1,272 CVEs: 431 Unpatched Critical/High, Authentication Bypass Leads
Executive Summary
Overview
For the reporting period 2026-03-16 to 2026-03-23, vuln.today data recorded 1,272 published CVEs: 105 CRITICAL, 448 HIGH, 573 MEDIUM, 89 LOW, and 57 UNKNOWN severity. One CISA KEV entry was present. Public exploits or proof-of-concept code were identified for 147 CVEs. Patches were available for 227 CVEs, leaving 431 CRITICAL or HIGH severity vulnerabilities unpatched at time of analysis. Week-over-week CVE volume decreased 9% from 1,400 in the prior period.
Critical Threats
- CVE-2026-33017 (CRITICAL, CVSS 9.3, Priority 97): Python endpoint /api/v1/build_public_tmp/{flow_id}/flow allows unauthenticated remote code execution via attacker-controlled flow data passed to exec() with zero sandboxing; confirmed actively exploited (CISA KEV); EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Disable or restrict network access to the /api/v1/build_public_tmp/{flow_id}/flow endpoint via WAF/firewall rules and disable public flow functionality if not business-critical.
- CVE-2026-33309 (CRITICAL, CVSS 9.9, Priority 70): Canonical Docker, Python path traversal in Langflow file upload allows authenticated attackers to write arbitrary files for remote code execution; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block file upload attempts.
- CVE-2026-4252 (CRITICAL, CVSS 9.8, Priority 69): Tenda AC8 firmware 16.03.50.11 authentication bypass in IPv6 handler function check_is_ipv6 allows remote attackers unauthorized access via IP address reliance; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Tenda AC8 16.03.50.11 devices in production and isolate them from critical network segments; disable remote management if enabled.
- CVE-2026-25873 (CRITICAL, CVSS 9.8, Priority 69): Deserialization vulnerability in OmniGen2-RL reward server permits unauthenticated remote code execution via malicious HTTP POST exploiting insecure pickle deserialization; public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all OmniGen2-RL instances in your environment and isolate any exposed reward servers from untrusted networks; assess whether affected systems process sensitive data.
- CVE-2017-20223 (CRITICAL, CVSS 9.8, Priority 69): Telesquare SKT LTE Router SDT-CS3B1 firmware 1.2.0 insecure direct object reference allows remote attackers to bypass authentication and access sensitive resources by manipulating input parameters; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Telesquare SKT LTE Router SDT-CS3B1 devices in production and isolate affected units from critical network segments; disable remote management access if enabled.
- CVE-2026-21992 (CRITICAL, CVSS 9.8, Priority 69): Oracle Identity Manager and Web Services Manager authentication bypass in REST WebServices and Web Services Security components (versions 12.2.1.4.0 and 14.1.2.1.0) allows remote attackers complete system compromise without credentials; public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity.
- CVE-2026-32760 (CRITICAL, CVSS 9.8, Priority 69): Docker filebrowser privilege escalation allows unauthenticated visitors to register full administrator accounts when self-registration is enabled and default permissions include perm.admin = true; public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: disable self-registration (signup = false) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove perm.admin from default user permissions.
- CVE-2026-25769 (CRITICAL, CVSS 9.1, Priority 66): Wazuh deserialization vulnerability in cluster mode allows attackers with worker node access to achieve remote code execution with root privileges on master node; affects versions 4.0.0 through 4.14.2; public exploit code available; EPSS 0.4%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit all Wazuh worker nodes for unauthorized access and isolate any showing signs of compromise; document current Wazuh version and cluster topology. Within 7 days: Implement network segmentation to restrict worker-to-master communication.
- CVE-2026-4558 (HIGH, CVSS 8.8, Priority 64): Linksys MR9600 router firmware 2.0.6.206937 remote OS command injection in SmartConnect.lua allows authenticated attackers to inject commands via configApSsid, configApPassphrase, srpLogin, or srpPassword parameters; public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers.
- CVE-2026-32042 (HIGH, CVSS 8.8, Priority 64): OpenClaw versions 2026.2.22 through 2026.2.24 privilege escalation allows authenticated attackers to bypass device pairing and self-assign operator.admin scopes via self-signed unpaired device identities; public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Review and apply the upstream fix after validation.
Threat Landscape
WordPress led vendor distribution with 135 CVEs, followed by Debian (105), Google (54), Linux (45), and Microsoft (43). D-Link, Apple, Tenda, Nginx, and IBM each contributed 10-21 CVEs. Attack technique distribution was led by Authentication Bypass (268 instances), Information Disclosure (259), and XSS (175), followed by Denial Of Service (160), Buffer Overflow (119), and RCE (116). SQLi, Path Traversal, SSRF, and Privilege Escalation collectively accounted for 253 instances. Patches were available for 227 of 1,272 CVEs (17.8% patch coverage), with 431 CRITICAL or HIGH severity issues remaining unpatched. Two CVEs exhibited EPSS scores at 10.0%: CVE-2026-33352 (CRITICAL) and CVE-2026-33354 (HIGH). Five CVEs were associated with threat intelligence from MISP Galaxies, MITRE ATT&CK, or CISA: CVE-2026-25192, CVE-2026-29796, CVE-2026-24060 (all CRITICAL); CVE-2026-25086 and CVE-2026-31904 (both HIGH).
Key Trends
CVE publication volume decreased 9% week-over-week from 1,400 to 1,272. Vendor concentration remained high, with WordPress and Debian accounting for 18.9% of total CVEs. Authentication Bypass was the most prevalent attack technique at 21.1% of all CVEs, with Information Disclosure close behind at 20.4%. The patch availability ratio of 17.8% left 77.9% of CRITICAL and HIGH severity issues (431 of 553) unpatched at time of analysis. Public exploits or proof-of-concept code were available for 11.6% of all CVEs (147 of 1,272), while only one CVE appeared in CISA KEV data.
Recommendations
- CVE-2026-33017: Within 24 hours: Disable or restrict network access to the /api/v1/build_public_tmp/{flow_id}/flow endpoint via WAF/firewall rules and disable public flow functionality if not business-critical.
- CVE-2026-33309: Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block file upload attempts.
- CVE-2026-4252: Within 24 hours: Identify and inventory all Tenda AC8 16.03.50.11 devices in production and isolate them from critical network segments; disable remote management if enabled.
- CVE-2026-25873: Within 24 hours: Identify all OmniGen2-RL instances in your environment and isolate any exposed reward servers from untrusted networks; assess whether affected systems process sensitive data.
- CVE-2017-20223: Within 24 hours: Inventory all Telesquare SKT LTE Router SDT-CS3B1 devices in production and isolate affected units from critical network segments; disable remote management access if enabled.
- CVE-2026-21992: Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity.
- CVE-2026-32760: Within 24 hours: disable self-registration (signup = false) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove perm.admin from default user permissions.
- CVE-2026-25769: Within 24 hours: Audit all Wazuh worker nodes for unauthorized access and isolate any showing signs of compromise; document current Wazuh version and cluster topology. Within 7 days: Implement network segmentation to restrict worker-to-master communication.
- CVE-2026-4558: Within 24 hours: Inventory all Linksys MR9600 devices in production and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers.
- CVE-2026-32042: Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Review and apply the upstream fix after validation.
- Prioritize remediation for the one CISA KEV entry and the 147 CVEs with public exploit code available.
- Address the 431 unpatched CRITICAL or HIGH severity vulnerabilities through compensating controls, vendor engagement, or decommissioning where patches are unavailable.
Top 10 Priority CVEs
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-33017, CVSS 9.3) in the public flow build API that allows attackers to execute arbitrary Python code by supplying malicious flow data. KEV-listed with public PoC, this vulnerability enables anyone with network access to a Langflow instance to achieve server compromise through the API that builds public flows without authentication.
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
A critical authentication bypass vulnerability exists in Tenda AC8 router firmware version 16.03.50.11 where the IPv6 handler function check_is_ipv6 relies on IP address for authentication, allowing remote attackers to gain unauthorized access. The vulnerability has a publicly available proof-of-concept exploit on GitHub and scores 9.8 CVSS, enabling complete compromise of the affected device with no authentication required. While not currently listed in CISA KEV, the combination of public exploit availability and ease of exploitation makes this a high-priority vulnerability for organizations using affected Tenda routers.
OmniGen2-RL reward server component contains an unauthenticated remote code execution vulnerability allowing attackers to execute arbitrary commands through malicious HTTP POST requests exploiting insecure pickle deserialization. The vulnerability affects Beijing Academy of Artificial Intelligence (BAAI)'s OmniGen2-RL software with a critical CVSS score of 9.8. A public proof-of-concept exploit is available and a patch has been released by the vendor, making this an immediate priority for organizations running exposed instances.
An insecure direct object reference vulnerability in Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 allows remote attackers to bypass authentication and directly access sensitive resources by manipulating input parameters. With a publicly available proof-of-concept exploit and a critical CVSS score of 9.8, attackers can gain unauthorized access to sensitive information and system functionalities without any authentication or user interaction required.
A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public POC has been documented in available sources.
Unauthenticated attackers can register administrator accounts in Docker filebrowser when self-registration is enabled and default user permissions include admin privileges, because the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achieve remote code execution with root privileges on the master node. The vulnerability affects Wazuh versions 4.0.0 through 4.14.2 and poses severe risk to organizations using Wazuh in distributed deployments, as compromise of any single worker node can lead to full cluster takeover. While no active exploitation has been reported (not in KEV), proof-of-concept materials are publicly available via the Google Drive link in the advisory.
Unauthenticated attackers can inject arbitrary operating system commands through manipulated parameters in the SmartConnect configuration function of Linksys MR9600 firmware version 2.0.6.206937, achieving remote code execution with high privileges. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires only network access and low complexity, making it immediately exploitable in affected deployments.
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.