Critical
Ransomware use CVE-2026-35273
2026/06/12
Oracle PeopleSoft Enterprise PeopleTools — the platform under the PeopleSoft ERP (HR, finance) — has a missing-authentication-for-critical-function flaw (CWE-306). A remote, unauthenticated attacker can take over PeopleTools. CISA listed it as known-exploited (KEV) and confirmed ransomware use (CVSS 9.8 Critical, per NVD).
- Missing authentication for a critical function (CWE-306) in PeopleTools, the platform under PeopleSoft
- A remote, unauthenticated attacker can take over PeopleTools
- Listed in CISA KEV = exploitation confirmed; also confirmed used in ransomware
Critical
Ransomware use CVE-2026-48027
2026/05/27
A malicious version of "Nx Console," a popular IDE extension for the Nx build system, was published; it fetches an obfuscated payload and harvests credentials (tokens and keys) from disk and memory. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 9.8 Critical).
- A tampered build of Nx Console (an IDE extension for the Nx build system) fetched and ran an obfuscated payload
- It stole credentials from disk and memory (GitHub/npm tokens, SSH keys, cloud credentials, etc.)
- Listed in CISA KEV = exploitation confirmed; ransomware use also confirmed (CVSS 9.8 Critical)
Critical
Ransomware use CVE-2026-45321
2026/05/27
Malicious versions of the widely used TanStack (a family of React libraries) were published to the npm registry, distributing credential-stealing malware under a trusted publisher identity. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 9.6 Critical).
- Malicious versions of TanStack (popular React libraries) were published to npm
- A trusted publisher (maintainer identity) was abused to distribute credential-stealing malware
- Listed in CISA KEV = exploitation confirmed; ransomware use also confirmed (CVSS 9.6 Critical)
Critical
CVE-2026-10520
2026/06/11
Ivanti Sentry (formerly MobileIron Sentry), a mobile-device management gateway, contains an OS command injection flaw that lets a remote, unauthenticated attacker execute code as root. CISA listed it as known-exploited (KEV) (CVSS 10.0 Critical, per NVD).
- OS command injection (CWE-78) in Ivanti Sentry (formerly MobileIron Sentry; a mobile-management gateway)
- In an unmanaged state, a remote, unauthenticated attacker can execute code as root
- Listed in CISA KEV = exploitation confirmed; NVD base score is the maximum 10.0 Critical
High
CVE-2026-11645
2026/06/09
Google's JavaScript engine "Chromium V8" has an out-of-bounds read and write vulnerability that could let a remote attacker execute arbitrary code inside the sandbox via a crafted HTML page. It can affect multiple Chromium-based browsers, including Chrome, Edge, and Opera. CISA listed it as known-exploited (KEV) (CVSS 8.8 High).
- Out-of-bounds read/write (CWE-787 / CWE-125) in V8, the core Chromium JavaScript engine
- A crafted HTML page could lead to arbitrary code execution inside the sandbox
- Affects multiple Chromium-based browsers (Chrome, Edge, Opera) — a shared engine ripples widely
Medium
CVE-2026-7473
2026/06/09
Arista EOS, the OS for Arista network switches, has an incomplete-comparison flaw in tunnel decapsulation: the switch can wrongly decapsulate and forward unexpected tunneled packets whose destination matches its configured decapsulation IP. CISA listed it as known-exploited (KEV) (CVSS 5.8 Medium, per NVD).
- Incomplete comparison (CWE-1023) during tunnel decapsulation in Arista EOS (switch OS)
- Unexpected tunneled packets destined to the configured decapsulation IP can be wrongly decapsulated and forwarded
- Can be abused to bypass network segmentation and slip past access controls
High
CVE-2026-20245
2026/06/09
An output-escaping flaw in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) lets an authenticated local attacker run arbitrary commands as root by supplying a crafted file. CISA listed it as known-exploited (KEV) (CVSS 7.8 High, per NVD).
- Improper output encoding/escaping (CWE-116) in Cisco Catalyst SD-WAN Manager (formerly vManage)
- An authenticated local attacker can run arbitrary commands as root via a crafted file
- Compromise of the central network-management platform risks propagation to many downstream sites
High
CVE-2026-42271
2026/06/08
BerriAI LiteLLM, an open-source LLM proxy that unifies many LLM providers, has a command-injection vulnerability. Any authenticated user — including holders of low-privilege internal-user keys — can run arbitrary commands on the host. CISA listed it as known-exploited (KEV) (CVSS 8.8 High).
- Command injection (CWE-78 / CWE-77) in BerriAI LiteLLM (a popular OSS LLM proxy)
- Any authenticated user, including low-privilege internal-user keys, can run arbitrary commands on the host
- Host takeover can lead to theft of managed API keys/tokens and further intrusion
Critical
CVE-2026-50751
2026/06/08
Check Point's Security Gateway products have an improper-authentication vulnerability in IKEv1 key exchange that lets an unauthenticated remote attacker bypass user authentication and establish a remote-access VPN connection without a valid user password. CISA listed it as known-exploited (KEV) (CVSS 9.3 Critical).
- IKEv1 authentication bypass (CWE-287) in Check Point Security Gateway
- An unauthenticated remote attacker establishes a remote-access VPN connection without a valid password
- Compromise of a perimeter VPN/firewall = a foothold for internal intrusion. CVSS 9.3 (Critical)
High
CVE-2026-28318
2026/06/05
SolarWinds Serv-U, a file-transfer server, has an uncontrolled-resource-consumption (DoS) flaw: without authentication, a crafted POST request using a deflate Content-Encoding header can crash the Serv-U service. CISA listed it as known-exploited (KEV) (CVSS 7.5 High, per NVD).
- Uncontrolled resource consumption (CWE-400) in SolarWinds Serv-U (a file-transfer server)
- Without authentication, a crafted deflate-encoded POST can crash the service (DoS)
- Impact is availability only (not data theft), but it can halt core file exchange
Critical
Ransomware use CVE-2026-41940
2026/04/30
cPanel & WHM (a widely used web-hosting control panel) and WP2 have a missing-authentication flaw in the login flow that lets an unauthenticated remote attacker gain unauthorized access to the control panel. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 9.8 Critical).
- Missing authentication (CWE-306) in the login flow of cPanel & WHM / WP2
- An unauthenticated remote attacker gains unauthorized access to the control panel
- cPanel/WHM is the most widely used hosting control panel = one compromise ripples to many sites
High
Ransomware use CVE-2024-1708
2026/04/28
ConnectWise ScreenConnect, a remote-management (RMM) / remote-support tool, has a path-traversal vulnerability that could let an attacker execute remote code or directly impact confidential data and critical systems. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 8.4 High).
- Path traversal (CWE-22) in ConnectWise ScreenConnect (an RMM tool that remotely manages many endpoints)
- Can lead to remote code execution (RCE) or direct impact on confidential data and critical systems
- RMM compromise = a "lever" to push malware to many managed endpoints at once
High
CVE-2022-0492
2026/06/02
An improper-authentication vulnerability in the Linux kernel cgroups v1 "release_agent" feature leads to privilege escalation. Depending on configuration it can be abused for container escape. Disclosed in 2022, but CISA listed it as known-exploited (KEV) in 2026 (CVSS 7.8 High).
- Missing privilege check in the cgroups v1 "release_agent" feature (CWE-287 / CWE-862)
- Local privilege escalation; with weak configuration, exploitable for container-to-host escape
- Disclosed in 2022 but entered KEV in 2026 = an old known vulnerability still being exploited
High
CVE-2025-48595
2026/06/02
An integer-overflow vulnerability in Android's core "Framework" component allows code execution that leads to local privilege escalation. Fixed in the June 2026 Android security update. CISA listed it as known-exploited (KEV) (CVSS 8.4 High).
- Integer overflow (CWE-190) in the Android Framework (the OS foundation layer)
- Leads to local privilege escalation via code execution
- Fixed in the June 2026 Android security bulletin. Listed in CISA KEV (CVSS 8.4 High)
High
CVE-2024-21182
2026/06/01
In Oracle WebLogic Server, an unauthenticated attacker with network access via the T3/IIOP protocols can compromise the server, leading to unauthorized access to critical data or to all accessible data. CISA listed it as known-exploited (KEV) (CVSS 7.5 High).
- WebLogic Server can be compromised via T3/IIOP without authentication
- Success leads to unauthorized access to critical data (in some cases all data)
- Fixed in Oracle's July 2024 Critical Patch Update. Listed in CISA KEV (CVSS 7.5 High)
High
CVE-2025-34291
2026/05/21
Langflow, a popular tool for visually building LLM/AI workflows, has an origin-validation error (an overly permissive CORS configuration combined with a refresh-token cookie set to SameSite=None) that lets a malicious webpage make credentialed cross-origin requests, steal tokens, and ultimately achieve code execution and full system compromise. CISA listed it as known-exploited (KEV) (CVSS 8.8 High).
- Origin-validation error (CWE-346) in Langflow (a popular OSS tool for building LLM/AI workflows in a GUI)
- Permissive CORS + a SameSite=None refresh-token cookie let a malicious page steal tokens
- Stolen tokens reach authenticated endpoints → arbitrary code execution / full system compromise
Medium
CVE-2026-34926
2026/05/21
Trend Micro Apex One (on-premise), an endpoint-protection product, has a directory-traversal vulnerability that could let a pre-authenticated local attacker modify a key table on the server to inject malicious code and deploy it to agents. CISA listed it as known-exploited (KEV) (CVSS 6.7 Medium).
- Directory traversal (CWE-23) in Trend Micro Apex One (on-premise EPP)
- A pre-authenticated local attacker modifies a key table → risk of deploying malicious code to agents
- CVSS is 6.7 (Medium; local/high complexity), but impact is large via management-server-to-endpoints spread
Critical
CVE-2026-0257
2026/05/29
An authentication-bypass vulnerability in Palo Alto Networks' firewall OS, PAN-OS, lets an attacker bypass security restrictions and establish an unauthorized VPN connection. CISA listed it as known-exploited (KEV) (CVSS 9.1 Critical).
- Authentication-bypass vulnerability in PAN-OS (the OS for Palo Alto firewall products)
- An attacker can bypass security restrictions and establish an unauthorized VPN connection
- Compromise of a perimeter device = a foothold for internal intrusion. Listed in CISA KEV (CVSS 9.1 Critical)
Critical
CVE-2026-48172
2026/05/26
The cPanel plugin for the LiteSpeed web server has a privilege-escalation flaw: any cPanel user account can run arbitrary scripts as root. CISA listed it as known-exploited (KEV) (CVSS 9.8 Critical, per NVD).
- Privilege escalation (CWE-266) in the LiteSpeed cPanel Plugin (LiteSpeed × cPanel integration)
- Any cPanel user account can execute arbitrary scripts with root privileges
- In shared hosting, one user's compromise leads directly to whole-server compromise
Critical
CVE-2026-9082
2026/05/22
Drupal, a widely used open-source CMS, has a SQL injection vulnerability in its core via the database abstraction API; specially crafted requests can lead to privilege escalation and remote code execution (RCE). CISA listed it as known-exploited (KEV) (CVSS 9.8 Critical).
- SQL injection (CWE-89) in Drupal Core via the database abstraction API
- Can lead to privilege escalation and remote code execution (RCE)
- A flaw in CMS core functionality = widely deployed, broad blast radius
High
CVE-2026-42897
2026/05/15
Microsoft Exchange Server, a mail server, has a cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA): during web page generation, and under certain user-interaction conditions, arbitrary JavaScript can be executed in the browser context. CISA listed it as known-exploited (KEV) (CVSS 8.1 High).
- Cross-site scripting (CWE-79) in Microsoft Exchange Server's Outlook Web Access (OWA)
- Under certain conditions, arbitrary JavaScript can run in the browser context
- Can lead to session hijacking, email theft, and impersonation
Critical
CVE-2026-20182
2026/05/14
Cisco's SD-WAN products, Catalyst SD-WAN Controller and Manager, have an authentication-bypass vulnerability that lets an unauthenticated remote attacker bypass authentication and obtain administrative privileges. CVSS is a perfect 10.0 (Critical). CISA listed it as known-exploited (KEV) and issued Emergency Directive 26-03.
- Authentication bypass (CWE-287) in Cisco Catalyst SD-WAN Controller/Manager
- An unauthenticated remote attacker obtains admin privileges = seizing the network control center
- CVSS is a perfect 10.0 (Critical). Listed in CISA KEV = exploitation confirmed
Critical
CVE-2026-42208
2026/05/08
BerriAI LiteLLM, an open-source LLM proxy/gateway that unifies many LLM providers, has a SQL injection vulnerability. An attacker can read — and potentially modify — the proxy's database, leading to unauthorized access to the proxy and the credentials (API keys, etc.) it manages. CISA listed it as known-exploited (KEV) (CVSS 9.8 Critical).
- SQL injection (CWE-89) in BerriAI LiteLLM (a popular OSS LLM proxy/gateway)
- An attacker can read/modify the proxy's DB, reaching the proxy and the credentials it manages
- An LLM proxy centrally manages many API keys/tokens = the "keyring" is exposed at once
High
CVE-2026-6973
2026/05/07
Ivanti Endpoint Manager Mobile (EPMM), a mobile-device management product, has an improper-input-validation vulnerability that lets a remotely authenticated user with administrative access achieve remote code execution (RCE). CISA listed it as known-exploited (KEV) (CVSS 7.2 High).
- Improper input validation (CWE-20) in Ivanti EPMM (mobile-device management; formerly MobileIron)
- A remotely authenticated user with admin access can achieve remote code execution (RCE)
- Requires auth/admin so CVSS is 7.2 (High), but impact is large given it is a management platform
Critical
CVE-2026-0300
2026/05/06
PAN-OS, the OS for Palo Alto Networks firewalls, has an out-of-bounds write flaw in the User-ID Authentication Portal (Captive Portal). A remote, unauthenticated attacker can execute code as root on PA-Series and VM-Series firewalls via crafted packets. CISA listed it as known-exploited (KEV) (CVSS 9.8 Critical, per NVD).
- Out-of-bounds write in the User-ID Authentication Portal (Captive Portal) of PAN-OS
- A remote, unauthenticated attacker can run code as root on PA/VM-Series via crafted packets
- Listed in CISA KEV = exploitation confirmed; NVD base score near-maximum 9.8 Critical
High
CVE-2026-31431
2026/05/01
The Linux kernel — the core of the Linux OS — has an incorrect-resource-transfer-between-spheres flaw (CWE-669). A local attacker who already has code execution on the machine can escalate to higher privileges. CISA listed it as known-exploited (KEV) (CVSS 7.8 High, per NVD).
- Privilege escalation via incorrect resource transfer between spheres (CWE-669) in the Linux kernel
- Local escalation (attacker already has some execution), not a standalone remote intrusion
- Listed in CISA KEV = exploitation confirmed; NVD base score 7.8 High