This page tracks the vulnerabilities most actively exploited in the wild right now. Each entry is a CVE added to the CISA Known Exploited Vulnerabilities (KEV) catalog within the last 30 days and confirmed as under active exploitation by our CVE Watchtower. The list is ranked by EPSS score, which estimates the probability of exploitation, alongside CVSS severity. It refreshes automatically throughout the day. If you only have time to patch a few things this month, start here.
Last updated: July 11, 2026 · Source: CISA KEV + Daily CyberSecurity CVE Watchtower
| # | CVE | Vendor / Product | CVSS | EPSS | Added to KEV |
|---|---|---|---|---|---|
| 1 |
CVE-2026-35273
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are…
|
Oracle PeopleSoft Enterprise PeopleTools | 9.8 | 92.3% | Jun 12, 2026 |
| 2 |
CVE-2026-20253
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary…
|
Splunk Enterprise | 9.8 | 88.2% | Jun 18, 2026 |
| 3 |
CVE-2026-48907
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately…
|
Widget Factory Joomla Content Editor | 10.0 | 80.4% | Jun 16, 2026 |
| 4 |
CVE-2026-34910
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices…
|
Ubiquiti UniFi OS | 10.0 | 78.6% | Jun 23, 2026 |
| 5 |
CVE-2026-20230
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME)…
|
Cisco Unified Communications Manager | 8.6 | 41.7% | Jun 25, 2026 |
| 6 |
CVE-2026-48282
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path…
|
Adobe ColdFusion | 10.0 | 28.6% | Jul 7, 2026 |
| 7 |
CVE-2026-20262
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker…
|
Cisco Catalyst SD-WAN Manager | 6.5 | 7.7% | Jun 15, 2026 |
| 8 |
CVE-2026-45659
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
|
Microsoft SharePoint Server | 8.8 | 3.2% | Jul 1, 2026 |
| 9 |
CVE-2026-56290
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and…
|
Joomlack Page Builder | 10.0 | 2.9% | Jul 7, 2026 |
| 10 |
CVE-2026-34908
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices…
|
Ubiquiti UniFi OS | 10.0 | 2.5% | Jun 23, 2026 |
| 11 |
CVE-2026-34909
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
|
Ubiquiti UniFi OS | 10.0 | 2.3% | Jun 23, 2026 |
| 12 |
CVE-2026-48908
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload…
|
JoomShaper SP Page Builder | 10.0 | 1.6% | Jul 7, 2026 |
| 13 |
CVE-2026-54420
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with…
|
LiteSpeed cPanel Plugin | 8.5 | 1.3% | Jun 15, 2026 |
| 14 |
CVE-2026-12569
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may…
|
PTC Windchill and FlexPLM | 9.3 | 1.2% | Jun 25, 2026 |
| 15 |
CVE-2026-48558
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When…
|
SimpleHelp SimpleHelp | 10.0 | 1.2% | Jun 29, 2026 |
Previous 30 days
| # | CVE | Vendor / Product | CVSS | EPSS | Added to KEV |
|---|---|---|---|---|---|
| 1 |
CVE-2026-10520
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
|
Ivanti Sentry | 10.0 | 99.0% | Jun 11, 2026 |
| 2 |
CVE-2008-4250
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and…
|
Microsoft Windows | 9.8 | 98.8% | May 20, 2026 |
| 3 |
CVE-2010-0249
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and…
|
Microsoft Internet Explorer | 8.8 | 91.9% | May 20, 2026 |
| 4 |
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after…
|
Cisco Catalyst SD-WAN | 10.0 | 88.5% | May 14, 2026 |
| 5 |
CVE-2026-0257
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass…
|
Palo Alto Networks PAN-OS | 7.8 | 86.7% | May 29, 2026 |
| 6 |
CVE-2009-3459
Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote…
|
Adobe Acrobat and Reader | 8.8 | 86.5% | May 20, 2026 |
| 7 |
CVE-2010-0806
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote…
|
Microsoft Internet Explorer | 8.8 | 82.0% | May 20, 2026 |
| 8 |
CVE-2026-42271
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to…
|
BerriAI LiteLLM | 8.8 | 80.2% | Jun 8, 2026 |
| 9 |
CVE-2026-50751
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated…
|
Check Point Security Gateway | 9.3 | 70.1% | Jun 8, 2026 |
| 10 |
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
|
Microsoft Defender | 4.0 | 63.1% | May 20, 2026 |
| 11 |
CVE-2009-1537
Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows…
|
Microsoft DirectX | 8.8 | 50.9% | May 20, 2026 |
| 12 |
CVE-2024-21182
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0…
|
Oracle WebLogic Server | 7.5 | 49.7% | Jun 1, 2026 |
| 13 |
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.…
|
Drupal Core | 6.5 | 33.7% | May 22, 2026 |
| 14 |
CVE-2026-45247
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated…
|
Mirasvit Mirasvit Full Page Cache Warmer | 9.8 | 27.5% | Jun 3, 2026 |
| 15 |
CVE-2026-20245
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage,…
|
Cisco Catalyst SD-WAN Manager | 7.8 | 25.3% | Jun 9, 2026 |
Frequently Asked Questions
What does “actively exploited” mean?
It means attackers are using the vulnerability in real-world attacks right now, not just in theory. Confirmation comes from the CISA KEV catalog and our own CVE Watchtower tracking.
What is the CISA KEV catalog?
The Known Exploited Vulnerabilities (KEV) catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency. It only includes CVEs with reliable evidence of exploitation in the wild, which makes it a strong patching baseline for any organization.
What is an EPSS score?
EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited within the next 30 days. A score of 90% means very high likelihood. We rank this list by EPSS because it reflects real-world risk better than severity alone.
How is this different from CVSS?
CVSS measures how severe a vulnerability could be if exploited. EPSS measures how likely exploitation actually is. A flaw can be critical on paper but rarely attacked, or moderate on paper yet heavily abused. We show both so defenders can prioritize correctly.
How often is this page updated?
The list refreshes automatically several times a day from the CISA KEV feed and our CVE Watchtower database. The “Last updated” line above the table shows the most recent refresh.
Should I patch everything on this list?
Yes, treat every entry as a priority. These CVEs are confirmed under active exploitation, so the usual “wait and assess” approach does not apply. If a patch is unavailable, apply the vendor’s mitigations immediately.
Can I cite or link to this list?
Yes. This page is free to reference in reports, advisories, and articles. Please credit Daily CyberSecurity and link back to this page so readers always see the current data.