Critical vulnerabilities, curated daily for security professionals
๐ฏ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
๐
Today's Security Brief
Tuesday's vulnerability disclosures reveal 27 CVEs affecting SAP, Microsoft, Apple, and several open-source projects. Critical disclosures dropped 50% from the prior day to 2, while high-priority CVEs surged 150% to 25. A maximum-severity SAP WhatsApp bridge flaw (CVE-2026-2577, CVSS 10.0) and a critical EFM/iptime router vulnerability (CVE-2026-2550, CVSS 9.8) stand out among the new disclosures. Microsoft Windows and Office account for six actively exploited vulnerabilities, alongside confirmed exploitation targeting GitLab, Sangoma FreePBX, and Apple OS. No patches are currently available for the disclosed CVEs, requiring organizations to prioritize compensating controls and monitoring.
SAP WhatsApp bridge CVE-2026-2577 carries a maximum CVSS 10.0 score, representing the most severe disclosure of the day
Critical CVE count decreased to 2 from 4 the prior day (-50%), while high-priority CVEs rose sharply to 25 from 10 (+150%)
Six Microsoft Windows and Office CVEs are confirmed actively exploited, including CVE-2026-21513, CVE-2026-21525, and CVE-2026-21514
Remote code execution and authentication bypass patterns appear across SAP, GitLab, FreePBX, and Notepad++ disclosures
Patch availability stands at 0% across all 27 disclosed CVEs, requiring immediate compensating controls
14 CVEs have confirmed active exploitation, spanning Microsoft, Apple, GitLab, Sangoma, and React Native CLI
Immediate action: Prioritize compensating controls for Microsoft Windows and Office systems, SAP WhatsApp bridge integrations, and Apple OS environments where active exploitation is confirmed. With 0% patch availability across all disclosures, implement network segmentation, enhanced monitoring, and access restrictions for affected products until vendor patches are released.
๐ก Tip: Swipe CVE cards left to โญ star, right to โ remove
Section Navigation
โ ๏ธ
CISA Known Exploited Vulnerabilities
โ ๏ธ CISA KEVURGENT
CVE-2021-39935
9.5๐ Late Disclosure
GitLabCommunity and Enterprise Editions
โฐ Federal Deadline:February 23, 2026(7 days remaining)
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEVURGENT
CVE-2025-64328
9.5
SangomaFreePBX
โฐ Federal Deadline:February 23, 2026(7 days remaining)
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEVURGENT
CVE-2019-19006
9.5๐ Late Disclosure
SangomaFreePBX
โฐ Federal Deadline:February 23, 2026(7 days remaining)
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-11953
9.5๐
React Native CommunityCLI
โฐ Federal Deadline:February 25, 2026(9 days remaining)
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-24423
9.5
SmarterToolsSmarterMail
โฐ Federal Deadline:February 25, 2026(9 days remaining)
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21513
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(14 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21525
9.5
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(14 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21510
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(14 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21533
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(14 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21519
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(14 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21514
9.5๐
MicrosoftOffice
โฐ Federal Deadline:March 2, 2026(14 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-20700
9.5๐
AppleApple OS
โฐ Federal Deadline:March 4, 2026(16 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2024-43468
9.5๐ Late Disclosure
MicrosoftConfiguration Manager
โฐ Federal Deadline:March 4, 2026(16 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-15556
9.5
Notepad++Notepad++
โฐ Federal Deadline:March 4, 2026(16 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
๐จ
Critical Vulnerabilities
CVE-2026-2577
10๐
SAPWhatsApp bridge
The Nanobot WhatsApp bridge component exposes an unauthenticated WebSocket server on all network interfaces, allowing remote attackers to hijack sessions and intercept real-time communications.
CVSS Base10
โ
CRSSelect profile
CVE-2026-2550
9.8๐
EFM (iptime)A6004MX
A critical unrestricted file upload vulnerability in the iptime A6004MX router allows remote attackers to execute arbitrary code via the commit_vpncli_file_upload function.
CVSS Base9.8
โ
CRSSelect profile
โ ๏ธ
High Priority Updates
CVE-2026-2592
7.7๐
WordPressis vulnerable
The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to improper access control, allowing unauthorized modification of payment status updates.
CVSS Base7.7
โ
CRSSelect profile
CVE-2026-2516
7๐
ezPDFpath
A vulnerability has been identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2, which could allow for unauthorized code execution or data access.
CVSS Base7
โ
CRSSelect profile
CVE-2026-2001
8.8๐
WordPressis vulnerable
The WowRevenue plugin for WordPress contains a missing capability check in its installation function, allowing unauthorized users to install and activate arbitrary plugins.
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-12062
8.8๐
GoogleMaps
The WP Maps plugin for WordPress is vulnerable to Local File Inclusion (LFI) in versions up to 4, allowing attackers to access sensitive server-side files.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-2533
7.3๐
HPSelf-service Washing Machine 4
A security flaw has been identified in the Tosei Self-service Washing Machine 4, which could allow for unauthorized access or manipulation of the device's operational functions.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-2542
7๐
Totalpath
A security weakness has been identified in Total VPN that could allow an attacker to compromise the confidentiality or integrity of the VPN service.
CVSS Base7
โ
CRSSelect profile
CVE-2026-2538
7๐
Archpath
A security flaw has been discovered in Flos Freeware Notepad2 that could potentially allow for unauthorized code execution or system compromise.
CVSS Base7
โ
CRSSelect profile
CVE-2026-26930
7.2๐
SmarterMailSmarterMail
SmarterTools SmarterMail is vulnerable to Cross-Site Scripting (XSS) via MAPI requests in versions prior to 9526, potentially allowing session hijacking.
CVSS Base7.2
โ
CRSSelect profile
CVE-2025-32059
8.8๐
BoschInfotainment ECU (Alps Alpine Bluetooth stack)
A security flaw exists within the Alps Alpine Bluetooth stack utilized in Bosch Infotainment ECUs, potentially allowing for remote exploitation via Bluetooth.
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-32061
8.8๐
BoschInfotainment ECU (Alps Alpine Bluetooth stack)
A vulnerability in the Alps Alpine Bluetooth stack used in Bosch Infotainment ECUs poses a risk of remote exploitation, affecting the security of the vehicle's infotainment system.
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-32062
8.8๐
BoschInfotainment ECU (Alps Alpine Bluetooth stack)
The Alps Alpine Bluetooth stack in Bosch Infotainment ECUs contains a high-severity flaw that could lead to unauthorized system access or denial of service.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-26368
8.8๐
HOMESMART HOME server
The eNet SMART HOME server version 2 contains a security flaw that could allow for unauthorized access or system manipulation.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-2101
8.7๐
ENOVIAvpmENOVIAvpm
A Reflected Cross-Site Scripting (XSS) vulnerability in ENOVIAvpm Web Access allows attackers to execute arbitrary scripts in a user's browser session.
CVSS Base8.7
โ
CRSSelect profile
CVE-2026-2564
8.1๐
IntelVIP 3260 Z IA 2
A high-severity security flaw has been identified in the Intelbras VIP 3260 Z IA 2 camera, which could permit unauthorized access or system interference.
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-1333
7.8๐
SOLIDWORKSeDrawings
A Use of Uninitialized Variable vulnerability in SOLIDWORKS eDrawings allows arbitrary code execution when a user opens a specially crafted EPRT file.
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-1334
7.8๐
SOLIDWORKSeDrawings
An Out-Of-Bounds Read vulnerability in SOLIDWORKS eDrawings can lead to arbitrary code execution when processing a maliciously crafted EPRT file.
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-1335
7.8๐
SOLIDWORKSeDrawings
An Out-Of-Bounds Write vulnerability in the EPRT file reading procedure of SOLIDWORKS eDrawings allows for arbitrary code execution via crafted files.
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-1046
7.6๐
MattermostDesktop App
Mattermost Desktop App versions 6 and earlier are affected by a high-severity vulnerability that could compromise the security of the communication platform.
CVSS Base7.6
โ
CRSSelect profile
CVE-2026-2544
7.3๐
yued-feLuLu UI
A security flaw in yued-fe LuLu UI versions up to 3 allows for potential remote exploitation of the user interface components.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-2549
7.3๐
InforLibrarySystem
A high-severity vulnerability exists in the zhanghuanhao LibrarySystem through version 1, potentially allowing for unauthorized system access.
CVSS Base7.3
โ
CRSSelect profile
CVE-2019-25379
7.2๐ Late Disclosure
SmoothwallMultiple Products
Smoothwall Express 3
CVSS Base7.2
โ
CRSSelect profile
CVE-2019-25394
7.2๐ Late Disclosure
SmoothwallMultiple Products
Smoothwall Express 3
CVSS Base7.2
โ
CRSSelect profile
CVE-2019-25395
7.2๐ Late Disclosure
SmoothwallMultiple Products
Smoothwall Express 3
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-2566
7.2๐
WavlinkWL-NU516U1
A high-severity security vulnerability has been detected in Wavlink WL-NU516U1 devices, affecting firmware versions up to 130 and 260.
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-2567
7.2๐
WavlinkWL-NU516U1
A security vulnerability has been identified in the Wavlink WL-NU516U1 firmware version 20251208, posing a risk to device integrity.