1,400 CVEs: 612 Unpatched Critical/High, Chrome KEV Exploits, Router RCE

Mar 09 - Mar 16, 2026
Total CVEs: 1,400 | Critical + High: 671 | KEV: 2 | Public Exploits: 211

Executive Summary

Overview

Vuln.today data for the period March 9-16, 2026 recorded 1,400 published CVEs: 122 CRITICAL, 549 HIGH, 604 MEDIUM, 52 LOW, and 73 UNKNOWN severity. Two CISA KEV entries, 211 public exploits/POCs, and 124 available patches were identified. 612 CRITICAL/HIGH vulnerabilities remained unpatched at time of analysis. Week-over-week CVE volume decreased 2% (previous week: 1,424 CVEs).

Critical Threats

  • CVE-2026-3910 (HIGH, CVSS 8.8): Google Chrome V8 engine vulnerability (versions prior to 146.0.7680.75) allowing remote code execution via malicious HTML; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Vendor-released patch: version 146.0.7680.75. Action: Within 24 hours: Communicate patch availability to all users and enable auto-update enforcement in Chrome policies. Within 7 days: Verify 95%+ of Chrome installations are updated to version 146.0.7680.
  • CVE-2026-3909 (HIGH, CVSS 8.8): Google Chrome Skia graphics library out-of-bounds write (versions prior to 146.0.7680.75) enabling remote code execution through malicious HTML pages; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Vendor-released patch: version 146.0.7680.75. Action: Within 24 hours: Issue mandatory Chrome update notification to all users and block access to Chrome versions prior to 146.0.7680.75 at the network level if possible. Within 7 days: Verify 100% patchin.
  • CVE-2025-14558 (HIGH, CVSS 7.2): FreeBSD rtsol(8)/rtsold(8) router advertisement domain search list validation failure passed unmodified to resolvconf(8); public exploit code available; EPSS 40.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all systems running rtsol(8)/rtsold(8) and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict router advertisement.
  • CVE-2026-30957 (CRITICAL, CVSS 9.9): OneUptime Synthetic Monitors arbitrary command execution for low-privileged authenticated project users on oneuptime-probe server/container (versions prior to 10.0.21); public exploit code available; EPSS 0.3%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all OneUptime deployments and identify which versions are in use; disable Synthetic Monitors feature if operationally feasible and restrict access to the OneUptime platform.
  • CVE-2026-30887 (CRITICAL, CVSS 9.9): OneUptime custom Playwright/JavaScript code execution via Synthetic Monitors (versions prior to 10.0.18); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit all OneUptime project members and revoke access for unnecessary accounts; document all Synthetic Monitor configurations currently in use. Within 7 days: Implement network segmen.
  • CVE-2026-30956 (CRITICAL, CVSS 9.9): OneUptime authorization and tenant isolation bypass via forged is-multi-tenant-query and projectid headers (versions prior to 10.0.21); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all OneUptime instances and their versions, isolate affected systems from production networks if possible, and contact OneUptime vendor for emergency patch timeline. Within.
  • CVE-2026-30921 (CRITICAL, CVSS 9.9): OneUptime Synthetic Monitors custom Playwright code execution on oneuptime-probe service by low-privileged project users (versions prior to 10.0.20); public exploit code available; EPSS 0.0%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit OneUptime user access and synthetic monitor configurations; isolate OneUptime-probe services from sensitive networks; disable synthetic monitor functionality if business-critica.
  • CVE-2019-25468 (CRITICAL, CVSS 9.8): NetGain EM Plus 10.1.68 remote code execution via malicious parameters to script_test.jsp endpoint; public exploit code available; EPSS 0.2%; no vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all NetGain EM Plus 10.1.68 instances in your environment and isolate them from untrusted networks; implement emergency WAF rules to block access to script_test.jsp endpoint.
  • CVE-2026-4164 (CRITICAL, CVSS 9.8): Wavlink WL-WN578W2 firmware 221110 command injection in wireless.cgi script; public exploit code available; EPSS 0.2%. Vendor-released patch available. Action: Within 24 hours: Inventory all Wavlink WL-WN578W2 devices across the organization and isolate affected units from production networks if possible. Within 7 days: Apply the available vendor patch to al.
  • CVE-2026-4163 (CRITICAL, CVSS 9.8): Wavlink WL-WN579A3 firmware 220323 command injection in /cgi-bin/wireless.cgi SetName/GuestWifi functions; public exploit code available; EPSS 0.2%. Vendor-released patch available. Action: Within 24 hours: Identify and inventory all Wavlink WL-WN579A3 devices in your environment and isolate them from critical network segments if possible. Within 7 days: Apply the available vendor patch.

Threat Landscape

Top affected vendors: Microsoft (71 CVEs), WordPress (68), Adobe (67), Google (35), Fortinet (22), IBM (20), D-Link (18), GitLab (15), SAP (12), Apache (9). Authentication Bypass (271 CVEs) was the most prevalent attack technique, followed by Information Disclosure (211), XSS (190), Buffer Overflow (189), Denial of Service (133), SQLi (108), RCE (99), Privilege Escalation (58), Path Traversal (53), and SSRF (31). Patch availability: 124 patches released against 1,400 CVEs; 612 CRITICAL/HIGH vulnerabilities remained unpatched. Two CVEs (CVE-2025-14558 at 40.0%, CVE-2026-2493 at 10.3%) recorded EPSS scores exceeding 10%. Five CVEs exhibited threat actor associations: CVE-2025-40943 (CRITICAL), CVE-2026-25573 (HIGH), CVE-2026-25569 (HIGH), CVE-2026-25570 (HIGH), CVE-2026-25605 (MEDIUM).

Key Trends

CVE publication volume declined 2% week-over-week (1,400 vs. 1,424). The top three vendors (Microsoft, WordPress, Adobe) accounted for 206 of 1,400 CVEs (14.7%). Authentication Bypass constituted 19.4% of all reported attack techniques. 15.1% of CVEs (211 of 1,400) had public exploit code available; 8.9% of CVEs (124 of 1,400) had vendor-released patches. 91.2% of CRITICAL/HIGH severity vulnerabilities (612 of 671) remained unpatched at time of analysis.

Recommendations

  • Prioritize the 2 CISA KEV entries for immediate patching and verification.
  • Assess organizational exposure to the 211 CVEs with public exploit code; prioritize those intersecting with deployed technologies.
  • Monitor vendor advisories for patches addressing the 612 unpatched CRITICAL/HIGH vulnerabilities; implement compensating controls where patches are unavailable.

Top 10 Priority CVEs

Priority 119: CVE-2026-3910 HIGH KEV POC

Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.

Priority 119: CVE-2026-3909 HIGH KEV POC

Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.

Priority 96: CVE-2025-14558 HIGH POC

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. [CVSS 7.2 HIGH]

Priority 70: CVE-2026-30957 CRITICAL POC

OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.

Priority 70: CVE-2026-30887 CRITICAL POC

OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring configuration.

Priority 70: CVE-2026-30956 CRITICAL POC

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

Priority 70: CVE-2026-30921 CRITICAL POC

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

Priority 69: CVE-2019-25468 CRITICAL POC

RCE in NetGain EM Plus 10.1.68. PoC available.

Priority 69: CVE-2026-4164 CRITICAL POC

Critical command injection vulnerability in Wavlink WL-WN578W2 wireless routers (firmware version 221110) that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.

Priority 69: CVE-2026-4163 CRITICAL POC

Critical command injection vulnerability in Wavlink WL-WN579A3 wireless router firmware version 220323, allowing unauthenticated remote attackers to execute arbitrary commands via the SetName/GuestWifi functions in /cgi-bin/wireless.cgi. A public proof-of-concept exploit is available, and while a vendor patch exists, the vulnerability has not yet been added to CISA's KEV catalog despite its high severity (CVSS 9.8).
