Critical Alert 2 Active Exploits Detected Today

CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability →
CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability →
Powered by CVE Watchtower
×

Top Exploited CVEs This Month

most exploited vulnerabilities, actively exploited CVEs

This page tracks the vulnerabilities most actively exploited in the wild right now. Each entry is a CVE added to the CISA Known Exploited Vulnerabilities (KEV) catalog within the last 30 days and confirmed as under active exploitation by our CVE Watchtower. The list is ranked by EPSS score, which estimates the probability of exploitation, alongside CVSS severity. It refreshes automatically throughout the day. If you only have time to patch a few things this month, start here.

Last updated: July 11, 2026 · Source: CISA KEV + Daily CyberSecurity CVE Watchtower

#CVEVendor / ProductCVSSEPSSAdded to KEV
1 CVE-2026-35273
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are…
Oracle PeopleSoft Enterprise PeopleTools 9.8 92.3% Jun 12, 2026
2 CVE-2026-20253
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary…
Splunk Enterprise 9.8 88.2% Jun 18, 2026
3 CVE-2026-48907
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately…
Widget Factory Joomla Content Editor 10.0 80.4% Jun 16, 2026
4 CVE-2026-34910
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices…
Ubiquiti UniFi OS 10.0 78.6% Jun 23, 2026
5 CVE-2026-20230
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME)…
Cisco Unified Communications Manager 8.6 41.7% Jun 25, 2026
6 CVE-2026-48282
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path…
Adobe ColdFusion 10.0 28.6% Jul 7, 2026
7 CVE-2026-20262
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker…
Cisco Catalyst SD-WAN Manager 6.5 7.7% Jun 15, 2026
8 CVE-2026-45659
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Microsoft SharePoint Server 8.8 3.2% Jul 1, 2026
9 CVE-2026-56290
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and…
Joomlack Page Builder 10.0 2.9% Jul 7, 2026
10 CVE-2026-34908
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices…
Ubiquiti UniFi OS 10.0 2.5% Jun 23, 2026
11 CVE-2026-34909
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
Ubiquiti UniFi OS 10.0 2.3% Jun 23, 2026
12 CVE-2026-48908
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload…
JoomShaper SP Page Builder 10.0 1.6% Jul 7, 2026
13 CVE-2026-54420
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with…
LiteSpeed cPanel Plugin 8.5 1.3% Jun 15, 2026
14 CVE-2026-12569
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may…
PTC Windchill and FlexPLM 9.3 1.2% Jun 25, 2026
15 CVE-2026-48558
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When…
SimpleHelp SimpleHelp 10.0 1.2% Jun 29, 2026
Previous 30 days
#CVEVendor / ProductCVSSEPSSAdded to KEV
1 CVE-2026-10520
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Ivanti Sentry 10.0 99.0% Jun 11, 2026
2 CVE-2008-4250
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and…
Microsoft Windows 9.8 98.8% May 20, 2026
3 CVE-2010-0249
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and…
Microsoft Internet Explorer 8.8 91.9% May 20, 2026
4 CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after…
Cisco Catalyst SD-WAN 10.0 88.5% May 14, 2026
5 CVE-2026-0257
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass…
Palo Alto Networks PAN-OS 7.8 86.7% May 29, 2026
6 CVE-2009-3459
Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote…
Adobe Acrobat and Reader 8.8 86.5% May 20, 2026
7 CVE-2010-0806
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote…
Microsoft Internet Explorer 8.8 82.0% May 20, 2026
8 CVE-2026-42271
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to…
BerriAI LiteLLM 8.8 80.2% Jun 8, 2026
9 CVE-2026-50751
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated…
Check Point Security Gateway 9.3 70.1% Jun 8, 2026
10 CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
Microsoft Defender 4.0 63.1% May 20, 2026
11 CVE-2009-1537
Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows…
Microsoft DirectX 8.8 50.9% May 20, 2026
12 CVE-2024-21182
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0…
Oracle WebLogic Server 7.5 49.7% Jun 1, 2026
13 CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.…
Drupal Core 6.5 33.7% May 22, 2026
14 CVE-2026-45247
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated…
Mirasvit Mirasvit Full Page Cache Warmer 9.8 27.5% Jun 3, 2026
15 CVE-2026-20245
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage,…
Cisco Catalyst SD-WAN Manager 7.8 25.3% Jun 9, 2026

Frequently Asked Questions

What does “actively exploited” mean?

It means attackers are using the vulnerability in real-world attacks right now, not just in theory. Confirmation comes from the CISA KEV catalog and our own CVE Watchtower tracking.

What is the CISA KEV catalog?

The Known Exploited Vulnerabilities (KEV) catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency. It only includes CVEs with reliable evidence of exploitation in the wild, which makes it a strong patching baseline for any organization.

What is an EPSS score?

EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited within the next 30 days. A score of 90% means very high likelihood. We rank this list by EPSS because it reflects real-world risk better than severity alone.

How is this different from CVSS?

CVSS measures how severe a vulnerability could be if exploited. EPSS measures how likely exploitation actually is. A flaw can be critical on paper but rarely attacked, or moderate on paper yet heavily abused. We show both so defenders can prioritize correctly.

How often is this page updated?

The list refreshes automatically several times a day from the CISA KEV feed and our CVE Watchtower database. The “Last updated” line above the table shows the most recent refresh.

Should I patch everything on this list?

Yes, treat every entry as a priority. These CVEs are confirmed under active exploitation, so the usual “wait and assess” approach does not apply. If a patch is unavailable, apply the vendor’s mitigations immediately.

Can I cite or link to this list?

Yes. This page is free to reference in reports, advisories, and articles. Please credit Daily CyberSecurity and link back to this page so readers always see the current data.