the watchlist
| CVE | Type | Severity | Status | Do this | Story |
|---|---|---|---|---|---|
| CVE-2026-20230Cisco Unified Communications Manager | Server-side request forgery (SSRF) | — | exploited · KEV | Apply Cisco's fixed Unified Communications Manager release immediately, treating it as an incident-response task rather than routine patching. Until patched, restrict network access to the CUCM administrative and web interfaces, segment voice infrastructure away from sensitive internal services, and monitor the server for anomalous outbound requests that would indicate SSRF abuse. | ↗ |
| CVE-2024-42009Roundcube Webmail | Cross-site scripting (XSS), near-zero interaction | CVSS 9.3 | exploited | Update Roundcube to a fixed release immediately; the patch has existed since 2024 and closes the flaw outright. Put webmail behind SSO with phishing-resistant MFA, enforce a strict content-security policy to blunt XSS, monitor for anomalous or mass mailbox reads, and rotate credentials and session tokens for any account that opened a suspicious message. | ↗ |
| CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813Fortinet FortiSandbox | Auth bypass + OS command injection to unauthenticated RCE | — | exploited | Apply Fortinet's April and June FortiSandbox updates immediately (all three are patched). Keep FortiSandbox management interfaces off the internet, and assume-breach on any appliance that was exposed and unpatched: review for unexpected accounts, tasks, and outbound connections, and rotate every credential the box could reach. | ↗ |
| ShareFile Storage Zone zero-day (CVE pending)Progress ShareFile Storage Zone Controller | Path traversal (arbitrary file read/write, filesystem enumeration) | — | exploited | Apply Progress's new Storage Zone Controller update before bringing any server back online, keep the controller off the public internet, and assume-breach on anything that was exposed: hunt for files written to unexpected directories, unfamiliar accounts, and outbound connections, and rotate every credential the service account could reach. Install February's 5.12.4/v6 updates too if you skipped them. | ↗ |
| CVE-2026-56155 / CVE-2026-56164Microsoft ADFS & SharePoint Server | Elevation of privilege (identity federation; unauthenticated network) | — | exploited | Patch both before anything else in July's Patch Tuesday. If a SharePoint server cannot be updated at once, apply Microsoft's interim mitigation: enable the Antimalware Scan Interface (AMSI) and set Request Body Scan to Full. Review ADFS and SharePoint logs for anomalous privilege elevation during the exposure window. | ↗ |
| CVE-2026-55255Langflow (AI agent orchestration platform) | Cross-tenant IDOR / authorization bypass via user-controlled flow ID | CVSS 6.1 | exploited · KEV | Update to Langflow 1.9.2 or later, then rotate every API key, LLM provider credential and cloud key stored in any flow; audit /api/v1/responses logs for cross-user flow IDs | ↗ |
| CVE-2026-8037Progress Kemp LoadMaster | Command injection → RCE | CVSS 9.6 | exploited | Patch now; take management interfaces off the internet | ↗ |
| CVE-2026-45659Microsoft SharePoint Server (on-prem) | Unsafe deserialization → RCE | CVSS 8.8 | exploited · KEV | Apply the May 2026 patch — every unpatched on-prem server is a target | ↗ |
| CVE-2026-20896Gitea (official Docker images ≤ 1.26.2) | Authentication bypass / account takeover | CVSS 9.8 | was exploited | Upgrade to Gitea 1.26.3 or later immediately; it removes the wildcard trust of the X-WEBAUTH-USER header and makes reverse-proxy auth opt-in. Audit for unexpected admin logins or new tokens, and never expose a self-hosted Git instance to the internet without a hardened proxy. | ↗ |
| CVE-2026-35273Oracle PeopleSoft | Unauthenticated SSRF → RCE | CVSS 9.8 | was exploited · KEV | Apply Oracle's June 10 emergency patch; assume compromise if exposed pre-patch | ↗ |
| CVE-2026-33825Microsoft Defender (BlueHammer) | Race condition → SYSTEM privilege escalation | CVSS 7.8 | was exploited · KEV | Apply the April 14 Patch Tuesday fix; audit for rollback-engine abuse | ↗ |
| CVE-2026-40138 / CVE-2026-40139BeyondTrust Remote Support & Privileged Remote Access | Pre-authentication (unauthenticated exploitation) | CVSS 9.2 | disclosed | Patch all affected Remote Support and Privileged Remote Access instances immediately, prioritizing internet-facing appliances, then restrict management access to trusted networks and review logs for anomalous pre-authentication activity during the exposure window. Rotate any secrets the appliance could have exposed if you find signs of compromise. | ↗ |
| CVE-2026-41106 / CVE-2026-54998Microsoft 365 Copilot & Exchange Online | Cloud privilege escalation (open redirect; incorrect authorization) | — | disclosed | No customer patch: Microsoft fixed both server-side. Review sign-in and audit logs for anomalous M365 Copilot activity and any unexpected elevated or cross-tenant access during the exposure window, and confirm conditional-access policies are tight. | ↗ |
| Zimbra Classic XSSZimbra Collaboration (Classic Web Client) | Stored cross-site scripting to session compromise / RCE risk | — | disclosed | Apply Zimbra's update across all nodes and confirm the Classic Web Client is on the fixed build. Until patched, restrict external access to the Classic client or force users onto the modern interface. After patching, treat the pre-patch window as potentially compromised: rotate sessions and tokens, review admin accounts, and hunt for anomalous mail-forwarding or filter rules and logins from unfamiliar IPs. | ↗ |
| Grok Build CLI repo uploadxAI Grok Build CLI (v0.2.93) | Unauthorized codebase and secrets exfiltration to xAI cloud | — | disclosed | Rotate every credential in any repo you opened with Grok Build, and until xAI publishes an advisory scope agent sessions to a temp directory holding only the files a task needs. | ↗ |
how to read this
exploited means confirmed in-the-wild attacks are happening now — patch out of cycle, today. was exploited means attacks happened before a patch shipped; if you were exposed unpatched, assume compromise and investigate, don't just update. disclosed means details are public but no confirmed exploitation yet — attackers read the same write-ups, so patch on an accelerated cadence.
Curated from our coverage, not an exhaustive CVE database — for completeness use CISA KEV alongside this list. Raw data: JSON · CSV.