Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Monday's disclosures concentrate on WordPress plugin code, GitBucket developer tooling, and ACL Analytics, with three critical CVEs at CVSS 9.8 enabling remote compromise of web-facing and developer-adjacent systems. Critical volume held steady at 3 (0% change) while high-priority disclosures dropped to 23, a 60% decline from the prior day's 57. CVE-2018-25335 affects a WordPress Peugeot plugin, CVE-2018-25332 targets GitBucket, and CVE-2018-25320 impacts ACL Analytics, all rated CVSS 9.8 with remote attack vectors. Two actively exploited vulnerabilities were observed in Cisco Catalyst SD-WAN (CVE-2026-20182) and Microsoft (CVE-2026-42897), both at CVSS 9.5, indicating continued attacker focus on edge networking and enterprise platforms. No patches are currently available across the 26 disclosed CVEs, requiring defenders to rely on compensating controls, network segmentation, and exposure reduction until vendor fixes ship.
WordPress plugin, GitBucket, and ACL Analytics carry the day's three critical CVEs, all CVSS 9.8 with remote attack vectors
Critical CVEs held steady at 3 (0% change from prior day)
High-priority CVEs dropped to 23, a 60% decline from the prior day's 57
Remote code execution dominates the critical tier across web plugin, source control, and analytics platforms
Patch availability sits at 0% across all 26 disclosures, leaving mitigation as the primary defensive option
Two actively exploited CVEs affect Cisco Catalyst SD-WAN and Microsoft platforms at CVSS 9.5
Immediate action: Prioritize exposure review for WordPress installations running the affected Peugeot plugin, GitBucket developer instances, and ACL Analytics deployments, alongside Cisco Catalyst SD-WAN edge devices where active exploitation is confirmed. With no patches available for today's disclosures, apply network segmentation, restrict administrative access, and monitor for indicators of compromise on the affected products until vendor updates are released.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-20182
9.5
CiscoCatalyst SD-WAN
β° Federal Deadline:May 16, 2026(EXPIRED)
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-42897
9.5π
MicrosoftMicrosoft
β° Federal Deadline:May 28, 2026(11 days remaining)
A cross-site scripting (XSS) vulnerability in Microsoft Exchange Server allows unauthenticated attackers to perform spoofing over a network.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2018-25335
9.8ππ Late Disclosure
WordPressPlugin Peugeot
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability allowing unauthenticated remote code execution via the upload.php endpoint.
CVSS Base9.8
β
CRSSelect profile
CVE-2018-25332
9.8ππ Late Disclosure
GitBucketGitBucket
GitBucket 4.23.1 is vulnerable to unauthenticated remote code execution due to weak secret token generation and insecure file upload handling.
CVSS Base9.8
β
CRSSelect profile
CVE-2018-25320
9.8ππ Late Disclosure
ACL AnalyticsACL Analytics
ACL Analytics versions 11.x through 13.0.0.579 contain a command execution vulnerability allowing attackers to run arbitrary system commands via the EXECUTE function.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2018-25326
7.5ππ Late Disclosure
GoogleDrive for
Google Drive for WordPress contains an unspecified security vulnerability that requires immediate attention from system administrators.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-8785
7.3
HPof the
A flaw has been found in projectworlds hospital-management-system-in-php 1
CVSS Base7.3
β
CRSSelect profile
CVE-2018-25329
7.5ππ Late Disclosure
WordPressPlugin WP
A security vulnerability has been identified in the WordPress plugin "WP with Spritz." The vulnerability requires immediate review and mitigation by site administrators.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-8771
7.3π
linlinjavalitemall
A security flaw has been discovered in linlinjava litemall up to version 1.
CVSS Base7.3
β
CRSSelect profile
CVE-2018-25325
7.5π Late Disclosure
HPoutside the
Woocommerce CSV Importer 3
CVSS Base7.5
β
CRSSelect profile
CVE-2018-25319
7.1π Late Disclosure
HPpage with
Redaxo CMS Addon MyEvents 2
CVSS Base7.1
β
CRSSelect profile
CVE-2018-25333
8.2π Late Disclosure
HPMultiple Products
Nordex N149/4
CVSS Base8.2
β
CRSSelect profile
CVE-2026-8775
8.8π
EdimaxBR-6428NS
A security flaw has been identified in the Edimax BR-6428NS router that could potentially be exploited by remote attackers.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-8776
8.8π
EdimaxBR-6428NS
A vulnerability has been identified in the Edimax BR-6428NS router that could potentially lead to unauthorized access.
CVSS Base8.8
β
CRSSelect profile
CVE-2018-25322
8.4π Late Disclosure
MPEGMultiple Products
Allok Fast AVI MPEG Splitter 1
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25323
8.4π Late Disclosure
DVDMultiple Products
Allok AVI DivX MPEG to DVD Converter 2
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25328
8.4π Late Disclosure
ArchMultiple Products
VX Search 10
CVSS Base8.4
β
CRSSelect profile
CVE-2018-25330
8.2ππ Late Disclosure
JoomlaEkRishta
A vulnerability exists in the Joomla extension EkRishta, potentially allowing unauthorized access or control over the affected site.
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25338
8.2π Late Disclosure
InforMultiple Products
Zechat 1
CVSS Base8.2
β
CRSSelect profile
CVE-2018-25339
8.2π Late Disclosure
InforMultiple Products
Zechat 1
CVSS Base8.2
β
CRSSelect profile
CVE-2026-8751
7.3π
h2oaih2o-3
A security flaw has been discovered in h2oai h2o-3, impacting versions up to 7402.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8755
7.3π
fishaudioBert-VITS2
A flaw has been found in fishaudio Bert-VITS2, which requires prompt attention from security administrators.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8756
7.3
InforMultiple Products
A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8757
7.3π
AdenHQHive
A security vulnerability has been identified in the AdenHQ Hive platform. The specific technical details regarding the flaw are currently limited pending further vendor disclosure.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8758
7.3π
MetasoftMetaCRM
A security vulnerability has been identified in the Metasoft MetaCRM platform. The exact nature of the vulnerability is currently under investigation by the vendor.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8759
7.3
InforMultiple Products
A vulnerability was identified in xiandafu beetl up to 3
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8768
7.3π
VercelAI
A security vulnerability has been identified in the Vercel AI platform. Technical details are currently limited, requiring users to await further guidance from the vendor.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-8764
7.2π
H3CMagic B3
A security vulnerability has been identified in the H3C Magic B3 networking hardware. Further technical details remain under investigation by the manufacturer.