theinfosecnews

CVE-2026-21513: Microsoft MSHTML Security Bypass Enables Network-Based Exploitation on Windows

CVE-2026-21513 is a protection mechanism failure in Microsoft's MSHTML rendering engine that allows an unauthenticated remote attacker to bypass a security control via network-based delivery of malicious HTML content. Successful exploitation can lead to unauthorized code execution or information disclosure, and CISA has mandated federal agency patching by March 3, 2026. Organizations should apply current Windows cumulative updates immediately and prioritize systems where users process email or run applications embedding MSHTML.

CISA KEV · 53d ago · 3 min read
vulnerability

CVE-2026-21519: Type Confusion in Windows Desktop Window Manager Enables Local Privilege Escalation to SYSTEM

CVE-2026-21519 is a type confusion vulnerability in Microsoft's Desktop Window Manager that allows an authenticated local attacker to escalate privileges to SYSTEM on affected Windows systems. CISA has added the flaw to its Known Exploited Vulnerabilities catalog with a federal patch deadline of March 3, 2026, confirming active exploitation. Organizations should apply the latest Microsoft Windows cumulative updates immediately, prioritizing systems where standard users hold local logon rights.

CISA KEV · 53d ago · 3 min read
vulnerability

CVE-2026-21533: Windows Remote Desktop Services Privilege Escalation Exposes Systems to Full Compromise

CVE-2026-21533 is an improper privilege management vulnerability in Microsoft Windows Remote Desktop Services that allows an authenticated local attacker to escalate privileges to SYSTEM level. CISA has added it to the Known Exploited Vulnerabilities catalog with a mandatory patch deadline of March 3, 2026, for federal agencies. Organizations should apply Microsoft's patch immediately, restrict RDS access, enforce MFA on RDP endpoints, and monitor for privilege escalation indicators.

CISA KEV · 53d ago · 3 min read
vulnerability

CVE-2026-21514: Microsoft Office Word Privilege Escalation Via Untrusted Input Validation Flaw

CVE-2026-21514 is a privilege escalation vulnerability in Microsoft Office Word caused by the application's reliance on untrusted inputs in security decisions. An authenticated local attacker can open a crafted document to escalate from standard user to elevated privileges without additional user interaction. CISA has added this CVE to its Known Exploited Vulnerabilities catalog with a federal patch deadline of March 3, 2026.

CISA KEV · 53d ago · 4 min read
vulnerability

CVE-2025-11953: React Native Community CLI Metro Server Exposes OS Command Injection to Unauthenticated Attackers

CVE-2025-11953 is an OS command injection vulnerability in the React Native Community CLI's Metro Development Server that allows unauthenticated network attackers to execute arbitrary binaries and shell commands by sending crafted POST requests to a vulnerable endpoint. Windows systems face elevated risk due to full shell command argument control. CISA has added the vulnerability to its KEV catalog with a federal patch deadline of February 26, 2026.

CISA KEV · 58d ago · 3 min read
vulnerability

CVE-2026-24423: SmarterMail ConnectToHub API Exposes Servers to Unauthenticated Remote Code Execution

CVE-2026-24423 is a missing authentication vulnerability in the ConnectToHub API method of SmarterTools SmarterMail, allowing unauthenticated remote attackers to redirect the mail server to a malicious HTTP endpoint and execute arbitrary OS commands. Successful exploitation requires no credentials or user interaction and results in full server compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a federal patch deadline of February 26, 2026.

CISA KEV · 58d ago · 3 min read
vulnerability

CVE-2021-39935: Unauthenticated SSRF in GitLab CI Lint API Exposes Internal Services

CVE-2021-39935 is an unauthenticated server-side request forgery (SSRF) vulnerability in the GitLab CI Lint API affecting GitLab Community and Enterprise Editions prior to version 14.3.2. An external attacker with no credentials can force the GitLab server to issue arbitrary HTTP requests, exposing internal services, cloud metadata credentials, and sensitive infrastructure. CISA has added the vulnerability to the Known Exploited Vulnerabilities catalog with a federal patch deadline of February 24, 2026.

CISA KEV · 60d ago · 3 min read
vulnerability

CVE-2019-19006: Sangoma FreePBX Authentication Bypass Grants Unauthenticated Admin Access

CVE-2019-19006 is an improper authentication vulnerability in Sangoma FreePBX that allows unauthenticated remote attackers to bypass password controls and gain full administrative access to the PBX management interface. Successful exploitation enables toll fraud, call interception, credential theft, and persistent account creation. CISA has added this CVE to the Known Exploited Vulnerabilities catalog with a federal patch deadline of February 24, 2026.

CISA KEV · 60d ago · 3 min read
vulnerability

CVE-2025-40551: Unauthenticated RCE Flaw in SolarWinds Web Help Desk Demands Immediate Patching

CVE-2025-40551 is a critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk, caused by improper deserialization of untrusted data. An attacker with network access can send a malicious serialized payload to execute arbitrary commands on the host without any credentials. CISA has added the flaw to its Known Exploited Vulnerabilities catalog with a federal patch deadline of February 6, 2026.

CISA KEV · 60d ago · 3 min read
vulnerability

CVE-2025-64328: Sangoma FreePBX Endpoint Manager OS Command Injection Enables Remote Code Execution

CVE-2025-64328 is a post-authentication OS command injection vulnerability in Sangoma FreePBX Endpoint Manager, specifically within the testconnection check_ssh_connect() function. Authenticated attackers can execute arbitrary system commands as the asterisk user, gaining remote code execution on the PBX host. CISA has added this flaw to the KEV catalog with a federal patch deadline of February 24, 2026.

CISA KEV · 60d ago · 3 min read
vulnerability

CVE-2026-1281: Ivanti EPMM Unauthenticated Code Injection Enables Full System Compromise

CVE-2026-1281 is an unauthenticated code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows remote attackers to execute arbitrary code without credentials, gaining control of the EPMM service and access to all managed mobile devices and enterprise infrastructure. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and mandates federal agency patching by February 1, 2026. Organizations should patch immediately, isolate exposed instances, rotate stored credentials, and audit logs for signs of exploitation.

CISA KEV · 65d ago · 3 min read