Cisco Catalyst SD-WAN Flaw Added to KEV
CISA has added a critical Cisco Catalyst SD-WAN controller authentication bypass to its Known Exploited Vulnerabilities catalog due to active exploitation.
CISA has officially added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog, highlighting ongoing active exploitation of the Cisco Catalyst SD-WAN Controller. This critical vulnerability in the control connection handler allows a remote, unauthenticated attacker to bypass authentication, effectively granting them administrative access to the controller. As Help Net Security reported, this marks the sixth exploited zero-day affecting this product family in 2026 alone. Security teams should prioritize patching immediately, as Cisco Talos Intelligence has detailed the ongoing nature of these attacks. The Rapid7 Blog provides further technical context on the risk posed by such "god mode" access.
Ivanti vTM is also under active exploitation, with CVE-2024-7593 listed in the KEV catalog due to an incorrect implementation of an authentication algorithm. This flaw, affecting versions other than 22.2R1 or 22.7R2, permits a remote, unauthenticated attacker to bypass authentication mechanisms on the administrative panel. Given the high EPSS score and its inclusion in the KEV, this represents a significant risk for organizations utilizing Ivanti vTM for traffic management. Administrators must verify their version and apply the necessary updates to mitigate the risk of unauthorized administrative access.
A severe supply-chain attack has compromised official installation packages for DAEMON Tools Lite on Windows, specifically versions 12.5.0.2421 through 12.5.0.2434. Tracked as CVE-2026-8398, this incident involved the distribution of malicious packages directly from the legitimate vendor website between early April and mid-May 2026. The compromise allows for remote code execution on affected systems, posing a critical risk to users who downloaded the software during this window. Organizations should audit their environments for these specific versions and immediately remediate any affected installations.
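The two advisories above both reduce to the same defensive task: decide from an inventory of installed versions which hosts fall inside an affected set. The following Python is an added example written for this digest, not code from Cisco, Ivanti, Disc Soft or CISA; the version strings come from the text, while the inventory table, hostnames and the product-name keys are constructed. For DAEMON Tools Lite the affected set is the contiguous build range named above; for Ivanti vTM the advisory says every version other than the two fixed releases is affected, so the check is an exclusion rather than a range. Versions that cannot be parsed are reported rather than silently treated as fixed, since an unknown build is the one you most want a human to look at.

```python
import re
from typing import Callable, Dict, List, Tuple

# Version strings as given in the advisories; the table layout is ours.
DAEMON_TOOLS_AFFECTED = ("12.5.0.2421", "12.5.0.2434")  # inclusive build range
IVANTI_VTM_FIXED = {"22.2R1", "22.7R2"}                   # only these are fixed


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.5.0.2421' or '22.7R2' into a tuple of ints that compares correctly."""
    parts = re.split(r"[.R]", v.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def daemon_tools_affected(version: str) -> bool:
    lo, hi = (parse_version(x) for x in DAEMON_TOOLS_AFFECTED)
    return lo <= parse_version(version) <= hi


def ivanti_vtm_affected(version: str) -> bool:
    # Reject garbage first so a typo in the inventory never reads as "fixed".
    parse_version(version)
    return version.strip() not in IVANTI_VTM_FIXED


CHECKS: Dict[str, Callable[[str], bool]] = {
    "DAEMON Tools Lite": daemon_tools_affected,
    "Ivanti vTM": ivanti_vtm_affected,
}


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """inventory rows are (hostname, product, version); returns one line per host needing action."""
    findings = []
    for host, product, version in inventory:
        check = CHECKS.get(product)
        if check is None:
            continue  # product not covered by these advisories
        try:
            if check(version):
                findings.append(f"{host}: {product} {version} is in the affected set")
        except ValueError as exc:
            findings.append(f"{host}: {product} version could not be parsed ({exc})")
    return findings


# Constructed sample inventory for the demo; not real hosts.
SAMPLE_INVENTORY = [
    ("ws-101", "DAEMON Tools Lite", "12.5.0.2421"),  # first trojanised build
    ("ws-102", "DAEMON Tools Lite", "12.5.0.2435"),  # one past the range
    ("ws-103", "DAEMON Tools Lite", "12.4.9.9999"),  # older than the range
    ("lb-01", "Ivanti vTM", "22.7R1"),               # not one of the fixed releases
    ("lb-02", "Ivanti vTM", "22.7R2"),               # fixed
    ("lb-03", "Ivanti vTM", "unknown"),              # inventory gap, must be reported
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Tuple comparison is what makes `12.5.0.2435` sort after `12.5.0.2434` correctly; a plain string comparison would put `12.5.0.999` after both, which is the usual bug in hand-rolled version checks.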
Several critical remote code execution vulnerabilities have been disclosed in popular developer tools and libraries. Hugging Face Diffusers is affected by CVE-2026-44827 and CVE-2026-44513, both of which allow for arbitrary code execution by bypassing the `trust_remote_code` safeguard when loading pipelines, requiring an update to version 0.38.0. Additionally, Gotenberg prior to version 8.31.0 is vulnerable to CVE-2026-42589, where the `/forms/pdfengines/metadata/write` endpoint fails to sanitize JSON metadata, allowing command injection via the go-exiftool library. These vulnerabilities highlight the importance of strictly managing dependencies and input sanitization in development environments.
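The Gotenberg issue is a reminder that JSON which ends up as arguments to an external tool needs the same scrutiny as a shell string. The Python below is an added example for this digest, not Gotenberg's or go-exiftool's code, and it assumes the metadata keys and values are passed to an exiftool-style process as command-line arguments; the allowlist of PDF Info tag names is ours. It shows the pattern to avoid (interpolating parsed JSON into a shell line) beside a hardened path that validates the document against an allowlist, rejects control characters and option-like values, and builds an argv list so that no shell ever sees the input.

```python
import json
import re
from typing import Dict, List

# Assumed allowlist of PDF Info tags a metadata-write endpoint would accept.
ALLOWED_TAGS = {"Title", "Author", "Subject", "Keywords", "Creator", "Producer"}
# No control characters (newlines included) belong in a document's metadata.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class MetadataRejected(ValueError):
    """Raised when the client-supplied JSON fails validation."""


def validate_metadata(raw_json: str) -> Dict[str, str]:
    """Parse and validate the request body; only clean string values come back."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise MetadataRejected(f"invalid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise MetadataRejected("metadata must be a JSON object")
    clean: Dict[str, str] = {}
    for key, value in doc.items():
        if key not in ALLOWED_TAGS:
            raise MetadataRejected(f"tag not allowed: {key!r}")
        if isinstance(value, bool) or not isinstance(value, (str, int, float)):
            raise MetadataRejected(f"tag {key!r}: value must be a string or number")
        text = str(value)
        if CONTROL_CHARS.search(text):
            raise MetadataRejected(f"tag {key!r}: control characters not allowed")
        if text.startswith("-"):
            # A leading dash could be read as an option by the tool; refuse it.
            raise MetadataRejected(f"tag {key!r}: value may not start with '-'")
        clean[key] = text
    return clean


def is_accepted(raw_json: str) -> bool:
    """Convenience wrapper: True if the body passes validation."""
    try:
        validate_metadata(raw_json)
        return True
    except MetadataRejected:
        return False


def build_exiftool_argv(path: str, metadata: Dict[str, str]) -> List[str]:
    """Build an argv list for an exiftool-style write.
    Each tag is one '-Tag=value' element, so a value can never split into
    extra arguments; run it with subprocess.run(argv) and never shell=True."""
    if path.startswith("-"):
        raise MetadataRejected("file path may not look like an option")
    argv = ["exiftool", "-overwrite_original"]
    for key, value in metadata.items():
        argv.append(f"-{key}={value}")
    argv.append(path)
    return argv


def unsafe_shell_command(path: str, raw_json: str) -> str:
    """The anti-pattern: unvalidated JSON values interpolated into a shell line."""
    doc = json.loads(raw_json)
    tags = " ".join(f"-{k}='{v}'" for k, v in doc.items())
    return f"exiftool -overwrite_original {tags} {path}"


if __name__ == "__main__":
    body = '{"Title": "Q3 report", "Author": "Ops"}'  # constructed request body
    print(build_exiftool_argv("/data/in.pdf", validate_metadata(body)))
```

The allowlist does most of the work: with only known tag names accepted, an attacker cannot smuggle in an option-shaped key, and the argv list removes the shell from the picture entirely. The single-quote wrapping in `unsafe_shell_command` is the kind of "sanitization" that looks safe and is not, because the quotes themselves come from the value.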
The Form Notify plugin for WordPress is susceptible to an authentication bypass vulnerability, CVE-2026-5229, affecting versions up to and including 1.1.10. By manipulating user-controlled cookie data, an attacker can authenticate as any WordPress account, potentially leading to full site compromise. Furthermore, ERPNext prior to 16.9.1 is impacted by CVE-2026-44442, which fails to enforce proper authorization checks, allowing users to modify data beyond their permitted roles. These vulnerabilities underscore the necessity of keeping plugins and enterprise applications updated to prevent unauthorized access and data manipulation.
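The Form Notify bug belongs to a familiar class: the server reads an identity out of a cookie the client controls and trusts it. The Python below is an added example for this digest, not the plugin's code; the user table, cookie layout and secret are constructed. It contrasts the weak pattern (user id taken straight from the cookie) with a cookie that carries an expiry and an HMAC computed with a server-side secret, so that changing the id, the expiry, or the tag invalidates it. WordPress's own authentication cookies are HMAC-validated, which is why a plugin that invents its own session cookie should lean on the core mechanism rather than reimplement it.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed user table; a real plugin would consult the WordPress users table.
USERS = {1: "admin", 2: "editor", 3: "subscriber"}


# --- Weak pattern: identity is whatever the client wrote into the cookie ------
def weak_user_from_cookie(cookie_value: str) -> Optional[str]:
    """Anyone who sets the cookie to '1' is treated as the admin account."""
    try:
        return USERS.get(int(cookie_value))
    except ValueError:
        return None


# --- Hardened pattern: server-side secret, HMAC over id and expiry -------------
SERVER_SECRET = secrets.token_bytes(32)  # generated at startup for this demo


def _now(now: Optional[int]) -> int:
    return now if now is not None else int(time.time())


def issue_cookie(user_id: int, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Return 'uid|exp|hmac', where the tag covers both the id and the expiry."""
    exp = _now(now) + ttl_seconds
    payload = f"{user_id}|{exp}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def user_from_signed_cookie(cookie_value: str, now: Optional[int] = None) -> Optional[str]:
    """Accept the cookie only if the tag verifies and it has not expired."""
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return None
    uid_str, exp_str, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{uid_str}|{exp_str}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        uid, exp = int(uid_str), int(exp_str)
    except ValueError:
        return None
    if _now(now) >= exp:
        return None
    return USERS.get(uid)


if __name__ == "__main__":
    cookie = issue_cookie(3, now=1000)
    print(weak_user_from_cookie("1"))                      # the weak check yields 'admin'
    print(user_from_signed_cookie(cookie, now=1500))       # 'subscriber'
    print(user_from_signed_cookie("1|4600|deadbeef", now=1500))  # None: bad tag
```

Signing fixes the tampering problem but not revocation: a signed cookie stays valid until it expires even after a password change or logout, so production code pairs it with a server-side session record or a per-user secret that can be rotated.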