Active-Exploitation
Langflow Hit With Its Second CISA KEV Entry in Four Months: CVE-2026-55255 IDOR Under Active Exploitation
CISA adds Langflow CVE-2026-55255, an IDOR letting authenticated attackers hijack other users' AI workflows, to its KEV catalog after Sysdig caught in-the-wild exploitation chained with secret harvesting.
CVE-2026-11405: Undocumented Admin Backdoor in Tenda Router Firmware, No Patch Available
CERT/CC disclosed a hardcoded backdoor password mechanism in Tenda router firmware that grants full admin access regardless of the real password — Tenda has not responded to coordination attempts since May, and there is no patch.
Gitea CVE-2026-20896: Docker Images Trusted a Spoofable Header for Admin Access, Now Under Active Probing
Gitea's official Docker images shipped with reverse-proxy header trust wide open by default, letting anyone who can reach the port impersonate any user including an admin — Sysdig has now caught the first in-the-wild probing, 13 days after disclosure.
PixelSmash: A 50KB Video File Turns FFmpeg's MagicYUV Decoder into RCE Against Jellyfin, Nextcloud, and OBS
A heap out-of-bounds write in FFmpeg's MagicYUV decoder (CVE-2026-8461, CVSS 8.8) lets a single crafted media file achieve remote code execution against Jellyfin, Nextcloud, and other self-hosted server infrastructure that auto-processes uploaded video.
SimpleHelp OIDC Auth Bypass (CVE-2026-48558) Under Active Exploitation, Deploying Djinn Stealer Against Dev Credentials
A critical unsigned-token flaw in SimpleHelp RMM's OIDC login is being exploited to plant a cross-platform infostealer that hunts for cloud, source-control, and AI-assistant credentials.
Adobe ColdFusion APSB26-68: Six CVSS 10.0 Flaws, and Exploitation Started Within Hours
Adobe's APSB26-68 bulletin patches 11 ColdFusion flaws — six rated CVSS 10.0 — including a Remote Development Services path-traversal bug (CVE-2026-48282) that attackers began probing within hours of disclosure.
CVE-2026-8451: A New CitrixBleed-Pattern Memory Overread Is Already Under Active Exploitation
Citrix patched CVE-2026-8451, a pre-auth memory overread in NetScaler's SAML IdP parser that leaks session tokens — and attackers were already exploiting it within 24 hours of disclosure.
CVE-2026-8037: Pre-Auth Root RCE in Progress Kemp LoadMaster Now Under Active Exploitation
CVE-2026-8037, a CVSS 9.8 uninitialized-heap flaw in Progress Kemp LoadMaster's escape_quotes() function, lets unauthenticated attackers run root commands on the load balancer's management API. eSentire observed exploitation attempts starting June 29.
Oracle E-Business Suite Payments Flaw Under Active Exploitation Before Patch Window Closed
CVE-2026-46817, a CVSS 9.8 unauthenticated takeover flaw in Oracle E-Business Suite's Payments module, is being mass-exploited via the ibytransmit endpoint — patched in May but hit in the wild before any public PoC existed.
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection — CISA added all three to KEV on June 23 amid Mirai/Gaafgyt botnet exploitation.
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
Arista EOS CVE-2026-7473: Tunnel Decap Flaw Bypasses Segmentation — and Arista Won't Patch It
CVE-2026-7473 lets an unauthenticated attacker push arbitrary tunneled traffic through Arista data-center switches that decapsulate it without checking the protocol. Exploited in the wild, on CISA's KEV list with a deadline of today — and Arista has confirmed no patch is coming.
Jenkins CVE-2026-53435: config.xml Deserialization RCE Exploited Five Days After Disclosure
CVE-2026-53435 (CVSS 9.0) is an unsafe-deserialization RCE in Jenkins' config.xml handling. Disclosed June 10, a public PoC is now driving in-the-wild exploitation against internet-exposed CI/CD servers. Patch to weekly 2.568 or LTS 2.555.3.
Cisco Catalyst SD-WAN Manager CVE-2026-20245: Root Command Execution, No Patch Yet
Cisco's seventh SD-WAN zero-day of 2026. CVE-2026-20245 lets a netadmin upload a crafted file and execute commands as root on SD-WAN Manager. Exploited in the wild, no fix at disclosure.
Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign
CVE-2026-26980 is a CVSS 9.4 unauthenticated SQL injection in Ghost's Content API. A patch shipped in February; attackers have since industrialized it into an automated campaign that has hijacked 700+ sites — including Harvard, Oxford, and DuckDuckGo — to serve ClickFix malware.
LiteSpeed cPanel Plugin CVE-2026-48172: Any User Can Run Scripts as Root
A CVSS 10.0 flaw in the LiteSpeed User-End cPanel Plugin lets any logged-in cPanel user execute scripts as root. It is being exploited in the wild — patch or uninstall now.
Cisco Catalyst SD-WAN CVE-2026-20182: Second vdaemon Auth Bypass Lands in CISA KEV
Cisco patched a CVSS 10.0 auth bypass in Catalyst SD-WAN Controller's vdaemon service. UAT-8616 is already exploiting it. CISA added it to KEV May 15 with a May 17 deadline.
Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues
CISA added CVE-2025-32975 — a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance — to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.
CVE-2026-21643: Pre-Auth SQL Injection in FortiClient EMS 7.4.4 Under Active Exploitation — CISA Deadline Tomorrow
Critical pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 is being actively exploited. CISA KEV remediation deadline is April 16, 2026.
Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure
A missing authentication check on Marimo's terminal WebSocket endpoint (CVE-2026-39987, CVSS 9.3) gave attackers a root shell with no credentials required — and they were actively exploiting it less than 10 hours after the advisory dropped.