Zero Day MonitorZDM

Dashboard Vulnerabilities Trending Zero-Days News About

Impressum Privacy Policy

Zero Day Monitor © 2026

3192 articles · 168075 vulns · 37/41 feeds (7d)

Trending Vulnerabilities

Top vulnerabilities ranked by news velocity, CISA KEV status, EPSS exploitation probability, and independent source coverage.

1

linux · CVE-2026-31431 — crypto: algif_aead - Revert to operating out-of-placeKEVEXPLOITEDPATCHED

linux_kernel· CVSS 7.8

2

linux · CVE-2026-43284 — xfrm: esp: avoid in-place decrypt on shared skb fragsKEVEXPLOITEDPATCHED

linux_kernel· CVSS 8.8

3

linux · CVE-2026-43500 — rxrpc: Also unshare DATA/RESPONSE packets when paged frags are presentKEVEXPLOITEDPATCHED

linux_kernel· CVSS 7.8

4

ui · CVE-2026-34908 — CVE-2026-34908: A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS deKEVEXPLOITEDPATCHED

unifi_os_server· CVSS 10.0· CWE-284

5

ptc · CVE-2026-12569 — Remote Code Execution (RCE) vulnerability in Windchill PDMlinkEXPLOITEDPATCHED

flexplm· CWE-20

6

ui · CVE-2026-34909 — CVE-2026-34909: A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to aKEVEXPLOITEDPATCHED

unifi_os_server· CVSS 10.0· CWE-22

7

mappress · CVE-2026-56011 — WordPress MapPress Maps for WordPress plugin <= 2.97.3 - Cross Site Scripting (XSS) vulnerabilityKEVEXPLOITED

mappress maps for wordpress· CVSS 7.1· CWE-79

8

linux · CVE-2026-46333 — ptrace: slightly saner 'get_dumpable()' logicEXPLOITEDPATCHED

kernel· CVSS 7.1· CWE-362

9

libssh2 · CVE-2026-55200 — libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.cEXPLOITEDPATCHED

libssh2· CVSS 9.2· CWE-680

10

cis · CVE-2026-20230 — CVE-2026-20230: A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session MaEXPLOITEDPATCHED

unified_communications_manager· CVSS 8.6· CWE-918

11

cis · CVE-2026-20245 — Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation VulnerabilityEXPLOITEDPATCHED

catalyst_sd-wan_manager· CVSS 7.8· CWE-116

12

langflow · CVE-2026-55255 — Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's FlowKEVEXPLOITEDPATCHED

langflow· CVSS 9.9· CWE-639

13

gpac project · CVE-2025-60474 — CVE-2025-60474: A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 alloEXPLOITED

mp4box· CVSS 7.5

14

google · CVE-2026-13033 — CVE-2026-13033: Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker EXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-125

15

google · CVE-2026-13038 — CVE-2026-13038: Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbiEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

16

linux · CVE-2026-46300 — net: skbuff: preserve shared-frag marker during coalescingEXPLOITEDPATCHED

linux_kernel· CVSS 7.8

17

google · CVE-2026-13031 — CVE-2026-13031: Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code insEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

18

google · CVE-2026-13029 — CVE-2026-13029: Use after free in Web Authentication in Google Chrome prior to 149.0.7827.197 allowed an attacker who convinced a user tEXPLOITEDPATCHED

chrome· CVSS 7.5· CWE-416

19

google · CVE-2026-13026 — CVE-2026-13026: Use after free in Digital Credentials in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to potenEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

20

google · CVE-2026-13025 — CVE-2026-13025: Race in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer proEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-20

21

google · CVE-2026-13036 — CVE-2026-13036: Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code insEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

22

google · CVE-2026-13035 — CVE-2026-13035: Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitraEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

23

google · CVE-2026-13027 — CVE-2026-13027: Use after free in FileSystem in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit hEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

24

gpac project · CVE-2025-60467 — CVE-2025-60467: A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box EXPLOITED

mp4box· CVSS 7.5

25

apache · CVE-2026-49486 — Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)EXPLOITEDPATCHED

apache-airflow-providers-ftp· CVSS 7.5· CWE-319

26

jqlang · CVE-2026-39979 — jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted BuffersEXPLOITEDPATCHED

jq· CVSS 8.2· CWE-125

27

gpac project · CVE-2025-60464 — CVE-2025-60464: A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.EXPLOITEDPATCHED

mp4box· CVSS 7.8

28

flowi · CVE-2025-71327 — Flowise - Authentication Bypass via Unprotected Registration EndpointEXPLOITEDPATCHED

flowise· CVSS 9.1· CWE-306

29

flowi · CVE-2025-71334 — Flowise - Arbitrary File Access via Missing Chat Flow ID ValidationEXPLOITEDPATCHED

flowise· CVSS 9.8· CWE-73

30

flowi · CVE-2025-71338 — Flowise - Arbitrary File Write to Remote Code Execution via document-store APIEXPLOITEDPATCHED

flowise· CVSS 10.0· CWE-73

31

google · CVE-2026-13022 — CVE-2026-13022: Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compEXPLOITEDPATCHED

32

google · CVE-2026-13281 — CVE-2026-13281: Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the rendEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-472

33

jqlang · CVE-2026-49839 — jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflowEXPLOITEDPATCHED

jq· CVSS 7.1· CWE-787

34

perl · CVE-2026-11702 — Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processesEXPLOITEDPATCHED

bytes::random::secure::secure::tiny· CVSS 7.5· CWE-335

35

linux · CVE-2026-43503 — net: skbuff: propagate shared-frag marker through frag-transfer helpersEXPLOITEDPATCHED

linux_kernel· CVSS 8.8· CWE-20

36

gravity forms · CVE-2026-4020 — Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST APIKEVEXPLOITED

gravity smtp· CVSS 7.5· CWE-200

37

perl · CVE-2026-11625 — Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processesEXPLOITEDPATCHED

bytes::random::secure· CVSS 7.5· CWE-335

38

dragonflydb · CVE-2026-54341 — Dragonfly: RESTORE operations may crash the serverEXPLOITEDPATCHED

dragonfly· CVSS 7.5· CWE-125

39

paytium · CVE-2026-56030 — WordPress Paytium plugin <= 5.0.2 - Privilege Escalation vulnerabilityEXPLOITED

paytium· CVSS 9.8· CWE-266

40

budiba · CVE-2026-54350 — Budibase: Anonymous NoSQL operator injection via published-app query templatesEXPLOITEDPATCHED

budiba· CVSS 10.0· CWE-89

41

GPAC Project · CVE-2025-60473 — CVE-2025-60473: A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box EXPLOITED

42

GPAC Project · CVE-2025-60466 — CVE-2025-60466: A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.0EXPLOITED

43

broadcom · CVE-2026-40012 — Information about ECS zero scoped answers might leak to clients that use a specific ECSEXPLOITEDPATCHED

symantec endpoint security· CVSS 5.3

44

dokan · CVE-2026-56033 — WordPress Dokan Pro plugin <= 5.0.4 - Privilege Escalation vulnerabilityEXPLOITED

dokan pro· CVSS 9.8· CWE-266

45

wso2 · CVE-2026-2053 — Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API ManagerEXPLOITEDPATCHED

api· CVSS 8.3· CWE-918

46

gpac project · CVE-2025-60465 — CVE-2025-60465: A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02EXPLOITEDPATCHED

mp4box· CVSS 6.1

47

google · CVE-2026-13282 — CVE-2026-13282: Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially eEXPLOITEDPATCHED

chrome· CVSS 6.8· CWE-416

48

google · CVE-2026-13024 — CVE-2026-13024: Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacEXPLOITEDPATCHED

chrome· CVSS 4.2· CWE-20

49

buddyboss · CVE-2026-56032 — WordPress Buddyboss Platform plugin <= 3.0.4 - PHP Object Injection vulnerabilityEXPLOITED

buddyboss· CVSS 9.8· CWE-502

50

google · CVE-2026-13023 — CVE-2026-13023: Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the rendEXPLOITEDPATCHED

chrome· CVSS 5.3· CWE-457