Skip to main content

Exploit-Ready Bugs Outpace Patches in Edge, IoT, and Medical Imaging Gear

Jun 29 - Jul 06, 2026
Total CVEs
1919
Critical + High
877
KEV
0
Public Exploits
235

Executive Summary

Overview

1919 CVEs were published (218 Critical, 659 High, 798 Medium, 156 Low), 0 in CISA KEV, 235 with public exploit code.

Critical Threats

  • CVE-2026-8451 (HIGH, CVSS 8.8) — Citrix NetScaler ADC and NetScaler Gateway memory overread when configured as a SAML identity provider, enabling disclosure of sensitive in-memory data such as tokens and session material. Public exploit code available; vendor-released patch available. Unauthenticated remote attackers.
  • CVE-2026-57498 (CRITICAL, CVSS 9.6) — Coolify cross-team authorization bypass allows an authenticated low-privileged user to deploy and manipulate resources belonging to other teams via Livewire web UI components. Public exploit code available; vendor-released patch: 4.0.0-beta.474.
  • CVE-2026-58453 (CRITICAL, CVSS 9.3) — Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) allows attackers to log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Public exploit code available; no vendor-released patch identified.
  • CVE-2026-58457 (CRITICAL, CVSS 9.3) — Shenzhen Aitemi M300 Wi-Fi Repeater (MT02) unauthenticated OS command injection via the smacfilter_conf handler in the commuos web backend, allowing network-adjacent attackers to execute arbitrary shell commands as root. Public exploit code available; no vendor-released patch identified.
  • CVE-2026-56782 (CRITICAL, CVSS 9.3) — Unauthenticated database exfiltration and overwrite in Gorse before 0.5.10 via unprotected /api/dump and /api/restore endpoints when admin_api_key is unset. Public exploit code available; no vendor-released patch identified.
  • CVE-2026-58127 (CRITICAL, CVSS 9.3) — Hyland PACSgear MediaWriter 5.2.1 unauthenticated remote code execution as SYSTEM via .NET Remoting TCP service. Public exploit code available; no vendor-released patch identified. Unauthenticated remote attackers.
  • CVE-2026-58126 (CRITICAL, CVSS 9.3) — Hyland PACSgear PACS Scan 5.2.1 unauthenticated remote code execution via exposed .NET Remoting TCP service on port 22222, allowing SYSTEM-level control of medical imaging servers through arbitrary file read/write chained with a DLL hijack. Public exploit code available; no vendor-released patch identified.
  • CVE-2026-57517 (CRITICAL, CVSS 9.3) — Control Web Panel (CWP) unauthenticated blind SQL injection before 0.9.8.1225 allows remote attackers to inject arbitrary SQL via the userRes POST parameter, escalating to remote code execution through MySQL root privileges and PHP webshell deployment. Public exploit code available; vendor-released patch: 0.9.8.1225.

Threat Landscape

Most-affected vendors: Google (491), WordPress (131), Microsoft (123), Apple (83), IBM (43).

Most common attack techniques: Information Disclosure (562), Authentication Bypass (357), Denial Of Service (262), RCE (192), XSS (181).

Patch coverage: 1140 of 1919 CVEs have a patch; 361 Critical/High remain unpatched.

Key Trends

  • Volume is 11% up week-over-week (1728 → 1919 CVEs).
  • 235 CVEs have public exploit code.

Top 8 Priority CVEs

70
CVE-2026-8451 HIGH POC

Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.

68
CVE-2026-57498 CRITICAL POC

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). No public exploit identified at time of analysis, but the CVSS 9.6 rating and trivially manipulable parameters make this a high-priority fix for any multi-tenant Coolify deployment.

68
CVE-2026-58453 CRITICAL POC

Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.

68
CVE-2026-58457 CRITICAL POC

Unauthenticated OS command injection in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) lets network-adjacent attackers run arbitrary shell commands as root through the smacfilter_conf handler in the commuos web backend. Publicly available exploit code exists (published by VulnCheck/IEATASICS), and successful exploitation grants full device takeover; the flaw carries a CVSS 4.0 base score of 9.3 but is reachable only by attackers adjacent to the device's network. No public exploit is listed in CISA KEV, so this is proof-of-concept exposure rather than confirmed active exploitation.

67
CVE-2026-56782 CRITICAL POC

Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. No public exploit is identified at time of analysis, but the flaw is trivially reachable on any default deployment, and the vendor (VulnCheck) rates it CVSS 4.0 9.3 (critical).

67
CVE-2026-58127 CRITICAL POC

Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.

67
CVE-2026-58126 CRITICAL POC

Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.

67
CVE-2026-57517 CRITICAL POC

Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy