Critical vulnerabilities, curated daily for security professionals
SSCV Profile
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality.
Archived Security Brief
Sunday's vulnerability landscape is dominated by ten actively exploited CVEs spanning Microsoft Defender, Trend Micro Apex One, Drupal Core, and a cluster of long-standing Microsoft client-side flaws. No new Critical or High-priority CVEs were disclosed yesterday, matching the prior day's zero Critical count and reflecting a -100% change in High-priority disclosures. Notable exploited issues include CVE-2026-41091 and CVE-2026-45498 in Microsoft Defender, CVE-2026-34926 in Trend Micro Apex One, and CVE-2026-9082 in Drupal Core, all rated CVSS 9.5. Endpoint security platforms and content management systems remain the focal point for attackers, alongside continued opportunistic exploitation of decade-old Microsoft Internet Explorer and DirectX vulnerabilities against unpatched environments. With zero new disclosures requiring triage, defenders should redirect capacity toward verifying patch coverage on the exploited products listed below.
Microsoft Defender and Trend Micro Apex One headline active exploitation, signaling attacker focus on endpoint security tooling itself
Zero new Critical CVEs disclosed (unchanged from prior day)
Zero new High-priority CVEs disclosed (-100% from prior day's 6)
Exploitation patterns span modern enterprise security products (Defender, Apex One, Langflow) and legacy Microsoft client software (IE, DirectX, Windows)
Patch availability for newly disclosed CVEs is 0% because no new CVEs were published; patches exist for all 10 actively exploited items
10 CVEs on the actively exploited list, including CVE-2026-9082 (Drupal Core) and CVE-2025-34291 (Langflow)
Immediate action: Prioritize patch verification on Microsoft Defender (CVE-2026-41091, CVE-2026-45498), Trend Micro Apex One (CVE-2026-34926), Drupal Core (CVE-2026-9082), and Langflow (CVE-2025-34291), since these are confirmed under active exploitation. Vendor patches are available for all ten exploited CVEs, so today's effort should focus on coverage gap analysis and confirming deployment across endpoint security and public-facing web stacks.
CISA Known Exploited Vulnerabilities
CISA KEV URGENT
CVE-2026-9082
9.5
Drupal Core
Federal Deadline: May 26, 2026 (3 days remaining)
Drupal Core SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2008-4250
9.5 Late Disclosure
Microsoft Windows
Federal Deadline: June 2, 2026 (10 days remaining)
Microsoft Windows Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2009-1537
9.5 Late Disclosure
Microsoft DirectX
Federal Deadline: June 2, 2026 (10 days remaining)
Microsoft DirectX NULL Byte Overwrite Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2009-3459
9.5 Late Disclosure
Adobe Acrobat and Reader
Federal Deadline: June 2, 2026 (10 days remaining)
Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2010-0249
9.5 Late Disclosure
Microsoft Internet Explorer
Federal Deadline: June 2, 2026 (10 days remaining)
Microsoft Internet Explorer Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2010-0806
9.5 Late Disclosure
Microsoft Internet Explorer
Federal Deadline: June 2, 2026 (10 days remaining)
Microsoft Internet Explorer Use-After-Free Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2026-41091
9.5
Microsoft Defender
Federal Deadline: June 2, 2026 (10 days remaining)
Microsoft Defender Link Following Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2026-45498
9.5
Microsoft Defender
Federal Deadline: June 2, 2026 (10 days remaining)
Microsoft Defender Denial of Service Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2025-34291
9.5
Langflow Langflow
Federal Deadline: June 3, 2026 (11 days remaining)
Langflow Origin Validation Error Vulnerability - Active in CISA KEV catalog.
CVSS Base 9.5
CISA KEV
CVE-2026-34926
9.5
Trend Micro Apex One
Federal Deadline: June 3, 2026 (11 days remaining)
Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability - Active in CISA KEV catalog.