u/Dramatic-Tonight-291

PAN-OS added to KEV, Langflow exploit activity, and a surprising Windows EPSS jump — today's most actionable vulnerability signals [Threat Intel 2026/5/29]

Most of today's newly disclosed CVEs will never become operationally relevant.

These are the signals that stood out to me from today's vulnerability activity.

1. Palo Alto PAN-OS is now on KEV

CVE-2026-0257

  • Added to the CISA KEV catalog
  • Confirmed in-the-wild exploitation
  • Authentication bypass vulnerability

For most enterprises, a KEV-listed vulnerability on an internet-facing security appliance deserves immediate attention. Attackers consistently prioritize edge infrastructure because it often provides privileged network access and visibility.

2. Langflow now has public exploit activity

CVE-2026-0770

  • Public exploit / PoC available
  • Remote Code Execution
  • Exploit activity linked

What caught my attention here isn't just the RCE itself, but the continued trend of vulnerabilities emerging around AI workflow tooling and self-hosted LLM infrastructure.

Once public exploit code appears, opportunistic scanning typically follows.

3. Windows privilege escalation vulnerability saw a major EPSS increase

CVE-2019-0543

EPSS moved:

25% → 43% (+18%)

That's one of the largest EPSS increases observed today.

EPSS isn't proof of exploitation, but large upward moves often indicate growing attacker interest before broader exploitation becomes visible.

Other signals worth watching

Wing FTP Server

CVE-2026-44403

  • Public exploit / PoC linked
  • Authenticated RCE
  • Organizations exposing FTP infrastructure should review patch status.

WordPress ecosystem

Two vulnerabilities showed exploit activity today, including:

  • CVE-2026-1830 (Quick Playground Plugin RCE)

WordPress remains one of the most consistently targeted attack surfaces due to deployment volume and plugin fragmentation.

Apache ActiveMQ

CVE-2026-34197

EPSS increased:

70% → 84% (+14%)

A high EPSS score getting even higher is usually more interesting than a low-score vulnerability moving a few points.

My patching priority order today

  1. PAN-OS (KEV)
  2. Langflow RCE
  3. Wing FTP Server
  4. Apache ActiveMQ
  5. Windows privilege escalation cases with rising EPSS

Curious how others prioritize vulnerabilities internally.

Do you treat KEV as the primary signal, or are EPSS changes becoming part of your patch prioritization process?

u/Dramatic-Tonight-291 — 11 days ago
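
Added example, not part of the original post: a small triage sorter that reproduces the post's patching order from the signals it lists (KEV listing, linked exploit activity, public PoC, EPSS level and daily change). The `Signal` fields, the sort key and the `EXAMPLE-LOW-EPSS` entry are assumptions made for illustration, not the author's method; ranking by absolute EPSS before the delta reflects the post's remark that a high score rising further matters more than a low score moving a few points.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signal:
    cve: str
    product: str
    kev: bool = False               # listed in CISA KEV
    exploit_activity: bool = False  # exploit activity linked
    public_poc: bool = False        # public exploit / PoC available
    epss_prev: Optional[float] = None
    epss_now: Optional[float] = None

    @property
    def epss_delta(self) -> float:
        # Change in percentage points, as a fraction (0.14 == +14 points).
        if self.epss_prev is None or self.epss_now is None:
            return 0.0
        return round(self.epss_now - self.epss_prev, 4)


def sort_key(s: Signal):
    # Assumed ordering: KEV, then linked exploit activity, then public PoC,
    # then absolute EPSS, with the daily delta only as a tie-breaker.
    return (s.kev, s.exploit_activity, s.public_poc, s.epss_now or 0.0, s.epss_delta)


def rank(signals):
    return sorted(signals, key=sort_key, reverse=True)


# Values from the post, deliberately out of order; the third entry is constructed.
TODAY = [
    Signal("CVE-2019-0543", "Windows", epss_prev=0.25, epss_now=0.43),
    Signal("CVE-2026-44403", "Wing FTP Server", public_poc=True),
    Signal("EXAMPLE-LOW-EPSS", "constructed placeholder", epss_prev=0.02, epss_now=0.05),
    Signal("CVE-2026-34197", "Apache ActiveMQ", epss_prev=0.70, epss_now=0.84),
    Signal("CVE-2026-0257", "PAN-OS", kev=True, exploit_activity=True),
    Signal("CVE-2026-0770", "Langflow", exploit_activity=True, public_poc=True),
]

if __name__ == "__main__":
    for i, s in enumerate(rank(TODAY), 1):
        print(f"{i}. {s.cve:<17} {s.product:<24} EPSS delta {s.epss_delta:+.2f}")
```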

[Threat Intel] May 26, 2026 Vulnerability Intelligence Briefing


Curated from daily vulnerability intelligence monitoring and exploitation telemetry analysis by cvelogic.


1. Known Exploited Vulnerabilities (CISA KEV)

CVE-2026-48172 (LiteSpeed cPanel Plugin)
Added to the CISA KEV catalog following confirmed in-the-wild exploitation activity. Shared hosting and cPanel-managed environments are considered at elevated exposure risk.


2. Significant EPSS Risk Shifts (24H Volatility)

Leading indicators showing sharp changes in exploitation probability over the last 24 hours:

  • CVE-2024-36420 (FlowiseAI Flowise)
    EPSS surged from approximately 0.2% to 57%, indicating rapidly increasing exploitation likelihood and elevated attacker interest.

  • CVE-2026-23918 (Apache HTTP Server)
    Public exploit/PoC activity emerged, accompanied by increased telemetry discussion across vulnerability monitoring channels.

  • CVE-2026-7567
    Observed increase in exploit-related chatter and active scanning signals across exposed internet-facing deployments.


3. New Critical Infrastructure Disclosures

Several newly disclosed critical vulnerabilities were published affecting enterprise and internet-facing software stacks:

  • CVE-2026-42607 (IBM Engineering Lifecycle Management)
    Critical remote attack surface exposure potentially enabling unauthorized code execution under specific deployment conditions.

  • CVE-2026-41940 (GitLab MCP Server)
    Critical vulnerability affecting MCP integration components with potential privilege escalation and remote compromise implications.

  • CVE-2026-48712 (Lumiverse AI Platform)
    CVSS 9.x class vulnerability impacting AI workflow orchestration components with potential remote exploitation vectors.

  • CVE-2026-48715 (Lumiverse AI Platform)
    Critical authentication and session-handling weakness affecting administrative interfaces.

  • CVE-2026-48802 (IBM WebSphere Liberty Plugin)
    High-severity flaw impacting enterprise middleware deployments and reverse proxy integration layers.


4. Operational Security Notes

  • Prioritize patch validation for externally exposed Apache HTTP/2 services.
  • Audit LiteSpeed and cPanel shared hosting environments for vulnerable plugin deployments.
  • Monitor FlowiseAI instances for abnormal inbound requests and unauthorized workflow execution.
  • Review WordPress plugin exposure due to continued exploit disclosure momentum across the ecosystem.
  • Validate segmentation and least-privilege controls around AI orchestration platforms and middleware services.
u/Dramatic-Tonight-291 — 14 days ago

[Threat Intel] May 22, 2026 Vulnerability Intelligence Briefing


1. Known Exploited Vulnerabilities (CISA KEV)

  • CVE-2026-9082 (Drupal Core): Officially added to the CISA KEV catalog. Active in-the-wild exploitation confirmed. Federal agencies are mandated to patch or mitigate within the compliance window.

2. Significant EPSS Risk Shifts (24H Volatility)

Leading indicators showing sharp increases in exploitation probability metrics over the last 24 hours:

  • CVE-2023-33466 (Orthanc-server): EPSS jumped from 25% to 59% (A massive +35% daily delta).
  • CVE-2022-32276 (Grafana): EPSS score adjusted from 17% to 51% (+34% shift).
  • CVE-2022-0735 (GitLab): Experiencing renewed active telemetry scanning; EPSS score rose to 71% (+14% change).

3. New Critical Infrastructure Disclosures (CVSS >= 9.0)

Ubiquiti released security advisories regarding a cluster of critical remote vulnerabilities affecting UniFi OS and Network environments:

  • CVE-2026-34908 (UniFi OS Devices): CVSS 10.0 - Improper Access Control allowing unauthenticated complete device takeovers.
  • CVE-2026-34909 (UniFi OS Devices): CVSS 10.0 - Path Traversal vulnerability enabling unauthorized remote access to the root filesystem.
  • CVE-2026-34910 (UniFi OS Devices): CVSS 10.0 - Improper Input Validation facilitating unauthenticated Remote Code Execution (RCE).
  • CVE-2026-33000 (UniFi Network): CVSS 9.1 - Input Validation Bypass impacting high-privilege system profiles.
  • CVE-2026-48700 (PCManFM-Qt): CVSS 9.3 - Critical vulnerability impacting file manager environments starting from v1.1.0.
u/Dramatic-Tonight-291 — 15 days ago