Zero Day MonitorZDM

Dashboard Vulnerabilities Trending Zero-Days News About

Impressum Privacy Policy

Zero Day Monitor © 2026

3390 articles · 142067 vulns · 36/41 feeds (7d)

Trending Vulnerabilities

Top vulnerabilities ranked by news velocity, CISA KEV status, EPSS exploitation probability, and independent source coverage.

1

cpanel · CVE-2026-41940 — WebPros cPanel and WHM Authentication Bypass via Login FlowKEVEXPLOITEDPATCHED

cpanel· CVSS 9.8· CWE-306

2

ivanti · CVE-2026-6973 — CVE-2026-6973: An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticKEVEXPLOITEDPATCHED

endpoint_manager_mobile· CVSS 7.0· CWE-20

3

litellm · CVE-2026-42208 — LiteLLM: SQL injection in Proxy API key verificationKEVEXPLOITEDPATCHED

litellm· CVSS 9.8· CWE-89

4

linux · CVE-2026-31431 — crypto: algif_aead - Revert to operating out-of-placeKEVEXPLOITEDPATCHED

linux_kernel· CVSS 7.8· CWE-20

5

palo alto networks · CVE-2026-0300 — PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication PortalEXPLOITEDPATCHED

pan-os· CVSS 7.5· CWE-787

6

linux · CVE-2026-43284 — xfrm: esp: avoid in-place decrypt on shared skb fragsEXPLOITEDPATCHED

linux_kernel· CVSS 8.8· CWE-20

7

progress · CVE-2026-4670 — Improper Authentication vulnerability in Progress MOVEit AutomationEXPLOITEDPATCHED

moveit_automation· CVSS 9.8· CWE-305

8

go toolchain · CVE-2026-27143 — Missing bound checks can lead to memory corruption in safe Go in cmd/compileEXPLOITEDPATCHED

cmd/compile· CVSS 9.8

9

spring · CVE-2026-40982 — CVE-2026-40982: Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server EXPLOITEDPATCHED

spring cloud config· CVSS 9.1· CWE-22

10

progress · CVE-2026-5174 — Improper Access Control Vulnerability in Progress MOVEit AutomationEXPLOITEDPATCHED

moveit_automation· CVSS 7.7· CWE-20

11

mozilla · CVE-2026-8091 — Incorrect boundary conditions in the Audio/Video: Playback componentEXPLOITEDPATCHED

firefox· CVSS 9.8

12

google · CVE-2026-7896 — CVE-2026-7896: Integer overflow in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap EXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-472

13

axios · CVE-2026-42034 — Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0EXPLOITEDPATCHED

axios· CVSS 5.3· CWE-770

14

golang · CVE-2026-32283 — Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tlsEXPLOITEDPATCHED

15

jackc · CVE-2026-33816 — CVE-2026-33816 in github.com/jackc/pgxEXPLOITEDPATCHED

pgx/v5· CVSS 9.8· CWE-20

16

axios · CVE-2026-42033 — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request HijackingEXPLOITEDPATCHED

axios· CVSS 7.4· CWE-1321

17

apache · CVE-2026-29129 — Apache Tomcat: TLS cipher order is not preservedEXPLOITEDPATCHED

tomcat· CVSS 7.5· CWE-327

18

lxml · CVE-2026-41066 — lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local filesEXPLOITEDPATCHED

lxml· CVSS 7.5· CWE-611

19

golang · CVE-2026-33810 — Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509EXPLOITEDPATCHED

20

axios · CVE-2026-42035 — Axios: Header Injection via Prototype PollutionEXPLOITEDPATCHED

axios· CVSS 7.4· CWE-113

21

google · CVE-2026-7898 — CVE-2026-7898: Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

22

google · CVE-2026-7908 — CVE-2026-7908: Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a EXPLOITEDPATCHED

chrome· CVSS 9.6· CWE-416

23

amd · CVE-2026-43318 — drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notifyEXPLOITEDPATCHED

24

golang · CVE-2026-32281 — Inefficient policy validation in crypto/x509EXPLOITEDPATCHED

25

spring-projects · CVE-2026-41705 — CVE-2026-41705: Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitizedEXPLOITEDPATCHED

spring-ai· CVSS 8.6· CWE-917

26

google · CVE-2026-7333 — CVE-2026-7333: Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandboEXPLOITEDPATCHED

chrome· CVSS 9.6· CWE-416

27

mozilla · CVE-2026-8090 — Use-after-free in the DOM: Networking componentEXPLOITEDPATCHED

firefox· CVSS 7.3

28

go jo · CVE-2026-34986 — Go JOSE affect by a panic in JWE decryptionEXPLOITEDPATCHED

go jose· CVSS 7.5· CWE-248

29

google · CVE-2026-7917 — CVE-2026-7917: Use after free in Fullscreen in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had comproEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-416

30

google · CVE-2026-7940 — CVE-2026-7940: Use after free in V8 in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

31

google · CVE-2026-7899 — CVE-2026-7899: Out of bounds read and write in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrarEXPLOITEDPATCHED

chrome· CVSS 8.8

32

google · CVE-2026-7902 — CVE-2026-7902: Out of bounds memory access in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitraryEXPLOITEDPATCHED

chrome· CVSS 8.8

33

google · CVE-2026-7951 — CVE-2026-7951: Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary codEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-787

34

openexr · CVE-2026-34588 — OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/WriteEXPLOITEDPATCHED

openexr· CVSS 7.8· CWE-125

35

google · CVE-2026-7903 — CVE-2026-7903: Integer overflow in ANGLE in Google Chrome on Mac,Windows prior to 148.0.7778.96 allowed a remote attacker to potentiallEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-472

36

google · CVE-2026-7911 — CVE-2026-7911: Use after free in Aura in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised EXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-416

37

google · CVE-2026-7901 — CVE-2026-7901: Use after free in ANGLE in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary coEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

38

google · CVE-2026-7900 — CVE-2026-7900: Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the EXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-122

39

google · CVE-2026-7930 — CVE-2026-7930: Insufficient validation of untrusted input in Cookies in Google Chrome prior to 148.0.7778.96 allowed a remote attacker EXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-20

40

google · CVE-2026-7906 — CVE-2026-7906: Use after free in SVG in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code insideEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

41

google · CVE-2026-7938 — CVE-2026-7938: Use after free in CSS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code insideEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416

42

aiohttp · CVE-2026-34520 — AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypassEXPLOITEDPATCHED

aiohttp· CVSS 9.1· CWE-113

43

google · CVE-2026-7925 — CVE-2026-7925: Use after free in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-lEXPLOITEDPATCHED

chrome· CVSS 7.8· CWE-416

44

google · CVE-2026-7916 — CVE-2026-7916: Insufficient data validation in InterestGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who hadEXPLOITEDPATCHED

chrome· CVSS 8.3

45

google · CVE-2026-7920 — CVE-2026-7920: Use after free in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the rendereEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-416

46

google · CVE-2026-7914 — CVE-2026-7914: Type Confusion in Accessibility in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had comEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-843

47

google · CVE-2026-7922 — CVE-2026-7922: Use after free in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially performEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-416

48

google · CVE-2026-7918 — CVE-2026-7918: Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the rendererEXPLOITEDPATCHED

chrome· CVSS 8.3· CWE-416

49

google · CVE-2026-7927 — CVE-2026-7927: Type Confusion in Runtime in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inEXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-843

50

google · CVE-2026-7921 — CVE-2026-7921: Use after free in Passwords in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code EXPLOITEDPATCHED

chrome· CVSS 8.8· CWE-416