Active-Exploitation
Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign
CVE-2026-26980 is a CVSS 9.4 unauthenticated SQL injection in Ghost's Content API. A patch shipped in February; attackers have since industrialized it into an automated campaign that has hijacked 700+ sites — including Harvard, Oxford, and DuckDuckGo — to serve ClickFix malware.
LiteSpeed cPanel Plugin CVE-2026-48172: Any User Can Run Scripts as Root
A CVSS 10.0 flaw in the LiteSpeed User-End cPanel Plugin lets any logged-in cPanel user execute scripts as root. It is being exploited in the wild — patch or uninstall now.
Cisco Catalyst SD-WAN CVE-2026-20182: Second vdaemon Auth Bypass Lands in CISA KEV
Cisco patched a CVSS 10.0 auth bypass in Catalyst SD-WAN Controller's vdaemon service. UAT-8616 is already exploiting it. CISA added it to KEV May 15 with a May 17 deadline.
Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues
CISA added CVE-2025-32975 — a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance — to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.
CVE-2026-21643: Pre-Auth SQL Injection in FortiClient EMS 7.4.4 Under Active Exploitation — CISA Deadline Tomorrow
A critical pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 is being actively exploited. The CISA KEV remediation deadline is April 16, 2026.
Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure
A missing authentication check on Marimo's terminal WebSocket endpoint (CVE-2026-39987, CVSS 9.3) gave attackers a root shell with no credentials required — and they were actively exploiting it less than 10 hours after the advisory dropped.
Adobe Acrobat Reader Zero-Day CVE-2026-34621: Prototype Pollution RCE Exploited Since December
Adobe patches APSB26-43 after confirming CVE-2026-34621, a CVSS 9.6 prototype pollution flaw in Acrobat Reader actively exploited via malicious PDFs since at least December 2025.