Mar 13, 2026 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • Google Skia: 2 CVEs added to CISA KEV today.
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical active threat

CVE-2026-3909 Google Skia Out-of-Bounds Write

  • Actively exploited (CISA KEV)
  • Listed on CISA KEV

Google Skia Out-of-Bounds Write is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.

Critical exposure

CVE-2026-26954 SandboxJS is a JavaScript sandboxing library.

  • CVSS 10

New critical disclosure (CVSS 10) — high severity with a short public awareness window before exploit material typically surfaces.

Critical exposure

CVE-2026-32306 OneUptime is a solution for monitoring and managing online services.

  • CVSS 9.9

New critical Hackerbay OneUptime SQL injection (CVSS 9.9): fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer

Exploit & PoC activity

Nothing flagged in this category for this digest.

Exploitation dynamics

Nothing flagged in this category for this digest.

New critical disclosures

CVE-2026-25823 CVSS 9.8

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3...

CVE-2026-26954 CVSS 10

SandboxJS is a JavaScript sandboxing library.

CVE-2026-31806 CVSS 9.3

FreeRDP is a free implementation of the Remote Desktop Protocol.

CVE-2026-31886 CVSS 9.1

Dagu is a workflow engine with a built-in Web user interface.

CVE-2026-32301 CVSS 9.3

Centrifugo is an open-source scalable real-time messaging server.

CVE-2026-32304 CVSS 9.8

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes.

CVE-2026-32306 CVSS 9.9

OneUptime is a solution for monitoring and managing online services.

CVE-2026-32367 CVSS 9.1

Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code...

CVE-2026-32746 CVSS 9.8

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because a...

CVE-2026-3891 CVSS 9.8

The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file typ...

cvelogic Threat Intelligence