments and document current versions in use. Within 7 days: Upgrade all affected instances to version 1.603.3 or later immediately-this is a mandatory secur - CVE-2026-22679 (CRITICAL, CVSS 9.3): Remote code execution in Weaver E-cology 10.0 (pre-20260312) allows remote attackers to execute arbitrary system commands via exposed debug functionality at /papi/esearch/data/devops/dubboApi/debug/method. Public exploit code available. Confirmed actively exploited (CISA KEV). Action: Within 24 hours: Identify all Weaver E-cology 10.0 instances with versions prior to 20260312 in your environment; disable or firewall-restrict access to /papi/esearch/data/devops/dubboApi/debug/method - CVE-2026-35022 (CRITICAL, CVSS 9.3): OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=true. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all systems running Claude Code CLI or Agent SDK for Python by scanning CI/CD configurations, deployment manifests, and development environments; isolate affected runners fro - CVE-2026-39912 (CRITICAL, CVSS 9.1): Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables account takeover including admin privileges. When login_with_mail_link_enable is active, remote attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all V2Board and Xboard instances in production and verify affected versions. Within 7 days: Apply vendor-released patch to V2Board ≥1.7.5 and Xboard ≥0.2.0, or immediately di - CVE-2026-6029 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via the User parameter in setVpnAccountCfg function at /cgi-bin/cstecgi.cgi endpoint. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolink A7100RU routers in your environment and isolate firmware version 7.4cu.2313_b20191024 devices from untrusted networks; check vendor (Totolik) security advisory fo - CVE-2026-6026 (HIGH, CVSS 8.9): Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via the setPortalConfWeChat function within /cgi-bin/cstecgi.cgi, exploitable by manipulating the 'enable' parameter. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Totolik A7100RU deployments and identify current firmware versions. Within 7 days: Contact Totolik support to determine patch availability timeline; if no patch is immin - CVE-2026-6025 (HIGH, CVSS 8.9): Remote OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows arbitrary command execution via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Remote attackers exploit the 'enable' parameter to achieve full system compromise. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A7100RU devices on corporate networks and VPNs using network discovery tools; document current firmware versions. Within 7 days: Contact affected users and isolat - CVE-2026-6116 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via crafted requests to the /cgi-bin/cstecgi.cgi endpoint. The vulnerability resides in the setDiagnosisCfg function's insufficient validation of the 'ip' parameter. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolink A7100RU devices on your network using firmware 7.4cu.2313_b20191024 via asset inventory or network scanning; isolate affected devices from production networks if - CVE-2026-5995 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via malicious lan_info parameter to setMiniuiHomeInfoShow function in /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. - CVE-2026-6027 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables remote attackers to execute arbitrary system commands via the 'enable' parameter in the setUrlFilterRules function of /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A7100RU devices in inventory and isolate affected units from production networks if running firmware 7.4cu.2313_b20191024 or earlier; document current firmware ve Threat Landscape WordPress leads affected vendors with 200 CVEs, followed by Google (76), D-Link (43), Apache (32), and Tenda (28). Authentication Bypass is the most prevalent attack technique (329 occurrences), followed by Information Disclosure (266), Buffer Overflow (198), XSS (180), and RCE (172). Of 1,516 total CVEs, 423 have patches available, leaving 441 CRITICAL or HIGH severity vulnerabilities unpatched. Four CVEs have linked threat intelligence: CVE-2025-13926, CVE-2025-14815, CVE-2025-14816 (all CRITICAL), and CVE-2026-4436 (HIGH). Key Trends The 24% week-over-week increase in CVE volume (from 1,224 to 1,516) reflects sustained disclosure activity. WordPress accounts for 13% of all published CVEs, indicating concentration in content management platforms. Authentication Bypass and Information Disclosure together represent 39% of documented attack techniques (595 of 1,516 CVEs). The patch availability rate of 28% (423 of 1,516) leaves 70% of the dataset without confirmed vendor fixes. Public exploit code exists for 12% of published CVEs (184 of 1,516), while 29% of CRITICAL/HIGH severity issues remain unpatched (441 of 1,516). Recommendations - Within 24 hours: Identify all Windmill deployments and document current versions in use. Within 7 days: Upgrade all affected instances to version 1.603.3 or later immediately-this is a mandatory secur - Within 24 hours: Identify all Weaver E-cology 10.0 instances with versions prior to 20260312 in your environment; disable or firewall-restrict access to /papi/esearch/data/devops/dubboApi/debug/method - Within 24 hours: Identify all systems running Claude Code CLI or Agent SDK for Python by scanning CI/CD configurations, deployment manifests, and development environments; isolate affected runners fro - Within 24 hours: Identify all V2Board and Xboard instances in production and verify affected versions. Within 7 days: Review and apply the upstream fix after validation, or wait for vendor to release an official tagged version - Within 24 hours: Identify all Totolink A7100RU routers in your environment and isolate firmware version 7.4cu.2313_b20191024 devices from untrusted networks; restrict WAN access or decommission affected units if end-of-life - Prioritize the 184 CVEs with public exploit code for immediate risk assessment, particularly the 111 CRITICAL severity vulnerabilities. - For the 441 unpatched CRITICAL/HIGH severity vulnerabilities, implement compensating controls including network segmentation, access restrictions, and enhanced monitoring until vendor patches become available....

Overview During the reporting period 2026-03-30 to 2026-04-06, vuln.today data recorded 1,224 published CVEs with the following severity distribution: 132 CRITICAL, 366 HIGH, 571 MEDIUM, 67 LOW, and 88 UNKNOWN. The dataset includes 2 CISA KEV entries, 178 CVEs with public exploits or POCs, 427 with patches available, and 280 unpatched CRITICAL/HIGH vulnerabilities. Week-over-week CVE volume decreased 23% from 1,597 CVEs in the previous period. Critical Threats - CVE-2026-5281 (HIGH, CVSS 8.8): Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in Dawn graphics component. Confirmed actively exploited (CISA KEV). Public exploit code available. Patch available per vendor advisory. - CVE-2026-3502 (HIGH, CVSS 7.8): Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. Confirmed actively exploited (CISA KEV). Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all TrueConf Client deployments and document current versions in use. Within 7 days: Disable or restrict auto-update functionality via Group Policy or application settings. - CVE-2026-2699 (CRITICAL, CVSS 9.8, EPSS 0.4%): Unauthenticated remote code execution in Progress ShareFile Storage Zones Controller allows network attackers to access restricted configuration pages and execute arbitrary code. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller instances across your infrastructure and determine deployment type (cloud-hosted vs. customer-managed on-premises). - CVE-2026-29014 (CRITICAL, CVSS 9.3, EPSS 0.2%): MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection. Public exploit code available. No vendor-released patch identified at time of analysis. - CVE-2026-2701 (CRITICAL, CVSS 9.1, EPSS 0.2%): Remote code execution in Progress ShareFile Storage Zones Controller allows authenticated administrators to upload and execute malicious files. Confirmed actively exploited (CISA KEV). Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller deployments and document current versions; immediately audit administrative account activity for anomalies and enforce multi-. - CVE-2026-4896 (HIGH, CVSS 8.1): Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete WordPress posts. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all WordPress instances running WCFM Frontend Manager ≤6.7.25 and document current vendor user accounts with active credentials; restrict vendor role permissions to read-only. - CVE-2026-5212 (HIGH, CVSS 7.4, EPSS 0.1%): Stack-based buffer overflow in D-Link NAS devices enables authenticated remote attackers to execute arbitrary code affecting 20+ end-of-life D-Link DNS and DNR models through firmware version 20260205. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all D-Link DNS and DNR NAS devices in production; verify firmware versions against 20260205 baseline and identify which models are affected per vendor's published vulnerabil. - CVE-2026-5204 (HIGH, CVSS 7.4): Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Tenda CH22 v1.0.0.1 devices on your network using asset discovery tools and disable remote administrative access until mitigation is confirmed. Within 7 days: Contact Ten. Threat Landscape The top affected vendors were Linux (93 CVEs), Microsoft (55), WordPress (46), Google (38), and Debian (35). Attack techniques were dominated by Information Disclosure (286 CVEs), Authentication Bypass (201), XSS (176), RCE (139), and Denial of Service (117). Of 1,224 total CVEs, 427 have patches available while 280 CRITICAL/HIGH vulnerabilities remain unpatched. Three CVEs (CVE-2026-1579, CVE-2026-3356, CVE-2025-7741) have associated threat intelligence linkages from MISP Galaxies, MITRE ATT&CK, or CISA sources. Key Trends CVE volume decreased 23% week-over-week from 1,597 to 1,224. Linux, Microsoft, and WordPress accounted for 194 CVEs (16% of total volume). Information Disclosure, Authentication Bypass, and XSS represented 663 CVEs (54% of attack techniques). The dataset shows 35% patch availability rate (427 patched of 1,224 total), while 56% of CRITICAL/HIGH vulnerabilities (280 of 498) lack vendor-released patches. Public exploit code exists for 178 CVEs (15% of total), with 2 CVEs confirmed in CISA KEV. Recommendations - CVE-2026-3502: Within 24 hours: Inventory all TrueConf Client deployments and document current versions in use. Within 7 days: Disable or restrict auto-update functionality via Group Policy or application settings. - CVE-2026-2699: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller instances across your infrastructure and determine deployment type (cloud-hosted vs. customer-managed on-premises). - CVE-2026-2701: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller deployments and document current versions; immediately audit administrative account activity for anomalies and enforce multi-. - CVE-2026-4896: Within 24 hours: Identify all WordPress instances running WCFM Frontend Manager ≤6.7.25 and document current vendor user accounts with active credentials; restrict vendor role permissions to read-only. - CVE-2026-5212: Within 24 hours: Inventory all D-Link DNS and DNR NAS devices in production; verify firmware versions against 20260205 baseline and identify which models are affected per vendor's published vulnerabil. - CVE-2026-5204: Within 24 hours: Identify all Tenda CH22 v1.0.0.1 devices on your network using asset discovery tools and disable remote administrative access until mitigation is confirmed. Within 7 days: Contact Ten. - Prioritize remediation of 2 CISA KEV entries and 178 CVEs with public exploit code. Focus patching efforts on 280 unpatched CRITICAL/HIGH vulnerabilities. For end-of-life products with no vendor-released patches (D-Link NAS devices, Tenda CH22 router), implement network-level access restrictions or plan device replacement....

Overview During the reporting period (2026-03-23 to 2026-03-30), vuln.today data identified 1,597 CVEs: 154 CRITICAL, 605 HIGH, 631 MEDIUM, 58 LOW, and 149 UNKNOWN severity. The dataset includes 1 CISA KEV entry, 201 public exploits/POCs, and 224 patches available. 649 CRITICAL/HIGH vulnerabilities remain unpatched. CVE volume increased 24% week-over-week (previous week: 1,288 CVEs). Critical Threats - CVE-2026-33634 (CRITICAL, CVSS 9.4, Priority 97, EPSS 0.0%): Trivy security scanner v0.69.4 supply chain attack. Confirmed actively exploited (CISA KEV); public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability. - CVE-2026-4585 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.2%): OS command injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 (ImportSystemConfiguration.jsp). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Tiandy Easy7 installations and versions; isolate affected systems from production networks if possible; enable enhanced logging and monitoring. Within 7 days: Deploy net - CVE-2026-4567 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.1%): Stack-based buffer overflow in Tenda A15 router firmware version 15.13.07.13 (UploadCfg function). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Tenda A15 routers in your environment and identify those running firmware 15.13.07.13; disable internet-facing access to the /cgi-bin/UploadCfg endpoint immediately via - CVE-2026-30530 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (save_customer action's username parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-30533 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (admin/manage_product.php 'id' parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-30532 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (admin/view_product.php 'id' parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-33696 (CRITICAL, CVSS 9.4, Priority 67, EPSS 0.5%): Prototype pollution in n8n workflow automation platform (XML and GSuiteAdmin nodes) affecting versions prior to 2.14.1, 2.13.3, and 1.123.27; enables remote code execution. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all n8n instances and document current versions; audit user access logs for XML and GSuiteAdmin node usage; restrict workflow creation/modification permissions to essential - CVE-2026-33660 (CRITICAL, CVSS 9.4, Priority 67, EPSS 0.1%): n8n workflow automation platform Merge node 'Combine by SQL' mode allows authenticated users to read arbitrary local files and achieve remote code execution; affects versions prior to 2.14.1, 2.13.3, and 1.123.26. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow change - CVE-2025-71275 (CRITICAL, CVSS 9.3, Priority 67, EPSS 0.5%): Remote code execution in Zimbra Collaboration Suite PostJournal service version 8.8.15 via SMTP injection through RCPT TO parameter. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Zimbra installations and identify systems running version 8.8.15; immediately isolate affected servers from untrusted networks or restrict SMTP access to trusted sources - CVE-2025-60949 (CRITICAL, CVSS 9.3, Priority 67, EPSS 0.0%): Information disclosure in Census CSWeb 8.0.1 (app/config endpoint reachable without authentication); affects versions prior to 8.1.0 alpha. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Census CSWeb 8.0.1 instances and determine network exposure (internal vs. internet-facing); immediately restrict network access to the app/config endpoint via firewall o - CVE-2026-2417 (CRITICAL): Linked threat intelligence present in vuln.today data. - CVE-2026-3650 (HIGH): Linked threat intelligence present in vuln.today data. Threat Landscape Top affected vendors: Debian (190 CVEs), Suse (163), Apple (108), Linux (106), WordPress (72), Mozilla (49), Microsoft (38), Google (30), IBM (26), and Drupal (25). Top attack techniques: Information Disclosure (378), Authentication Bypass (312), Denial Of Service (245), XSS (200), RCE (143), Buffer Overflow (133), SQLi (108), Privilege Escalation (82), Path Traversal (63), and Code Injection (51). Patch coverage: 224 patches available against 759 CRITICAL/HIGH vulnerabilities (29% coverage); 649 CRITICAL/HIGH remain unpatched. Key Trends CVE volume increased 24% week-over-week. 201 CVEs (13% of total) have public exploit code available. Debian and Suse account for 22% of vendor-attributed vulnerabilities. Information Disclosure, Authentication Bypass, and Denial of Service represent 58% of identified attack techniques. 86% of CRITICAL/HIGH severity vulnerabilities remain unpatched. Recommendations - CVE-2026-33634: Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability. - CVE-2026-4585: Within 24 hours: Inventory all Tiandy Easy7 installations and versions; isolate affected systems from production networks if possible; enable enhanced logging and monitoring. Within 7 days: Deploy net - CVE-2026-4567: Within 24 hours: Inventory all Tenda A15 routers in your environment and identify those running firmware 15.13.07.13; disable internet-facing access to the /cgi-bin/UploadCfg endpoint immediately via - CVE-2026-30530, CVE-2026-30533, CVE-2026-30532: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-33696: Within 24 hours: Inventory all n8n instances and document current versions; audit user access logs for XML and GSuiteAdmin node usage; restrict workflow creation/modification permissions to essential - CVE-2026-33660: Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow change - CVE-2025-71275: Within 24 hours: Inventory all Zimbra installations and identify systems running version 8.8.15; immediately isolate affected servers from untrusted networks or restrict SMTP access to trusted sources - CVE-2025-60949: Within 24 hours: Inventory all Census CSWeb 8.0.1 instances and determine network exposure (internal vs. internet-facing); immediately restrict network access to the app/config endpoint via firewall o - Prioritize remediation for the 1 CISA KEV entry and 201 CVEs with public exploit code. - Address 649 unpatched CRITICAL/HIGH vulnerabilities through compensating controls, network segmentation, or vendor engagement for patch timelines....

Overview For the reporting period 2026-03-16 to 2026-03-23, vuln.today data recorded 1,272 published CVEs: 105 CRITICAL, 448 HIGH, 573 MEDIUM, 89 LOW, and 57 UNKNOWN severity. One CISA KEV entry was present. Public exploits or proof-of-concept code were identified for 147 CVEs. Patches were available for 227 CVEs, leaving 431 CRITICAL or HIGH severity vulnerabilities unpatched at time of analysis. Week-over-week CVE volume decreased 9% from 1,400 in the prior period. Critical Threats - CVE-2026-33017 (CRITICAL, CVSS 9.3, Priority 97): Python endpoint `/api/v1/build_public_tmp/{flow_id}/flow` allows unauthenticated remote code execution via attacker-controlled flow data passed to `exec()` with zero sandboxing; confirmed actively exploited (CISA KEV); EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Disable or restrict network access to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint via WAF/firewall rules and disable public flow functionality if not business-critical. - CVE-2026-33309 (CRITICAL, CVSS 9.9, Priority 70): Canonical Docker, Python path traversal in Langflow file upload allows authenticated attackers to write arbitrary files for remote code execution; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block file upload attempts. - CVE-2026-4252 (CRITICAL, CVSS 9.8, Priority 69): Tenda AC8 firmware 16.03.50.11 authentication bypass in IPv6 handler function `check_is_ipv6` allows remote attackers unauthorized access via IP address reliance; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Tenda AC8 16.03.50.11 devices in production and isolate them from critical network segments; disable remote management if enabled. - CVE-2026-25873 (CRITICAL, CVSS 9.8, Priority 69): Deserialization vulnerability in OmniGen2-RL reward server permits unauthenticated remote code execution via malicious HTTP POST exploiting insecure pickle deserialization; public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all OmniGen2-RL instances in your environment and isolate any exposed reward servers from untrusted networks; assess whether affected systems process sensitive data. - CVE-2017-20223 (CRITICAL, CVSS 9.8, Priority 69): Telesquare SKT LTE Router SDT-CS3B1 firmware 1.2.0 insecure direct object reference allows remote attackers to bypass authentication and access sensitive resources by manipulating input parameters; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Telesquare SKT LTE Router SDT-CS3B1 devices in production and isolate affected units from critical network segments; disable remote management access if enabled. - CVE-2026-21992 (CRITICAL, CVSS 9.8, Priority 69): Oracle Identity Manager and Web Services Manager authentication bypass in REST WebServices and Web Services Security components (versions 12.2.1.4.0 and 14.1.2.1.0) allows remote attackers complete system compromise without credentials; public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity. - CVE-2026-32760 (CRITICAL, CVSS 9.8, Priority 69): Docker filebrowser privilege escalation allows unauthenticated visitors to register full administrator accounts when self-registration is enabled and default permissions include `perm.admin = true`; public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin` from default user permissions. - CVE-2026-25769 (CRITICAL, CVSS 9.1, Priority 66): Wazuh deserialization vulnerability in cluster mode allows attackers with worker node access to achieve remote code execution with root privileges on master node; affects versions 4.0.0 through 4.14.2; public exploit code available; EPSS 0.4%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit all Wazuh worker nodes for unauthorized access and isolate any showing signs of compromise; document current Wazuh version and cluster topology. Within 7 days: Implement network segmentation to restrict worker-to-master communication. - CVE-2026-4558 (HIGH, CVSS 8.8, Priority 64): Linksys MR9600 router firmware 2.0.6.206937 remote OS command injection in SmartConnect.lua allows authenticated attackers to inject commands via configApSsid, configApPassphrase, srpLogin, or srpPassword parameters; public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers. - CVE-2026-32042 (HIGH, CVSS 8.8, Priority 64): OpenClaw versions 2026.2.22 through 2026.2.24 privilege escalation allows authenticated attackers to bypass device pairing and self-assign operator.admin scopes via self-signed unpaired device identities; public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Review and apply the upstream fix after validation. Threat Landscape WordPress led vendor distribution with 135 CVEs, followed by Debian (105), Google (54), Linux (45), and Microsoft (43). D-Link, Apple, Tenda, Nginx, and IBM each contributed 10-21 CVEs. Attack technique distribution was led by Authentication Bypass (268 instances), Information Disclosure (259), and XSS (175), followed by Denial Of Service (160), Buffer Overflow (119), and RCE (116). SQLi, Path Traversal, SSRF, and Privilege Escalation collectively accounted for 253 instances. Patches were available for 227 of 1,272 CVEs (17.8% patch coverage), with 431 CRITICAL or HIGH severity issues remaining unpatched. Two CVEs exhibited EPSS scores at 10.0%: CVE-2026-33352 (CRITICAL) and CVE-2026-33354 (HIGH). Five CVEs were associated with threat intelligence from MISP Galaxies, MITRE ATT&CK, or CISA: CVE-2026-25192, CVE-2026-29796, CVE-2026-24060 (all CRITICAL); CVE-2026-25086 and CVE-2026-31904 (both HIGH). Key Trends CVE publication volume decreased 9% week-over-week from 1,400 to 1,272. Vendor concentration remained high, with WordPress and Debian accounting for 18.9% of total CVEs. Authentication Bypass was the most prevalent attack technique at 21.1% of all CVEs, with Information Disclosure close behind at 20.4%. The patch availability ratio of 17.8% left 77.9% of CRITICAL and HIGH severity issues (431 of 553) unpatched at time of analysis. Public exploits or proof-of-concept code were available for 11.6% of all CVEs (147 of 1,272), while only one CVE appeared in CISA KEV data. Recommendations - CVE-2026-33017: Within 24 hours: Disable or restrict network access to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint via WAF/firewall rules and disable public flow functionality if not business-critical. - CVE-2026-33309: Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block file upload attempts. - CVE-2026-4252: Within 24 hours: Identify and inventory all Tenda AC8 16.03.50.11 devices in production and isolate them from critical network segments; disable remote management if enabled. - CVE-2026-25873: Within 24 hours: Identify all OmniGen2-RL instances in your environment and isolate any exposed reward servers from untrusted networks; assess whether affected systems process sensitive data. - CVE-2017-20223: Within 24 hours: Inventory all Telesquare SKT LTE Router SDT-CS3B1 devices in production and isolate affected units from critical network segments; disable remote management access if enabled. - CVE-2026-21992: Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity. - CVE-2026-32760: Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin` from default user permissions. - CVE-2026-25769: Within 24 hours: Audit all Wazuh worker nodes for unauthorized access and isolate any showing signs of compromise; document current Wazuh version and cluster topology. Within 7 days: Implement network segmentation to restrict worker-to-master communication. - CVE-2026-4558: Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers. - CVE-2026-32042: Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Review and apply the upstream fix after validation. - Prioritize remediation for the one CISA KEV entry and the 147 CVEs with public exploit code available. - Address the 431 unpatched CRITICAL or HIGH severity vulnerabilities through compensating controls, vendor engagement, or decommissioning where patches are unavailable....

Overview Vuln.today data for the period March 9-16, 2026 recorded 1,400 published CVEs: 122 CRITICAL, 549 HIGH, 604 MEDIUM, 52 LOW, and 73 UNKNOWN severity. Two CISA KEV entries, 211 public exploits/POCs, and 124 available patches were identified. 612 CRITICAL/HIGH vulnerabilities remained unpatched at time of analysis. Week-over-week CVE volume decreased 2% (previous week: 1,424 CVEs). Critical Threats - CVE-2026-3910 (HIGH, CVSS 8.8): Google Chrome V8 engine vulnerability (versions prior to 146.0.7680.75) allowing remote code execution via malicious HTML; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Vendor-released patch: version 146.0.7680.75. Action: Within 24 hours: Communicate patch availability to all users and enable auto-update enforcement in Chrome policies. Within 7 days: Verify 95%+ of Chrome installations are updated to version 146.0.7680. - CVE-2026-3909 (HIGH, CVSS 8.8): Google Chrome Skia graphics library out-of-bounds write (versions prior to 146.0.7680.75) enabling remote code execution through malicious HTML pages; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Vendor-released patch: version 146.0.7680.75. Action: Within 24 hours: Issue mandatory Chrome update notification to all users and block access to Chrome versions prior to 146.0.7680.75 at the network level if possible. Within 7 days: Verify 100% patchin. - CVE-2025-14558 (HIGH, CVSS 7.2): FreeBSD rtsol(8)/rtsold(8) router advertisement domain search list validation failure passed unmodified to resolvconf(8); public exploit code available; EPSS 40.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all systems running rtsol(8)/rtsold(8) and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict router advertisement. - CVE-2026-30957 (CRITICAL, CVSS 9.9): OneUptime Synthetic Monitors arbitrary command execution for low-privileged authenticated project users on oneuptime-probe server/container (versions prior to 10.0.21); public exploit code available; EPSS 0.3%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all OneUptime deployments and identify which versions are in use; disable Synthetic Monitors feature if operationally feasible and restrict access to the OneUptime platform. - CVE-2026-30887 (CRITICAL, CVSS 9.9): OneUptime custom Playwright/JavaScript code execution via Synthetic Monitors (versions prior to 10.0.18); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit all OneUptime project members and revoke access for unnecessary accounts; document all Synthetic Monitor configurations currently in use. Within 7 days: Implement network segmen. - CVE-2026-30956 (CRITICAL, CVSS 9.9): OneUptime authorization and tenant isolation bypass via forged is-multi-tenant-query and projectid headers (versions prior to 10.0.21); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all OneUptime instances and their versions, isolate affected systems from production networks if possible, and contact OneUptime vendor for emergency patch timeline. Within. - CVE-2026-30921 (CRITICAL, CVSS 9.9): OneUptime Synthetic Monitors custom Playwright code execution on oneuptime-probe service by low-privileged project users (versions prior to 10.0.20); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit OneUptime user access and synthetic monitor configurations; isolate OneUptime-probe services from sensitive networks; disable synthetic monitor functionality if business-critica. - CVE-2019-25468 (CRITICAL, CVSS 9.8): NetGain EM Plus 10.1.68 remote code execution via malicious parameters to script_test.jsp endpoint; public exploit code available; EPSS 0.2%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all NetGain EM Plus 10.1.68 instances in your environment and isolate them from untrusted networks; implement emergency WAF rules to block access to script_test.jsp endpoint. - CVE-2026-4164 (CRITICAL, CVSS 9.8): Wavlink WL-WN578W2 firmware 221110 command injection in wireless.cgi script; public exploit code available; EPSS 0.2%. Vendor-released patch available. Action: Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to al. - CVE-2026-4163 (CRITICAL, CVSS 9.8): Wavlink WL-WN579A3 firmware 220323 command injection in /cgi-bin/wireless.cgi SetName/GuestWifi functions; public exploit code available; EPSS 0.2%. Vendor-released patch available. Action: Within 24 hours: Identify and inventory all Wavlink WL-WN579A3 devices in your environment and isolate them from critical network segments if possible. Within 7 days: Apply the available vendor patch. Threat Landscape Top affected vendors: Microsoft (71 CVEs), WordPress (68), Adobe (67), Google (35), Fortinet (22), IBM (20), D-Link (18), GitLab (15), SAP (12), Apache (9). Authentication Bypass (271 CVEs) was the most prevalent attack technique, followed by Information Disclosure (211), XSS (190), Buffer Overflow (189), Denial of Service (133), SQLi (108), RCE (99), Privilege Escalation (58), Path Traversal (53), and SSRF (31). Patch availability: 124 patches released against 1,400 CVEs; 612 CRITICAL/HIGH vulnerabilities remained unpatched. Two CVEs (CVE-2025-14558 at 40.0%, CVE-2026-2493 at 10.3%) recorded EPSS scores exceeding 10%. Five CVEs exhibited threat actor associations: CVE-2025-40943 (CRITICAL), CVE-2026-25573 (HIGH), CVE-2026-25569 (HIGH), CVE-2026-25570 (HIGH), CVE-2026-25605 (MEDIUM). Key Trends CVE publication volume declined 2% week-over-week (1,400 vs. 1,424). The top three vendors (Microsoft, WordPress, Adobe) accounted for 206 of 1,400 CVEs (14.7%). Authentication Bypass constituted 19.4% of all reported attack techniques. 15.1% of CVEs (211 of 1,400) had public exploit code available; 8.9% of CVEs (124 of 1,400) had vendor-released patches. 91.2% of CRITICAL/HIGH severity vulnerabilities (612 of 671) remained unpatched at time of analysis. Recommendations - CVE-2026-3910: Within 24 hours: Communicate patch availability to all users and enable auto-update enforcement in Chrome policies. Within 7 days: Verify 95%+ of Chrome installations are updated to version 146.0.7680. - CVE-2026-3909: Within 24 hours: Issue mandatory Chrome update notification to all users and block access to Chrome versions prior to 146.0.7680.75 at the network level if possible. Within 7 days: Verify 100% patchin. - CVE-2025-14558: Within 24 hours: Identify and inventory all systems running rtsol(8)/rtsold(8) and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict router advertisement. - CVE-2026-30957: Within 24 hours: Inventory all OneUptime deployments and identify which versions are in use; disable Synthetic Monitors feature if operationally feasible and restrict access to the OneUptime platform. - CVE-2026-30887: Within 24 hours: Audit all OneUptime project members and revoke access for unnecessary accounts; document all Synthetic Monitor configurations currently in use. Within 7 days: Implement network segmen. - CVE-2026-30956: Within 24 hours: Inventory all OneUptime instances and their versions, isolate affected systems from production networks if possible, and contact OneUptime vendor for emergency patch timeline. Within. - CVE-2026-30921: Within 24 hours: Audit OneUptime user access and synthetic monitor configurations; isolate OneUptime-probe services from sensitive networks; disable synthetic monitor functionality if business-critica. - CVE-2019-25468: Within 24 hours: Identify all NetGain EM Plus 10.1.68 instances in your environment and isolate them from untrusted networks; implement emergency WAF rules to block access to script_test.jsp endpoint. - CVE-2026-4164: Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to al. - CVE-2026-4163: Within 24 hours: Identify and inventory all Wavlink WL-WN579A3 devices in your environment and isolate them from critical network segments if possible. Within 7 days: Apply the available vendor patch. - Prioritize the 2 CISA KEV entries for immediate patching and verification. - Assess organizational exposure to the 211 CVEs with public exploit code; prioritize those intersecting with deployed technologies. - Monitor vendor advisories for patches addressing the 612 unpatched CRITICAL/HIGH vulnerabilities; implement compensating controls where patches are unavailable....