Topic · vuln-advisory

Vulnerability Advisory

CVE additions, KEV catalog updates, vendor patch advisories. Routed to the Watch rail rather than the main ranking — high frequency and vendor-specific, narrative-poor individually.

RSS feed ↗

regulator
CISA adds Langflow, Trend Micro Apex One CVEs to KEV Catalog
Both entries trigger BOD 22-01 mandatory remediation deadlines for Federal Civilian Executive Branch agencies; contractors and MSPs on federal systems inherit the same obligation.
CISA added CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One on-premise directory traversal) to the Known Exploited Vulnerabilities Catalog on May 21, 2026. Federal Civilian Executive Branch agencies must remediate both by CISA-set deadlines under Binding Operational Directive 22-01. Specific due dates were not published in the alert. Contractors and MSPs supporting FCEB systems should add both CVEs to their active vulnerability management queues; the Trend Micro entry's on-premise scope may exclude cloud or SaaS deployments.
YESTERDAY
regulator
CISA adds CVE-2026-42897 Exchange Server XSS to KEV Catalog
Active exploitation of a cross-site scripting flaw in Exchange Server triggers BOD 22-01 remediation deadlines for all FCEB agencies.
CISA added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server, to the Known Exploited Vulnerabilities Catalog on May 15, 2026, citing evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate by the BOD 22-01-assigned due date, which CISA has not yet published. Contractors supporting federal systems face audit exposure if affected Exchange deployments remain unpatched. Patch availability has not been confirmed in the advisory.
YESTERDAY
regulator
CISA adds Cisco SD-WAN auth bypass CVE-2026-20182 to KEV catalog
BOD 22-01 remediation deadlines are binding for FCEB agencies; ED 26-03 and its supplemental hardening guidance set the specific patch path.
CISA added CVE-2026-20182, a Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate under Binding Operational Directive 22-01 or discontinue use; Emergency Directive 26-03 and its supplemental hunt-and-hardening guidance govern the specific mitigation path. Non-federal organizations with SD-WAN infrastructure in remote access or branch connectivity roles should treat this as a prioritized patch.
YESTERDAY
regulator
CISA adds seven CVEs to KEV Catalog, two targeting Microsoft Defender
Most of the seven are legacy CVEs from 2008-2010, but the two 2026 Microsoft Defender entries are the unusual ones: exploited vulnerabilities in a defensive tool, not the OS.
CISA added seven CVEs to its Known Exploited Vulnerabilities Catalog on May 20, 2026, triggering mandatory remediation deadlines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Five entries are legacy Microsoft and Adobe vulnerabilities (2008-2010); two are 2026 Microsoft Defender flaws, CVE-2026-41091, an elevation of privilege, and CVE-2026-45498, a denial of service. The Defender inclusions are notable: KEV additions typically target OS or browser attack surface, not defensive tooling itself. CISA urges all organizations to prioritize remediation regardless of BOD 22-01 applicability.
YESTERDAY
regulator
CISA adds Drupal Core SQL injection CVE-2026-9082 to KEV Catalog
BOD 22-01 triggers a binding remediation deadline for FCEB agencies; contractors on federal networks should treat this as equally urgent.
CISA added CVE-2026-9082, a Drupal Core SQL injection vulnerability, to the Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies are bound by Binding Operational Directive 22-01 to remediate by the catalog-assigned due date. The source advisory does not specify that deadline or confirm patch availability from Drupal maintainers. Contractors supporting federal networks should patch or mitigate without waiting for agency direction.
FRI

Vulnerability Advisory

CISA adds Langflow, Trend Micro Apex One CVEs to KEV Catalog

CISA adds CVE-2026-42897 Exchange Server XSS to KEV Catalog

CISA adds Cisco SD-WAN auth bypass CVE-2026-20182 to KEV catalog

CISA adds seven CVEs to KEV Catalog, two targeting Microsoft Defender

CISA adds Drupal Core SQL injection CVE-2026-9082 to KEV Catalog