Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Monday's vulnerability disclosures highlight widespread risk across Apple, Google, Broadcom, and Qualcomm products, with 17 CVEs under active exploitation. The day saw 4 critical-severity vulnerabilities (up 100% from Sunday's 2) and 47 high-priority CVEs (down 49% from 93). Critical flaws include CVE-2026-3587 (CVSS 10.0) affecting Linux-based operating systems, CVE-2026-4567 (CVSS 9.8) in Tenda A15 routers, and CVE-2019-25614 (CVSS 9.8) targeting STOR FTP Server. Actively exploited vulnerabilities span Broadcom VMware Aria Operations, Qualcomm chipsets, Google Chrome V8, and multiple Apple products including iOS and iPadOS. No patches are currently available for the disclosed CVEs, requiring organizations to prioritize compensating controls and monitoring.
CVE-2026-3587 (CVSS 10.0) affects Linux-based operating systems â the highest severity rating possible, requiring immediate risk assessment
4 critical-severity CVEs disclosed, a 100% increase from Sunday's 2 critical vulnerabilities
47 high-priority CVEs (CVSS 7.0-8.9), down 49% from Sunday's 93, narrowing the scope of urgent triage
Active exploitation confirmed across Broadcom VMware Aria Operations, Qualcomm chipsets, Google Chrome V8/Skia, and Apple iOS/iPadOS
0% patch availability across all 51 disclosed CVEs â compensating controls and network segmentation are essential
17 CVEs flagged as actively exploited, including legacy vulnerabilities such as CVE-2017-7921 in Hikvision products
Immediate action: Prioritize risk assessment for Linux-based systems (CVE-2026-3587), Broadcom VMware Aria Operations, Qualcomm-powered devices, and Apple products including iOS and iPadOS, as these face active exploitation with no patches currently available. Implement compensating controls such as network segmentation, access restrictions, and enhanced monitoring for affected systems until vendor patches are released.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-22719
9.5đ
BroadcomVMware Aria Operations
â° Federal Deadline:March 23, 2026(1 days remaining)
VMware Aria Operations contains a command injection vulnerability that could allow an attacker to execute arbitrary commands on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21385
9.5đ
QualcommMultiple Chipsets
â° Federal Deadline:March 23, 2026(1 days remaining)
A memory corruption vulnerability exists in memory allocation processes when handling specific alignments, potentially leading to arbitrary code execution or system instability.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-68613
9.5đ
n8nn8n
â° Federal Deadline:March 24, 2026(2 days remaining)
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2017-7921
9.5đ Late Disclosure
HikvisionMultiple Products
â° Federal Deadline:March 25, 2026(3 days remaining)
Hikvision Multiple Products Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-22681
9.5đ Late Disclosure
RockwellMultiple Products
â° Federal Deadline:March 25, 2026(3 days remaining)
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-43000
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(3 days remaining)
Apple Multiple products Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2021-30952
9.5đ Late Disclosure
AppleMultiple Products
â° Federal Deadline:March 25, 2026(3 days remaining)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2023-41974
9.5đ Late Disclosure
AppleiOS and iPadOS
â° Federal Deadline:March 25, 2026(3 days remaining)
Apple iOS and iPadOS Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3910
9.5đ
GoogleChromium V8
â° Federal Deadline:March 26, 2026(4 days remaining)
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3909
9.5đ
GoogleSkia
â° Federal Deadline:March 26, 2026(4 days remaining)
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-47813
9.5
Wing FTP ServerWing FTP Server
â° Federal Deadline:March 29, 2026(7 days remaining)
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-66376
9.5
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:March 31, 2026(9 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-32432
9.5
Craft CMSCraft CMS
â° Federal Deadline:April 2, 2026(11 days remaining)
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54068
9.5
LaravelLivewire
â° Federal Deadline:April 2, 2026(11 days remaining)
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43510
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(11 days remaining)
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43520
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(11 days remaining)
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-31277
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(11 days remaining)
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-4567
9.8đ
TendaA15
A stack-based buffer overflow in the Tenda A15 UploadCfg function allows remote attackers to execute arbitrary code via a malicious File argument.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-3587
10đ
Linuxbased OS
An unauthenticated remote attacker can escape a restricted CLI interface in certain Linux-based operating systems to gain root access.
CVSS Base10
â
CRSSelect profile
CVE-2019-25614
9.8đđ Late Disclosure
the STORFTP Server
Free Float FTP 1.0 contains a buffer overflow in the STOR command handler, enabling remote attackers to execute arbitrary code via a crafted payload.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4599
9.1đ
jsrsasignjsrsasign
The jsrsasign library is vulnerable to incomplete comparison checks in cryptographic functions, allowing attackers to bias DSA nonces and recover private keys.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2019-25578
8.2đ Late Disclosure
HPwith SQL
phpTransformer 2016
CVSS Base8.2
â
CRSSelect profile
CVE-2026-33292
7.5đ
Oraclecondition where
WWBN AVideo, an open-source video platform, is affected by a high-severity vulnerability that could lead to unauthorized access or data compromise.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4314
8.8đ
WordPressToolkit
The WP Extended plugin for WordPress is vulnerable to privilege escalation, allowing low-privileged users to gain administrative access.
CVSS Base8.8
â
CRSSelect profile
CVE-2025-10679
7.3đ
GoogleReviews
The ReviewX WordPress plugin is vulnerable to arbitrary method calls, which could allow attackers to execute unauthorized functions within the application.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-3629
8.1đ
WordPressis vulnerable
The Import and export users and customers WordPress plugin is vulnerable to privilege escalation, enabling attackers to gain unauthorized administrative rights.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-2580
7.5đ
GoogleMaps
The WP Maps WordPress plugin is vulnerable to time-based SQL Injection via the âorderbyâ parameter, allowing attackers to extract sensitive database information.
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25579
7.5đđ Late Disclosure
HPphpTransformer 2016
A security vulnerability has been identified in phpTransformer 2016. The flaw could allow an attacker to compromise the integrity or availability of the application.
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25580
8.2đ Late Disclosure
HPwith crafted
ownDMS 4
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25613
7.5đ Late Disclosure
HPendpoint and
Easy Chat Server 3
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4540
7.3
HPof the
A vulnerability was detected in projectworlds Online Notes Sharing System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-4562
7.3
HPof the
A security flaw has been discovered in MacCMS 2025
CVSS Base7.3
â
CRSSelect profile
CVE-2026-4579
7.3
HPof the
A vulnerability was identified in code-projects Simple Laundry System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2019-25573
7.1đ Late Disclosure
HPwith
Green CMS 2
CVSS Base7.1
â
CRSSelect profile
CVE-2026-4529
8.8đ
HPDHP-1320
A critical security vulnerability has been identified in the D-Link DHP-1320 router. This flaw may allow for remote exploitation and unauthorized device control.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33293
8.1đ
HPAVideo
WWBN AVideo, an open-source video platform, is affected by a high-severity vulnerability. The flaw could permit unauthorized access or administrative bypass.
CVSS Base8.1
â
CRSSelect profile
CVE-2019-25607
8.4đđ Late Disclosure
logAxessh 4
A high-severity vulnerability has been identified in Axessh 4. This security flaw could allow for unauthorized remote access or command execution via the SSH service.
CVSS Base8.4
â
CRSSelect profile
CVE-2026-4534
8.8
TendaFH451
A flaw has been found in Tenda FH451 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4535
8.8
TendaFH451
A vulnerability has been found in Tenda FH451 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4551
8.8
TendaF453
A vulnerability was found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4552
8.8
TendaF453
A vulnerability was determined in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4553
8.8
TendaF453
A vulnerability was identified in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4555
8.8
D-LinkDIR
A weakness has been identified in D-Link DIR-513 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4558
8.8
LinksysMR9600
A flaw has been found in Linksys MR9600 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4565
8.8
TendaAC21
A vulnerability was detected in Tenda AC21 16
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25576
8.2đ Late Disclosure
Wallpaperversion details
Kepler Wallpaper Script 1
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4545
7
Archpath
A security flaw has been discovered in Flos Freeware Notepad2 4
CVSS Base7
â
CRSSelect profile
CVE-2026-4546
7
Archpath
A weakness has been identified in Flos Freeware Notepad2 4
CVSS Base7
â
CRSSelect profile
CVE-2019-25611
8.4đđ Late Disclosure
parseconfMiniFtp
MiniFtp contains a buffer overflow vulnerability in the `parseconf_load_setting` function. This flaw allows local attackers to execute arbitrary code by providing oversized configuration values.
CVSS Base8.4
â
CRSSelect profile
CVE-2026-4528
7.3
trueleafMultiple Products
A vulnerability was determined in trueleaf ApiFlow 0
CVSS Base7.3
â
CRSSelect profile
CVE-2026-4566
8.8đ
BelkinF9K1122
A high-severity flaw has been identified in the Belkin F9K1122 router, which could allow for unauthorized access or device compromise.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4601
8.7
jsrsasignMultiple Products
Versions of the package jsrsasign before 11
CVSS Base8.7
â
CRSSelect profile
CVE-2019-25603
8.4đ Late Disclosure
TuneCloneMultiple Products
TuneClone 2
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25604
8.4đ Late Disclosure
DVDXPlayerMultiple Products
DVDXPlayer Pro 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25608
8.4đ Late Disclosure
IperiusMultiple Products
Iperius Backup 6
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25609
8.4đ Late Disclosure
jetCastMultiple Products
JetAudio jetCast Server 2
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25615
8.4đ Late Disclosure
LavavoMultiple Products
Lavavo CD Ripper 4
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25619
8.4đ Late Disclosure
ShellMultiple Products
FTP Shell Server 6
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25575
8.2đ Late Disclosure
SimplePressMultiple Products
SimplePress CMS 1
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25581
8.2đ Late Disclosure
doitMultiple Products
i-doit CMDB 1
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25612
7.8đ Late Disclosure
AdminMultiple Products
Admin Express 1
CVSS Base7.8
â
CRSSelect profile
CVE-2019-25552
7.5đ Late Disclosure
PHOTOMultiple Products
CEWE PHOTO SHOW 6
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25560
7.5đ Late Disclosure
VideoMultiple Products
Lyric Video Creator 2
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25605
7.5đ Late Disclosure
EquityPanditMultiple Products
EquityPandit 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4598
7.5
jsrsasignMultiple Products
Versions of the package jsrsasign before 11
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4602
7.5
jsrsasignMultiple Products
Versions of the package jsrsasign before 11
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4600
7.4
jsrsasignMultiple Products
Versions of the package jsrsasign before 11
CVSS Base7.4
â
CRSSelect profile
CVE-2026-4536
7.3
CloudMultiple Products
A vulnerability was found in Acrel Environmental Monitoring Cloud Platform 1