VULNERABILITY TRACKER

A new Apache HTTP Server vulnerability (CVE‑2026‑34032) allows remote attackers to read memory contents via mod_proxy_ajp, but only after compromising an AJP backend. The CVSS score is 3.7 (Low), yet third‑party risk man…

Langflow, a popular open‑source AI development platform, contains a high‑severity path‑traversal bug (CVE‑2026‑5027) that lets attackers write arbitrary files without authentication. Exploitation is confirmed in the wild…

A researcher published a proof‑of‑concept for a Windows Defender bug that grants attackers complete control of the host. The vulnerability affects any organization using Defender, creating urgent patch and mitigation req…

A critical command‑injection flaw (CVE‑2026‑25089) in FortiSandbox’s web UI, along with undisclosed high‑severity bugs in Ivanti and SAP, is being actively exploited. Vendors have released emergency patches; TPRM teams m…

A path‑traversal flaw (CVE‑2026‑5027) in the open‑source Langflow AI low‑code platform is being exploited in the wild, enabling unauthenticated remote code execution. Organizations that host or consume Langflow‑based se…

CISA has listed CVE‑2026‑20245, a critical output‑encoding bug in Cisco Catalyst SD‑WAN Manager, in its KEV catalog after confirming active exploitation. The flaw threatens organizations that depend on Cisco‑managed SD‑W…

Microsoft’s June Patch Tuesday addressed roughly 200 security flaws, among them public zero‑day exploits and critical Windows vulnerabilities. Organizations that depend on Microsoft OS, Azure, or Office 365 must verify r…

Microsoft patched a critical XSS zero‑day (CVE‑2026‑42897) affecting Exchange Server 2016, 2019 and Subscription Edition after confirming active exploitation in the wild. The flaw enables remote attackers to run arbitrar…

Two Russian‑linked APT groups are actively exploiting CVE‑2025‑8088, a path‑traversal bug in WinRAR that was patched in July 2025. Unpatched installations enable silent file writes that drop PowerShell loaders and DLLs c…

Ivanti Sentry versions prior to 10.5.2, 10.6.2 and 10.7.1 contain two critical vulnerabilities that allow unauthenticated attackers to execute code as root and to create privileged accounts. The flaws expose credentials …

Microsoft’s June Patch Tuesday delivered 206 fixes—the largest ever—driven by AI‑assisted discovery. One of the patches, CVE‑2026‑45657, is a wormable Windows kernel vulnerability rated 9.8 that attackers are already lev…

Microsoft’s June 2026 Patch Tuesday patched 206 security flaws, among them three zero‑day vulnerabilities (BitLocker, HTTP.sys, CTFMON). The update is critical for any organization using Microsoft software, and TPRM team…

CISA has placed three high‑severity flaws—Cisco Catalyst SD‑WAN Manager, Arista EOS, and Google Chromium V8—in its Known Exploited Vulnerabilities catalog. The bugs enable privilege escalation, traffic misrouting, and re…

Microsoft’s June 2026 Patch Tuesday shipped fixes for nearly 200 vulnerabilities, highlighted by a newly disclosed zero‑day ‘RoguePlanet’ that exploits a race condition in Windows Defender to gain SYSTEM privileges. The …

Microsoft released June 2026 patches for three zero‑day flaws—GreenPlasma, MiniPlasma and YellowKey—that allow local attackers to obtain SYSTEM rights or bypass BitLocker encryption. The vulnerabilities affect all Window…

Researcher Chaotic Eclipse released a PoC for the RoguePlanet zero‑day in Microsoft Defender that can obtain SYSTEM privileges on Windows 10 and 11 machines with the latest June 2026 patches. The vulnerability undermines…

Microsoft released patches for a historic 206 vulnerabilities, three of which are zero‑days and many are critical RCE bugs. Organizations using Windows, Azure, and Office 365 must apply the updates immediately to mitigat…

Microsoft's June 2026 Patch Tuesday addressed 206 security flaws, among them three critical zero‑day vulnerabilities in the Windows kernel, networking stack, and HTTP.sys driver. The fixes are essential for any organizat…

ServiceNow confirmed that an unauthenticated flaw was exploited to gain deeper access to customer instances, potentially exposing configuration data and employee information. The issue was patched on June 5 2026, but org…

A researcher released a proof‑of‑concept exploit for a race‑condition vulnerability in Microsoft Defender, named RoguePlanet, that can obtain SYSTEM privileges on fully patched Windows 10/11 devices. The flaw poses a cri…

Security researchers disclosed six critical vulnerabilities in protobuf.js that can lead to remote code execution or denial‑of‑service when a malicious protobuf payload is processed. The issue impacts any Node.js app tha…

Adobe Acrobat Reader DC contains a use‑after‑free vulnerability (CVE‑2026‑27220) that enables remote code execution when a user opens a crafted PDF or visits a malicious page. The flaw scores 7.8 CVSS and has been patche…

A researcher disclosed “RoguePlanet,” a race‑condition zero‑day in Microsoft Defender that can elevate a user to SYSTEM on fully patched Windows 10 and Windows 11 machines. The exploit works despite the June 2026 Patch T…

Microsoft’s June 2026 Patch Tuesday delivered fixes for a historic 208 CVEs, covering Windows, Azure, Office and AI tooling. The bundle contains an actively exploited zero‑day and three critical remote‑code‑execution fla…

A historic Patch Tuesday saw 206 CVEs published, many uncovered by AI‑driven tools, expanding the potential attack surface for organizations that depend on third‑party software. TPRM teams must accelerate patching and ve…