Phantom Malware in Android Game Mods Hijacks Devices for Ad Fraud

Another day, another Android malware strain. This time, Phantom malware (aka Android.Phantom) is targeting users who install third-party gaming apps from unofficial sources.

Hackread – Cybersecurity News, Data Breaches, AI, and More

The Week in Vulnerabilities: Cyble Urges Oracle, OpenStack Fixes


Cyble Vulnerability Intelligence researchers tracked 1,031 vulnerabilities in the last week, and nearly 200 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 72 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 33 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Below are some of the vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2026-21969 is a 9.8-severity vulnerability in Oracle Agile Product Lifecycle Management for Process, specifically in the Supplier Portal component of Oracle Supply Chain. The flaw could enable unauthenticated remote attackers to achieve full system takeover via HTTP without needing credentials or user interaction. 

CVE-2026-22797 is a 9.9-rated authentication bypass vulnerability in the OpenStack keystonemiddleware’s external_oauth2_token component. An authenticated attacker could escalate privileges or impersonate other users by sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id. 

CVE-2026-0501 is a 9.9-severity SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise, specifically the Financials General Ledger module, that could allow an authenticated attacker with low privileges to craft SQL queries, potentially enabling them to read sensitive financial data, modify records, or delete backend database content. 

CVE-2026-22584 is an 8.5-rated code injection vulnerability in Salesforce’s Uni2TS library, affecting MacOS, Windows, and Linux systems, that could allow attackers to leverage executable code in non-executable files. 

CVE-2025-69258 is a 9.8-rated unauthenticated remote code execution (RCE) vulnerability in Trend Micro Apex Central. The flaw could allow an unauthenticated, remote attacker to load an attacker-controlled DLL into a key executable, resulting in the execution of attacker-supplied code under the SYSTEM context on affected installations. 

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were CVE-2024-37079, a 9.8-severity Broadcom VMware vCenter Server out-of-bounds write vulnerability; CVE-2026-21509, a 7.8-rated Microsoft Office Security Feature Bypass vulnerability; and CVE-2025-34026, a 9.2-rated Versa Concerto improper authentication vulnerability in the Traefik reverse proxy configuration that could potentially allow an attacker to access administrative endpoints.

Notable vulnerabilities discussed in open-source communities included CVE-2025-64155, a critical OS command injection vulnerability in Fortinet FortiSIEM, affecting Super and Worker nodes. An unauthenticated remote attacker could exploit the phMonitor service via crafted requests to execute arbitrary commands, potentially enabling full system compromise, including root access through file overwrites and privilege escalation. Cyble has also observed the vulnerability discussed by threat actors on dark web cybercrime forums. 

Another vulnerability getting attention in open-source communities is CVE-2025-12420, dubbed ‘BodySnatcher’, a critical privilege escalation vulnerability in ServiceNow’s AI Platform, specifically involving the Virtual Agent API and Now Assist AI Agents. It could allow unauthenticated remote attackers to impersonate any ServiceNow user, including administrators, by leveraging a hardcoded authentication secret and email-based identity linking, leading to arbitrary actions, such as creating backdoor admin accounts. 

Vulnerabilities Under Discussion on the Dark Web

In addition to CVE-2025-64155, Cyble dark web researchers observed threat actors discussing several other vulnerabilities on dark web and cybercrime forums. They include: 

CVE-2026-23745, a high-severity directory traversal vulnerability in the node-tar library (versions ≤ 7.5.2) for Node.js. The vulnerability stems from improper sanitization of the linkpath in hardlink and symbolic link entries when preservePaths is set to false, which is the default secure behavior. An attacker could exploit this flaw by crafting malicious tar archives to bypass extraction root restrictions, achieving arbitrary file overwrite via hardlinks and symlink poisoning attacks. In CI/CD environments or automated pipelines, successful exploitation could result in remote code execution by overwriting configuration files, scripts, or binaries, though npm remains unaffected because it filters out Link and SymbolicLink tar entries. 

CVE-2026-22812, a high-severity vulnerability in OpenCode, an open-source AI coding agent, affecting versions prior to 1.0.216. The flaw involves multiple weaknesses, including missing authentication for critical functions, exposed dangerous methods, and permissive cross-domain security policies. OpenCode automatically starts an unauthenticated HTTP server that allows any local process, or any website via permissive CORS, to execute arbitrary shell commands with the user’s privileges. Exploitation requires user interaction, such as visiting a malicious website, and results in a complete compromise of confidentiality, integrity, and availability.

A threat actor shared a high-severity exploit chain targeting Apple’s WebKit engine on iOS versions before iOS 26. The chain links CVE-2025-43529, a use-after-free flaw, with CVE-2025-14174, a memory corruption issue in the ANGLE Metal renderer. By delivering malicious web content, attackers first achieve code execution within the browser sandbox and then leverage the memory corruption to bypass platform security. Upon successful exploitation via a malicious webpage, attackers can install sophisticated spyware to monitor location, intercept messages, and access the device’s camera and microphone. 

Conclusion 

The number of vulnerabilities affecting high-profile enterprise environments highlights the constant pressure facing security teams, who must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post The Week in Vulnerabilities: Cyble Urges Oracle, OpenStack Fixes appeared first on Cyble.

Cyble

US Charges 31 More Defendants in Massive ATM Hacking Probe

A total of 87 individuals, mostly Venezuelan nationals, have been charged for their role in the ATM jackpotting scheme.

The post US Charges 31 More Defendants in Massive ATM Hacking Probe appeared first on SecurityWeek.

SecurityWeek

The best home battery and backup systems of 2026: Expert tested for emergencies and more

We tested and researched the best home battery and backup systems from brands like EcoFlow and Tesla to help you find the right fit to keep you safe during outages or reduce your reliance on grid energy.

Latest news

Indurex Emerges From Stealth to Close Security Gap in Cyber-Physical Systems

Indurex was founded by Jalal Bouhdada, who previously led industrial cybersecurity company Applied Risk.

The post Indurex Emerges From Stealth to Close Security Gap in Cyber-Physical Systems appeared first on SecurityWeek.

SecurityWeek

Drowning in spam or scam emails? Here’s probably why

Has your inbox recently been deluged with unwanted and even outright malicious messages? Here are 10 possible reasons – and how to stem the tide.

WeLiveSecurity

High-Severity Remote Code Execution Vulnerability Patched in OpenSSL

A total of 12 vulnerabilities have been fixed in OpenSSL, all discovered by a single cybersecurity firm.

The post High-Severity Remote Code Execution Vulnerability Patched in OpenSSL appeared first on SecurityWeek.

SecurityWeek

Fortinet Patches Exploited FortiCloud SSO Authentication Bypass

Tracked as CVE-2026-24858, the bug allows attackers to log into devices registered to other FortiCloud accounts.

The post Fortinet Patches Exploited FortiCloud SSO Authentication Bypass appeared first on SecurityWeek.

SecurityWeek

Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected

Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it’s

The Hacker News

If these Samsung Galaxy S26 rumors are true, I might finally put my Google Pixel loyalty to rest

I’ve been a Google Pixel phone user for nearly a decade, but Samsung might have a compelling case for switching this year.

Latest news