CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status
| CVE ID | Severity | CVSS | Product | Impact | Source |
|---|---|---|---|---|---|
| CVE-2026-9082 | Critical | 6.5 (NVD) / 20/25 Drupal | Drupal Core (PostgreSQL) | Unauthenticated SQL injection → data theft, potential RCE; CISA KEV; 15,000+ exploit attempts | Tenable |
| CVE-2026-41089 | Critical | 9.8 | Windows Netlogon (Server 2022/2025, Win11) | Unauthenticated wormable RCE on domain controllers; stack buffer overflow | ZDI |
| CVE-2026-42898 | Critical | 9.9 | Microsoft Dynamics 365 On-Premises | Auth’d user RCE with scope change; cross-component exploitation possible | Arctic Wolf |
| CVE-2026-41096 | Critical | Critical | Windows DNS Client (all Windows) | Malicious DNS response → heap overflow → unauthenticated RCE on all Windows systems | CCB Belgium |
| CVE-2026-41091 | High | 7.8 | Microsoft Defender Antivirus | RedSun zero-day; privilege escalation to SYSTEM via link-following; exploited in wild | SecurityWeek |
| CVE-2026-45498 | Medium | 4.0 | Microsoft Defender Antivirus | UnDefend zero-day; DoS → silent blocking of Defender signature updates; exploited in wild | SecurityWeek |
| CVE-2026-41103 | Critical | 9.1 | Microsoft SSO for Atlassian Jira/Confluence | Unauthenticated network-based EoP; no user interaction required; “Exploitation More Likely” | Lansweeper |
| CVE-2026-7359 | High | High | Google Chrome (< 147.0.7727.138) | Use-after-free in ANGLE/WebGPU; sandbox escape via crafted HTML page | Help AG |
| CVE-2024-9643 | Critical | Critical | Four-Faith F3x36 Industrial Routers | Hardcoded credential auth bypass; mass exploitation mid-May; compromised devices folded into a botnet | SecurityWeek |
| CVE-2026-40365 | Critical | Critical | Microsoft SharePoint Server | Authenticated network-based RCE on internet-facing SharePoint servers | Microsoft/LinkedIn |