Threat Intel · Updated Hourly

Live cybersecurity intel, straight from the sources we trust.

Actively exploited vulnerabilities (CISA KEV), recently disclosed CVEs (NVD), and the cybersecurity newsroom — all in one place. We refresh on the hour so what you see is what's hitting the wire.


CISA Known Exploited Vulnerabilities

What's being actively exploited right now

Every CVE below is on CISA's KEV catalog — meaning attackers are using it in the wild, today. Filter to the categories your stack actually runs.

CVE-2026-10520 Actively exploited
Ivanti Sentry OS Command Injection Vulnerability
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfull…
Ivanti · Sentry Added Jun 11, 2026
endpoint vpn remote
CVE-2026-50751 Actively exploited
Check Point Security Gateway Improper Authentication Vulnerability
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection w…
Check Point · Security Gateway Added Jun 8, 2026 Ransomware
network vpn remote
CVE-2026-0257 Actively exploited
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
Palo Alto Networks · PAN-OS Added May 29, 2026
network vpn remote
CVE-2026-6973 Actively exploited
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
Ivanti · Endpoint Manager Mobile (EPMM) Added May 7, 2026
endpoint vpn remote
CVE-2026-0300 Actively exploited
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges o…
Palo Alto Networks · PAN-OS Added May 6, 2026
network vpn remote
CVE-2026-21643 Actively exploited
Fortinet FortiClient EMS SQL Injection Vulnerability
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Fortinet · FortiClient EMS Added Apr 13, 2026
network vpn remote
CVE-2026-1340 Actively exploited
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Ivanti · Endpoint Manager Mobile (EPMM) Added Apr 8, 2026
endpoint vpn remote
CVE-2026-35616 Actively exploited
Fortinet FortiClient EMS Improper Access Control Vulnerability
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Fortinet · FortiClient EMS Added Apr 6, 2026
network vpn remote
CVE-2026-3055 Actively exploited
Citrix NetScaler Out-of-Bounds Read Vulnerability
Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds read vulnerability when configured as a SAML IDP leading to memory overread.
Citrix · NetScaler Added Mar 30, 2026
enterprise vpn remote
CVE-2025-53521 Actively exploited
F5 BIG-IP Stack-Based Buffer Overflow Vulnerability
F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.
F5 · BIG-IP Added Mar 27, 2026
network vpn remote
CVE-2026-1603 Actively exploited
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.
Ivanti · Endpoint Manager (EPM) Added Mar 9, 2026
endpoint vpn remote
CVE-2026-1281 Actively exploited
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Ivanti · Endpoint Manager Mobile (EPMM) Added Jan 29, 2026
endpoint vpn remote

See the full KEV catalog (1,619 entries) →

NVD · Recent Disclosures

Recently disclosed CVEs (last 7 days)

Newly published vulnerabilities from the National Vulnerability Database, ranked critical-first. Most of these aren't being exploited yet — but the patches need to be on your roadmap.

CVE CVSS Severity Published Description
CVE-2026-11499 9.8 CRITICAL Jun 8, 2026 A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulation of the argument blkDomain can lead to stack-based buffer overflow. The attack may be performed from remote.
CVE-2024-58349 9.8 CRITICAL Jun 8, 2026 WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress in…
CVE-2024-58348 9.8 CRITICAL Jun 8, 2026 WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
CVE-2023-54352 9.8 CRITICAL Jun 8, 2026 WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access.
CVE-2026-45779 9.8 CRITICAL Jun 5, 2026 OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database.…
CVE-2026-45777 9.8 CRITICAL Jun 5, 2026 OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configurat…
CVE-2026-45758 9.6 CRITICAL Jun 5, 2026 Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. Any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026 may be affected. Security researchers identified the malicious package within approxim…
CVE-2026-50751 9.3 CRITICAL Jun 8, 2026 A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
CVE-2026-11517 8.8 HIGH Jun 8, 2026 A vulnerability was determined in UTT HiPER 2610G up to 3.0.0-171107. This impacts the function strcpy of the file /goform/formConfigDnsFilterGlobal. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-11504 8.8 HIGH Jun 8, 2026 A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is…
CVE-2026-11503 8.8 HIGH Jun 8, 2026 A security vulnerability has been detected in Tenda CX12L 16.03.53.12. The affected element is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set of the component Wi-Fi Configuration Endpoint. Such manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been…
CVE-2026-11498 8.8 HIGH Jun 8, 2026 A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack is possible to be carried out remotely.
CVE-2026-11413 8.8 HIGH Jun 6, 2026 A security vulnerability has been detected in JingDong JD Cloud Box AX6600 4.5.3.r4546. The impacted element is the function set_macfilter of the file /sbin/jdcweb_rpc. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early…
CVE-2026-7654 8.8 HIGH Jun 5, 2026 The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper…
CVE-2026-26422 8.4 HIGH Jun 6, 2026 clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.
CVE-2026-11416 8.1 HIGH Jun 5, 2026 MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filen…
CVE-2026-41724 8 HIGH Jun 8, 2026 VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
CVE-2026-41723 8 HIGH Jun 8, 2026 VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
CVE-2026-41722 8 HIGH Jun 8, 2026 VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
CVE-2026-11401 8 HIGH Jun 5, 2026 An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through…
CVE-2026-11400 8 HIGH Jun 5, 2026 An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster throug…
CVE-2026-49235 7.5 HIGH Jun 8, 2026 When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
CVE-2026-49234 7.5 HIGH Jun 8, 2026 When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks.
CVE-2026-49233 7.5 HIGH Jun 8, 2026 Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
CVE-2026-36789 7.5 HIGH Jun 8, 2026 Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

From the Cybersecurity Newsroom

What's making cyber headlines

Hand-picked feeds from Krebs on Security, The Hacker News, BleepingComputer, and SANS Internet Storm Center. Headlines link to the original source — full credit, no scraping.

BleepingComputer
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]
Jun 12, 2026
The Hacker News
400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can…
Jun 12, 2026
The Hacker News
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phis…
Jun 12, 2026
BleepingComputer
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]
Jun 12, 2026
The Hacker News
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is…
Jun 12, 2026
BleepingComputer
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Jun 12, 2026
BleepingComputer
Over 400 Arch Linux packages compromised to push rootkit, infostealer
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens. [...]
Jun 12, 2026
BleepingComputer
Early Warning Signs of Supply-Chain Attacks Live in the Dark Web
GitHub access sales, leaked repositories, and stolen API keys can all become supply-chain attack footholds. Flare explores how underground forums expose early signals tied to software supply-chain risk. [...]
Jun 12, 2026
SANS Internet Storm Center
ISC Stormcast For Friday, June 12th, 2026: https://isc.sans.edu/podcastdetail/9970
Jun 12, 2026
The Hacker News
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake erro…
Jun 12, 2026
The Hacker News
Rethinking MDR as Attackers and Defenders Embrace AI
For most of the past decade, managed detection and response was the answer to a real problem. Security teams couldn't staff around the clock, couldn't hire enough analysts, and needed someone else to handle the alert queue. MDR stepped in. It worked well enough. Until now. The t…
Jun 12, 2026
SANS Internet Storm Center
ISC Stormcast For Thursday, June 11th, 2026: https://isc.sans.edu/podcastdetail/9968
Jun 11, 2026

Headlines and snippets © their respective publishers; links go directly to the original sources.

Why this matters for your business

Most of these attacks start with a person, not a firewall

Phishing, hostile Wi-Fi, an unpatched laptop in the wrong place — the techniques behind the headlines are the same ones that target every small and growing business today. OfficeGuardIT keeps the patches current, the EDR sharp, and your team trained to spot what slips through.
