CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverityCVSSProductImpactPatch StatusSource
CVE-2026-48558Critical10.0SimpleHelp RMMUnauthenticated OIDC auth bypass → full technician session, MFA bypass possible; TaskWeaver loader deployed[^2][^35]✅ Patched — CISA KEV, deadline July 2CISA KEV / Hive Pro
CVE-2026-48276Critical10.0Adobe ColdFusion 2025/2023Unrestricted file upload → arbitrary code execution, no user interaction[^11][^12]✅ Patched — Update 10/21Adobe APSB26-68
CVE-2026-48286Critical10.0Adobe Campaign Classic v7.4.3Incorrect authorization → arbitrary code execution on on-premise instances[^11][^13]✅ Patched — Build 9397Adobe Security Bulletin
CVE-2026-48282Critical10.0Adobe ColdFusion 2025/2023Path traversal → arbitrary code execution; first exploitation attempt logged within hours of patch release[^11]✅ Patched — actively monitoredThe Hacker News
CVE-2026-45659High8.8Microsoft SharePoint ServerDeserialization RCE; authenticated attacker with Site Member permissions can compromise server; CISA KEV confirmed[^38][^39]✅ Patched May 2026 — CISA KEV, deadline July 4SecurityWeek / CISA
CVE-2026-8037Critical9.6–9.8Progress Kemp LoadMasterPre-auth OS command injection RCE via API; commands execute as root; public PoC available[^41][^42]✅ Patched — GA 7.2.63.2; active exploitation attemptseSentire / The Hacker News
CVE-2026-35616Critical9.1Fortinet FortiClient EMSActively exploited to deploy EKZ credential-stealing malware in energy sector; browser credential theft + PowerShell exfil[^1]✅ Patched — active exploitationCyberInfos
CVE-2026-33825 (BlueHammer)HighTBDWindows DefenderPrivilege escalation to SYSTEM in Microsoft’s AV engine; actively used in ransomware intrusion chains; compromises the detection tool itself[^1]✅ Patched — active ransomware exploitationCyberInfos
CVE-2025-5777 (Citrix Bleed 2)CriticalHighCitrix NetScaler ADC/GatewaySession token hijacking without authentication; primary initial access for Anubis RaaS ransomware deployments[^2][^1]✅ Patched — actively exploited by Anubis RaaSThe Hacker News
CVE-2026-50548/50549 (DuneSlide)HighN/ACursor AI IDEPrompt injection via MCP server → sandbox escape → RCE with no user interaction; patched in Cursor 3.0[^44]✅ Patched — Cursor 3.0About DFIR