Weekly Digests

Overview During the reporting period 2026-03-30 to 2026-04-06, vuln.today data recorded 1,224 published CVEs with the following severity distribution: 132 CRITICAL, 366 HIGH, 571 MEDIUM, 67 LOW, and 88 UNKNOWN. The dataset includes 2 CISA KEV entries, 178 CVEs with public exploits or POCs, 427 with patches available, and 280 unpatched CRITICAL/HIGH vulnerabilities. Week-over-week CVE volume decreased 23% from 1,597 CVEs in the previous period. Critical Threats - CVE-2026-5281 (HIGH, CVSS 8.8): Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in Dawn graphics component. Confirmed actively exploited (CISA KEV). Public exploit code available. Patch available per vendor advisory. - CVE-2026-3502 (HIGH, CVSS 7.8): Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. Confirmed actively exploited (CISA KEV). Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all TrueConf Client deployments and document current versions in use. Within 7 days: Disable or restrict auto-update functionality via Group Policy or application settings. - CVE-2026-2699 (CRITICAL, CVSS 9.8, EPSS 0.4%): Unauthenticated remote code execution in Progress ShareFile Storage Zones Controller allows network attackers to access restricted configuration pages and execute arbitrary code. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller instances across your infrastructure and determine deployment type (cloud-hosted vs. customer-managed on-premises). - CVE-2026-29014 (CRITICAL, CVSS 9.3, EPSS 0.2%): MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection. Public exploit code available. No vendor-released patch identified at time of analysis. - CVE-2026-2701 (CRITICAL, CVSS 9.1, EPSS 0.2%): Remote code execution in Progress ShareFile Storage Zones Controller allows authenticated administrators to upload and execute malicious files. Confirmed actively exploited (CISA KEV). Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller deployments and document current versions; immediately audit administrative account activity for anomalies and enforce multi-. - CVE-2026-4896 (HIGH, CVSS 8.1): Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete WordPress posts. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all WordPress instances running WCFM Frontend Manager ≤6.7.25 and document current vendor user accounts with active credentials; restrict vendor role permissions to read-only. - CVE-2026-5212 (HIGH, CVSS 7.4, EPSS 0.1%): Stack-based buffer overflow in D-Link NAS devices enables authenticated remote attackers to execute arbitrary code affecting 20+ end-of-life D-Link DNS and DNR models through firmware version 20260205. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all D-Link DNS and DNR NAS devices in production; verify firmware versions against 20260205 baseline and identify which models are affected per vendor's published vulnerabil. - CVE-2026-5204 (HIGH, CVSS 7.4): Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Tenda CH22 v1.0.0.1 devices on your network using asset discovery tools and disable remote administrative access until mitigation is confirmed. Within 7 days: Contact Ten. Threat Landscape The top affected vendors were Linux (93 CVEs), Microsoft (55), WordPress (46), Google (38), and Debian (35). Attack techniques were dominated by Information Disclosure (286 CVEs), Authentication Bypass (201), XSS (176), RCE (139), and Denial of Service (117). Of 1,224 total CVEs, 427 have patches available while 280 CRITICAL/HIGH vulnerabilities remain unpatched. Three CVEs (CVE-2026-1579, CVE-2026-3356, CVE-2025-7741) have associated threat intelligence linkages from MISP Galaxies, MITRE ATT&CK, or CISA sources. Key Trends CVE volume decreased 23% week-over-week from 1,597 to 1,224. Linux, Microsoft, and WordPress accounted for 194 CVEs (16% of total volume). Information Disclosure, Authentication Bypass, and XSS represented 663 CVEs (54% of attack techniques). The dataset shows 35% patch availability rate (427 patched of 1,224 total), while 56% of CRITICAL/HIGH vulnerabilities (280 of 498) lack vendor-released patches. Public exploit code exists for 178 CVEs (15% of total), with 2 CVEs confirmed in CISA KEV. Recommendations - CVE-2026-3502: Within 24 hours: Inventory all TrueConf Client deployments and document current versions in use. Within 7 days: Disable or restrict auto-update functionality via Group Policy or application settings. - CVE-2026-2699: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller instances across your infrastructure and determine deployment type (cloud-hosted vs. customer-managed on-premises). - CVE-2026-2701: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller deployments and document current versions; immediately audit administrative account activity for anomalies and enforce multi-. - CVE-2026-4896: Within 24 hours: Identify all WordPress instances running WCFM Frontend Manager ≤6.7.25 and document current vendor user accounts with active credentials; restrict vendor role permissions to read-only. - CVE-2026-5212: Within 24 hours: Inventory all D-Link DNS and DNR NAS devices in production; verify firmware versions against 20260205 baseline and identify which models are affected per vendor's published vulnerabil. - CVE-2026-5204: Within 24 hours: Identify all Tenda CH22 v1.0.0.1 devices on your network using asset discovery tools and disable remote administrative access until mitigation is confirmed. Within 7 days: Contact Ten. - Prioritize remediation of 2 CISA KEV entries and 178 CVEs with public exploit code. Focus patching efforts on 280 unpatched CRITICAL/HIGH vulnerabilities. For end-of-life products with no vendor-released patches (D-Link NAS devices, Tenda CH22 router), implement network-level access restrictions or plan device replacement....

Overview During the reporting period (2026-03-23 to 2026-03-30), vuln.today data identified 1,597 CVEs: 154 CRITICAL, 605 HIGH, 631 MEDIUM, 58 LOW, and 149 UNKNOWN severity. The dataset includes 1 CISA KEV entry, 201 public exploits/POCs, and 224 patches available. 649 CRITICAL/HIGH vulnerabilities remain unpatched. CVE volume increased 24% week-over-week (previous week: 1,288 CVEs). Critical Threats - CVE-2026-33634 (CRITICAL, CVSS 9.4, Priority 97, EPSS 0.0%): Trivy security scanner v0.69.4 supply chain attack. Confirmed actively exploited (CISA KEV); public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability. - CVE-2026-4585 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.2%): OS command injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 (ImportSystemConfiguration.jsp). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Tiandy Easy7 installations and versions; isolate affected systems from production networks if possible; enable enhanced logging and monitoring. Within 7 days: Deploy net - CVE-2026-4567 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.1%): Stack-based buffer overflow in Tenda A15 router firmware version 15.13.07.13 (UploadCfg function). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Tenda A15 routers in your environment and identify those running firmware 15.13.07.13; disable internet-facing access to the /cgi-bin/UploadCfg endpoint immediately via - CVE-2026-30530 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (save_customer action's username parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-30533 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (admin/manage_product.php 'id' parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-30532 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (admin/view_product.php 'id' parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-33696 (CRITICAL, CVSS 9.4, Priority 67, EPSS 0.5%): Prototype pollution in n8n workflow automation platform (XML and GSuiteAdmin nodes) affecting versions prior to 2.14.1, 2.13.3, and 1.123.27; enables remote code execution. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all n8n instances and document current versions; audit user access logs for XML and GSuiteAdmin node usage; restrict workflow creation/modification permissions to essential - CVE-2026-33660 (CRITICAL, CVSS 9.4, Priority 67, EPSS 0.1%): n8n workflow automation platform Merge node 'Combine by SQL' mode allows authenticated users to read arbitrary local files and achieve remote code execution; affects versions prior to 2.14.1, 2.13.3, and 1.123.26. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow change - CVE-2025-71275 (CRITICAL, CVSS 9.3, Priority 67, EPSS 0.5%): Remote code execution in Zimbra Collaboration Suite PostJournal service version 8.8.15 via SMTP injection through RCPT TO parameter. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Zimbra installations and identify systems running version 8.8.15; immediately isolate affected servers from untrusted networks or restrict SMTP access to trusted sources - CVE-2025-60949 (CRITICAL, CVSS 9.3, Priority 67, EPSS 0.0%): Information disclosure in Census CSWeb 8.0.1 (app/config endpoint reachable without authentication); affects versions prior to 8.1.0 alpha. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Census CSWeb 8.0.1 instances and determine network exposure (internal vs. internet-facing); immediately restrict network access to the app/config endpoint via firewall o - CVE-2026-2417 (CRITICAL): Linked threat intelligence present in vuln.today data. - CVE-2026-3650 (HIGH): Linked threat intelligence present in vuln.today data. Threat Landscape Top affected vendors: Debian (190 CVEs), Suse (163), Apple (108), Linux (106), WordPress (72), Mozilla (49), Microsoft (38), Google (30), IBM (26), and Drupal (25). Top attack techniques: Information Disclosure (378), Authentication Bypass (312), Denial Of Service (245), XSS (200), RCE (143), Buffer Overflow (133), SQLi (108), Privilege Escalation (82), Path Traversal (63), and Code Injection (51). Patch coverage: 224 patches available against 759 CRITICAL/HIGH vulnerabilities (29% coverage); 649 CRITICAL/HIGH remain unpatched. Key Trends CVE volume increased 24% week-over-week. 201 CVEs (13% of total) have public exploit code available. Debian and Suse account for 22% of vendor-attributed vulnerabilities. Information Disclosure, Authentication Bypass, and Denial of Service represent 58% of identified attack techniques. 86% of CRITICAL/HIGH severity vulnerabilities remain unpatched. Recommendations - CVE-2026-33634: Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability. - CVE-2026-4585: Within 24 hours: Inventory all Tiandy Easy7 installations and versions; isolate affected systems from production networks if possible; enable enhanced logging and monitoring. Within 7 days: Deploy net - CVE-2026-4567: Within 24 hours: Inventory all Tenda A15 routers in your environment and identify those running firmware 15.13.07.13; disable internet-facing access to the /cgi-bin/UploadCfg endpoint immediately via - CVE-2026-30530, CVE-2026-30533, CVE-2026-30532: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro - CVE-2026-33696: Within 24 hours: Inventory all n8n instances and document current versions; audit user access logs for XML and GSuiteAdmin node usage; restrict workflow creation/modification permissions to essential - CVE-2026-33660: Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow change - CVE-2025-71275: Within 24 hours: Inventory all Zimbra installations and identify systems running version 8.8.15; immediately isolate affected servers from untrusted networks or restrict SMTP access to trusted sources - CVE-2025-60949: Within 24 hours: Inventory all Census CSWeb 8.0.1 instances and determine network exposure (internal vs. internet-facing); immediately restrict network access to the app/config endpoint via firewall o - Prioritize remediation for the 1 CISA KEV entry and 201 CVEs with public exploit code. - Address 649 unpatched CRITICAL/HIGH vulnerabilities through compensating controls, network segmentation, or vendor engagement for patch timelines....

Overview For the reporting period 2026-03-16 to 2026-03-23, vuln.today data recorded 1,272 published CVEs: 105 CRITICAL, 448 HIGH, 573 MEDIUM, 89 LOW, and 57 UNKNOWN severity. One CISA KEV entry was present. Public exploits or proof-of-concept code were identified for 147 CVEs. Patches were available for 227 CVEs, leaving 431 CRITICAL or HIGH severity vulnerabilities unpatched at time of analysis. Week-over-week CVE volume decreased 9% from 1,400 in the prior period. Critical Threats - CVE-2026-33017 (CRITICAL, CVSS 9.3, Priority 97): Python endpoint `/api/v1/build_public_tmp/{flow_id}/flow` allows unauthenticated remote code execution via attacker-controlled flow data passed to `exec()` with zero sandboxing; confirmed actively exploited (CISA KEV); EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Disable or restrict network access to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint via WAF/firewall rules and disable public flow functionality if not business-critical. - CVE-2026-33309 (CRITICAL, CVSS 9.9, Priority 70): Canonical Docker, Python path traversal in Langflow file upload allows authenticated attackers to write arbitrary files for remote code execution; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block file upload attempts. - CVE-2026-4252 (CRITICAL, CVSS 9.8, Priority 69): Tenda AC8 firmware 16.03.50.11 authentication bypass in IPv6 handler function `check_is_ipv6` allows remote attackers unauthorized access via IP address reliance; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Tenda AC8 16.03.50.11 devices in production and isolate them from critical network segments; disable remote management if enabled. - CVE-2026-25873 (CRITICAL, CVSS 9.8, Priority 69): Deserialization vulnerability in OmniGen2-RL reward server permits unauthenticated remote code execution via malicious HTTP POST exploiting insecure pickle deserialization; public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all OmniGen2-RL instances in your environment and isolate any exposed reward servers from untrusted networks; assess whether affected systems process sensitive data. - CVE-2017-20223 (CRITICAL, CVSS 9.8, Priority 69): Telesquare SKT LTE Router SDT-CS3B1 firmware 1.2.0 insecure direct object reference allows remote attackers to bypass authentication and access sensitive resources by manipulating input parameters; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Telesquare SKT LTE Router SDT-CS3B1 devices in production and isolate affected units from critical network segments; disable remote management access if enabled. - CVE-2026-21992 (CRITICAL, CVSS 9.8, Priority 69): Oracle Identity Manager and Web Services Manager authentication bypass in REST WebServices and Web Services Security components (versions 12.2.1.4.0 and 14.1.2.1.0) allows remote attackers complete system compromise without credentials; public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity. - CVE-2026-32760 (CRITICAL, CVSS 9.8, Priority 69): Docker filebrowser privilege escalation allows unauthenticated visitors to register full administrator accounts when self-registration is enabled and default permissions include `perm.admin = true`; public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin` from default user permissions. - CVE-2026-25769 (CRITICAL, CVSS 9.1, Priority 66): Wazuh deserialization vulnerability in cluster mode allows attackers with worker node access to achieve remote code execution with root privileges on master node; affects versions 4.0.0 through 4.14.2; public exploit code available; EPSS 0.4%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit all Wazuh worker nodes for unauthorized access and isolate any showing signs of compromise; document current Wazuh version and cluster topology. Within 7 days: Implement network segmentation to restrict worker-to-master communication. - CVE-2026-4558 (HIGH, CVSS 8.8, Priority 64): Linksys MR9600 router firmware 2.0.6.206937 remote OS command injection in SmartConnect.lua allows authenticated attackers to inject commands via configApSsid, configApPassphrase, srpLogin, or srpPassword parameters; public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers. - CVE-2026-32042 (HIGH, CVSS 8.8, Priority 64): OpenClaw versions 2026.2.22 through 2026.2.24 privilege escalation allows authenticated attackers to bypass device pairing and self-assign operator.admin scopes via self-signed unpaired device identities; public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Review and apply the upstream fix after validation. Threat Landscape WordPress led vendor distribution with 135 CVEs, followed by Debian (105), Google (54), Linux (45), and Microsoft (43). D-Link, Apple, Tenda, Nginx, and IBM each contributed 10-21 CVEs. Attack technique distribution was led by Authentication Bypass (268 instances), Information Disclosure (259), and XSS (175), followed by Denial Of Service (160), Buffer Overflow (119), and RCE (116). SQLi, Path Traversal, SSRF, and Privilege Escalation collectively accounted for 253 instances. Patches were available for 227 of 1,272 CVEs (17.8% patch coverage), with 431 CRITICAL or HIGH severity issues remaining unpatched. Two CVEs exhibited EPSS scores at 10.0%: CVE-2026-33352 (CRITICAL) and CVE-2026-33354 (HIGH). Five CVEs were associated with threat intelligence from MISP Galaxies, MITRE ATT&CK, or CISA: CVE-2026-25192, CVE-2026-29796, CVE-2026-24060 (all CRITICAL); CVE-2026-25086 and CVE-2026-31904 (both HIGH). Key Trends CVE publication volume decreased 9% week-over-week from 1,400 to 1,272. Vendor concentration remained high, with WordPress and Debian accounting for 18.9% of total CVEs. Authentication Bypass was the most prevalent attack technique at 21.1% of all CVEs, with Information Disclosure close behind at 20.4%. The patch availability ratio of 17.8% left 77.9% of CRITICAL and HIGH severity issues (431 of 553) unpatched at time of analysis. Public exploits or proof-of-concept code were available for 11.6% of all CVEs (147 of 1,272), while only one CVE appeared in CISA KEV data. Recommendations - CVE-2026-33017: Within 24 hours: Disable or restrict network access to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint via WAF/firewall rules and disable public flow functionality if not business-critical. - CVE-2026-33309: Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block file upload attempts. - CVE-2026-4252: Within 24 hours: Identify and inventory all Tenda AC8 16.03.50.11 devices in production and isolate them from critical network segments; disable remote management if enabled. - CVE-2026-25873: Within 24 hours: Identify all OmniGen2-RL instances in your environment and isolate any exposed reward servers from untrusted networks; assess whether affected systems process sensitive data. - CVE-2017-20223: Within 24 hours: Inventory all Telesquare SKT LTE Router SDT-CS3B1 devices in production and isolate affected units from critical network segments; disable remote management access if enabled. - CVE-2026-21992: Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity. - CVE-2026-32760: Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin` from default user permissions. - CVE-2026-25769: Within 24 hours: Audit all Wazuh worker nodes for unauthorized access and isolate any showing signs of compromise; document current Wazuh version and cluster topology. Within 7 days: Implement network segmentation to restrict worker-to-master communication. - CVE-2026-4558: Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers. - CVE-2026-32042: Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Review and apply the upstream fix after validation. - Prioritize remediation for the one CISA KEV entry and the 147 CVEs with public exploit code available. - Address the 431 unpatched CRITICAL or HIGH severity vulnerabilities through compensating controls, vendor engagement, or decommissioning where patches are unavailable....

Overview Vuln.today data for the period March 9-16, 2026 recorded 1,400 published CVEs: 122 CRITICAL, 549 HIGH, 604 MEDIUM, 52 LOW, and 73 UNKNOWN severity. Two CISA KEV entries, 211 public exploits/POCs, and 124 available patches were identified. 612 CRITICAL/HIGH vulnerabilities remained unpatched at time of analysis. Week-over-week CVE volume decreased 2% (previous week: 1,424 CVEs). Critical Threats - CVE-2026-3910 (HIGH, CVSS 8.8): Google Chrome V8 engine vulnerability (versions prior to 146.0.7680.75) allowing remote code execution via malicious HTML; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Vendor-released patch: version 146.0.7680.75. Action: Within 24 hours: Communicate patch availability to all users and enable auto-update enforcement in Chrome policies. Within 7 days: Verify 95%+ of Chrome installations are updated to version 146.0.7680. - CVE-2026-3909 (HIGH, CVSS 8.8): Google Chrome Skia graphics library out-of-bounds write (versions prior to 146.0.7680.75) enabling remote code execution through malicious HTML pages; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Vendor-released patch: version 146.0.7680.75. Action: Within 24 hours: Issue mandatory Chrome update notification to all users and block access to Chrome versions prior to 146.0.7680.75 at the network level if possible. Within 7 days: Verify 100% patchin. - CVE-2025-14558 (HIGH, CVSS 7.2): FreeBSD rtsol(8)/rtsold(8) router advertisement domain search list validation failure passed unmodified to resolvconf(8); public exploit code available; EPSS 40.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all systems running rtsol(8)/rtsold(8) and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict router advertisement. - CVE-2026-30957 (CRITICAL, CVSS 9.9): OneUptime Synthetic Monitors arbitrary command execution for low-privileged authenticated project users on oneuptime-probe server/container (versions prior to 10.0.21); public exploit code available; EPSS 0.3%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all OneUptime deployments and identify which versions are in use; disable Synthetic Monitors feature if operationally feasible and restrict access to the OneUptime platform. - CVE-2026-30887 (CRITICAL, CVSS 9.9): OneUptime custom Playwright/JavaScript code execution via Synthetic Monitors (versions prior to 10.0.18); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit all OneUptime project members and revoke access for unnecessary accounts; document all Synthetic Monitor configurations currently in use. Within 7 days: Implement network segmen. - CVE-2026-30956 (CRITICAL, CVSS 9.9): OneUptime authorization and tenant isolation bypass via forged is-multi-tenant-query and projectid headers (versions prior to 10.0.21); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all OneUptime instances and their versions, isolate affected systems from production networks if possible, and contact OneUptime vendor for emergency patch timeline. Within. - CVE-2026-30921 (CRITICAL, CVSS 9.9): OneUptime Synthetic Monitors custom Playwright code execution on oneuptime-probe service by low-privileged project users (versions prior to 10.0.20); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit OneUptime user access and synthetic monitor configurations; isolate OneUptime-probe services from sensitive networks; disable synthetic monitor functionality if business-critica. - CVE-2019-25468 (CRITICAL, CVSS 9.8): NetGain EM Plus 10.1.68 remote code execution via malicious parameters to script_test.jsp endpoint; public exploit code available; EPSS 0.2%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all NetGain EM Plus 10.1.68 instances in your environment and isolate them from untrusted networks; implement emergency WAF rules to block access to script_test.jsp endpoint. - CVE-2026-4164 (CRITICAL, CVSS 9.8): Wavlink WL-WN578W2 firmware 221110 command injection in wireless.cgi script; public exploit code available; EPSS 0.2%. Vendor-released patch available. Action: Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to al. - CVE-2026-4163 (CRITICAL, CVSS 9.8): Wavlink WL-WN579A3 firmware 220323 command injection in /cgi-bin/wireless.cgi SetName/GuestWifi functions; public exploit code available; EPSS 0.2%. Vendor-released patch available. Action: Within 24 hours: Identify and inventory all Wavlink WL-WN579A3 devices in your environment and isolate them from critical network segments if possible. Within 7 days: Apply the available vendor patch. Threat Landscape Top affected vendors: Microsoft (71 CVEs), WordPress (68), Adobe (67), Google (35), Fortinet (22), IBM (20), D-Link (18), GitLab (15), SAP (12), Apache (9). Authentication Bypass (271 CVEs) was the most prevalent attack technique, followed by Information Disclosure (211), XSS (190), Buffer Overflow (189), Denial of Service (133), SQLi (108), RCE (99), Privilege Escalation (58), Path Traversal (53), and SSRF (31). Patch availability: 124 patches released against 1,400 CVEs; 612 CRITICAL/HIGH vulnerabilities remained unpatched. Two CVEs (CVE-2025-14558 at 40.0%, CVE-2026-2493 at 10.3%) recorded EPSS scores exceeding 10%. Five CVEs exhibited threat actor associations: CVE-2025-40943 (CRITICAL), CVE-2026-25573 (HIGH), CVE-2026-25569 (HIGH), CVE-2026-25570 (HIGH), CVE-2026-25605 (MEDIUM). Key Trends CVE publication volume declined 2% week-over-week (1,400 vs. 1,424). The top three vendors (Microsoft, WordPress, Adobe) accounted for 206 of 1,400 CVEs (14.7%). Authentication Bypass constituted 19.4% of all reported attack techniques. 15.1% of CVEs (211 of 1,400) had public exploit code available; 8.9% of CVEs (124 of 1,400) had vendor-released patches. 91.2% of CRITICAL/HIGH severity vulnerabilities (612 of 671) remained unpatched at time of analysis. Recommendations - CVE-2026-3910: Within 24 hours: Communicate patch availability to all users and enable auto-update enforcement in Chrome policies. Within 7 days: Verify 95%+ of Chrome installations are updated to version 146.0.7680. - CVE-2026-3909: Within 24 hours: Issue mandatory Chrome update notification to all users and block access to Chrome versions prior to 146.0.7680.75 at the network level if possible. Within 7 days: Verify 100% patchin. - CVE-2025-14558: Within 24 hours: Identify and inventory all systems running rtsol(8)/rtsold(8) and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict router advertisement. - CVE-2026-30957: Within 24 hours: Inventory all OneUptime deployments and identify which versions are in use; disable Synthetic Monitors feature if operationally feasible and restrict access to the OneUptime platform. - CVE-2026-30887: Within 24 hours: Audit all OneUptime project members and revoke access for unnecessary accounts; document all Synthetic Monitor configurations currently in use. Within 7 days: Implement network segmen. - CVE-2026-30956: Within 24 hours: Inventory all OneUptime instances and their versions, isolate affected systems from production networks if possible, and contact OneUptime vendor for emergency patch timeline. Within. - CVE-2026-30921: Within 24 hours: Audit OneUptime user access and synthetic monitor configurations; isolate OneUptime-probe services from sensitive networks; disable synthetic monitor functionality if business-critica. - CVE-2019-25468: Within 24 hours: Identify all NetGain EM Plus 10.1.68 instances in your environment and isolate them from untrusted networks; implement emergency WAF rules to block access to script_test.jsp endpoint. - CVE-2026-4164: Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to al. - CVE-2026-4163: Within 24 hours: Identify and inventory all Wavlink WL-WN579A3 devices in your environment and isolate them from critical network segments if possible. Within 7 days: Apply the available vendor patch. - Prioritize the 2 CISA KEV entries for immediate patching and verification. - Assess organizational exposure to the 211 CVEs with public exploit code; prioritize those intersecting with deployed technologies. - Monitor vendor advisories for patches addressing the 612 unpatched CRITICAL/HIGH vulnerabilities; implement compensating controls where patches are unavailable....