1,597 CVEs: 649 Unpatched Critical/High, Trivy Supply Chain Attack

Mar 23 - Mar 30, 2026
Threat Landscape 23/03-30/03/2026: Supply Chain Attacks and Auth Failures Surge
Audio briefing available – Threat landscape analysis for this week
Total CVEs
1597
Critical + High
759
KEV
1
Public Exploits
201

Executive Summary

Overview

During the reporting period (2026-03-23 to 2026-03-30), vuln.today data identified 1,597 CVEs: 154 CRITICAL, 605 HIGH, 631 MEDIUM, 58 LOW, and 149 UNKNOWN severity. The dataset includes 1 CISA KEV entry, 201 public exploits/POCs, and 224 patches available. 649 CRITICAL/HIGH vulnerabilities remain unpatched. CVE volume increased 24% week-over-week (previous week: 1,288 CVEs).

Critical Threats

  • CVE-2026-33634 (CRITICAL, CVSS 9.4, Priority 97, EPSS 0.0%): Trivy security scanner v0.69.4 supply chain attack. Confirmed actively exploited (CISA KEV); public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.
  • CVE-2026-4585 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.2%): OS command injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 (ImportSystemConfiguration.jsp). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Tiandy Easy7 installations and versions; isolate affected systems from production networks if possible; enable enhanced logging and monitoring. Within 7 days: Deploy net
  • CVE-2026-4567 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.1%): Stack-based buffer overflow in Tenda A15 router firmware version 15.13.07.13 (UploadCfg function). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Tenda A15 routers in your environment and identify those running firmware 15.13.07.13; disable internet-facing access to the /cgi-bin/UploadCfg endpoint immediately via
  • CVE-2026-30530 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (save_customer action's username parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro
  • CVE-2026-30533 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (admin/manage_product.php 'id' parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro
  • CVE-2026-30532 (CRITICAL, CVSS 9.8, Priority 69, EPSS 0.0%): SQL injection in SourceCodester Online Food Ordering System v1.0 (admin/view_product.php 'id' parameter). Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro
  • CVE-2026-33696 (CRITICAL, CVSS 9.4, Priority 67, EPSS 0.5%): Prototype pollution in n8n workflow automation platform (XML and GSuiteAdmin nodes) affecting versions prior to 2.14.1, 2.13.3, and 1.123.27; enables remote code execution. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all n8n instances and document current versions; audit user access logs for XML and GSuiteAdmin node usage; restrict workflow creation/modification permissions to essential
  • CVE-2026-33660 (CRITICAL, CVSS 9.4, Priority 67, EPSS 0.1%): n8n workflow automation platform Merge node 'Combine by SQL' mode allows authenticated users to read arbitrary local files and achieve remote code execution; affects versions prior to 2.14.1, 2.13.3, and 1.123.26. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow change
  • CVE-2025-71275 (CRITICAL, CVSS 9.3, Priority 67, EPSS 0.5%): Remote code execution in Zimbra Collaboration Suite PostJournal service version 8.8.15 via SMTP injection through RCPT TO parameter. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Zimbra installations and identify systems running version 8.8.15; immediately isolate affected servers from untrusted networks or restrict SMTP access to trusted sources
  • CVE-2025-60949 (CRITICAL, CVSS 9.3, Priority 67, EPSS 0.0%): Information disclosure in Census CSWeb 8.0.1 (app/config endpoint reachable without authentication); affects versions prior to 8.1.0 alpha. Public exploit code available; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Census CSWeb 8.0.1 instances and determine network exposure (internal vs. internet-facing); immediately restrict network access to the app/config endpoint via firewall o
  • CVE-2026-2417 (CRITICAL): Linked threat intelligence present in vuln.today data.
  • CVE-2026-3650 (HIGH): Linked threat intelligence present in vuln.today data.

Threat Landscape

Top affected vendors: Debian (190 CVEs), Suse (163), Apple (108), Linux (106), WordPress (72), Mozilla (49), Microsoft (38), Google (30), IBM (26), and Drupal (25). Top attack techniques: Information Disclosure (378), Authentication Bypass (312), Denial Of Service (245), XSS (200), RCE (143), Buffer Overflow (133), SQLi (108), Privilege Escalation (82), Path Traversal (63), and Code Injection (51). Patch coverage: 224 patches available against 759 CRITICAL/HIGH vulnerabilities (29% coverage); 649 CRITICAL/HIGH remain unpatched.

Key Trends

CVE volume increased 24% week-over-week. 201 CVEs (13% of total) have public exploit code available. Debian and Suse account for 22% of vendor-attributed vulnerabilities. Information Disclosure, Authentication Bypass, and Denial of Service represent 58% of identified attack techniques. 86% of CRITICAL/HIGH severity vulnerabilities remain unpatched.

Recommendations

  • CVE-2026-33634: Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.
  • CVE-2026-4585: Within 24 hours: Inventory all Tiandy Easy7 installations and versions; isolate affected systems from production networks if possible; enable enhanced logging and monitoring. Within 7 days: Deploy net
  • CVE-2026-4567: Within 24 hours: Inventory all Tenda A15 routers in your environment and identify those running firmware 15.13.07.13; disable internet-facing access to the /cgi-bin/UploadCfg endpoint immediately via
  • CVE-2026-30530, CVE-2026-30533, CVE-2026-30532: Within 24 hours: Identify all affected systems running SourceCodester Online Food Ordering System and apply vendor patches immediately. Validate that input sanitization is in place for all user-contro
  • CVE-2026-33696: Within 24 hours: Inventory all n8n instances and document current versions; audit user access logs for XML and GSuiteAdmin node usage; restrict workflow creation/modification permissions to essential
  • CVE-2026-33660: Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow change
  • CVE-2025-71275: Within 24 hours: Inventory all Zimbra installations and identify systems running version 8.8.15; immediately isolate affected servers from untrusted networks or restrict SMTP access to trusted sources
  • CVE-2025-60949: Within 24 hours: Inventory all Census CSWeb 8.0.1 instances and determine network exposure (internal vs. internet-facing); immediately restrict network access to the app/config endpoint via firewall o
  • Prioritize remediation for the 1 CISA KEV entry and 201 CVEs with public exploit code.
  • Address 649 unpatched CRITICAL/HIGH vulnerabilities through compensating controls, network segmentation, or vendor engagement for patch timelines.

Top 10 Priority CVEs

117
CVE-2026-33634 CRITICAL KEV POC

Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.
69
CVE-2026-4585 CRITICAL POC

A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the ImportSystemConfiguration.jsp file's Configuration Handler. Attackers can remotely execute arbitrary operating system commands without authentication by manipulating the 'File' parameter. A public proof-of-concept exploit has been disclosed and is available, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.
65
CVE-2026-4567 HIGH POC

Stack-based buffer overflow in Tenda A15 router firmware version 15.13.07.13 allows unauthenticated remote attackers to achieve complete system compromise through a malicious file upload to the UploadCfg function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network with trivial complexity.
69
CVE-2026-30530 CRITICAL POC

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL commands through unsanitized input in the save_customer action's username parameter. The application fails to implement proper input validation or prepared statements, enabling attackers to manipulate database queries directly. Publicly available exploit code exists, and this vulnerability affects the PHP-based web application with no confirmed patch status at time of analysis.
69
CVE-2026-30533 CRITICAL POC

SQL injection in SourceCodester Online Food Ordering System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'id' parameter in admin/manage_product.php, enabling unauthorized database access and data exfiltration. Publicly available exploit code exists for this vulnerability; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation at scale.
69
CVE-2026-30532 CRITICAL POC

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL queries through the 'id' parameter in admin/view_product.php, enabling unauthorized database access and potential data exfiltration. The vulnerability affects the administrative interface and publicly available exploit code exists, increasing real-world exploitation risk despite the absence of formal CVSS scoring.
67
CVE-2026-33696 CRITICAL POC

A prototype pollution vulnerability in the XML and GSuiteAdmin nodes of n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to achieve remote code execution. Versions prior to 2.14.1, 2.13.3, and 1.123.27 are affected. The CVSS score of 9.4 (Critical) reflects network-based exploitation with low complexity requiring only low-level authentication, though no current KEV listing or public POC availability is indicated in the provided intelligence.
67
CVE-2026-33660 CRITICAL POC

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.
67
CVE-2025-71275 CRITICAL POC

A critical unauthenticated remote code execution vulnerability exists in Zimbra Collaboration Suite PostJournal service version 8.8.15, allowing attackers to execute arbitrary system commands via SMTP injection through improper sanitization of the RCPT TO parameter using shell expansion syntax. A publicly available proof-of-concept exploit exists (PacketStorm), significantly increasing exploitation risk. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this represents an immediate threat to exposed Zimbra installations.
67
CVE-2025-60949 CRITICAL POC

Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.
Previous Week Next Week

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy