VULNERABILITY TRACKER

Fortinet disclosed that its FortiClient EMS 7.4.5/7.4.6 contains a critical improper‑access‑control vulnerability (CVE‑2026‑35616) that is being exploited in the wild. The flaw permits unauthenticated attackers to execut…

Fortinet FortiClientEMS versions 7.4.5‑7.4.6 contain an unauthenticated code‑execution flaw (CVE‑2026‑35616) that is already being exploited. The vulnerability threatens any organization that relies on FortiClientEMS to …

A critical updater flaw in TrueConf (CVE‑2026‑3502) is being weaponised by a Chinese‑state‑aligned campaign targeting government and critical‑infrastructure networks. CISA has ordered all federal agencies to patch the is…

Apple released an emergency iOS 18 update that closes a zero‑day flaw exploited by the DarkSword framework, which could give attackers full control of iPhones and iPads. Organizations with iOS devices must patch immediat…

Cisco has patched a critical authentication bypass in its Integrated Management Controller (IMC) that lets unauthenticated attackers reset any user password, including the admin account. The flaw affects a wide range of …

A remote‑code‑execution flaw in Next.js (CVE‑2025‑55182) is being actively exploited to steal database passwords, SSH keys, AWS secrets, Stripe API keys, and GitHub tokens from at least 766 web applications. The breach c…

Google confirmed an actively exploited zero‑day in Chrome (CVE‑2026‑5281) that enables remote code execution, prompting emergency patches for 21 vulnerabilities. The flaw affects any organization using Chrome, raising ur…

Progress ShareFile versions before 5.12.4 contain two chained flaws (CVE‑2026‑2699, CVE‑2026‑2701) that let attackers bypass authentication and upload malicious ASPX web‑shells, achieving remote code execution. The issue…

Cisco released patches for two critical (CVSS 9.8) and six high‑severity flaws in its Integrated Management Controller and SSM On‑Prem. The vulnerabilities enable unauthenticated attackers to bypass authentication, execu…

Apple has rolled out a rare emergency update for iOS 18 to fix the DarkSword zero‑day vulnerability that could allow remote code execution on up to 270 million iPhones. The patch is critical for organizations with BYOD p…

Cisco has patched a CVE‑2026‑20093 flaw in its Integrated Management Controller that enables unauthenticated attackers to bypass authentication and gain elevated privileges. The 9.8‑score vulnerability puts data‑center a…

Cisco disclosed several vulnerabilities across its on‑prem management suite and Integrated Management Controller that could enable arbitrary code execution, risking full compromise of network and data‑center appliances. …

A path‑traversal vulnerability (CVE‑2025‑30208) in the open‑source frontend build tool Vite is being actively exploited against publicly exposed instances. The flaw enables attackers to read arbitrary files and inject ma…

OpenSSH 10.3 addresses five security flaws—including a shell‑injection via usernames and certificate‑principal mismatches—and drops legacy rekeying support, potentially breaking older SSH clients. Organizations must veri…

Apple broadened its iOS 18.7.7 update to patch the six‑vulnerability DarkSword exploit chain, covering older iPhone and iPad models that were left on vulnerable iOS 18 builds. The move mitigates a remote‑code‑execution t…

Researchers uncovered a chained authentication‑bypass and remote‑code‑execution vulnerability in Progress ShareFile’s Storage Zones Controller, affecting roughly 30 000 publicly exposed instances. The flaws allow unauthe…

CISA has placed TrueConf Client CVE‑2026‑3502 in its Known Exploited Vulnerabilities catalog after confirming active attacks. The flaw lets malicious actors download and run unsigned code, creating a supply‑chain risk fo…

A hard‑coded credential in Yokogawa CENTUM VP (CVE‑2025‑7741) permits an attacker who already reaches the HIS screen to log in as the PROG user and, if permissions are elevated, modify control‑system settings. The flaw a…

A Java deserialization vulnerability (CVE‑2025‑10492) in the JasperReports library bundled with Hitachi Energy Ellipse (≤ 9.0.50) allows unauthenticated remote code execution. The flaw impacts global deployments in criti…

Two CVEs in Siemens SICAM 8 firmware enable remote resource exhaustion, causing denial‑of‑service. The flaws affect CPCI85, RTUM85, and SICORE components used worldwide in critical manufacturing. TPRM teams must verify v…

Apple is back‑porting critical security fixes to iOS 18 devices after the DarkSword exploit kit began targeting legacy iPhones and iPads. The move expands protection for users who have not upgraded to iOS 26, reducing th…

Cisco has disclosed CVE‑2026‑20093, a critical authentication bypass in its Integrated Management Controller that allows unauthenticated attackers to obtain admin rights on UCS servers. The flaw affects out‑of‑band manag…

Shadowserver reports more than 14 k internet‑exposed BIG‑IP APM devices vulnerable to CVE‑2025‑53521, a critical RCE that is actively being exploited. Organizations using F5’s access management platform must patch immedi…

A critical local privilege escalation (CVE‑2026‑3775) has been disclosed in Foxit PDF Reader's Update Service. The flaw lets a low‑privileged attacker load a malicious library and gain SYSTEM rights, posing a serious ris…

A type‑confusion vulnerability (CVE‑2026‑4698) in Mozilla Firefox’s IonMonkey JavaScript engine allows remote attackers to execute arbitrary code after a user visits a malicious page or opens a crafted file. The flaw pos…