Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Google patches fourth Chrome zero-day of 2026 - WebGPU flaw exploited in the wild (CVE-2026-5281)

Google pushed an emergency Chrome update to fix a use-after-free bug in Dawn, the engine behind Chrome's WebGPU graphics standard. CVE-2026-5281 is already being exploited - an attacker who has compromised the browser's renderer process can use a crafted HTML page to execute arbitrary code, potentially escaping Chrome's sandbox. This is the fourth actively exploited Chrome zero-day in 2026, and the third targeting graphics or rendering subsystems. CISA added it to the KEV catalog with an April 15 deadline.

Check
Update Chrome immediately on all managed endpoints. Also check Edge, Brave, Opera, and Vivaldi - they share the same Chromium codebase.
Affected
Google Chrome prior to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux). All Chromium-based browsers are affected.
Fix
Update Chrome to 146.0.7680.177/178. Verify auto-update is enabled and not blocked by group policy. Push updates via enterprise management tools. Apply Chromium-based browser patches from Microsoft, Brave, and others as they release.

Chinese hackers exploited TrueConf video conferencing zero-day to backdoor Southeast Asian governments (CVE-2026-3502)

Check Point uncovered Operation TrueChaos - a Chinese-nexus espionage campaign that turned a video conferencing platform's update mechanism into a malware delivery system. The attackers compromised a central on-premises TrueConf server used by a government IT department, then swapped the legitimate client update with a weaponized package that deployed the Havoc post-exploitation framework. Every connected government agency pulled the poisoned update automatically, no individual endpoint compromise needed.

Check
Check if your organization uses TrueConf for video conferencing, especially in on-premises deployments.
Affected
TrueConf Windows client versions 8.1.0 through 8.5.2. On-premises deployments are at highest risk since the attack requires control of the TrueConf server.
Fix
Update TrueConf Windows client to version 8.5.3 or later. Audit TrueConf servers for unauthorized modifications. Check endpoints for IOCs: unsigned trueconf_windows_update.exe, files named poweriso.exe or 7z-x64.dll, and connections to 43.134.90.60, 43.134.52.221, or 47.237.15.197.

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

Check
Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected
FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix
Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.

Citrix NetScaler exploitation confirmed - CISA adds to KEV with April 2 deadline (CVE-2026-3055)

The Citrix NetScaler flaw we reported under active recon two days ago has escalated fast. Attackers are now sending crafted SAMLRequest payloads that trigger memory leaks exposing sensitive data through session cookies. CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on March 30 with an unusually tight April 2 remediation deadline - just three days for federal agencies.

Check
Check if you run NetScaler ADC or Gateway configured as a SAML identity provider.
Affected
NetScaler ADC/Gateway 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262.
Fix
Update to 14.1-66.59, 13.1-62.23, or 13.1-37.262 respectively. CISA deadline is April 2, 2026.

Smart Slider 3 WordPress plugin exposes 800,000+ sites to file theft (CVE-2026-3098)

A flaw in Smart Slider 3 - one of WordPress's most popular slider plugins with over 800,000 active installations - lets anyone with a basic subscriber account download arbitrary files from the server. That includes wp-config.php, which contains database credentials, encryption keys, and salt data. An attacker only needs the lowest level of authenticated access to trigger the vulnerable export function and package sensitive files into a downloadable ZIP.

Check
Check if you run Smart Slider 3 on any WordPress site, especially sites with open registration.
Affected
Smart Slider 3 versions up to and including 3.5.1.33.
Fix
Update to Smart Slider 3 version 3.5.1.34. Rotate database credentials and salts if you suspect the vulnerability was exploited.

F5 BIG-IP APM flaw reclassified from DoS to pre-auth RCE - now actively exploited (CVE-2025-53521)

Remember that F5 BIG-IP APM bug from last year everyone treated as a denial-of-service issue? Turns out it's pre-auth remote code execution - CVSS 9.3. F5 quietly reclassified it after new findings in March 2026 and confirmed exploitation in the wild. CISA added it to the KEV catalog with a March 30 patch deadline. That's tomorrow.

Check
Check if you run F5 BIG-IP with APM access policies enabled.
Affected
BIG-IP APM 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10.
Fix
Update to 17.5.2, 17.1.3, 16.1.7, or 15.1.11 respectively. CISA deadline is March 30, 2026.

Citrix NetScaler under active recon - attackers fingerprinting SAML configs before exploitation (CVE-2026-3055)

Attackers are scanning internet-facing Citrix NetScaler ADC and Gateway appliances right now, probing the /cgi/GetAuthMethods endpoint to find which ones are configured as SAML identity providers - the exact setup needed to trigger this CVSS 9.3 memory-leak flaw. Not full exploitation yet, but researchers at watchTowr warn the jump from recon to attack could happen any day.

Check
Check if you run NetScaler ADC or Gateway configured as a SAML identity provider.
Affected
NetScaler ADC/Gateway 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262.
Fix
Update to 14.1-66.59, 13.1-62.23, or 13.1-37.262 respectively. Patch immediately if configured as SAML IDP.

Langflow AI platform RCE exploited within 20 hours of disclosure - no auth required (CVE-2026-33017)

Attackers didn't wait for a proof-of-concept. Within 20 hours of CVE-2026-33017 being disclosed in Langflow - an open-source AI workflow builder with 145K+ GitHub stars - they built working exploits straight from the advisory. One crafted HTTP POST to the public flow endpoint is all it takes, no credentials needed. Compromised instances leak API keys for OpenAI, AWS, and connected databases.

Check
Check if you run Langflow, especially any instances exposed to the internet.
Affected
Langflow <= 1.8.1.
Fix
Upgrade to Langflow 1.9.0. If you can't patch now, take instances offline or block the /api/v1/build_public_tmp endpoint.

Oracle emergency patch for pre-auth RCE in Identity Manager and Web Services Manager (CVE-2026-21992)

Oracle broke its quarterly patch cycle to push an emergency fix for CVE-2026-21992 - a CVSS 9.8 pre-auth RCE in Oracle Identity Manager and Web Services Manager. An unauthenticated attacker with network access over HTTP can take over the entire identity management system. Oracle won't say if it's been exploited, but a nearly identical flaw in the same product (CVE-2025-61757) was added to CISA's KEV catalog just four months ago.

Check
Check if you run Oracle Identity Manager or Oracle Web Services Manager.
Affected
Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
Fix
Apply the out-of-band Security Alert patch from Oracle immediately. Only available for versions under Premier or Extended Support.