The Executive Summary
Over the past seven days, our CVE Watchtower intercepted 1,388 new vulnerabilities, highlighting a relentless week in the cybersecurity landscape. While the sheer volume is high, the true risk is concentrated at the top of the pyramid: 97 Critical and 516 High-severity flaws.
More importantly, the data reveals 3 specific vulnerabilities actively under exploitation in the wild, alongside a concerning 58 vulnerabilities that now have public Proof-of-Concept (PoC) exploit code available.
Whether you are prioritizing this week’s patching schedule or evaluating overall organizational risk, here is exactly what you need to know.
The “Drop Everything and Patch” List (Actively Exploited)
If you only look at three vulnerabilities this week, make it these. Threat actors are currently weaponizing them in active campaigns.
- Google Chrome (CVE-2026-3910 & CVE-2026-3909): Two High-severity (CVSS 8.8) vulnerabilities have been discovered and exploited in Google Chrome’s rendering and JavaScript engines. CVE-2026-3910 allows an attacker to escape the browser sandbox entirely via V8 execution, while CVE-2026-3909 is an out-of-bounds memory write in the Skia graphics engine. Both can be triggered simply by navigating to a malicious HTML page. Update Chrome and Chromium-based browsers immediately.
- SolarWinds Web Help Desk (CVE-2025-26399): This is a Critical (CVSS 9.8) remote code execution (RCE) flaw rooted in an unauthenticated AjaxProxy deserialization vulnerability. If your IT teams are running an unpatched version of SolarWinds Web Help Desk, an attacker can completely compromise the host server without needing a username or password.
The PoC Watchlist (Public Exploits Available)
Our intelligence feeds show 58 vulnerabilities where security researchers (or attackers) have published the exact code needed to exploit them. This drastically lowers the barrier to entry for threat actors.
This week’s PoC releases heavily target perimeter networking and access control hardware. Threat actors are hunting for unpatched routers and controllers to establish initial network footholds:
- D-Link Routers (CVE-2026-4181, CVE-2026-4183, CVE-2026-4184): A trio of Critical (CVSS 9.8) flaws affecting the DIR-816 hardware. They stem from improper request handling in the router’s CGI scripts, allowing remote attackers to manipulate arguments and execute code.
- Wavlink Wireless Repeaters (CVE-2026-4163): Another Critical (CVSS 9.8) network hardware flaw. Attackers can manipulate POST requests sent to the wireless configuration API to compromise the device.
- ZKTeco ZKBioSecurity (CVE-2016-20026): A Critical (CVSS 9.8) legacy flaw making a resurgence due to new PoC activity. It involves hardcoded credentials within the bundled Apache Tomcat server, allowing unauthenticated attackers to walk right through the front door of the manager application.
The CVSS 10.0 Club (Maximum Severity)
While not yet known to be actively exploited, a handful of vulnerabilities logged a perfect 10.0 severity score this week. System administrators should isolate or patch these systems before threat actors automate the exploit process:
- Honeywell IQ4x Building Management Controllers (CVE-2026-3611): A nightmare for Operational Technology (OT) teams. In its factory-default state, this building management controller exposes its full web-based Human-Machine Interface (HMI) completely unauthenticated. Anyone who can route to the IP address can control the building.
- Himmelblau for Azure/Intune (CVE-2026-31957): This Microsoft Azure Entra ID interoperability suite has a fatal flaw. If deployed without a highly specific configuration, it introduces an immediate, maximum-severity compromise vector into your identity and access management (IAM) pipeline.
- Jellyfin Media System (CVE-2026-31852): The popular open-source media system suffers from an arbitrary code execution flaw tied to its GitHub Actions workflow.
- SandboxJS (CVE-2026-26954): A widely used JavaScript sandboxing library allows an attacker to obtain arrays containing functions, entirely bypassing the sandbox restrictions and executing malicious code on the host.
Strategic Takeaway for IT Leaders
The primary theme of this week’s threat intelligence is perimeter and appliance fatigue. While standard endpoints are primarily threatened by the Chrome zero-days, the bulk of Critical PoCs and Maximum Severity (10.0) vulnerabilities are heavily concentrated in external routing hardware, IoT devices, and operational technology (OT). Ensure your vulnerability management program isn’t just scanning Windows and Linux servers, but is actively interrogating the routers, building controllers, and identity appliances sitting at the edge of your network.
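To make the prioritization described above repeatable, here is an added example (not code from the report or its authors) that applies the report's own tiers to a weekly feed: actively exploited first, then public PoC, then CVSS 10.0, then the remaining Critical and High findings. It also flags asset classes that carry Critical-or-worse findings but sit outside the scanner's scope, which is the "routers, building controllers, and identity appliances" point of the takeaway. The sample feed is constructed from the entries in this report; the asset-class labels and the CveRecord/triage_tier/coverage_gaps names are my own assumptions, not a feed format any vendor uses.

```python
# Added example, not part of the original report: risk-based triage of a CVE feed.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    cvss: float
    asset_class: str            # assumed label, e.g. "endpoint", "network-edge", "ot", "identity"
    exploited_in_wild: bool = False
    public_poc: bool = False


# Tiers in descending priority; numeric so records sort naturally.
TIER_EXPLOITED, TIER_POC, TIER_MAX, TIER_CRITICAL, TIER_HIGH, TIER_OTHER = range(6)
TIER_NAMES = {
    TIER_EXPLOITED: "Drop Everything and Patch (actively exploited)",
    TIER_POC: "PoC Watchlist (public exploit available)",
    TIER_MAX: "CVSS 10.0 Club",
    TIER_CRITICAL: "Critical (CVSS 9.0-9.9)",
    TIER_HIGH: "High (CVSS 7.0-8.9)",
    TIER_OTHER: "Medium/Low",
}


def triage_tier(rec: CveRecord) -> int:
    """Evidence of exploitation outranks raw severity, matching the report's ordering."""
    if rec.exploited_in_wild:
        return TIER_EXPLOITED
    if rec.public_poc:
        return TIER_POC
    if rec.cvss >= 10.0:
        return TIER_MAX
    if rec.cvss >= 9.0:
        return TIER_CRITICAL
    if rec.cvss >= 7.0:
        return TIER_HIGH
    return TIER_OTHER


def prioritize(records):
    """Sort by tier, then highest CVSS, then CVE id for a stable, reviewable order."""
    return sorted(records, key=lambda r: (triage_tier(r), -r.cvss, r.cve_id))


def tier_counts(records) -> Counter:
    return Counter(triage_tier(r) for r in records)


def coverage_gaps(records, scanned_classes):
    """Asset classes with Critical-or-worse findings that the scanner does not cover."""
    exposed = {r.asset_class for r in records if r.cvss >= 9.0}
    return sorted(exposed - set(scanned_classes))


# Constructed sample feed: CVE ids and CVSS scores as stated in the report above,
# asset classes assigned here for illustration.
SAMPLE_FEED = [
    CveRecord("CVE-2026-3910", "Google Chrome (V8)", 8.8, "endpoint", exploited_in_wild=True),
    CveRecord("CVE-2026-3909", "Google Chrome (Skia)", 8.8, "endpoint", exploited_in_wild=True),
    CveRecord("CVE-2025-26399", "SolarWinds Web Help Desk", 9.8, "server", exploited_in_wild=True),
    CveRecord("CVE-2026-4181", "D-Link DIR-816", 9.8, "network-edge", public_poc=True),
    CveRecord("CVE-2026-4183", "D-Link DIR-816", 9.8, "network-edge", public_poc=True),
    CveRecord("CVE-2026-4184", "D-Link DIR-816", 9.8, "network-edge", public_poc=True),
    CveRecord("CVE-2026-4163", "Wavlink wireless repeater", 9.8, "network-edge", public_poc=True),
    CveRecord("CVE-2016-20026", "ZKTeco ZKBioSecurity", 9.8, "ot", public_poc=True),
    CveRecord("CVE-2026-3611", "Honeywell IQ4x controller", 10.0, "ot"),
    CveRecord("CVE-2026-31957", "Himmelblau for Azure/Intune", 10.0, "identity"),
    CveRecord("CVE-2026-31852", "Jellyfin media system", 10.0, "server"),
    CveRecord("CVE-2026-26954", "SandboxJS", 10.0, "dependency"),
]


if __name__ == "__main__":
    for rec in prioritize(SAMPLE_FEED):
        print(f"{TIER_NAMES[triage_tier(rec)]:<48} {rec.cve_id:<16} {rec.cvss:>4} {rec.product}")
    # A program that only scans endpoints and servers misses every edge/OT/identity finding.
    print("Unscanned asset classes with Critical findings:",
          coverage_gaps(SAMPLE_FEED, {"endpoint", "server"}))
```

The ordering deliberately puts the CVSS 8.8 Chrome flaws ahead of every unexploited 10.0, because confirmed exploitation is a stronger signal than score; swap the first two checks in triage_tier if your program treats a public PoC as equivalent to in-the-wild use.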
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.