January 2026 Patch Tuesday

Executive Summary

In January 2026, Microsoft’s Patch Tuesday addressed 114 vulnerabilities, including 8 Critical flaws primarily in Windows and Office. The release fixed multiple remote code execution (RCE) and elevation of privilege (EoP) bugs. Microsoft confirmed one actively exploited zero-day (CVE-2026-20805) and two publicly disclosed issues patched this month (CVE-2023-31096 and CVE-2026-21265). One publicly known flaw led Microsoft to outright remove vulnerable modem drivers (Agere Soft Modem) from Windows. Additionally, an important Secure Boot update addresses expiring UEFI certificates in 2026 (CVE-2026-21265). This Patch Tuesday also delivers critical fixes for Microsoft Office (several RCEs exploitable via malicious documents, including via the Preview Pane without needing the user to open the file), as well as key Windows components (Graphics, LSASS, Virtualization-Based Security, etc.).

Other major vendors released notable security updates as well. Mozilla shipped patches for 34 vulnerabilities in Firefox/Thunderbird, including two memory corruption flaws believed to be under active exploitation (CVE-2026-0891 and CVE-2026-0892) that could enable arbitrary code execution. Google updated Chrome (and Edge) to fix a high-severity WebView component bug (CVE-2026-0628) that allowed bypassing security policies. Adobe issued 11 security bulletins covering 25 CVEs across multiple products (Dreamweaver, InDesign, Illustrator, ColdFusion, etc.), including several critical RCEs – none of which were reported as actively exploited. Fortinet announced patches for critical flaws in its products, notably an unauthenticated OS command injection in FortiSIEM (CVE-2025-64155, CVSS 9.4) and a critical configuration leak in FortiFone (CVE-2025-47855, CVSS 9.3), as well as a heap buffer overflow in FortiOS leading to potential remote code execution (CVE-2025-25249). SAP delivered 17 security notes, with 4 critical vulnerabilities – for example, a critical SQL injection (CVSS 9.9) in SAP S/4HANA (CVE-2026-0501) that can be exploited to fully compromise the system, and an RCE (CVSS 9.6) in SAP Wily Introscope (CVE-2026-0500) triggered via a malicious JNLP file. Lastly, while VMware did not have a Patch Tuesday release this month, it’s worth noting that in late 2025 researchers uncovered critical ESXi zero-day flaws (e.g. ESXicape: CVE-2025-22224/5/6) that were exploited by attackers to escape virtual machines and execute code on the hypervisor.

Microsoft Vulnerabilities

Scope and Severity. In the first Patch Tuesday of 2026, Microsoft released fixes for 112 new CVEs (plus 2 updated advisories) spanning Windows, Office, Azure, Microsoft SQL Server, .NET, and other products. In total, 8 vulnerabilities are rated Critical and 104 are Important (with none classified as Moderate or Low). Nearly half of the addressed flaws are elevation of privilege (57 EoP vulnerabilities), and about 19% are remote code execution (22 RCE vulnerabilities). The majority of patches target the Windows OS (93 CVEs affecting various Windows components), followed by the Office suite (16 CVEs).

Exploited Zero-Day (DWM). The sole vulnerability listed as actively exploited this month is CVE-2026-20805, an Important information disclosure flaw in the Windows Desktop Window Manager (DWM). It carries a CVSS 5.5 score. The bug allows a local attacker with basic user privileges to read sensitive data from kernel memory by abusing a Windows internal communication (ALPC) channel. In essence, it leaks the address of a section of memory from a remote ALPC port, which could then be used to facilitate further exploitation (e.g., to bypass ASLR and make subsequent code execution exploits more reliable). It’s unusual for an information leak to be singled out as exploited in the wild, but this case underscores that memory disclosure bugs can be crucial links in exploit chains. Microsoft has not disclosed how widespread the attacks are, but given the source, they are likely targeted. All supported and ESU-supported versions of Windows 10, 11, and Windows Server are affected by this DWM issue, and administrators should prioritize this patch despite its lower severity rating, due to its active exploitation status.

Publicly Disclosed Vulnerabilities. Two patched vulnerabilities were publicly known prior to this release. The first is CVE-2023-31096, a Windows Agere Soft Modem driver privilege escalation bug (CVSS 7.8). This issue, originally assigned a CVE in 2023, was already public knowledge (though not known to be exploited). Microsoft’s update simply removes the vulnerable driver from Windows. As a result, any old internal modem hardware reliant on these drivers will cease functioning after the January update – a clear indication of the risk posed by this flaw. The second is CVE-2026-21265, a Secure Boot Certificate Expiration security feature bypass (CVSS 6.4). This vulnerability arises from the upcoming expiration of certain Microsoft UEFI certificates in 2026. Windows Secure Boot trusts a set of Microsoft CA certificates (from 2011) stored in UEFI (KEK and DB); once they expire (June 24, 2026 for the Microsoft KEK CA, among others), systems lacking the updated certificates would no longer accept new bootloaders or security updates signed with the new keys. Microsoft had published guidance on this months ago, hence it’s considered publicly disclosed. The January patch updates Windows systems with the new 2023 Secure Boot certificates, ensuring Secure Boot will continue to function and allow future patches. While the likelihood of this issue being maliciously exploited is low (it’s more of a maintenance and trust continuity issue), the impact of not addressing it is high – devices could effectively fall out of compliance and fail to receive future patches if the certificates lapse. Administrators should apply this update and may need to plan for updating certificates on dual-boot or custom UEFI environments as well.
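A check an administrator can run before and after the January update to confirm that the 2023 Secure Boot certificates have actually landed on a device. This is an added example, not anything from Microsoft's release notes; the certificate subject strings ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023", "Microsoft Corporation KEK 2K CA 2023") and the UEFICA2023Status servicing value are taken from Microsoft's Secure Boot servicing guidance as I know it, not from this page, and the script assumes an elevated session on a UEFI system.

```powershell
# Added example (not from the advisory): report whether this machine already
# trusts the 2023 Secure Boot CAs that the CVE-2026-21265 update rolls out.
# Assumes an elevated PowerShell session on a UEFI system.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled        = $false
        DbHasWindowsUefiCa2023   = $false   # signs Windows boot manager going forward
        DbHasMicrosoftUefiCa2023 = $false   # signs third-party boot components / shim
        KekHasKek2K2023          = $false   # needed to accept future DB/DBX updates
        ServicingStatus          = $null    # UEFICA2023Status, if the servicing key exists
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI

        # The db and KEK variables are raw EFI_SIGNATURE_LIST blobs. The
        # certificate subject names survive as ASCII inside the DER data, so a
        # substring match on the decoded bytes is enough to tell whether the
        # 2023 CAs are present; no X.509 parsing is required for this check.
        $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

        $result.DbHasWindowsUefiCa2023   = [bool]($dbText  -match 'Windows UEFI CA 2023')
        $result.DbHasMicrosoftUefiCa2023 = [bool]($dbText  -match 'Microsoft UEFI CA 2023')
        $result.KekHasKek2K2023          = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
    } catch {
        # Legacy BIOS, a VM without UEFI, or a non-elevated session end up here.
        Write-Warning "Secure Boot query failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Assumed from Microsoft's servicing guidance: the update records its
    # progress under this key (values such as NotStarted / InProgress / Updated).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $servicingKey) {
        $result.ServicingStatus = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status
    }

    [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
$status | Format-List

# Flag the condition the advisory describes: Secure Boot is on, but the DB still
# only carries the 2011 CAs, so media signed with the 2023 CA will be rejected.
if ($status.SecureBootEnabled -and -not $status.DbHasWindowsUefiCa2023) {
    Write-Warning 'DB lacks "Windows UEFI CA 2023": apply the January update and re-check before the 2011 CAs expire.'
}
```

Run it fleet-wide (e.g. through your RMM or Invoke-Command) and treat any Secure Boot-enabled host that still reports DbHasWindowsUefiCa2023 as False after the update as a follow-up item, since dual-boot and custom UEFI systems may need the certificates applied separately.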

Critical Flaws in Windows and Office. Microsoft tagged eight vulnerabilities as Critical this month. Of these, six enable remote code execution (RCE) and two allow elevation of privilege (EoP). While none were reported as exploited, they represent significant risks:

Microsoft Office (Document RCE via Preview Pane) – Two critical CVEs (CVE-2026-20952 and CVE-2026-20953) impact Microsoft Office, each CVSS 8.4. These are use-after-free vulnerabilities that could allow an attacker to execute arbitrary code by getting a target to open a malicious Office document. Notably, Microsoft warns that the Outlook Preview Pane can serve as an attack vector for both. This means an attacker could trigger code execution merely by sending a specially crafted Office file (e.g., as an email attachment) that the user only has to preview in Explorer/Outlook, without fully opening it. In a worst-case scenario, an email with a booby-trapped document could compromise the system as soon as the user highlights it in Outlook’s reading pane. Although Microsoft rates exploitation as “Less Likely,” the recurring appearance of Preview Pane vectors in Office vulnerabilities is a concern; it’s a reminder of past attacks (like Follina in 2022), and organizations may consider disabling preview panes as a precaution.

Microsoft Word & Excel (RCE) – In addition to the above, CVE-2026-20944 (Word) and CVE-2026-20955 / CVE-2026-20957 (Excel) are critical RCE flaws in Office apps. CVE-2026-20944 (Word, CVSS 8.4) involves an out-of-bounds read in Microsoft Word that can be exploited to execute code. Exploitation requires user interaction – the attacker must convince the target to open a malicious .docx file (with the preview pane also a potential vector). For Excel, CVE-2026-20955 and 20957 (each CVSS 7.8) are due to an untrusted pointer dereference and an integer underflow leading to a heap overflow, respectively. Both could allow code execution if a user opens a malicious spreadsheet. Unlike the Word bug, the Preview Pane is not an attack vector for the Excel flaws – the user must actually open the file. These Office vulnerabilities, while requiring social engineering, are critical because Office documents are common attack vectors. The fact that some do not require a file to be opened (preview suffices) significantly increases their risk in enterprise environments.

Windows Graphics Component (EoP) – CVE-2026-20822 is a critical privilege escalation in the Windows Graphics component (CVSS 7.8). It stems from a use-after-free bug that an attacker can leverage to gain SYSTEM-level privileges from a local user account. Exploitation involves winning a race condition (making it high-complexity and less reliable) and requires no user interaction. Interestingly, in environments using GPU virtualization (e.g., Remote Desktop or cloud VMs with virtual GPU), this bug could allow a malicious VM guest to escape to the host by exploiting the graphics driver interface. Microsoft marked this as “Exploitation Less Likely” and no public exploit code is known. However, the vulnerability is notable as it is effectively a VM sandbox escape under certain conditions – something that is highly prized by sophisticated attackers.

Windows LSASS (Network RCE) – CVE-2026-20854 is a critical RCE in the Local Security Authority Subsystem Service (LSASS) of Windows (CVSS 7.5). LSASS is responsible for authentication and handling credentials. This bug is a use-after-free (CWE-416) that can be triggered remotely by an authenticated attacker manipulating certain directory attributes to feed malicious data during the authentication process. In effect, an attacker with standard user credentials on a network could cause memory corruption in LSASS, potentially crashing it or achieving code execution in the context of the LSASS process. Exploiting LSASS could mean a complete domain compromise (since LSASS has access to credentials/tokens). The attack doesn’t require elevated privileges, but it is rated high complexity because the target environment likely needs specific conditions prepared to reliably exploit (perhaps specific AD configurations or timing to hit the race). Microsoft deems it “Less Likely” to be exploited. Nonetheless, any RCE in LSASS draws attention given the critical role of that service – this is the type of bug that, if a reliable exploit emerges, would be a P1 emergency patch due to the risk of credential theft or domain controller takeover.

Windows VBS Enclave (High-privilege EoP) – CVE-2026-20876 is a critical flaw (CVSS 6.7) in the Virtualization-Based Security (VBS) Enclave feature. VBS uses virtualization to isolate sensitive security functions (with Virtual Trust Levels 0, 1, 2). This vulnerability is a heap-based buffer overflow that allows an attacker who already has administrative privileges on a machine to break into the most privileged security context (VTL2). In plainer terms, if an attacker has admin on Windows, this bug could let them disable or bypass crucial security safeguards protected by VBS – for example, defeating Credential Guard or other hypervisor-protected processes. It does not help an attacker get initial access (they need admin rights first), but it can be used for post-exploitation full system control, even of security features that are meant to remain secure in a compromised OS. The exploit is considered straightforward once admin access is obtained (no user interaction needed). This is reportedly the first VTL escalation bug patched in VBS, highlighting a new area of research for attackers. Organizations with hardened environments leveraging virtualization-based security should ensure this patch is applied to maintain those protective guarantees.

Noteworthy Important Vulnerabilities. A few non-critical Windows flaws also deserve attention due to exploitability:

Windows NTFS (Authenticated RCE) – CVE-2026-20840 and CVE-2026-20922 are Important RCEs (CVSS 7.8) in the NTFS file system driver. Microsoft assesses both as “Exploitation More Likely”. They involve heap-based buffer overflow issues whereby any authenticated local attacker (even with low privileges) could run arbitrary code in the context of the OS kernel. This means an attacker who has a foothold on a machine (via a limited user account or service) might exploit these to escalate privileges to SYSTEM or execute code in the kernel. Although they require local access, vulnerabilities in core file system code that carry an “Exploitation More Likely” assessment suggest that attackers may well develop local exploits, especially for post-compromise scenarios. Environments where multiple users share systems or where attackers might already have some limited access (through phishing or malware) should patch these to prevent easy privilege escalation.

Vulnerable Third-Party Drivers (Mitigation). In addition to the Agere modem driver issue (CVE-2023-31096) discussed earlier, Microsoft’s release notes list another driver vulnerability: CVE-2024-55414, described as a Windows Motorola Soft Modem Driver EoP (CVSS 7.8). It appears Microsoft similarly addressed this by blocking or removing the outdated Motorola modem driver (the “Yes” under “Public” suggests it was known, possibly via MITRE). This continuing effort to proactively remove insecure drivers from the OS (via Windows Update) is notable. Attackers have in the past exploited vulnerable third-party drivers (bring your own vulnerable driver attacks) to escalate privileges; by eliminating these known-bad drivers, Microsoft reduces the attack surface.

Detection Rules (Snort). Cisco Talos released updated Snort intrusion detection rules to cover some of the Patch Tuesday vulnerabilities. Specifically, new Snort 2 signatures #65498, #65499, #65663–#65676 were issued, and corresponding Snort 3 rules #301344, #301368–#301374 are available. These rules aim to detect exploitation attempts for various issues, likely including the critical RCEs and some important flaws discussed (though Talos doesn’t publicly map which CVEs each SID covers). Administrators of Cisco Secure Firewall and Snort-based IDS/IPS should update to the latest ruleset to ensure coverage. Talos notes that rules may be updated or added as more information on these vulnerabilities comes to light, so maintaining current threat intelligence feeds is advised.

Vulnerabilities in Other Vendors

Outside of Microsoft’s ecosystem, early January 2026 saw several significant security updates from other major vendors:

Mozilla (Firefox & Thunderbird).
Mozilla released fixes for 34 CVEs as part of Firefox 147, Firefox ESR 115.32 / 140.7, and Thunderbird 115.32 / 147 / 140.7. All addressed vulnerabilities were rated High impact by Mozilla. Notably, Mozilla flagged two zero-day issues: CVE-2026-0891 and CVE-2026-0892. These refer to groups of memory safety bugs in the browser and email client (e.g., use-after-free, sandbox escape, etc.). According to Mozilla’s advisories, “some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code”. In other words, while no specific exploit is public, the nature of the flaws suggests they could be (or have been) abused. CVE-2026-0891 covers memory safety issues present in Firefox 146, Firefox ESR 140.6, and Thunderbird 146 (fixed in Firefox 147 / ESR 140.7). CVE-2026-0892 similarly addresses memory safety bugs in Firefox 146 / Thunderbird 146 (also fixed by Firefox 147). These CVEs often serve as “catch-alls” for miscellaneous memory corruptions not individually enumerated, and they received a high criticality (CISA’s assessment gives a CVSS 3.1 score of 9.8 for CVE-2026-0892). Two other notable Mozilla flaws include sandbox escapes via incorrect boundary checks in graphics components (CVE-2026-0878, CVE-2026-0879). While Mozilla did not confirm active exploitation beyond suspecting it for 0891/0892, the presence of actively exploitable memory corruption is taken seriously. Users and enterprises should deploy Firefox 147 (and the ESR and Thunderbird updates) quickly. Given attackers’ interest in browser flaws, and the hint that some of these were likely exploited or at least exploitable in the wild, running outdated Firefox/Thunderbird versions poses a risk (especially for web browsing or viewing potentially malicious emails).

Google (Chrome/Chromium).
On January 6, 2026, Google released a stable channel update for Chrome (reflected in the subsequent Microsoft Edge update on January 13) addressing several issues, most importantly CVE-2026-0628, rated High. This is a vulnerability of insufficient policy enforcement in Chromium’s WebView component. WebView is used by applications to render web content; the flaw could allow malicious web pages or extensions to bypass security restrictions and inject scripts or code into privileged contexts. Effectively it’s a form of universal cross-site scripting or policy bypass in Chrome’s internals. While technical specifics were not fully detailed in the initial advisory, third-party analysis describes it as a potential way to subvert extension or web security policy in Chrome’s WebView tag. Chrome version 143.0.7499.192 fixes this issue. There was no mention of active exploitation, but because Chrome is widely targeted and this bug could lead to code execution or security sandbox escape, Google pushed the fix promptly. Enterprise IT should ensure Chrome/Edge browsers are updated across endpoints, especially because such high-severity browser issues can be leveraged in drive-by download attacks or malware installation if chained with other exploits.

Adobe.
Adobe’s January security updates (aligned with Patch Tuesday) included 11 bulletins addressing 25 CVEs across numerous products. Affected applications ranged from creative software (Adobe Illustrator, InDesign, InCopy, Bridge, Dreamweaver), to the Substance 3D suite (Modeler, Stager, Painter, Sampler, Designer) and the ColdFusion web application server platform. Most of these flaws are critical arbitrary code execution vulnerabilities, typically memory corruptions or buffer overflows that could allow an attacker to execute code on the victim’s machine if they open a malicious file. For instance, the Dreamweaver update fixed five Critical RCE bugs, and the InDesign patch fixed four critical and one important issue. In the Substance 3D line, Modeler had two RCEs fixed out of six issues, and Stager, Painter, Bridge, InCopy each had one critical RCE fix. Adobe ColdFusion 2023 Update 4 addressed a single code execution flaw; although Adobe labeled it Priority 1 (indicating the highest deployment urgency), they noted it was not public or under attack. In fact, Adobe stated that none of the vulnerabilities patched this month were known to be publicly exploited or disclosed. Most patches were Priority 3 (standard priority) except ColdFusion. Still, given the critical nature of many of these bugs, organizations should not delay patching. ColdFusion servers especially should be updated immediately because historically ColdFusion has been a target for attackers (and a Priority 1 suggests mitigating a high-risk scenario even absent known exploits). End-user applications like Illustrator or Dreamweaver should be updated through Creative Cloud as part of routine security hygiene, as they could be targeted via malicious files from untrusted sources.

Fortinet.
On January 13, 2026, Fortinet disclosed multiple vulnerabilities in its products, notably in FortiSIEM, FortiOS / FortiSwitchManager, and FortiFone. In total, at least six vulnerabilities were patched, including two critical ones. The most severe is CVE-2025-64155 (CVSS 9.4), an OS command injection vulnerability in FortiSIEM. It can be exploited by an unauthenticated attacker via crafted TCP requests to the FortiSIEM monitor service (phMonitor) to execute arbitrary commands on the system. Fortinet clarified that only Super/Worker nodes are affected (not Collector nodes) and suggested mitigating by restricting access to the service port. FortiSIEM versions 7.1.9, 7.2.7, 7.3.5, 7.4.1 contain the fix. Another critical bug is CVE-2025-47855 (CVSS 9.3) in FortiFone appliances. It allows an unauthenticated attacker to retrieve the device’s configuration via HTTP/HTTPS requests, due to a lack of access control on the web portal. The config could include sensitive info like credentials. FortiFone firmware versions 3.0.24 and 7.0.2 fix the issue. Additionally, CVE-2025-25249 (CVSS 7.4) was addressed – a heap buffer overflow in the cw_acd daemon used by FortiOS and FortiSwitchManager. By sending specially crafted requests, an attacker could trigger the overflow and potentially achieve remote code or command execution on FortiOS/FortiSwitchManager, without needing to authenticate. Patched builds include FortiOS 7.0.18 / 7.2.12 / 7.4.9 / 7.6.4 (and upcoming 6.4.17), FortiSwitchManager 7.0.6 / 7.2.7, and FortiSASE 25.2.c. No public exploits were reported at release, but soon after, proof-of-concept code for the FortiSIEM issue (CVE-2025-64155) was observed on forums, increasing the urgency. Given how quickly Fortinet bugs have been weaponized in the past (e.g., VPN and firewall exploits), organizations should apply these Fortinet updates immediately and consider network segmentation and monitoring for any unusual access to these management interfaces.

SAP.
On SAP’s January 2026 Patch Day (Jan 13), the company issued 17 new security notes (patches), with 4 rated critical. The foremost is CVE-2026-0501 (CVSS 9.9), a SQL injection vulnerability in an ABAP module of SAP S/4HANA. The bug exists in a Remote Function Call-enabled module using ABAP Database Connectivity (ADBC) to execute native SQL commands. It takes an input parameter that isn’t properly sanitized, allowing an attacker to inject arbitrary SQL queries. Successful exploitation means the attacker can run any SQL on the backend database, likely leading to full compromise of the SAP application’s data. SAP also fixed CVE-2026-0500 (CVSS 9.6), a remote code execution flaw in SAP Wily Introscope Enterprise Manager. This monitoring tool was vulnerable to a scenario where an attacker could craft a malicious JNLP (Java Network Launch Protocol) file and trick the server into loading it (e.g., via an open HTTP endpoint). If a user on the Introscope server opens such a link, it could execute attacker-controlled code on that server. The next critical is CVE-2026-0498 (CVSS 9.1), a code injection vulnerability in SAP S/4HANA. It involves a remote-enabled function module that insufficiently authenticates changes to ABAP code. An attacker with administrative privileges in SAP could modify ABAP program code arbitrarily without proper checks. This is closer to an “insider” threat scenario (it requires high privileges in SAP) but would allow persistence or deeper OS-level exploits if leveraged. CVE-2026-0491 (CVSS 9.1) is another code injection in SAP Landscape Transformation (LT) – essentially the same underlying issue as 0498, but affecting the LT component (delivered via a DMIS add-on). All four critical flaws can lead to full system compromise (through SQL or code execution). No active exploits are known, but SAP environments are high-value targets and often quickly scanned for known vulnerable versions once patches drop.
It’s essential for SAP administrators to implement these patches. Particularly, the S/4HANA SQL injection (0501) should be addressed immediately given its 9.9 CVSS and ease of exploitation remotely. SAP also issued high-priority patches for other issues (including several High-severity in NetWeaver, Business Objects, etc., not detailed here). The breadth of affected components (ERP, BI, monitoring) underlines that SAP security remains a critical area in 2026, following a record year of patches in 2025.

VMware.
VMware did not release new advisories on Patch Tuesday itself, but it’s worth highlighting recent developments: in late 2025, researchers uncovered a set of critical zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion that were exploited in the wild by advanced attackers. Dubbed “ESXicape”, they include CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1). These were actually patched by VMware in March 2025 (as out-of-band security updates), but came to light because threat actors (likely China-linked) used them to escape virtual machine isolation and execute code on the host hypervisor. Specifically, exploitation of these allowed an attacker with admin rights in a guest VM to leak memory from the VMX process or execute code as the VMX (the hypervisor process), effectively taking control of the ESXi host. The U.S. CISA added these CVEs to its Known Exploited Vulnerabilities catalog in 2025 due to evidence of active use. In January 2026, security firm Huntress disclosed details on a toolkit that chains an information leak, a memory corruption, and a sandbox escape to achieve the VM escape – confirming that a sophisticated exploit existed, possibly developed in late 2023, well before VMware released patches. This context is crucial: if organizations have not applied the ESXi patches from March 2025, their virtual infrastructure may remain exposed to these stealthy exploits. While not a “new” patch this month, security teams (especially in cloud hosting, data center ops, etc.) should double-check that all hypervisors are up-to-date. The fear scenario is an attacker jumping from a compromised VM to control the hypervisor and all other VMs – exactly what these ESXicape flaws enable. Thus, even in 2026, ensuring those prior VMware patches are applied is an essential part of the overall security posture.

(Side note: Oracle’s quarterly Critical Patch Update is scheduled for Jan 20, 2026. That will bring a separate batch of fixes (for Oracle DB, Java, etc.), which organizations should also prepare for as part of their January patch cycle, though it falls outside the immediate Patch Tuesday coverage.)

Summary Table – Notable CVEs (January 2026)

CVE | CVSS | Component (Product) | Impact | Vulnerability Type | Exploitation Status
--- | --- | --- | --- | --- | ---
CVE-2026-20805 | 5.5 | Desktop Window Manager (Windows) | Information Disclosure | Memory disclosure (ALPC) | Actively exploited
CVE-2023-31096 | 7.8 | Agere Soft Modem driver (Windows) | Elevation of Privilege | Legacy driver EoP | Publicly disclosed (driver removed)
CVE-2026-21265 | 6.4 | Secure Boot (Windows/UEFI trust chain) | Security Feature Bypass | Certificate / trust enforcement | Publicly disclosed
CVE-2026-20952 | 8.4 | Microsoft Office | Remote Code Execution | Use-after-free | Not known exploited (vendor: “less likely”)
CVE-2026-20953 | 8.4 | Microsoft Office | Remote Code Execution | Use-after-free | Not known exploited (vendor: “less likely”)
CVE-2026-20944 | 7.8 | Microsoft Word | Remote Code Execution | Out-of-bounds read | Not known exploited
CVE-2026-20955 | 7.8 | Microsoft Excel | Remote Code Execution | Untrusted pointer dereference | Not known exploited
CVE-2026-20957 | 7.8 | Microsoft Excel | Remote Code Execution | Integer underflow | Not known exploited
CVE-2026-20822 | 7.8 | Windows Graphics Component | Elevation of Privilege | Use-after-free / race condition | Not known exploited
CVE-2026-20854 | 7.5 | LSASS (Windows) | Remote Code Execution | Use-after-free | Not known exploited
CVE-2026-20876 | 6.7 | Windows VBS Enclave | Elevation of Privilege (VTL2) | Heap-based buffer overflow | Not known exploited
CVE-2026-20922 | 7.8 | Windows NTFS | Remote Code Execution | Heap buffer overflow | Not known exploited (vendor: “more likely”)
CVE-2026-20840 | 7.8 | Windows NTFS | Remote Code Execution | Heap buffer overflow | Not known exploited (vendor: “more likely”)
CVE-2026-0891 | (High) | Firefox / Thunderbird | Potential code execution | Memory corruption class | Suspected exploitation (per vendor language)
CVE-2026-0892 | (High) | Firefox / Thunderbird | Potential code execution | Memory corruption class | Suspected exploitation (per vendor language)
CVE-2026-0628 | 8.8 | Chromium WebView tag | Insufficient policy enforcement | Policy enforcement bypass | Not known exploited
CVE-2025-64155 | 9.4 | FortiSIEM (Fortinet) | Remote Code Execution | OS command injection | PoC reported / weaponization risk
CVE-2025-47855 | 9.3 | FortiFone (Fortinet) | Sensitive config disclosure | Unauthenticated access | Not known exploited
CVE-2025-25249 | 7.4 | FortiOS / FortiSwitchManager | Potential RCE | Heap-based overflow | Not known exploited
CVE-2026-0501 | 9.9 | SAP S/4HANA | Full system compromise via DB | SQL injection | Not known exploited
CVE-2026-0500 | 9.6 | SAP Wily Introscope | Remote Code Execution | JNLP handling | Not known exploited

Sources: