46 CISA Known Exploited Vulnerabilities from 2026
Cisco Secure Firewall Management Center (FMC) — Unauthenticated Remote Code Execution via Java Deserialization (CVSS 10)
Cisco Catalyst SD-WAN — CVSS 10.0 Peering Authentication Bypass Enabling Fabric-Wide NETCONF Access, Exploited by UAT-8616 Since 2023 (CVSS 10)
Dell RecoverPoint for Virtual Machines (RP4VMs) — Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability (CVSS 10)
WebPros cPanel & WHM — Pre-Auth CRLF Injection Grants Unauthenticated Root WHM Access (CVSS 9.8)
Marimo — Pre-Auth RCE via Unauthenticated Terminal WebSocket (CVSS 9.8)
Fortinet FortiClient EMS — Pre-Auth SQL Injection via Site HTTP Header (CVSS 9.8)
Ivanti Endpoint Manager Mobile (EPMM) — Pre-Auth Remote Code Execution via Android File Transfer URL Injection (CVSS 9.8)
Fortinet FortiClient EMS — Pre-Authentication Remote Code Execution (CVSS 9.8)
Citrix NetScaler ADC & Gateway — Memory Overread via Insufficient Input Validation (SAML IDP) (CVSS 9.8)
Langflow — Unauthenticated Remote Code Execution via Public Flow Build Endpoint (CVSS 9.8)
Microsoft SharePoint Server — Remote Code Execution via Deserialization of Untrusted Data (CVSS 9.8)
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) — BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability (CVSS 9.8)
SmarterTools SmarterMail — SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability (CVSS 9.8)
Ivanti EPMM — Pre-Auth Remote Code Execution via App Store URL Bash Injection (CVSS 9.8)
Fortinet Multiple Products — Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability (CVSS 9.8)
SmarterTools SmarterMail — SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability (CVSS 9.8)
GNU InetUtils — GNU InetUtils Argument Injection Vulnerability (CVSS 9.8)
Apache ActiveMQ Classic — Authenticated RCE via Jolokia JMX-HTTP Bridge (13-Year-Old Flaw, AI-Discovered) (CVSS 8.8)
Google Dawn — Use-After-Free Vulnerability in Graphics Rendering (CVSS 8.8)
Aquasecurity Trivy — Supply Chain Compromise via Embedded Malicious Code (CVSS 8.8)
Google Skia — Out-of-Bounds Write via Crafted HTML Page (CVSS 8.8)
Google Chromium V8 — Arbitrary Code Execution via Inappropriate Implementation (CVSS 8.8)
Soliton Systems K.K FileZen — Soliton Systems K.K FileZen OS Command Injection Vulnerability (CVSS 8.8)
Google Chromium — Google Chromium CSS Use-After-Free Vulnerability (CVSS 8.8)
Microsoft Windows — Microsoft Windows Shell Protection Mechanism Failure Vulnerability (CVSS 8.8)
Microsoft Windows — Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability (CVSS 8.8)
Adobe Acrobat & Reader — Zero-Day JavaScript Prototype Pollution Leading to Arbitrary Code Execution (CVSS 8.6)
Ivanti EPM — Unauthenticated Credential Vault Access via Magic Number Header Bypass (CVSS 8.6)
Cisco Unified Communications Manager — Cisco Unified Communications Products Code Injection Vulnerability (CVSS 8.2)
Broadcom VMware Aria Operations — Broadcom VMware Aria Operations Command Injection Vulnerability (CVSS 8.1)
Linux Kernel 'Copy Fail' — algif_aead Page Cache Write for Local Privilege Escalation (CVSS 7.8)
Microsoft Defender — BlueHammer TOCTOU Race Condition Enabling Local Privilege Escalation to SYSTEM (CVSS 7.8)
TrueConf Client — Arbitrary Code Execution via Insecure Update Mechanism ("TrueChaos") (CVSS 7.8)
Qualcomm Multiple Chipsets — Memory Corruption via Integer Overflow in Memory Allocation (CVSS 7.8)
Apple Multiple Products — Apple Multiple Buffer Overflow Vulnerability (CVSS 7.8)
Microsoft Office — Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Type Confusion Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Improper Privilege Management Vulnerability (CVSS 7.8)
Microsoft Office — Microsoft Office Security Feature Bypass Vulnerability (CVSS 7.8)
Cisco Catalyst SD-WAN Manager — DCA Credential Exposure via Accessible Filesystem Enabling Privilege Escalation (CVSS 7.5)
Cisco Catalyst SD-WAN Manager — Unauthenticated API Information Disclosure as First Step in SD-WAN Attack Chain (CVSS 6.5)
Microsoft SharePoint Server — Network Spoofing via Improper Input Validation (April 2026 Zero-Day) (CVSS 6.5)
Microsoft Windows — Microsoft Windows NULL Pointer Dereference Vulnerability (CVSS 6.2)
Microsoft Windows — Microsoft Windows Information Disclosure Vulnerability (CVSS 5.5)
Cisco Catalyst SD-WAN Manager — Authenticated API File Overwrite Enabling vManage Privilege Escalation (CVSS 5.4)
Microsoft Windows Shell — NTLM Credential Coercion via Malicious LNK Files (Incomplete APT28 Patch) (CVSS 4.3)