// CVE Tracker
152 active CVEs (page 2 of 7), sorted unpatched-first by CVSS
Summary counts: 85 critical, 66 high, 152 total active, 146 patched
CVE-2026-21515
Azure IoT Central: Privilege Escalation via Sensitive Data Exposure
CVE-2026-21515 is a near-maximum severity privilege escalation vulnerability in Azure IoT Central. A low-privilege authenticated attacker can access sensitive platform configuration data (including device provisioning credentials and shared access signatures) that should be restricted to administrative accounts, then leverage that data to escalate to full tenant administrative control. Microsoft patched the vulnerability in the April 2026 Patch Tuesday release.
CVE-2026-27681
SAP Business Planning and Consolidation SQL Injection: Authenticated Low-Privilege RCE on ERP Database
A SQL injection vulnerability in SAP Business Planning and Consolidation (BPC) and SAP BW/4HANA allows an authenticated user with low-privilege access to execute arbitrary SQL against the underlying database. Exploiting the flaw gives the attacker full read and write access to financial planning data, consolidated accounts, and audit records stored in the ERP database tier. The vulnerability was patched in SAP's April 2026 Security Patch Day. SAP BPC and BW/4HANA are deployed in large enterprise environments for financial close processes, regulatory reporting, and management consolidation, making the database tier a high-value target for financial fraud, data manipulation, and ransomware operators seeking maximum leverage.
CVE-2026-44748
SAP NetWeaver ABAP SAML Authentication Bypass (CVSS 9.9)
A validation failure in SAP NetWeaver Application Server ABAP's SAML 2.0 assertion processing allows unauthenticated remote attackers to forge SAML assertions and impersonate any user including system administrators without valid credentials. Affects all SAP NetWeaver ABAP systems with SAML authentication enabled. Patched by SAP Security Note 3578412 in the June 2026 Security Patch Day.
CVE-2024-57726
SimpleHelp Remote Management Tool: Missing Authorisation Allows Unauthenticated Admin Access
A missing authorisation check in the SimpleHelp remote management and monitoring (RMM) server allows an unauthenticated remote attacker to enumerate user accounts, extract active session tokens, and escalate to full administrator access without credentials. The vulnerability exists in the server's API layer where administrative endpoints fail to validate caller authentication. Exploitation enables complete takeover of the SimpleHelp server and authenticated access to all managed endpoints connected to it.
CVE-2024-7399
Samsung MagicINFO Digital Signage Server: Authenticated Remote Code Execution via Arbitrary File Upload
An arbitrary file upload vulnerability in Samsung MagicINFO, the content and device management server for Samsung commercial displays and digital signage, allows an authenticated attacker with any user-level account to upload and execute arbitrary files on the server. The flaw exists in the content management component's lack of upload type validation. Successful exploitation provides full server compromise with code execution in the context of the MagicINFO service.
CVE-2025-53521
F5 BIG-IP APM Remote Code Execution via apmd Process
A remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM) affects the apmd process. Initially disclosed in October 2025 as a denial-of-service flaw, the vulnerability was reclassified by F5 in March 2026 after new exploitation information emerged. An unauthenticated remote attacker can exploit the flaw to achieve code execution on the BIG-IP appliance. CISA confirmed active exploitation and added CVE-2025-53521 to its Known Exploited Vulnerabilities catalogue on 27 March 2026, issuing a three-day patch mandate to federal agencies.
CVE-2026-1281
Ivanti EPMM Apache URL Rewriting Code Injection: Unauthenticated RCE
A code injection vulnerability in legacy bash scripts used by Ivanti EPMM's Apache web server for URL rewriting allows unauthenticated remote attackers to execute arbitrary commands. This is the primary initial-access vector in the Ivanti EPMM exploit chain, typically followed by CVE-2026-1340 for further capability extension. CISA added this vulnerability to the KEV catalogue in January 2026 with exploitation confirmed in the wild targeting government and enterprise MDM deployments.
CVE-2026-1340
Ivanti EPMM Android File Transfer Code Injection: Unauthenticated RCE
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM)'s Android File Transfer mechanism allows unauthenticated remote attackers to execute arbitrary code on internet-exposed appliances. The flaw is frequently chained with CVE-2026-1281 to achieve full appliance compromise. Active exploitation has been confirmed since January 2026, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 8 April 2026 with a federal agency patch deadline of 11 April.
CVE-2026-20093
Cisco Integrated Management Controller Authentication Bypass
A critical authentication bypass in the Cisco Integrated Management Controller (IMC) allows an unauthenticated remote attacker to bypass authentication entirely and gain elevated access to the affected system. The vulnerability is caused by incorrect handling of password change requests: an attacker sends a crafted HTTP request to the IMC management interface to bypass authentication, reset the password of any local user including administrators, and gain full control of the server's out-of-band management plane. IMC access is equivalent to physical console access to the server.
CVE-2026-20160
Cisco Smart Software Manager On-Prem Unauthenticated RCE
A critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system. The flaw stems from the unintentional exposure of an internal administrative service that was not designed to accept external connections; an attacker who reaches this service can invoke OS-level commands without authentication. SSM On-Prem is used by enterprises to manage Cisco software licences on-premises, without sending licence data to Cisco's cloud.
CVE-2026-20184
Cisco Webex Services: Unauthenticated SSO User Impersonation via Certificate Validation Bypass
An improper certificate validation flaw (CWE-295) in Cisco Webex Services' SSO integration with Control Hub allows unauthenticated remote attackers to supply crafted SAML tokens and be authenticated as any user within an enterprise's Webex tenant. Cisco has patched the cloud infrastructure, but enterprise administrators using SSO must manually regenerate and upload a new IdP SAML certificate to Control Hub to complete remediation.
CVE-2026-20253
Splunk Enterprise Unauthenticated RCE via PostgreSQL Sidecar Service
An unauthenticated remote code execution vulnerability in Splunk Enterprise arises from an exposed PostgreSQL sidecar service that binds to a network port without enforcing application-layer authentication. An attacker with network access to the Splunk host can send crafted database queries to trigger file operations resulting in arbitrary OS command execution, with no credentials required at any stage. Splunk Cloud Platform is not affected. SIEM compromise carries exceptional impact: attackers gain complete visibility into defender detection coverage, can disable or modify detection rules to suppress alerting, and can extract credentials stored in forwarder authentication configurations. Discovered and disclosed by Orca Security.
CVE-2026-21643
Fortinet FortiClient EMS 7.4.4: Pre-Authentication SQL Injection RCE
A critical pre-authentication SQL injection vulnerability (CWE-89) in Fortinet FortiClient EMS 7.4.4 allows an unauthenticated remote attacker to execute arbitrary code via the /api/v1/init_consts endpoint. The flaw was introduced when the multi-tenant database connection layer was refactored in 7.4.4, replacing parameterised queries with raw string interpolation. Because the PostgreSQL database user runs with superuser privileges in Fortinet's shipped VM image, successful SQL injection escalates to OS command execution via COPY ... TO/FROM PROGRAM. The vulnerability enables extraction of admin password hashes, API tokens, JWT secrets, and the complete endpoint inventory of all managed FortiClient deployments. CISA added CVE-2026-21643 to the KEV catalogue on 13 April 2026.
CVE-2026-21992
Oracle Identity Manager Pre-Authentication Remote Code Execution
A critical pre-authentication remote code execution vulnerability in Oracle Identity Manager (OIM) and Oracle Web Services Manager (WSM) allows unauthenticated attackers to execute arbitrary code via HTTP by exploiting missing authentication on a critical REST WebServices component. The flaw has a CVSS score of 9.8, requires no credentials or user interaction, and is remotely exploitable with low attack complexity over a network. Oracle released an out-of-band emergency patch in March 2026, only the second such emergency release Oracle has issued for Identity Manager.
CVE-2026-25089
Fortinet FortiSandbox Unauthenticated Command Injection via Web UI
Unauthenticated command injection in the FortiSandbox web management interface allows a remote attacker to execute arbitrary system commands with no credentials required. The vulnerability is in the input handling routines for system configuration parameters; crafted HTTP requests to the management port trigger OS command execution. No workaround is available; patching is the only remediation. Compromise of the sandboxing appliance is especially consequential as it allows an attacker to suppress malware detections and manipulate analysis verdicts, effectively disabling a critical security layer while it appears to function normally.
CVE-2026-26210
KTransformers: Unauthenticated RCE via Pickle Deserialization on ZMQ Scheduler Socket
CVE-2026-26210 is a critical pre-authentication remote code execution vulnerability in the KTransformers AI inference acceleration framework. The scheduler's ZeroMQ ROUTER socket binds to all network interfaces by default with no authentication, and deserialises incoming messages using Python's pickle.loads() without validation. Any network-reachable attacker can supply a crafted pickle payload to execute arbitrary code as the process owner, typically on a privileged GPU server. No exploitation in the wild has been confirmed at time of publication.
CVE-2026-26956
vm2 Node.js Sandbox: WebAssembly Exception Handling Escape Allows Host Code Execution
A critical sandbox escape vulnerability in vm2 (one of the most widely used Node.js sandbox libraries, with approximately 1.3 million weekly npm downloads) allows code executing inside the vm2 sandbox to escape isolation and execute arbitrary code on the host Node.js process. The vulnerability exploits WebAssembly exception handling (the 'exnref' proposal), which was introduced in V8 and bypasses vm2's sandbox enforcement mechanisms. Any application using vm2 to execute untrusted or user-supplied JavaScript is at risk of complete host process compromise. Fixed in vm2 3.9.22.
CVE-2026-31414
Linux Kernel Netfilter Conntrack โ Privilege Escalation / Denial of Service
A vulnerability in the Linux kernel netfilter connection tracking (conntrack) expectations mechanism allows a local attacker with access to netfilter configuration to trigger unsafe memory access, leading to kernel memory corruption, system crashes, or potential privilege escalation. In container environments with user namespaces enabled, the attack surface extends to unprivileged container processes that can configure netfilter rules within their namespace, potentially affecting the host kernel. Affects Linux kernel versions 6.1 through 6.10; patches backported to stable branches. Part of an April 2026 batch addressing multiple netfilter subsystem flaws (CVE-2026-31422, CVE-2026-31416).
CVE-2026-3197
Palo Alto PAN-OS GlobalProtect SAML Authentication Bypass
A critical authentication bypass in the Palo Alto Networks PAN-OS GlobalProtect SAML authentication handler allows unauthenticated remote attackers to forge a valid SAML assertion and gain full administrative access to the firewall management plane. The vulnerability exploits a signature verification flaw in the XML SAML response parser, enabling an attacker to send a crafted assertion that PAN-OS accepts as legitimate without contacting the configured identity provider. Exploitation grants the attacker the ability to modify firewall policy, create persistent accounts, and extract VPN configuration data. When chained with CVE-2026-3201 (post-authentication command injection), the combined attack achieves unauthenticated root-level OS code execution.
CVE-2026-32644
Milesight AIOT Cameras: Hard-Coded Shared SSL Private Key Enables Fleet-Wide Silent MITM
All cameras within a Milesight AIOT model family share a single factory-embedded SSL private key that cannot be changed through the management interface. An attacker who extracts this key from any unit (achievable through firmware extraction or from publicly available firmware images) can perform silent man-in-the-middle attacks against all cameras in that model family, intercepting video streams, management credentials, and configuration traffic without triggering any certificate validation failure. Affects 18-plus model families; CISA advisory ICSA-26-113-03.
CVE-2026-33032
nginx-ui MCP Endpoint Authentication Bypass (MCPwn)
A critical authentication bypass in nginx-ui's Model Context Protocol (MCP) endpoint allows unauthenticated remote attackers to invoke all MCP tools including creating, modifying, and deleting Nginx configuration files and restarting the Nginx service. The /mcp_message endpoint applies only IP allowlisting with an empty default whitelist (effectively allow-all), bypassing the application's authentication layer entirely. Exploitation requires two HTTP requests and takes seconds to execute, resulting in full Nginx server takeover.
CVE-2026-33626
LMDeploy LLM Inference Framework: Unauthenticated Remote Code Execution via Deserialization
A deserialization vulnerability in LMDeploy's model loading API allows an unauthenticated remote attacker to execute arbitrary operating system commands as the service account running the inference server. The flaw stems from the absence of input validation during model configuration and adapter ingestion: a crafted payload triggers unsafe deserialization and achieves code execution. Active exploitation was confirmed within 13 hours of public disclosure on 24 April 2026.
CVE-2026-33824
Windows Internet Key Exchange (IKE): Unauthenticated Remote Code Execution
A critical remote code execution vulnerability in the Windows Internet Key Exchange Service Extensions allows an unauthenticated remote attacker to execute arbitrary code without user interaction. The network-accessible attack vector and complete absence of authentication requirements place this among the most severe vulnerabilities in the April 2026 Patch Tuesday release. Systems running Windows with IPsec/IKE services exposed to untrusted networks are at immediate risk.
CVE-2026-34197
Apache ActiveMQ Unauthenticated RCE via Jolokia API
A critical remote code execution vulnerability in Apache ActiveMQ's Jolokia JMX-over-HTTP bridge allows unauthenticated remote attackers to execute arbitrary OS commands by invoking the addNetworkConnector MBean operation with a crafted URI. The flaw causes the broker to fetch and parse an attacker-controlled XML configuration file, enabling arbitrary Java class instantiation and OS command execution under the service account context. Present since ActiveMQ 5.x, this design weakness was not addressed in the 6.x rewrite and is unauthenticated by default in ActiveMQ 6.0.0 through 6.1.1. When chained with CVE-2024-32114, the combined exploit achieves full unauthenticated root-level code execution in seconds.
CVE-2026-35273
Oracle PeopleSoft Campus Solutions Authentication Bypass: Student Records Exposed
A critical authentication bypass in Oracle PeopleSoft's PIA (PeopleSoft Internet Architecture) web tier affects the Campus Community module. An unauthenticated remote attacker can send a crafted HTTP request to the PIA endpoint to trigger an authentication token validation error, receiving an administrative-level authenticated session without supplying credentials. The flaw affects all PeopleSoft PeopleTools versions 8.54 through 8.60 with the Campus Solutions module. Actively exploited by ShinyHunters since at least 9 June 2026; at least twelve universities in the US, UK, and Australia confirmed breached with student PII (SSNs, financial aid records, academic transcripts) exfiltrated. Oracle released an out-of-band emergency patch (Doc ID 2026-35273.8) on 15 June 2026.
Note: CVE data is curated manually from NVD, vendor advisories, and security research. CVSS scores reflect NVD base scores at time of entry. Always verify with official vendor advisories before actioning.