Critical vulnerabilities, curated daily for security professionals
๐ฏ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
๐
Today's Security Brief
Monday's vulnerability disclosures center on multiple Microsoft Windows and Office flaws alongside critical smart home infrastructure weaknesses in eNet SMART HOME servers. The brief includes 4 critical-severity CVEs (up 33% from Sunday) and 10 high-priority issues (down 63%), reflecting a lighter but more concentrated disclosure day. Notable critical entries include CVE-2026-26369 and CVE-2026-26366, both CVSS 9.8 remote code execution flaws in eNet SMART HOME servers, alongside CVE-2026-1490 (CVSS 9.8) targeting WordPress installations. Microsoft dominates the actively exploited category with six Windows and Office vulnerabilities confirmed under exploitation, while legacy flaws in GitLab, FreePBX, and Notepad++ also appear on the KEV list. No patches are currently available for disclosed vulnerabilities, making compensating controls and network segmentation essential in the interim.
Microsoft Windows and Office account for 6 of 14 actively exploited vulnerabilities, including CVE-2026-21513 and CVE-2026-21514
4 critical-severity CVEs disclosed (CVSS 9.0+), a 33% increase from Sunday's 3
10 high-priority CVEs (CVSS 7.0โ8.9), down 63% from Sunday's 27
Remote code execution dominates attack patterns, affecting eNet SMART HOME servers (CVE-2026-26369, CVE-2026-26366) and WordPress (CVE-2026-1490)
0% patch availability across all disclosed CVEs โ no vendor fixes released yet
14 CVEs flagged as actively exploited, including legacy issues in GitLab CE/EE and Sangoma FreePBX
Immediate action: Prioritize reviewing Microsoft Windows and Office systems for exposure to the six actively exploited vulnerabilities, and isolate any eNet SMART HOME server deployments until patches are available. With 0% patch availability, apply network segmentation, restrict unnecessary access, and monitor for exploitation indicators across all affected products.
๐ก Tip: Swipe CVE cards left to โญ star, right to โ remove
Section Navigation
โ ๏ธ
CISA Known Exploited Vulnerabilities
โ ๏ธ CISA KEV
CVE-2021-39935
9.5๐ Late Disclosure
GitLabCommunity and Enterprise Editions
โฐ Federal Deadline:February 23, 2026(8 days remaining)
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-64328
9.5
SangomaFreePBX
โฐ Federal Deadline:February 23, 2026(8 days remaining)
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2019-19006
9.5๐ Late Disclosure
SangomaFreePBX
โฐ Federal Deadline:February 23, 2026(8 days remaining)
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-11953
9.5๐
React Native CommunityCLI
โฐ Federal Deadline:February 25, 2026(10 days remaining)
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-24423
9.5
SmarterToolsSmarterMail
โฐ Federal Deadline:February 25, 2026(10 days remaining)
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21513
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(15 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21525
9.5
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(15 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21510
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(15 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21533
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(15 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21519
9.5๐
MicrosoftWindows
โฐ Federal Deadline:March 2, 2026(15 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-21514
9.5๐
MicrosoftOffice
โฐ Federal Deadline:March 2, 2026(15 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-20700
9.5๐
AppleApple OS
โฐ Federal Deadline:March 4, 2026(17 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2024-43468
9.5๐ Late Disclosure
MicrosoftConfiguration Manager
โฐ Federal Deadline:March 4, 2026(17 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-15556
9.5
Notepad++Notepad++
โฐ Federal Deadline:March 4, 2026(17 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
๐จ
Critical Vulnerabilities
CVE-2026-1490
9.8๐
WordPressis vulnerable
The CleanTalk Anti-Spam plugin for WordPress allows unauthenticated attackers to install arbitrary plugins via PTR record spoofing, potentially leading to remote code execution.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-32058
9.3๐
Boschuses
A vulnerability in the Bosch Infotainment ECU's custom protocol allows an attacker with SoC code execution to execute code on the RH850 module and send arbitrary CAN messages.
CVSS Base9.3
โ
CRSSelect profile
CVE-2026-26369
9.8๐
eNetSMART HOME server
A privilege escalation vulnerability in the setUserGroup JSON-RPC method allows low-privileged users to gain administrative control by sending crafted POST requests to the management endpoint.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-26366
9.8๐
eNetSMART HOME server
The eNet SMART HOME server utilizes default credentials that remain active post-installation, allowing unauthenticated attackers to gain administrative access to the system.
CVSS Base9.8
โ
CRSSelect profile
โ ๏ธ
High Priority Updates
CVE-2026-1750
8.8๐
WordPressis vulnerable
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to privilege escalation, which could allow unauthorized users to gain administrative access.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-2516
7๐
ezPDFpath
A vulnerability has been identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2, which could allow for unauthorized code execution or data access.
CVSS Base7
โ
CRSSelect profile
CVE-2026-2533
7.3๐
HPSelf-service Washing Machine 4
A security flaw has been identified in the Tosei Self-service Washing Machine 4, which could allow for unauthorized access or manipulation of the device's operational functions.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-2542
7๐
Totalpath
A security weakness has been identified in Total VPN that could allow an attacker to compromise the confidentiality or integrity of the VPN service.
CVSS Base7
โ
CRSSelect profile
CVE-2026-2538
7๐
Archpath
A security flaw has been discovered in Flos Freeware Notepad2 that could potentially allow for unauthorized code execution or system compromise.
CVSS Base7
โ
CRSSelect profile
CVE-2025-32059
8.8๐
BoschInfotainment ECU (Alps Alpine Bluetooth stack)
A security flaw exists within the Alps Alpine Bluetooth stack utilized in Bosch Infotainment ECUs, potentially allowing for remote exploitation via Bluetooth.
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-32061
8.8๐
BoschInfotainment ECU (Alps Alpine Bluetooth stack)
A vulnerability in the Alps Alpine Bluetooth stack used in Bosch Infotainment ECUs poses a risk of remote exploitation, affecting the security of the vehicle's infotainment system.
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-32062
8.8๐
BoschInfotainment ECU (Alps Alpine Bluetooth stack)
The Alps Alpine Bluetooth stack in Bosch Infotainment ECUs contains a high-severity flaw that could lead to unauthorized system access or denial of service.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-26368
8.8๐
HOMESMART HOME server
The eNet SMART HOME server version 2 contains a security flaw that could allow for unauthorized access or system manipulation.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-2544
7.3๐
yued-feLuLu UI
A security flaw in yued-fe LuLu UI versions up to 3 allows for potential remote exploitation of the user interface components.