Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Sunday's disclosures are dominated by 17 actively exploited vulnerabilities targeting Microsoft Windows, Office, Apple OS, and Google Chromium, all carrying CVSS 9.5 scores. No new critical CVEs were disclosed, a sharp drop from the prior day's 24, while high-priority vulnerabilities fell 64% to 35. Notable KEV entries include CVE-2026-21513 and CVE-2026-21525 affecting Microsoft Windows, CVE-2026-20700 targeting Apple OS, and CVE-2026-2441 in Google Chromium. Attack patterns center on remote code execution and privilege escalation across enterprise operating systems, productivity suites, and collaboration platforms including Roundcube Webmail and Zimbra. No patches are currently available for the disclosed vulnerabilities, requiring defenders to prioritize compensating controls and monitoring.
17 actively exploited vulnerabilities confirmed across Microsoft Windows, Apple OS, Google Chromium, and Roundcube Webmail â all rated CVSS 9.5
Critical CVE count dropped to 0, down 100% from the prior day's 24 disclosures
Remote code execution and privilege escalation patterns dominate across enterprise OS platforms, email clients (Roundcube, Zimbra), and collaboration tools (GitLab)
Patch availability stands at 0% â no vendor fixes currently released for today's disclosed vulnerabilities
Legacy CVEs resurfacing in KEV list include CVE-2008-0015 (Microsoft Windows) and CVE-2020-7796 (Zimbra Collaboration Suite)
Immediate action: Prioritize compensating controls for Microsoft Windows, Apple OS, and Google Chromium environments where active exploitation is confirmed but patches are unavailable. Review network segmentation and access restrictions for Roundcube Webmail, Zimbra, and GitLab instances given confirmed exploitation of CVE-2025-49113, CVE-2020-7796, and CVE-2021-22175. Monitor vendor security advisories closely for forthcoming patch releases and apply them immediately upon availability.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-21513
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(2 days remaining)
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21525
9.5
MicrosoftWindows
â° Federal Deadline:March 2, 2026(2 days remaining)
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21510
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(2 days remaining)
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21533
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(2 days remaining)
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21519
9.5đ
MicrosoftWindows
â° Federal Deadline:March 2, 2026(2 days remaining)
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-21514
9.5đ
MicrosoftOffice
â° Federal Deadline:March 2, 2026(2 days remaining)
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-20700
9.5đ
AppleApple OS
â° Federal Deadline:March 4, 2026(4 days remaining)
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-43468
9.5đ Late Disclosure
MicrosoftConfiguration Manager
â° Federal Deadline:March 4, 2026(4 days remaining)
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-15556
9.5
Notepad++Notepad++
â° Federal Deadline:March 4, 2026(4 days remaining)
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2020-7796
9.5đ Late Disclosure
SynacorZimbra Collaboration Suite
â° Federal Deadline:March 9, 2026(9 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-7694
9.5đ Late Disclosure
TeamT5ThreatSonar Anti-Ransomware
â° Federal Deadline:March 9, 2026(9 days remaining)
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2008-0015
9.5đ Late Disclosure
MicrosoftWindows
â° Federal Deadline:March 9, 2026(9 days remaining)
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-2441
9.5đ
GoogleChromium
â° Federal Deadline:March 9, 2026(9 days remaining)
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2021-22175
9.5đ Late Disclosure
GitLabGitLab
â° Federal Deadline:March 10, 2026(10 days remaining)
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-49113
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(12 days remaining)
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-68461
9.5
RoundcubeWebmail
â° Federal Deadline:March 12, 2026(12 days remaining)
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-25108
9.5đ
Soliton Systems K.KFileZen
â° Federal Deadline:March 16, 2026(16 days remaining)
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
CVSS Base9.5
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2019-25490
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25491
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25492
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25493
8.2đ Late Disclosure
HPendpoint with
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2471
7.5đ
WordPressis vulnerable
The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection, which could allow for remote code execution.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-28562
8.2đ
WordPressdatabase
The wpForo 2 forum plugin for WordPress contains a high-severity vulnerability that could lead to unauthorized database access or system compromise.
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27836
7.5đ
HPphpMyFAQ
phpMyFAQ, an open-source FAQ web application, is affected by a high-severity vulnerability that could allow for unauthorized system interaction.
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25489
8.2đđ Late Disclosure
InforHomey BNB
Homey BNB V4 contains an unauthenticated SQL injection vulnerability in the 'hosting_id' parameter, allowing for unauthorized database query manipulation.
CVSS Base8.2
â
CRSSelect profile
CVE-2025-13673
7.5đ
WordPressis vulnerable
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter, potentially allowing for unauthorized database access.
CVSS Base7.5
â
CRSSelect profile
CVE-2019-25495
8.2đ Late Disclosure
HPwith malicious
osCommerce 2
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25496
8.2đ Late Disclosure
HPrequests and
osCommerce 2
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25497
8.2đ Late Disclosure
HPwith malicious
osCommerce 2
CVSS Base8.2
â
CRSSelect profile
CVE-2026-28402
7.1đ
LGcore-rs-albatross
A security vulnerability exists in the Nimiq Proof-of-Stake protocol implementation within the Albatross consensus algorithm, potentially impacting network stability or integrity.
CVSS Base7.1
â
CRSSelect profile
CVE-2026-28400
7.5đ
DockerModel Runner
Docker Model Runner (DMR), used for managing AI models, contains a high-severity vulnerability that could lead to unauthorized access or model manipulation.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-28406
8.2đ
KubernetesKaniko
A high-severity vulnerability in Kaniko, a container image builder, could allow attackers to compromise build environments within Kubernetes clusters.
CVSS Base8.2
â
CRSSelect profile
CVE-2026-25147
7.1đ
HPOpenEMR
OpenEMR, an open-source medical practice management application, contains a security vulnerability that could lead to unauthorized access or data compromise.
CVSS Base7.1
â
CRSSelect profile
CVE-2026-28416
8.2đ
GradioGradio
A high-severity security vulnerability has been identified in Gradio, an open-source Python package used for rapid prototyping of machine learning models.
CVSS Base8.2
â
CRSSelect profile
CVE-2026-3376
8.8
TendaF453
A security vulnerability has been detected in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3377
8.8
TendaF453
A vulnerability was detected in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3378
8.8
TendaF453
A flaw has been found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3379
8.8
TendaF453
A vulnerability has been found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3380
8.8
TendaF453
A vulnerability was found in Tenda F453 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-28414
7.5đ
GradioGradio
A security vulnerability in the Gradio Python package could allow attackers to compromise applications built for rapid machine learning prototyping.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-2751
8.3đ
LinuxService Dependencies Management Component
A Blind SQL Injection vulnerability exists in the Service Dependencies deletion function due to the failure to sanitize array keys.
CVSS Base8.3
â
CRSSelect profile
CVE-2019-25494
8.2đ Late Disclosure
administrationMultiple Products
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27939
8.8đ
StatamicStatamic CMS
Statamic CMS, a Laravel and Git-powered content management system, contains a high-severity vulnerability that could allow for unauthorized system manipulation.
CVSS Base8.8
â
CRSSelect profile
CVE-2025-69437
8.7đ
PublicCMSPublicCMS
PublicCMS v5 is affected by a high-severity security vulnerability that could lead to unauthorized system access or data compromise.
CVSS Base8.7
â
CRSSelect profile
CVE-2026-28426
8.7
svgMultiple Products
Statmatic is a Laravel and Git powered content management system (CMS)
CVSS Base8.7
â
CRSSelect profile
CVE-2026-26861
8.3
SDKMultiple Products
CleverTap Web SDK version 1
CVSS Base8.3
â
CRSSelect profile
CVE-2026-26862
8.3
SDKMultiple Products
CleverTap Web SDK version 1
CVSS Base8.3
â
CRSSelect profile
CVE-2026-28272
8.1
KiteworksMultiple Products
Kiteworks is a private data network (PDN)
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28425
8đ
StatamicStatamic CMS
Statamic CMS, built on Laravel and Git, is vulnerable to a high-severity security flaw that could compromise the integrity of the content management system.
CVSS Base8
â
CRSSelect profile
CVE-2025-10990
7.5đ
REXML ProjectREXML
A high-severity flaw was identified in the REXML library, a Ruby-based XML toolkit, which could lead to service disruption or data exposure.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-27707
7.3
discoveryMultiple Products
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby
CVSS Base7.3
â
CRSSelect profile
CVE-2026-27757
7.1
versionsMultiple Products
SODOLA SL902-SWTGW124AS firmware versions through 200