Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Today's Security Brief
Sunday's vulnerability landscape centers on 7 critical CVEs affecting Arch Linux packages and Kubernetes orchestration platforms, alongside 46 high-priority issues across enterprise software. Critical disclosures dropped 59% from the prior day's 17, while high-severity CVEs fell 41% from 78. Notable entries include CVE-2026-40484 (CVSS 9.1) in Arch Multiple Products, CVE-2026-40324 (CVSS 9.1) in Kubernetes, and CVE-2026-40493 (CVSS 9.8) impacting multiple products. The disclosure set skews toward remote code execution and privilege escalation patterns affecting container and Linux distribution ecosystems. Patch availability sits at 0% across today's batch, warranting compensating controls and network segmentation until vendor fixes arrive.
Arch Linux and Kubernetes anchor the critical set with CVE-2026-40484 and CVE-2026-40324 (both CVSS 9.1)
Critical CVEs down 59% to 7 from yesterday's 17
High-priority CVEs down 41% to 46 from yesterday's 78
Patch availability at 0% — mitigations and monitoring required while fixes are developed
9 actively exploited CVEs tracked, primarily affecting Microsoft Office, Exchange, SharePoint, and Adobe Acrobat
Immediate action: Prioritize isolation and monitoring of Arch Linux systems and Kubernetes clusters, and audit Microsoft Exchange, SharePoint, and Adobe Acrobat deployments given continued exploitation activity. With 0% patch availability on today's critical disclosures, apply network segmentation, restrict exposed services, and track vendor advisories for upcoming fixes.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEV
CVE-2012-1854
9.5📜 Late Disclosure
MicrosoftVisual Basic for Applications (VBA)
⏰ Federal Deadline:April 26, 2026(8 days remaining)
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-60710
9.5
MicrosoftWindows
⏰ Federal Deadline:April 26, 2026(8 days remaining)
Microsoft Windows Link Following Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2023-21529
9.5📜 Late Disclosure
MicrosoftExchange Server
⏰ Federal Deadline:April 26, 2026(8 days remaining)
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2023-36424
9.5📜 Late Disclosure
MicrosoftWindows
⏰ Federal Deadline:April 26, 2026(8 days remaining)
Microsoft Windows Out-of-Bounds Read Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2020-9715
9.5📜 Late Disclosure
AdobeAcrobat
⏰ Federal Deadline:April 26, 2026(8 days remaining)
Adobe Acrobat Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-34621
9.5📝
AdobeAcrobat and Reader
⏰ Federal Deadline:April 26, 2026(8 days remaining)
Adobe Acrobat Reader is vulnerable to prototype pollution, which can result in arbitrary code execution when a victim opens a malicious file.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2009-0238
9.5📜 Late Disclosure
MicrosoftOffice
⏰ Federal Deadline:April 27, 2026(9 days remaining)
Microsoft Office Remote Code Execution - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-32201
9.5
MicrosoftSharePoint Server
⏰ Federal Deadline:April 27, 2026(9 days remaining)
Microsoft SharePoint Server Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-34197
9.5
ApacheActiveMQ
⏰ Federal Deadline:April 29, 2026(11 days remaining)
Apache ActiveMQ Improper Input Validation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2026-40484
9.1
ArchMultiple Products
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
CVSS Base9.1
→
CRSSelect profile
CVE-2026-40324
9.1
KubernetesMultiple Products
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs before any validation rules run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. The fix in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip).
CVSS Base9.1
→
CRSSelect profile
CVE-2026-40493
9.8
UnknownMultiple Products
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-40317
9.3
UnknownMultiple Products
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict syscall access by running the system in single-user mode without Ring 3, and disable user-mode processes by only running kernel shell with no user processes. This issue has been fixed in version 0.24.
CVSS Base9.3
→
CRSSelect profile
CVE-2026-40572
9
UnknownMultiple Products
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical kernel structures such as the IDT, GDT, TSS, and page tables. A local attacker can exploit this to modify kernel interrupt handlers, resulting in privilege escalation from user mode to kernel context. This issue has been fixed in version 0.24.
CVSS Base9
→
CRSSelect profile
CVE-2026-40492
9.8
UnknownMultiple Products
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-40494
9.8
UnknownMultiple Products
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
CVSS Base9.8
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2026-6518
8.8
WordPressis vulnerable
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4
CVSS Base8.8
→
CRSSelect profile
CVE-2026-5718
8.1
WordPressis vulnerable
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1
CVSS Base8.1
→
CRSSelect profile
CVE-2026-40321
8
Microsoftecosystem
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem
CVSS Base8
→
CRSSelect profile
CVE-2026-5710
7.5
WordPressis vulnerable
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1
CVSS Base7.5
→
CRSSelect profile
CVE-2026-3464
8.8
WordPressis vulnerable
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8
CVSS Base8.8
→
CRSSelect profile
CVE-2026-27890
8.2
UnknownMultiple Products
Firebird is an open-source relational database management system
CVSS Base8.2
→
CRSSelect profile
CVE-2026-28224
8.2
UnknownMultiple Products
Firebird is an open-source relational database management system
CVSS Base8.2
→
CRSSelect profile
CVE-2026-40487
8.9
Nginxwith
Postiz is an AI social media scheduling tool
CVSS Base8.9
→
CRSSelect profile
CVE-2025-65104
7.9
InforMultiple Products
Firebird is an open-source relational database management system
CVSS Base7.9
→
CRSSelect profile
CVE-2026-40352
8.8
MongoDBquery operators
FastGPT is an AI Agent building platform
CVSS Base8.8
→
CRSSelect profile
CVE-2026-28212
7.5
UnknownMultiple Products
Firebird is an open-source relational database management system
CVSS Base7.5
→
CRSSelect profile
CVE-2026-33337
7.5
UnknownMultiple Products
Firebird is an open-source relational database management system
CVSS Base7.5
→
CRSSelect profile
CVE-2026-32650
7.5
AnvizMultiple Products
Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable
encryption, causing database credentials to be sent in plaintext and
enabling unauthorized database access
CVSS Base7.5
→
CRSSelect profile
CVE-2026-34232
7.5
UnknownMultiple Products
Firebird is an open-source relational database management system
CVSS Base7.5
→
CRSSelect profile
CVE-2026-35215
7.5
UnknownMultiple Products
Firebird is an open-source relational database management system
CVSS Base7.5
→
CRSSelect profile
CVE-2026-2262
7.5
WordPressis vulnerable
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3
CVSS Base7.5
→
CRSSelect profile
CVE-2025-36568
7.8
DellPowerProtect Data
Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7
CVSS Base7.8
→
CRSSelect profile
CVE-2026-23775
7.6
DellPowerProtect Data
Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8
CVSS Base7.6
→
CRSSelect profile
CVE-2026-6490
7.3
HPof the
A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593
CVSS Base7.3
→
CRSSelect profile
CVE-2026-23778
7.2
DellPowerProtect Data
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7
CVSS Base7.2
→
CRSSelect profile
CVE-2026-23776
7.2
DellPowerProtect Data
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7
CVSS Base7.2
→
CRSSelect profile
CVE-2026-40285
8.8
HPMultiple Products
WeGIA is a web manager for charitable institutions
CVSS Base8.8
→
CRSSelect profile
CVE-2026-40581
8.1
HPMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.1
→
CRSSelect profile
CVE-2026-6507
7.5
UnknownMultiple Products
A flaw was found in dnsmasq
CVSS Base7.5
→
CRSSelect profile
CVE-2026-40516
8.3
Archtools that
OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses
CVSS Base8.3
→
CRSSelect profile
CVE-2026-40303
7.5
GigabyteMultiple Products
zrok is software for sharing web services, files, and network resources
CVSS Base7.5
→
CRSSelect profile
CVE-2026-32107
8.8
RDPMultiple Products
xrdp is an open source RDP server
CVSS Base8.8
→
CRSSelect profile
CVE-2026-35682
8.8
AnvizMultiple Products
Anviz CX2 Lite is vulnerable to an authenticated command injection via a
filename parameter that enables arbitrary command execution (e
CVSS Base8.8
→
CRSSelect profile
CVE-2026-40066
8.8
AnvizMultiple Products
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded
CVSS Base8.8
→
CRSSelect profile
CVE-2026-40349
8.8
UnknownMultiple Products
Movary is a self hosted web app to track and rate a user's watched movies
CVSS Base8.8
→
CRSSelect profile
CVE-2026-40350
8.8
UnknownMultiple Products
Movary is a self hosted web app to track and rate a user's watched movies
CVSS Base8.8
→
CRSSelect profile
CVE-2026-35582
8.8
workflowMultiple Products
Emissary is a P2P based data-driven workflow engine
CVSS Base8.8
→
CRSSelect profile
CVE-2026-6560
8.8
UnknownMultiple Products
A security vulnerability has been detected in H3C Magic B0 up to 100R002
CVSS Base8.8
→
CRSSelect profile
CVE-2026-40434
8.1
theMultiple Products
Anviz CrossChex Standard
lacks source verification in the client/server channel, enabling TCP
packet injection by an attacker on the same network to alter or disrupt
application traffic
CVSS Base8.1
→
CRSSelect profile
CVE-2026-40196
8.1
UnknownMultiple Products
HomeBox is a home inventory and organization system
CVSS Base8.1
→
CRSSelect profile
CVE-2026-40527
7.8
radare2Multiple Products
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names
CVSS Base7.8
→
CRSSelect profile
CVE-2026-32324
7.7
AnvizMultiple Products
Anviz CX7 Firmware is
vulnerable because the application embeds reusable certificate/key
material, enabling decryption of MQTT traffic and potential interaction
with device messaging channels at scale
CVSS Base7.7
→
CRSSelect profile
CVE-2026-40348
7.7
UnknownMultiple Products
Movary is a self hosted web app to track and rate a user's watched movies
CVSS Base7.7
→
CRSSelect profile
CVE-2026-40474
7.6
fitnessMultiple Products
wger is a free, open-source workout and fitness manager
CVSS Base7.6
→
CRSSelect profile
CVE-2026-40515
7.5
OpenHarnessMultiple Products
OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker
CVSS Base7.5
→
CRSSelect profile
CVE-2026-40461
7.5
AnvizMultiple Products
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug
settings (e
CVSS Base7.5
→
CRSSelect profile
CVE-2026-40286
7.5
webMultiple Products
WeGIA is a web manager for charitable institutions
CVSS Base7.5
→
CRSSelect profile
CVE-2026-35465
7.5
SecureDropMultiple Products
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation
CVSS Base7.5
→
CRSSelect profile
CVE-2026-21733
7.3
UnknownMultiple Products
Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files
CVSS Base7.3
→
CRSSelect profile
CVE-2026-6483
7.2
UnknownMultiple Products
A vulnerability was found in Wavlink WL-WN530H4 20220721
CVSS Base7.2
→
CRSSelect profile
CVE-2026-40518
7.1
beforeMultiple Products
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed