What “Actively Exploited” Means and Why These Five Flaws Matter
Actively exploited vulnerabilities are security flaws where attackers are already using working exploits against real systems, meaning every unpatched instance is a likely target instead of a theoretical risk. When a weakness reaches active exploitation, security teams must treat it as a live incident: prioritize patching, consider compromise assessment, and strengthen monitoring for related attack patterns. This advisory focuses on five critical issues: a Chrome V8 zero-day vulnerability patch, exploited weaknesses added to the CISA KEV catalog, an unpatched Langflow path traversal bug enabling unauthenticated remote code execution, and critical RCE vulnerabilities in enterprise platforms from Fortinet, Ivanti, and SAP. Together, they span browsers, network infrastructure, AI application tooling, and core business software, creating a wide attack surface that most organizations rely on every day.
Chrome V8 Zero-Day CVE-2026-11645: Highest Priority for Endpoints
Your top endpoint priority is the Chrome V8 zero-day vulnerability patch for CVE-2026-11645, an out-of-bounds memory access in Chrome’s JavaScript and WebAssembly engine that allows remote code execution inside the browser sandbox via a crafted HTML page. Google’s latest Chrome V8 security update fixes this flaw along with 73 other issues, and the company confirms that “an exploit for CVE-2026-11645 exists in the wild.” Users should move to Chrome versions 149.0.7827.102/.103 on Windows and macOS and 149.0.7827.102 on Linux, then fully restart the browser. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, must also be updated as their vendors release patches. The researcher “303f06e3” received a bug bounty of USD 55,000 (approx. RM253,000) for reporting the flaw, reinforcing the ongoing pattern of V8-related zero-day discoveries.
Cisco SD-WAN Manager and Arista EOS: Network Devices Under Quiet Attack
At the network layer, two vulnerabilities newly added to the CISA KEV catalog show attackers are targeting infrastructure that many teams overlook. Cisco’s CVE-2026-20245, an improper encoding or escaping of output vulnerability in Catalyst SD-WAN Manager, lets an authenticated local attacker execute arbitrary commands as root through a crafted file. While not remotely exploitable without access, a compromised admin account or host can turn this into a powerful pivot point. Arista’s CVE-2026-7473, affecting EOS on 7020R, 7280R/R2, and 7500R/R2 series under specific tunnel decapsulation configurations, causes switches to decapsulate and forward unexpected tunneled packets because the tunnel protocol type is not checked. Arista notes the flaw has been “reported as being exploited in the wild” and, critically, is not planning a patch, so you must apply configuration hardening and traffic controls instead of waiting for firmware updates.
Langflow CVE-2026-5027: Unauthenticated RCE Against AI App Infrastructure
The Langflow path traversal flaw CVE-2026-5027 is a high-severity active exploitation CVE that directly targets AI application infrastructure. The bug in the POST /api/v2/files endpoint fails to sanitize the filename parameter from multipart form data, allowing attackers to write files to arbitrary filesystem locations using path traversal sequences like “../”. Tenable disclosed this issue after unsuccessful attempts to contact maintainers, and VulnCheck reports that exploitation in the wild has already begun. According to Caitlin Condon of VulnCheck, the vulnerability enables remote code execution, and because Langflow enables unauthenticated auto-login by default, a single unauthenticated request can obtain a valid session token before exploitation. About 7,000 Langflow instances are exposed online, making this a prime target for opportunistic scanning. Until an official fix is available, defenders should restrict network exposure, disable unauthenticated access, and use reverse proxies or WAF rules to block the vulnerable endpoint.
Fortinet, Ivanti, and SAP: Critical RCE and Admin Takeover Risks
Several enterprise platforms have released patches for critical RCE vulnerability chains that belong high on any patching schedule. Fortinet’s CVE-2026-25089 (CVSS 9.1) is an OS command injection flaw in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that lets unauthenticated attackers send crafted HTTP requests and execute unauthorized commands. Ivanti patched two severe issues in Ivanti Sentry: CVE-2026-10520 (CVSS 10.0), a remote unauthenticated OS command injection leading to root-level remote code execution, and CVE-2026-10523 (CVSS 9.9), an authentication bypass enabling arbitrary admin account creation and full administrative access. SAP fixed four critical vulnerabilities, including an XML signature wrapping issue in SAML authentication (CVE-2026-44748, CVSS 9.9) and a memory corruption bug in NetWeaver AS ABAP and ABAP Platform (CVE-2026-27671, CVSS 9.8). Organizations should prioritize these patches alongside Chrome, Cisco, Arista, and Langflow mitigations to prevent chained exploitation.
