CISA Adds Three Known Exploited Vulnerabilities to Catalog, Including Daemon Tools Lite and Nx Console Malicious Code Flaws
CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on May 27, 2026, including two supply-chain style malicious code flaws in Daemon Tools Lite and Nx Console, plus an unspecified bug in TanStack.
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The additions include CVE-2026-8398 in Daemon Tools Lite, CVE-2026-45321 in TanStack, and CVE-2026-48027 in Nx Console. The latter two involve embedded malicious code, marking a troubling trend of supply-chain compromises reaching widely used developer tools.
CVE-2026-48027, which affects Nx Console — a popular Visual Studio Code extension used by developers for monorepo management — was previously flagged by CISA on May 27 in a separate alert tied to ransomware campaigns. The vulnerability stems from a malicious version of the extension (version 18.95.0) that was published to the marketplace, deploying a credential stealer targeting secrets from 1Password, npm, GitHub, and AWS. This incident underscores the growing risk of compromised developer toolchains.
CVE-2026-8398 involves embedded malicious code in Daemon Tools Lite, a widely used disk imaging utility. While specific technical details remain sparse, the inclusion in the KEV catalog confirms that attackers are actively exploiting the backdoored software to compromise systems. Daemon Tools Lite has a large user base, making this a significant threat for both consumers and enterprises.
CVE-2026-45321 is an unspecified vulnerability in TanStack, a popular open-source JavaScript framework used for building web applications. CISA has not disclosed the nature of the flaw, but its addition to the KEV catalog indicates that proof-of-concept exploitation is occurring in the wild. Organizations using TanStack libraries are urged to check for updates and apply patches immediately.
Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by the specified due dates. Although the directive only applies to federal agencies, CISA strongly urges all organizations to prioritize patching these actively exploited flaws as part of their vulnerability management practices.
The addition of these three CVEs brings the KEV catalog to over 1,000 entries since its inception. The catalog has become a critical resource for defenders, providing a prioritized list of vulnerabilities known to be exploited in the wild. CISA continues to expand the catalog through internal analysis and, as of May 2026, external submissions from researchers and vendors.
This latest batch highlights the increasing prevalence of supply-chain attacks targeting developer tools and utilities. The inclusion of two malicious code vulnerabilities — in Nx Console and Daemon Tools Lite — signals that attackers are embedding backdoors directly into legitimate software, bypassing traditional perimeter defenses. Organizations should verify the integrity of their software supply chains and monitor for indicators of compromise related to these CVEs.