Whether you are steering the organizational ship as a CISO or maintaining the operational engines as a system administrator, cutting through the noise of weekly vulnerabilities is essential to keeping your environment secure.
Between March 23 and March 29, 2026, the global security community tracked a staggering 1,740 newly published vulnerabilities. While most of these require standard, scheduled patching, a handful of zero-days, supply chain attacks, and maximum-severity flaws demand your immediate attention.
Here is the intelligence you need to prioritize effectively this week.
By the Numbers: The Week at a Glance
When it comes to triage, context is everything. Out of the 1,740 new vulnerabilities identified this week, here is how the severity breakdown looks:
- Critical (CVSS 9.0–10.0): 147
- High: 635
- Medium: 536
- Low: 65
- Unknown/Pending: 355
While 147 “Critical” vulnerabilities might sound like an emergency across the board, only a select few are currently being weaponized by threat actors.
The CISA KEV Hotlist
The Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week. If these technologies exist in your environment, they should bypass your standard patch cycle and be remediated immediately:
- F5 BIG-IP APM (CVE-2025-53521): This High-severity flaw (CVSS 8.7) affects the Access Policy Manager. When APM is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, a denial-of-service condition that drops traffic until TMM restarts. Do not let the "High" rating slow you down: KEV listing means exploitation has been observed, which matters more for prioritization than the score.
- Langflow (CVE-2026-33017): Langflow, a popular tool for building and deploying AI-powered agents and workflows, is under active exploitation. As AI agents become more embedded in enterprise networks, securing their foundational deployment platforms is critical.
- Trivy Security Scanner (CVE-2026-33634): In a classic supply chain attack, threat actors used compromised credentials on March 19, 2026, to publish malicious payloads under the name of Trivy, a widely used container and vulnerability scanner. Note: because the compromised component is a security tool that pipelines download and run automatically, a poisoned release is a systemic risk to DevOps pipelines rather than a single-host problem; any pipeline that pulled Trivy during the affected window should be treated as potentially exposed.
In the Wild: Active Exploitation
Outside of the KEV additions, our threat intelligence flagged an additional high-priority threat currently marked as ACTIVE in the wild:
- Kali Forms WordPress Plugin (CVE-2026-3584): Rated Critical with a CVSS score of 9.8, this flaw allows unauthenticated remote attackers to execute arbitrary code on affected WordPress sites. If your marketing or web teams use Kali Forms, assume breach attempts are actively hitting your perimeter and update the plugin immediately.
The Maximum CVSS Score
A base score of 10.0 is the ceiling of the scale, and in CVSS v3.1 terms it has a precise meaning: every exploitability metric at its worst (reachable over the network, low attack complexity, no privileges required, no user interaction), a scope change (the vulnerable component can affect resources beyond its own security authority), and high impact on at least two of confidentiality, integrity, and availability. Without the scope change the same flaw tops out at 9.8. Note that "low attack complexity" means no special conditions outside the attacker's control, not that a working exploit is easy to write. This week, several flaws reached the ceiling. Keep a close eye out for:
- CVE-2026-4688 & CVE-2026-4689: Two "Sandbox Escape" vulnerabilities. One is a use-after-free memory-corruption flaw in the Disability Access APIs; the other is an integer overflow with improper boundary checks in the XPCOM component. Sandbox escapes are dangerous because the sandbox is the layer meant to contain code that has already been compromised; once it is breached, the attacker runs with the privileges of the host process and a contained bug becomes a full system compromise.
- CVE-2026-3587: An unauthenticated remote attacker can invoke a hidden function exposed through a specific Command Line Interface (CLI) prompt to bypass access restrictions.
- WWBN AVideo (CVE-2026-33478): Multiple critical vulnerabilities were uncovered in versions 26.0 and earlier of this open-source video platform.
The Bottom Line
For the System Administrators and Engineers: Your immediate weekend-saving mission is to check for F5 BIG-IP, Langflow, and Trivy infrastructure. Furthermore, audit your public-facing WordPress instances for the Kali Forms plugin.
For the CISOs and Security Directors: The compromise of the Trivy security scanner is a stark reminder that our own security tools are prime targets for supply chain attacks. Ensure your DevSecOps teams pin security tooling to specific versions and artifact digests, verify signatures or checksums before anything executes in the pipeline, and treat a version bump of a scanner as a reviewed change rather than an automatic update.
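One concrete form of the integrity check recommended above, and of the defense the Trivy incident calls for: a committed lockfile of expected artifact digests that is consulted before any third-party tool runs in a pipeline. This is an added example, not Trivy's code and not a description of how that incident unfolded; the `ToolLockfile` class, its lockfile layout, the version strings and the artifact bytes are all constructed for the illustration.

```python
"""Digest pinning for third-party tools pulled into CI (added example, not
Trivy's code). The lockfile maps tool -> version -> expected SHA-256 of the
release artifact. Anything not explicitly pinned is refused, so a release
re-published under a trusted name cannot run until someone reviews and re-pins it.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ToolLockfile:
    """Hypothetical lockfile: {tool: {version: sha256hex}}. In practice this is
    committed to the repository and changed only through a reviewed pull request."""

    def __init__(self) -> None:
        self.pins: Dict[str, Dict[str, str]] = {}

    def pin(self, tool: str, version: str, artifact: bytes) -> str:
        """Record the digest of a reviewed, known-good artifact."""
        digest = sha256_hex(artifact)
        self.pins.setdefault(tool, {})[version] = digest
        return digest

    def verify(self, tool: str, version: str, artifact: bytes) -> Tuple[bool, str]:
        """Gate a downloaded artifact. Returns (allowed, reason) and fails closed."""
        versions = self.pins.get(tool)
        if versions is None:
            return False, f"{tool}: not in lockfile"
        expected = versions.get(version)
        if expected is None:
            return False, f"{tool} {version}: version not pinned; new releases are refused until reviewed"
        actual = sha256_hex(artifact)
        # The digest is public, so timing is not a concern here; compare_digest is
        # used so that == never creeps into a security comparison by habit.
        if not hmac.compare_digest(actual, expected):
            return False, f"{tool} {version}: digest mismatch, expected {expected[:12]}... got {actual[:12]}..."
        return True, f"{tool} {version}: digest verified"


def run_scenarios() -> Dict[str, bool]:
    """Constructed artifacts standing in for real release binaries."""
    good = b"\x7fELF scanner release 0.1.0 (constructed sample bytes, not a real binary)"
    lock = ToolLockfile()
    lock.pin("scanner", "0.1.0", good)  # done once, at review time

    # Same version string, different bytes: what a stolen publishing credential
    # lets an attacker ship, and the case a version-only pin would miss.
    republished = good.replace(b"release", b"rel3ase")

    return {
        "pinned_unchanged": lock.verify("scanner", "0.1.0", good)[0],
        "same_version_republished": lock.verify("scanner", "0.1.0", republished)[0],
        "unpinned_new_version": lock.verify("scanner", "0.2.0", good)[0],
        "unknown_tool": lock.verify("other-tool", "0.1.0", good)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'REFUSE'}")
```

Only the unchanged, pinned artifact is allowed; the republished bytes, the unreviewed new version and the unknown tool are all refused. The same idea applies to container images (reference them by `@sha256:` digest rather than a floating tag) and to CI actions (pin to a commit hash); where a project publishes signatures, verify those as well, since a digest pin only proves that the bytes match what you reviewed, not that the reviewed bytes were clean.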