Security Bulletins

Active threat advisories and known exploited vulnerabilities.

Pulled daily from the CISA Known Exploited Vulnerabilities catalog. Every entry has confirmed active exploitation in the wild. Last synced Jun 12, 2026.

1,619 total bulletins · 1,619 critical or high severity · Source: CISA KEV + NVD
Critical | CVE-2023-20198 | Cisco · IOS XE Web UI | Added Oct 16, 2023

Cisco IOS XE Web UI Privilege Escalation Vulnerability

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. The attacker can then use that account to gain control of the affected device.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-21608 | Adobe · Acrobat and Reader | Added Oct 10, 2023

Adobe Acrobat and Reader Use-After-Free Vulnerability

Adobe Acrobat and Reader contains a use-after-free vulnerability that allows for code execution in the context of the current user.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-20109 | Cisco · IOS and IOS XE | Added Oct 10, 2023

Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability

Cisco IOS and IOS XE contain an out-of-bounds write vulnerability in the Group Encrypted Transport VPN (GET VPN) feature that could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute malicious code or cause a device to crash.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-41763 | Microsoft · Skype for Business | Added Oct 10, 2023

Microsoft Skype for Business Privilege Escalation Vulnerability

Microsoft Skype for Business contains an unspecified vulnerability that allows for privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-36563 | Microsoft · WordPad | Added Oct 10, 2023

Microsoft WordPad Information Disclosure Vulnerability

Microsoft WordPad contains an unspecified vulnerability that allows for information disclosure.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-44487 | IETF · HTTP/2 | Added Oct 10, 2023

HTTP/2 Rapid Reset Attack Vulnerability

HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-22515 | Atlassian · Confluence Data Center and Server | Added Oct 5, 2023

Atlassian Confluence Data Center and Server Broken Access Control Vulnerability

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-40044 | Progress · WS_FTP Server | Added Oct 5, 2023

Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability

Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-42824 | Apple · iOS and iPadOS | Added Oct 5, 2023

Apple iOS and iPadOS Kernel Privilege Escalation Vulnerability

Apple iOS and iPadOS contain an unspecified vulnerability that allows for local privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-42793 | JetBrains · TeamCity | Added Oct 4, 2023

JetBrains TeamCity Authentication Bypass Vulnerability

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-28229 | Microsoft · Windows CNG Key Isolation Service | Added Oct 4, 2023

Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability

Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service contains an unspecified vulnerability that allows an attacker to gain specific limited SYSTEM privileges.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-4211 | Arm · Mali GPU Kernel Driver | Added Oct 3, 2023

Arm Mali GPU Kernel Driver Use-After-Free Vulnerability

Arm Mali GPU Kernel Driver contains a use-after-free vulnerability that allows a local, non-privileged user to perform improper GPU memory processing operations and gain access to already freed memory.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-5217 | Google · Chromium libvpx | Added Oct 2, 2023

Google Chromium libvpx Heap Buffer Overflow Vulnerability

Google Chromium libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could impact web browsers using libvpx, including but not limited to Google Chrome.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2018-14667 | Red Hat · JBoss RichFaces Framework | Added Sep 28, 2023

Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-41991 | Apple · Multiple Products | Added Sep 25, 2023

Apple Multiple Products Improper Certificate Validation Vulnerability

Apple iOS, iPadOS, macOS, and watchOS contain an improper certificate validation vulnerability that can allow a malicious app to bypass signature validation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-41992 | Apple · Multiple Products | Added Sep 25, 2023

Apple Multiple Products Kernel Privilege Escalation Vulnerability

Apple iOS, iPadOS, macOS, and watchOS contain an unspecified vulnerability that allows for local privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-41993 | Apple · Multiple Products | Added Sep 25, 2023

Apple Multiple Products WebKit Code Execution Vulnerability

Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-41179 | Trend Micro · Apex One and Worry-Free Business Security | Added Sep 21, 2023

Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability

Trend Micro Apex One and Worry-Free Business Security contain an unspecified vulnerability in the third-party anti-virus uninstaller that could allow an attacker to manipulate the module to conduct remote code execution. An attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-28434 | MinIO · MinIO | Added Sep 19, 2023

MinIO Security Feature Bypass Vulnerability

MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2022-22265 | Samsung · Mobile Devices | Added Sep 18, 2023

Samsung Mobile Devices Use-After-Free Vulnerability

Samsung devices with selected Exynos chipsets contain a use-after-free vulnerability that allows malicious memory write and code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2014-8361 | Realtek · SDK | Added Sep 18, 2023

Realtek SDK Improper Input Validation Vulnerability

Realtek SDK contains an improper input validation vulnerability in the miniigd SOAP service that allows remote attackers to execute malicious code via a crafted NewInternalClient request.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2017-6884 | Zyxel · EMG2926 Routers | Added Sep 18, 2023

Zyxel EMG2926 Routers Command Injection Vulnerability

Zyxel EMG2926 routers contain a command injection vulnerability located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute malicious commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2021-3129 | Laravel · Ignition | Added Sep 18, 2023

Laravel Ignition File Upload Vulnerability

Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-26369 | Adobe · Acrobat and Reader | Added Sep 14, 2023

Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability

Adobe Acrobat and Reader contains an out-of-bounds write vulnerability that allows for code execution.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed
Critical | CVE-2023-35674 | Android · Framework | Added Sep 13, 2023

Android Framework Privilege Escalation Vulnerability

Android Framework contains an unspecified vulnerability that allows for privilege escalation.

NVD Detail ↗ CISA KEV ↗ Patch deadline passed