1,224 CVEs Published: 498 Critical/High, 280 Unpatched, 2 KEV Entries
Executive Summary
Overview
During the reporting period 2026-03-30 to 2026-04-06, vuln.today data recorded 1,224 published CVEs with the following severity distribution: 132 CRITICAL, 366 HIGH, 571 MEDIUM, 67 LOW, and 88 UNKNOWN. The dataset includes 2 CISA KEV entries, 178 CVEs with public exploits or POCs, 427 with patches available, and 280 unpatched CRITICAL/HIGH vulnerabilities. Week-over-week CVE volume decreased 23% from 1,597 CVEs in the previous period.
Critical Threats
- CVE-2026-5281 (HIGH, CVSS 8.8): Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in Dawn graphics component. Confirmed actively exploited (CISA KEV). Public exploit code available. Patch available per vendor advisory.
- CVE-2026-3502 (HIGH, CVSS 7.8): Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. Confirmed actively exploited (CISA KEV). Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all TrueConf Client deployments and document current versions in use. Within 7 days: Disable or restrict auto-update functionality via Group Policy or application settings.
- CVE-2026-2699 (CRITICAL, CVSS 9.8, EPSS 0.4%): Unauthenticated remote code execution in Progress ShareFile Storage Zones Controller allows network attackers to access restricted configuration pages and execute arbitrary code. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller instances across your infrastructure and determine deployment type (cloud-hosted vs. customer-managed on-premises).
- CVE-2026-29014 (CRITICAL, CVSS 9.3, EPSS 0.2%): MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection. Public exploit code available. No vendor-released patch identified at time of analysis.
- CVE-2026-2701 (CRITICAL, CVSS 9.1, EPSS 0.2%): Remote code execution in Progress ShareFile Storage Zones Controller allows authenticated administrators to upload and execute malicious files. Confirmed actively exploited (CISA KEV). Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller deployments and document current versions; immediately audit administrative account activity for anomalies and enforce multi-.
- CVE-2026-4896 (HIGH, CVSS 8.1): Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete WordPress posts. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all WordPress instances running WCFM Frontend Manager ≤6.7.25 and document current vendor user accounts with active credentials; restrict vendor role permissions to read-only.
- CVE-2026-5212 (HIGH, CVSS 7.4, EPSS 0.1%): Stack-based buffer overflow in D-Link NAS devices enables authenticated remote attackers to execute arbitrary code affecting 20+ end-of-life D-Link DNS and DNR models through firmware version 20260205. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all D-Link DNS and DNR NAS devices in production; verify firmware versions against 20260205 baseline and identify which models are affected per vendor's published vulnerabil.
- CVE-2026-5204 (HIGH, CVSS 7.4): Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Tenda CH22 v1.0.0.1 devices on your network using asset discovery tools and disable remote administrative access until mitigation is confirmed. Within 7 days: Contact Ten.
Threat Landscape
The top affected vendors were Linux (93 CVEs), Microsoft (55), WordPress (46), Google (38), and Debian (35). Attack techniques were dominated by Information Disclosure (286 CVEs), Authentication Bypass (201), XSS (176), RCE (139), and Denial of Service (117). Of 1,224 total CVEs, 427 have patches available while 280 CRITICAL/HIGH vulnerabilities remain unpatched. Three CVEs (CVE-2026-1579, CVE-2026-3356, CVE-2025-7741) have associated threat intelligence linkages from MISP Galaxies, MITRE ATT&CK, or CISA sources.
Key Trends
CVE volume decreased 23% week-over-week from 1,597 to 1,224. Linux, Microsoft, and WordPress accounted for 194 CVEs (16% of total volume). Information Disclosure, Authentication Bypass, and XSS represented 663 CVEs (54% of attack techniques). The dataset shows 35% patch availability rate (427 patched of 1,224 total), while 56% of CRITICAL/HIGH vulnerabilities (280 of 498) lack vendor-released patches. Public exploit code exists for 178 CVEs (15% of total), with 2 CVEs confirmed in CISA KEV.
Recommendations
- CVE-2026-3502: Within 24 hours: Inventory all TrueConf Client deployments and document current versions in use. Within 7 days: Disable or restrict auto-update functionality via Group Policy or application settings.
- CVE-2026-2699: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller instances across your infrastructure and determine deployment type (cloud-hosted vs. customer-managed on-premises).
- CVE-2026-2701: Within 24 hours: Inventory all Progress ShareFile Storage Zones Controller deployments and document current versions; immediately audit administrative account activity for anomalies and enforce multi-.
- CVE-2026-4896: Within 24 hours: Identify all WordPress instances running WCFM Frontend Manager ≤6.7.25 and document current vendor user accounts with active credentials; restrict vendor role permissions to read-only.
- CVE-2026-5212: Within 24 hours: Inventory all D-Link DNS and DNR NAS devices in production; verify firmware versions against 20260205 baseline and identify which models are affected per vendor's published vulnerabil.
- CVE-2026-5204: Within 24 hours: Identify all Tenda CH22 v1.0.0.1 devices on your network using asset discovery tools and disable remote administrative access until mitigation is confirmed. Within 7 days: Contact Ten.
- Prioritize remediation of 2 CISA KEV entries and 178 CVEs with public exploit code. Focus patching efforts on 280 unpatched CRITICAL/HIGH vulnerabilities. For end-of-life products with no vendor-released patches (D-Link NAS devices, Tenda CH22 router), implement network-level access restrictions or plan device replacement.
Top 10 Priority CVEs
Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.
Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. The auto-update mechanism accepts unsigned or unverified payloads, enabling man-in-the-middle attackers with high privileges to substitute trojanized updates that execute with the application's permissions. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code not identified at time of analysis. CVSS 7.8 reflects the adjacent network attack vector and user interaction requirement, reducing immediate internet-scale risk.
Unauthenticated remote code execution in Progress ShareFile Storage Zones Controller allows network attackers to access restricted configuration pages and execute arbitrary code with no user interaction required. This critical vulnerability (CVSS 9.8) affects customer-managed SZC deployments and has publicly available exploit code, enabling trivial weaponization. The attack requires no privileges, low complexity, and achieves full system compromise (confidentiality, integrity, availability impact all high), making this an immediate patching priority for organizations running on-premises ShareFile infrastructure.
MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web script or HTML via the unvalidated 'msg' parameter in add_stock.php. The vulnerability is publicly demonstrated with available proof-of-concept code, enabling attackers to execute malicious scripts in users' browsers without requiring authentication or special privileges.
Remote code execution in Progress ShareFile Storage Zones Controller allows authenticated administrators to upload and execute malicious files on the server. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries a 9.1 CVSS score due to scope change enabling post-compromise lateral movement. The attack requires high privileges but no user interaction, making it a priority target for attackers who have compromised admin credentials through phishing or credential theft.
Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public.
Pharmacy Product Management System 1.0 accepts negative price and total cost values in sales transactions due to insufficient input validation in add-sales.php, enabling attackers to manipulate financial records, corrupt sales reports, and cause financial loss. The vulnerability allows unauthenticated or low-privilege users to submit arbitrary negative values that bypass business logic controls. Publicly available exploit code exists demonstrating this business logic flaw.
Stack-based buffer overflow in D-Link NAS devices enables authenticated remote attackers to execute arbitrary code with full system privileges. Affecting 20+ end-of-life D-Link DNS and DNR network storage models through firmware version 20260205, the flaw resides in the Webdav_Upload_File function within /cgi-bin/webdav_mgr.cgi. Publicly available exploit code exists, significantly lowering the barrier to exploitation. CVSS 8.8 (High) reflects network-accessible attack requiring only low-privilege authentication with no user interaction. Organizations using these legacy devices face immediate risk of complete confidentiality, integrity, and availability compromise.
Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the webSiteId parameter in the formWebTypeLibrary function. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (PR:L), the vulnerability enables complete compromise of router confidentiality, integrity, and availability with low attack complexity.