Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Sunday's disclosure activity centers on Microsoft Windows and Office products, with six actively exploited vulnerabilities targeting core enterprise infrastructure. The brief includes 3 critical CVEs (down 40% from Saturday) and 27 high-priority vulnerabilities (down 62%), reflecting typical weekend reduction in disclosure volume. Three WordPress critical vulnerabilities (CVE-2026-1490, CVE-2026-1306, CVE-2025-8572) each scored CVSS 9.8, while SmarterTools SmarterMail accounts for three separate actively exploited flaws. Attack patterns span remote code execution, privilege escalation, and authentication bypass across diverse targets including BeyondTrust, Linux kernel, GitLab, and Sangoma FreePBX. No patches are currently available for disclosed vulnerabilities, requiring organizations to prioritize compensating controls and network segmentation.
Microsoft dominates active exploitation with 7 vulnerabilities across Windows (5) and Office (2), all scored CVSS 9.5
3 critical CVEs disclosed (down 40% from prior day), all WordPress vulnerabilities at CVSS 9.8
27 high-priority CVEs disclosed (down 62% from prior day), consistent with weekend volume patterns
SmarterTools SmarterMail has 3 actively exploited flaws; BeyondTrust Remote Support and GNU InetUtils also under active exploitation
0% patch availability across all 30 disclosed CVEs β compensating controls and monitoring are essential
20 vulnerabilities confirmed actively exploited, including legacy CVEs from 2018, 2019, 2021, and 2024
Immediate action: Prioritize Microsoft Windows and Office systems for compensating controls given five actively exploited Windows vulnerabilities and two Office flaws with no patches yet available. Review SmarterMail, BeyondTrust, and FreePBX deployments for indicators of compromise, and apply network segmentation to WordPress installations pending patch release.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-1731
9.5
BeyondTrustRemote Support (RS) and Privileged Remote Access (PRA)
β° Federal Deadline:February 15, 2026(1 days remaining)
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2018-14634
9.5π Late Disclosure
LinuxKernal
β° Federal Deadline:February 15, 2026(1 days remaining)
Linux Kernel Integer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-52691
9.5π
SmarterToolsSmarterMail
β° Federal Deadline:February 15, 2026(1 days remaining)
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-23760
9.5
SmarterToolsSmarterMail
β° Federal Deadline:February 15, 2026(1 days remaining)
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-24061
9.5π
GNUInetUtils
β° Federal Deadline:February 15, 2026(1 days remaining)
GNU InetUtils Argument Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-21509
9.5π
MicrosoftOffice
β° Federal Deadline:February 15, 2026(1 days remaining)
Microsoft Office Security Feature Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-39935
9.5π Late Disclosure
GitLabCommunity and Enterprise Editions
β° Federal Deadline:February 23, 2026(9 days remaining)
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-64328
9.5
SangomaFreePBX
β° Federal Deadline:February 23, 2026(9 days remaining)
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2019-19006
9.5π Late Disclosure
SangomaFreePBX
β° Federal Deadline:February 23, 2026(9 days remaining)
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-11953
9.5π
React Native CommunityCLI
β° Federal Deadline:February 25, 2026(11 days remaining)
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-24423
9.5
SmarterToolsSmarterMail
β° Federal Deadline:February 25, 2026(11 days remaining)
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21513
9.5π
MicrosoftWindows
β° Federal Deadline:March 2, 2026(16 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21525
9.5
MicrosoftWindows
β° Federal Deadline:March 2, 2026(16 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21510
9.5π
MicrosoftWindows
β° Federal Deadline:March 2, 2026(16 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21533
9.5π
MicrosoftWindows
β° Federal Deadline:March 2, 2026(16 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21519
9.5π
MicrosoftWindows
β° Federal Deadline:March 2, 2026(16 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-21514
9.5π
MicrosoftOffice
β° Federal Deadline:March 2, 2026(16 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-20700
9.5π
AppleApple OS
β° Federal Deadline:March 4, 2026(18 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2024-43468
9.5π Late Disclosure
MicrosoftConfiguration Manager
β° Federal Deadline:March 4, 2026(18 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-15556
9.5
Notepad++Notepad++
β° Federal Deadline:March 4, 2026(18 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-1490
9.8π
WordPressis vulnerable
The CleanTalk Anti-Spam plugin for WordPress allows unauthenticated attackers to install arbitrary plugins via PTR record spoofing, potentially leading to remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1306
9.8π
WordPressis vulnerable
The midi-Synth WordPress plugin allows unauthenticated arbitrary file uploads via the 'export' AJAX action, potentially leading to remote code execution through exposed nonces.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-8572
9.8π
WordPressis vulnerable
Truelysell Core plugin for WordPress is vulnerable to unauthenticated privilege escalation, allowing attackers to create administrator accounts by manipulating registration parameters.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-33042
7.3
Apache Avro Java SDKAvro Java
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2441
8.8π
GoogleChrome prior
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-0692
7.5π
WordPressis vulnerable
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to missing authorization, allowing unauthorized users to perform sensitive actions.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-1988
7.5π
WordPressis vulnerable
The Flexi Product Slider and Grid for WooCommerce plugin is vulnerable to Local File Inclusion (LFI), which could allow attackers to read sensitive system files.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-15157
8.8π
WordPressplugin for
The Starfish Review Generation & Marketing plugin for WordPress is vulnerable to privilege escalation due to a missing capability check in the `srm_restore_options_defaults` function.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-1750
8.8π
WordPressis vulnerable
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to privilege escalation, which could allow unauthorized users to gain administrative access.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-1841
7.2π
WordPressis vulnerable
The PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'pysTrafficSource' and 'pys_landing_page' parameters.
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2144
8.1π
WordPressis vulnerable
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to privilege escalation, allowing attackers to gain unauthorized administrative access.
CVSS Base8.1
β
CRSSelect profile
CVE-2026-2024
7.5π
WordPressis vulnerable
The PhotoStack Gallery plugin for WordPress is vulnerable to SQL Injection via the 'postid' parameter, allowing for unauthorized database access.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-26208
7.8π
ADB ExplorerADB Explorer
ADB Explorer, a fluent UI for ADB on Windows, contains a high-severity vulnerability that could lead to unauthorized system access or data manipulation.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-1844
7.2π
WordPressis vulnerable
The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' and 'pys_landing_page' parameters in versions up to 12.
CVSS Base7.2
β
CRSSelect profile
CVE-2026-0745
7.2π
WordPressis vulnerable
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including version 1.
CVSS Base7.2
β
CRSSelect profile
CVE-2026-0753
7.2π
WordPressis vulnerable
The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sscf_name' parameter in versions up to 1.
CVSS Base7.2
β
CRSSelect profile
CVE-2026-1843
7.2π
WordPressis vulnerable
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to and including version 5.
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2469
7.6
HPdue to
Versions of the package directorytree/imapengine before 1
CVSS Base7.6
β
CRSSelect profile
CVE-2026-1618
8.8π
Universal SoftwareMultiple Products
An authentication bypass vulnerability exists in multiple products from Universal Software Inc due to the use of an alternate path or channel.
CVSS Base8.8
β
CRSSelect profile
CVE-2025-70122
7.5
UPF component ofMultiple Products
A heap buffer overflow vulnerability in the UPF component of free5GC v4
CVSS Base7.5
β
CRSSelect profile
CVE-2025-14349
8.8
Universal SoftwareMultiple Products
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc
CVSS Base8.8
β
CRSSelect profile
CVE-2026-1619
8.3
Universal SoftwareMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc
CVSS Base8.3
β
CRSSelect profile
CVE-2026-26187
8.1π
TreeverselakeFS
lakeFS, an open-source data versioning tool for object storage, contains a high-severity vulnerability that may affect repository security.
CVSS Base8.1
β
CRSSelect profile
CVE-2026-24853
8.1π
CaidoCaido
The Caido web security auditing toolkit is affected by a high-severity vulnerability that could compromise the security of the auditing environment.
CVSS Base8.1
β
CRSSelect profile
CVE-2026-26268
8π
AnysphereCursor
The Cursor AI-powered code editor is affected by a high-severity vulnerability that could impact the security of the developer's environment and source code.
CVSS Base8
β
CRSSelect profile
CVE-2026-25991
7.7π
AWSTandoor Recipes
Tandoor Recipes, a meal management application, contains a high-severity vulnerability that could lead to unauthorized access or data compromise.
CVSS Base7.7
β
CRSSelect profile
CVE-2025-70121
7.5
AMF component ofMultiple Products
An array index out of bounds vulnerability in the AMF component of free5GC v4
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70123
7.5
free5GCMultiple Products
An improper input validation and protocol compliance vulnerability in free5GC v4
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21878
7.5π
BACnet StackBACnet Stack C library
The BACnet Stack open-source C library for embedded systems contains a vulnerability that may impact the security and stability of building automation and control networks.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70093
7.4π
OpenSourcePOSOpenSourcePOS
OpenSourcePOS v3 is affected by a security vulnerability that could compromise the integrity of point-of-sale operations and sensitive retail data.