Analyst Guidance
This week prioritizes three verified CVEs with explicit IDs and active or high-severity status. CVE-2026-46331 (Linux kernel pedit COW exploit) enables local root access with public exploits in circulation; CVE-2026-12957 (Amazon Q Developer MCP flaw) permits credential theft through malicious repositories; and. Russian intelligence phishing campaigns targeting Signal backup recovery keys and Chinese APT activity deploying TinyRCT backdoor represent ongoing threats requiring awareness but lack specific CVE tracking in source material.
CVE Details & Remediation
How to read this report
🛡️Verified facts — NVD & CISA KEV
⏳Partially verified — awaiting NVD enrichment
🧠AI analysis — synthesis, verify before acting
🛡️Actionable · Verified facts
NVD-published · CISA KEV cross-checked🛡️CVE-2026-10520 – Ivanti Sentry ✓ NVD
CVSS10 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS99% · P100
ActionPatch immediately
Remediation Steps
- Apply the vendor security update from Ivanti
- Verify successful patch deployment across all affected systems
- Review authentication logs for suspicious activity
References:
🛡️CVE-2026-12569 – PTC Windchill And FlexPLM ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV
EPSS1% · P62
ActionPatch immediately
AffectedGovernment
Remediation Steps
- Consult CISA Known Exploited Vulnerabilities catalog for product-specific details and vendor advisories
- Apply vendor patch according to CISA KEV guidance
- Prioritize federal and government systems per CISA directive
- Document patch application and validation
References:
🛡️CVE-2025-67038 – Lantronix EDS5000 ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P62
ActionPatch immediately
Remediation Steps
- Apply vendor patches immediately per Lantronix security advisory
- Isolate affected Lantronix EDS5000 devices from untrusted network segments
- Monitor for signs of unauthorized access or code execution
- Implement network access controls to restrict inbound traffic to EDS5000 management interfaces
References:
🛡️CVE-2026-20253 – Splunk Enterprise ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS88% · P100
ActionPatch immediately
Remediation Steps
- Apply the vendor patch for Splunk Enterprise Missing Authentication issue immediately
- Verify patch installation across all Splunk Enterprise instances
- Monitor Splunk logs for any evidence of unauthorized access or exploitation attempts
- Restrict network access to Splunk management interfaces to trusted networks only
References:
🛡️CVE-2026-35273 – Oracle PeopleSoft Enterprise PeopleTools ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS90% · P100
ActionPatch immediately
Remediation Steps
- Apply Oracle PeopleSoft Enterprise security patch
- Review Oracle security advisories for affected version guidance
- Prioritize patching systems accessible from external networks
References:
🛡️CVE-2026-45247 – Mirasvit Full Page Cache Warmer ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS28% · P98
ActionPatch immediately
Remediation Steps
- Consult CISA Known Exploited Vulnerabilities catalog entry for full product and version details
- Apply vendor security patch
- Verify patch deployment across affected systems
- Review security logs for evidence of exploitation
References:
🛡️CVE-2026-48907 – Widget Factory Joomla Content Editor ✓ NVD
CVSS9.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS80% · P100
ActionPatch immediately
Remediation Steps
- Apply security patch from Widget Factory/Joomla vendor immediately
- Disable the JCE plugin if patch is not immediately available
- Review access logs for evidence of exploitation attempts
References:
🛡️CVE-2026-50751 – Check Point Security Gateway ✓ NVD
CVSS9.3 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS71% · P99
ActionPatch immediately
AffectedTechnology Finance Government Defense
Remediation Steps
- Apply the vendor security update for Check Point Remote Access VPN / Mobile Access as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-42271 – BerriAI LiteLLM ✓ NVD
CVSS8.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS75% · P99
ActionPatch immediately
Remediation Steps
- Check CISA's Known Exploited Vulnerabilities catalog for product-specific guidance
- Contact vendor for available security patches
- Apply patch or implement recommended mitigations from vendor advisory
- Verify patch installation and monitor for indicators of active exploitation
References:
🛡️CVE-2026-11645 – Google Chromium V8 ✓ NVD
CVSS8.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS2% · P74
ActionPatch immediately
Remediation Steps
- Update Google Chrome to version 149.0.7827.103 or later
- Enable automatic updates to receive future security patches promptly
- Check for and remove any suspicious browser extensions
- Clear browser cache and temporary files after patching
References:
🛡️CVE-2026-20230 – Cisco Unified Communications Manager ✓ NVD
CVSS8.6 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS42% · P99
ActionPatch immediately
AffectedTechnology
Remediation Steps
- Apply the vendor security update for Cisco Unified Communications Manager Server as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-54420 – LiteSpeed CPanel Plugin ✓ NVD
CVSS8.5 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P66
ActionPatch immediately
Remediation Steps
- Apply the patch for the LiteSpeed cPanel user-end plugin to all cPanel servers
- Test patched plugin functionality in a staging environment before production deployment
- Review server logs for evidence of exploitation attempts
- Notify hosting customers of patch deployment timeline
References:
🛡️CVE-2025-48595 – Android Framework ✓ NVD
CVSS8.4 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS2% · P75
ActionPatch immediately
AffectedTechnology Government
Remediation Steps
- Apply the vendor security update for Google Android as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-20245 – Cisco Catalyst SD-WAN Manager ✓ NVD
CVSS7.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS10% · P95
ActionPatch immediately
AffectedGovernment Technology
Remediation Steps
- Apply the vendor security update for Cisco Catalyst SD-WAN Manager as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2022-0492 – Linux Kernel ✓ NVD
CVSS7.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS6% · P92
ActionPatch immediately
AffectedTechnology Government Energy
Remediation Steps
- Identify Linux systems running vulnerable kernel versions
- Apply the latest stable kernel update from your distribution's repository
- Reboot systems to activate patched kernel
- Verify kernel version post-reboot using 'uname -r'
- Prioritize kernel patching for systems exposed to untrusted local users or containers
References:
🛡️CVE-2026-28318 – SolarWinds Serv-U ✓ NVD
CVSS7.5 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS11% · P95
ActionPatch immediately
Remediation Steps
- Check CISA's Known Exploited Vulnerabilities catalog for product-specific guidance
- Contact vendor for available security patches
- Apply patch or implement recommended mitigations from vendor advisory
- Verify patch installation and monitor for indicators of active exploitation
References:
🛡️CVE-2024-21182 – Oracle WebLogic Server ✓ NVD
CVSS7.5 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS50% · P99
ActionPatch immediately
AffectedTechnology Government
Remediation Steps
- Apply the vendor security update for Oracle Weblogic Server as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-20262 – Cisco Catalyst SD-WAN Manager ✓ NVD
CVSS6.5 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS8% · P94
ActionPatch immediately
AffectedDefense Technology
Remediation Steps
- Apply the vendor security update for Cisco Catalyst SD-WAN Manager as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References:
🛡️CVE-2026-7473 – Arista Extensible Operating System ✓ NVD
CVSS5.8 NVD 3.1
Triage statusActive Exploit
Exploitation⚠️ In the wild 🔥 In CISA KEV ↻ Ongoing
EPSS1% · P53
ActionPatch immediately
Remediation Steps
- Apply the vendor security update from Arista
- Review network device access logs for unauthorized activity
- Restrict management access to network devices from trusted administrative networks
References:
🛡️CVE-2026-46331 – Linux kernel (traffic-control subsystem, act_pedit) ✓ NVD
CVSS7.8 NVD 3.1
Triage statusNo Known Exploit
ExploitationNo exploitation reported
EPSS<1% · P14
ActionPatch this week
AffectedGovernment Energy
Remediation Steps
- Apply the latest Linux kernel security patch addressing the pedit COW out-of-bounds write vulnerability
- Verify all systems running affected kernel versions are identified and prioritized
- Test patches in staging environment before production deployment
- Monitor systems for signs of privilege escalation attempts
References:
🛡️CVE-2026-12957 – Amazon Q Developer ✓ NVD
CVSS7.8 NVD 3.1
Triage statusNo Known Exploit
ExploitationNo exploitation reported
EPSS<1% · P2
ActionPatch this week
Remediation Steps
- Update Amazon Q Developer to the patched version
- Review workspace trust settings and audit recent repository access
- Rotate any cloud credentials that may have been exposed through compromised MCP configurations
- Implement code review processes for external and newly-added repositories before workspace activation
References:
🤖 This vulnerability report was compiled by defend.network using AI-powered analysis of vulnerability databases, vendor advisories, and threat intelligence feeds. Always verify remediation steps through official vendor channels before implementing changes in production environments.