VULNERABILITY TRACKER

A security researcher revealed three critical Windows kernel zero‑days—YellowKey, GreenPlasma, and MiniPlasma—shortly after Microsoft’s latest Patch Tuesday, raising urgent remediation concerns for any organization relyi…

Drupal will release an emergency core security update on May 20 2026 for all supported branches. The undisclosed flaw could be weaponised within hours, putting government, education, media, and enterprise sites at risk. …

Four newly disclosed CVEs in the OpenClaw AI‑agent platform let attackers move from an initial foothold to persistent system control, stealing credentials and planting backdoors. The flaws have been patched, but unpatche…

Verizon’s 2026 DBIR, with Qualys data, reveals a reversal in remediation performance: 35% of known‑exploited vulnerabilities remain open after 28 days, and a long‑tail 9% (≈ 47 M) stay unresolved. The trend highlights a …

Researchers at Pwn2Own Berlin 2026 demonstrated 47 zero‑day vulnerabilities in major enterprise SaaS, cloud, and AI platforms, earning $1.3 million in payouts. The findings expose unknown risk to vendors and their custom…

Cisco Talos uncovered eight severe vulnerabilities in TP‑Link’s Archer AX53 router plus new bugs in Adobe Photoshop, OpenVPN, and Norton VPN. All patches are live except the Norton issue, creating immediate third‑party r…

Microsoft disclosed 1,273 vulnerabilities for 2025, but critical flaws surged from 78 to 157, with elevation‑of‑privilege bugs now accounting for 40 % of all CVEs. The spike in Azure and Dynamics 365 critical issues rais…

A buffer‑overflow in PAN‑OS’s User‑ID Authentication Portal (CVE‑2026‑0300) enables unauthenticated remote code execution with root privileges on Siemens RUGGEDCOM APE1808 devices. The flaw poses a high‑severity supply‑c…

Four high‑severity CVEs in ScadaBR 1.2.0 enable unauthenticated remote code execution, OS command injection, CSRF, and hard‑coded credentials. The flaws affect SCADA systems used in energy, water, and manufacturing, crea…

A critical authentication‑bypass flaw (CVE‑2026‑8598) in ZKTeco SSC335‑GC2063‑Face‑0b77 cameras allows unauthenticated retrieval of device configuration and clear‑text account passwords. The issue affects deployments wor…

ABB disclosed a path‑traversal vulnerability (CVE‑2025‑3465) affecting CoreSense HM and M10 controllers. The flaw permits unauthenticated file‑system access, risking full device takeover and exposure of sensitive operati…

A reflected XSS flaw (CVE‑2026‑4293) affects multiple Kieback & Peter DDC building‑automation controllers, allowing attackers to execute arbitrary JavaScript in a victim’s browser. The vulnerability spans firmware across…

Drupal will release an emergency core security patch on May 20 2026 for all supported versions, addressing several high‑severity CVEs that could be exploited within hours. Organizations relying on Drupal‑based sites must…

Threat actors are actively exploiting the Nginx Rift vulnerability (CVE‑2024‑XXXX) to crash NGINX and F5 BIG‑IP/NGINX PLUS appliances, causing denial‑of‑service conditions. The issue impacts any organization that relies …

Quarkslab researchers uncovered that many GPON Optical Line Terminals expose unauthenticated management interfaces, allowing attackers to pivot to cloud fleet managers and seize control of entire ISP infrastructures. The…

A critical cross‑site scripting vulnerability (CVE‑2026‑42897) in Microsoft Exchange Server is being weaponised in the wild, and Microsoft has not yet released a fix. The flaw enables attackers to hijack Outlook Web Acce…

OpenClaw, a fast‑growing AI‑agent framework, contained a series of chained vulnerabilities that could be used to steal credentials, elevate privileges, and maintain persistence. The issues have been patched, but any unpa…

Researchers disclosed several high‑severity NGINX vulnerabilities that enable unauthenticated remote code execution when ASLR is disabled. Exploits are publicly available and CVE‑2026‑42945 has been observed in the wild,…

A memory‑corruption flaw in NGINX (CVE‑2026‑42945) allows unauthenticated attackers to trigger RCE or denial‑of‑service via a crafted HTTP request. The vulnerability affects both open‑source and commercial NGINX releases…

A newly disclosed zero‑day, YellowKey, can defeat default BitLocker encryption on Windows 11 when an attacker briefly accesses the device, exposing any data stored on the volume. Organizations relying on BitLocker for da…

A wave of high‑severity vulnerabilities—including a CVSS 9.6 remote code execution in Ivanti Xtraction—has been disclosed across five major vendors. Exploits are already circulating, putting enterprises that rely on thes…

A new Windows zero‑day, dubbed MiniPlasma, exploits the cldflt.sys Cloud Files driver to grant attackers SYSTEM privileges on fully patched Windows 10/11 and Server installations. The flaw poses a high‑impact risk for an…

A previously reported Windows privilege‑escalation bug (CVE‑2020‑17103) remains exploitable on fully patched Windows 10 and Windows 11 machines. Public PoC demonstrates reliable SYSTEM‑level code execution, posing a high…

A publicly released proof‑of‑concept exploit for the DirtyDecrypt (CVE‑2026‑31635) Linux kernel privilege‑escalation flaw enables attackers to obtain root on systems with the rxgk module enabled. The issue impacts major …

A critical heap‑buffer overflow (CVE‑2026‑42945) affecting NGINX Plus and Open Source is being actively exploited. The flaw resides in the rewrite module and can cause crashes or remote code execution under specific conf…