Exploit-Ready Bugs Outpace Patches in Edge, IoT, and Medical Imaging Gear
Executive Summary
Overview
1919 CVEs were published (218 Critical, 659 High, 798 Medium, 156 Low), 0 in CISA KEV, 235 with public exploit code.
Critical Threats
- CVE-2026-8451 (HIGH, CVSS 8.8) — Citrix NetScaler ADC and NetScaler Gateway memory overread when configured as a SAML identity provider, enabling disclosure of sensitive in-memory data such as tokens and session material. Public exploit code available; vendor-released patch available. Unauthenticated remote attackers.
- CVE-2026-57498 (CRITICAL, CVSS 9.6) — Coolify cross-team authorization bypass allows an authenticated low-privileged user to deploy and manipulate resources belonging to other teams via Livewire web UI components. Public exploit code available; vendor-released patch: 4.0.0-beta.474.
- CVE-2026-58453 (CRITICAL, CVSS 9.3) — Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) allows attackers to log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Public exploit code available; no vendor-released patch identified.
- CVE-2026-58457 (CRITICAL, CVSS 9.3) — Shenzhen Aitemi M300 Wi-Fi Repeater (MT02) unauthenticated OS command injection via the
smacfilter_confhandler in the commuos web backend, allowing network-adjacent attackers to execute arbitrary shell commands as root. Public exploit code available; no vendor-released patch identified. - CVE-2026-56782 (CRITICAL, CVSS 9.3) — Unauthenticated database exfiltration and overwrite in Gorse before 0.5.10 via unprotected
/api/dumpand/api/restoreendpoints whenadmin_api_keyis unset. Public exploit code available; no vendor-released patch identified. - CVE-2026-58127 (CRITICAL, CVSS 9.3) — Hyland PACSgear MediaWriter 5.2.1 unauthenticated remote code execution as SYSTEM via .NET Remoting TCP service. Public exploit code available; no vendor-released patch identified. Unauthenticated remote attackers.
- CVE-2026-58126 (CRITICAL, CVSS 9.3) — Hyland PACSgear PACS Scan 5.2.1 unauthenticated remote code execution via exposed .NET Remoting TCP service on port 22222, allowing SYSTEM-level control of medical imaging servers through arbitrary file read/write chained with a DLL hijack. Public exploit code available; no vendor-released patch identified.
- CVE-2026-57517 (CRITICAL, CVSS 9.3) — Control Web Panel (CWP) unauthenticated blind SQL injection before 0.9.8.1225 allows remote attackers to inject arbitrary SQL via the
userResPOST parameter, escalating to remote code execution through MySQL root privileges and PHP webshell deployment. Public exploit code available; vendor-released patch: 0.9.8.1225.
Threat Landscape
Most-affected vendors: Google (491), WordPress (131), Microsoft (123), Apple (83), IBM (43).
Most common attack techniques: Information Disclosure (562), Authentication Bypass (357), Denial Of Service (262), RCE (192), XSS (181).
Patch coverage: 1140 of 1919 CVEs have a patch; 361 Critical/High remain unpatched.
Key Trends
- Volume is 11% up week-over-week (1728 → 1919 CVEs).
- 235 CVEs have public exploit code.
Top 8 Priority CVEs
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.
Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). No public exploit identified at time of analysis, but the CVSS 9.6 rating and trivially manipulable parameters make this a high-priority fix for any multi-tenant Coolify deployment.
Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.
Unauthenticated OS command injection in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) lets network-adjacent attackers run arbitrary shell commands as root through the smacfilter_conf handler in the commuos web backend. Publicly available exploit code exists (published by VulnCheck/IEATASICS), and successful exploitation grants full device takeover; the flaw carries a CVSS 4.0 base score of 9.3 but is reachable only by attackers adjacent to the device's network. No public exploit is listed in CISA KEV, so this is proof-of-concept exposure rather than confirmed active exploitation.
Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. No public exploit is identified at time of analysis, but the flaw is trivially reachable on any default deployment, and the vendor (VulnCheck) rates it CVSS 4.0 9.3 (critical).
Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.
Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.
Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).