KEV 2026
71 CISA Known Exploited Vulnerabilities from 2026

Critical 29

June 2026
Ivanti Sentry — Pre-Auth OS Command Injection via Unauthenticated MICS Configuration Endpoint
CVSS 10
Oracle PeopleSoft Enterprise PeopleTools — Pre-Auth SSRF/RCE via Unauthenticated PSEMHUB Endpoint, Exploited by ShinyHunters
CVSS 9.8
Mirasvit Full Page Cache Warmer for Magento — Unauthenticated RCE via PHP Object Injection in CacheWarmer Cookie
CVSS 9.8
Check Point Security Gateway — IKEv1 Auth Bypass Allows Unauthenticated VPN Access; Actively Exploited by Qilin Ransomware
CVSS 9.3

May 2026
Cisco Catalyst SD-WAN — Unauthenticated Remote Auth Bypass via vdaemon DTLS vHub Device-Type Confusion
CVSS 10
Nx Console VS Code Extension — Supply-Chain Credential Stealer via TanStack-Linked Developer Compromise
CVSS 9.8
DAEMON Tools Lite — Trojanized Official Installer Delivers .NET Infostealer and Selective Backdoor via Compromised Build Infrastructure
CVSS 9.8
LiteSpeed User-End cPanel Plugin — Any cPanel User Can Execute Arbitrary Scripts as Root via Unguarded lsws.redisAble API Endpoint
CVSS 9.8
BerriAI LiteLLM — Pre-Auth SQL Injection via Unsanitized Bearer Token in Authentication Path
CVSS 9.8
TanStack npm Packages — Self-Propagating Supply-Chain Worm via GitHub Actions Cache Poisoning and OIDC Token Extraction
CVSS 9.6
Palo Alto Networks PAN-OS — Unauthenticated RCE via Out-of-bounds Write in Authentication Portal
CVSS 9.3
Palo Alto Networks PAN-OS GlobalProtect — Pre-Auth VPN Bypass via Forged Authentication Override Cookie
CVSS 9.1

April 2026
WebPros cPanel & WHM — Pre-Auth CRLF Injection Grants Unauthenticated Root WHM Access
CVSS 9.8
Marimo — Pre-Auth RCE via Unauthenticated Terminal WebSocket
CVSS 9.8
Fortinet FortiClient EMS — Pre-Auth SQL Injection via Site HTTP Header
CVSS 9.8
Ivanti Endpoint Manager Mobile (EPMM) — Pre-Auth Remote Code Execution via Android File Transfer URL Injection
CVSS 9.8
Fortinet FortiClient EMS — Pre-Authentication Remote Code Execution
CVSS 9.8

March 2026
Cisco Secure Firewall Management Center (FMC) — Unauthenticated Remote Code Execution via Java Deserialization
CVSS 10
Citrix NetScaler ADC & Gateway — Memory Overread via Insufficient Input Validation (SAML IDP)
CVSS 9.8
Langflow — Unauthenticated Remote Code Execution via Public Flow Build Endpoint
CVSS 9.8
Microsoft SharePoint Server — Remote Code Execution via Deserialization of Untrusted Data
CVSS 9.8

February 2026
Cisco Catalyst SD-WAN — CVSS 10.0 Peering Authentication Bypass Enabling Fabric-Wide NETCONF Access, Exploited by UAT-8616 Since 2023
CVSS 10
Dell RP4VMs — Hard-coded Tomcat admin credentials allow unauthenticated root access; exploited by PRC-nexus UNC6201
CVSS 10
BeyondTrust RS/PRA — Unauthenticated Remote Code Execution via WebSocket Bash Arithmetic Injection
CVSS 9.8
SmarterMail — Unauthenticated ConnectToHub API enables OS command execution via malicious server redirect
CVSS 9.8

January 2026
Ivanti EPMM — Pre-Auth Remote Code Execution via App Store URL Bash Injection
CVSS 9.8
Fortinet FortiCloud SSO — Cross-tenant authentication bypass lets attackers log into other customers' devices
CVSS 9.8
SmarterMail — Unauthenticated admin password reset via IsSysAdmin bypass; exploited within 2 days of patch
CVSS 9.8
GNU InetUtils telnetd — 11-year-old USER variable injection grants instant unauthenticated root shell
CVSS 9.8

High 31

June 2026
Google Chrome — Fifth 2026 V8 Zero-Day; TurboFan JIT OOB Enables In-Sandbox RCE
CVSS 8.8
BerriAI LiteLLM — MCP Test Endpoint Command Injection; Chains with Starlette Auth Bypass for Fully Unauthenticated RCE on AI Gateways
CVSS 8.8
LiteSpeed cPanel Plugin — Symlink Following Privilege Escalation on Shared Hosting
CVSS 8.5
Cisco Catalyst SD-WAN Manager — Authenticated Local CLI Input Escaping Flaw Allows Root Command Execution; Chained with Auth Bypass Zero-Days
CVSS 7.8
SolarWinds Serv-U — Unauthenticated deflate Header DoS Crashes File Transfer Service; ~12,000 Servers Exposed
CVSS 7.5

May 2026
Microsoft Exchange Server OWA — Stored XSS via Crafted Email Enables Session Hijacking and Account Takeover
CVSS 8.1
Microsoft Defender Malware Protection Engine — Low-Privilege Symlink Following Escalates to SYSTEM; Linked to BlueHammer Exploit Chain (CVE-2026-33825); May 2026 Patch Tuesday
CVSS 7.8
Linux Kernel 'Copy Fail' — algif_aead Page Cache Write for Local Privilege Escalation
CVSS 7.8
Ivanti EPMM — Authenticated Admin RCE Chained from CVE-2026-1340 Credential Theft
CVSS 7.2

April 2026
Apache ActiveMQ Classic — Authenticated RCE via Jolokia JMX-HTTP Bridge (13-Year-Old Flaw, AI-Discovered)
CVSS 8.8
Google Dawn — Use-After-Free Vulnerability in Graphics Rendering
CVSS 8.8
Adobe Acrobat & Reader — Zero-Day JavaScript Prototype Pollution Leading to Arbitrary Code Execution
CVSS 8.6
Microsoft Defender — BlueHammer TOCTOU Race Condition Enabling Local Privilege Escalation to SYSTEM
CVSS 7.8
TrueConf Client — Arbitrary Code Execution via Insecure Update Mechanism ("TrueChaos")
CVSS 7.8
Cisco Catalyst SD-WAN Manager — DCA Credential Exposure via Accessible Filesystem Enabling Privilege Escalation
CVSS 7.5

March 2026
Aquasecurity Trivy — Supply Chain Compromise via Embedded Malicious Code
CVSS 8.8
Google Skia — Out-of-Bounds Write via Crafted HTML Page
CVSS 8.8
Google Chromium V8 — Arbitrary Code Execution via Inappropriate Implementation
CVSS 8.8
Ivanti EPM — Unauthenticated Credential Vault Access via Magic Number Header Bypass
CVSS 8.6
Broadcom VMware Aria Operations — Pre-Auth Command Injection During Support-Assisted Migration Workflow
CVSS 8.1
Qualcomm Multiple Chipsets — Memory Corruption via Integer Overflow in Memory Allocation
CVSS 7.8

February 2026
Soliton FileZen — Authenticated OS Command Injection via Antivirus Check Handler
CVSS 8.8
Google Chrome / Chromium — CSS Use-After-Free Enabling Renderer Code Execution (First 2026 Chrome Zero-Day)
CVSS 8.8
Microsoft Windows Shell — SmartScreen Bypass via Malicious LNK Files (Network-Delivered)
CVSS 8.8
Microsoft MSHTML — APT28-Exploited Mark-of-the-Web Bypass via Malicious LNK Files
CVSS 8.8
Apple dyld — Memory Corruption in Dynamic Linker Enabling Code Execution (Google TAG Spyware Chain)
CVSS 7.8
Microsoft Office Word — OLE Security Bypass Exploited by MuddyWater (Operation Olalampo)
CVSS 7.8
Microsoft Windows DWM — Type Confusion Enabling Local Privilege Escalation to SYSTEM
CVSS 7.8
Microsoft Windows Remote Desktop Services — TermService Registry LPE to SYSTEM
CVSS 7.8

January 2026

Medium 11

June 2026
Cisco Catalyst SD-WAN Manager — Arbitrary File Write via Path Traversal Leading to Root
CVSS 6.5
Arista EOS — ASIC-Level Tunnel Protocol Confusion Enables Network Segmentation Bypass; No Patch Planned
CVSS 5.8

May 2026
Trend Micro Apex One — Local Admin Path Traversal Overwrites Agent Key Table to Inject Code Distributed to All Managed Endpoints; Active Exploitation Confirmed May 2026
CVSS 6.7
Drupal Core — Unauthenticated SQL Injection via PostgreSQL EntityQuery Array Key Injection Enables Privilege Escalation and RCE; Fixed 11.3.10 / 10.6.9; 15,000+ Attacks Within Days
CVSS 6.5
Microsoft Defender Antimalware Platform — Crafted Payload Crashes Scan Engine Creating Detection Blind Spot; Chained with CVE-2026-41091 LPE; May 2026 Patch Tuesday
CVSS 4

April 2026
Cisco Catalyst SD-WAN Manager — Unauthenticated API Information Disclosure as First Step in SD-WAN Attack Chain
CVSS 6.5
Microsoft SharePoint Server — Network Spoofing via Improper Input Validation (April 2026 Zero-Day)
CVSS 6.5
Cisco Catalyst SD-WAN Manager — Authenticated API File Overwrite Enabling vManage Privilege Escalation
CVSS 5.4
Microsoft Windows Shell — NTLM Credential Coercion via Malicious LNK Files (Incomplete APT28 Patch)
CVSS 4.3