Oracle, OpenStack, SAP, Salesforce and ServiceNow are among the many high-profile enterprise products with vulnerabilities in need of attention by security teams.
Cyble Vulnerability Intelligence researchers tracked 1,031 vulnerabilities in the last week, and nearly 200 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on these vulnerabilities.
A total of 72 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 33 received a critical severity rating based on the newer CVSS v4.0 scoring system.
Below are some of the vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams in recent reports to clients.
The Week’s Top IT Vulnerabilities
CVE-2026-21969 is a 9.8-severity vulnerability in Oracle Agile Product Lifecycle Management for Process, specifically in the Supplier Portal component of Oracle Supply Chain. The flaw could enable unauthenticated remote attackers to achieve full system takeover via HTTP without needing credentials or user interaction.
CVE-2026-22797 is a 9.9-rated authentication bypass vulnerability in the OpenStack keystonemiddleware’s external_oauth2_token component. An authenticated attacker could escalate privileges or impersonate other users by sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id.
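The general failure behind a forged-identity-header bug is a middleware that validates the caller's token but does not own the identity headers it forwards, so values the client pre-set survive into the service behind it. The following is an added illustration of that class, not keystonemiddleware's code: the header names are the ones quoted above, while the token table, the two middleware functions and the downstream view are constructed for the example.

```python
"""Identity-header handling in a token-validating proxy middleware.

Added illustration for the keystonemiddleware issue above; this is not
keystonemiddleware's code. The header names are the ones named in the
advisory; the token table, the middleware functions and the downstream
view are constructed for the example.
"""

# Headers the middleware is supposed to own. Keystone-style services read
# these to decide who the caller is and what they may do.
IDENTITY_HEADERS = ("X-User-Id", "X-Roles", "X-Is-Admin-Project")

# Constructed token store standing in for a real token-validation call.
TOKENS = {
    "tok-alice": {"user_id": "alice", "roles": ["member"], "is_admin_project": False},
}


def wsgi_key(header):
    """WSGI exposes request headers as environ['HTTP_X_USER_ID'] and so on."""
    return "HTTP_" + header.upper().replace("-", "_")


def identity_from_token(environ):
    """Validate X-Auth-Token and return the identity headers it justifies, or None."""
    identity = TOKENS.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
    if identity is None:
        return None
    return {
        wsgi_key("X-User-Id"): identity["user_id"],
        wsgi_key("X-Roles"): ",".join(identity["roles"]),
        wsgi_key("X-Is-Admin-Project"): "True" if identity["is_admin_project"] else "False",
    }


def vulnerable_middleware(environ):
    """Fills in identity headers only where the request does not already carry one.

    Any client holding a valid low-privilege token can therefore pre-set
    X-Roles or X-Is-Admin-Project and have the service trust those values.
    """
    from_token = identity_from_token(environ)
    if from_token is None:
        return None
    for key, value in from_token.items():
        environ.setdefault(key, value)
    return environ


def hardened_middleware(environ):
    """Strips every client-supplied identity header, then sets them all from the token."""
    from_token = identity_from_token(environ)
    if from_token is None:
        return None
    for header in IDENTITY_HEADERS:
        environ.pop(wsgi_key(header), None)
    environ.update(from_token)
    return environ


def downstream_view(environ):
    """Constructed service behind the middleware. It trusts the identity headers
    blindly, which is exactly the contract the middleware is supposed to uphold."""
    roles = environ.get("HTTP_X_ROLES", "").split(",")
    is_admin = environ.get("HTTP_X_IS_ADMIN_PROJECT") == "True" or "admin" in roles
    return {"user": environ.get("HTTP_X_USER_ID"), "admin": is_admin}


def forged_request():
    """Constructed request: a valid member token plus forged identity headers."""
    return {
        "HTTP_X_AUTH_TOKEN": "tok-alice",
        "HTTP_X_USER_ID": "admin",
        "HTTP_X_ROLES": "admin",
        "HTTP_X_IS_ADMIN_PROJECT": "True",
    }


def handle(environ, middleware):
    """Run a request through the chosen middleware and then the downstream view."""
    environ = middleware(dict(environ))
    return None if environ is None else downstream_view(environ)


if __name__ == "__main__":
    print("vulnerable:", handle(forged_request(), vulnerable_middleware))
    print("hardened:  ", handle(forged_request(), hardened_middleware))
```

The hardened variant unconditionally overwrites every identity header from the validated token; the check to add in a review is that no identity header reaches the backend through any path that skipped that overwrite, including alternative auth paths such as an external OAuth2 token branch.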
CVE-2026-0501 is a 9.9-severity SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise, specifically the Financials General Ledger module, that could allow an authenticated attacker with low privileges to craft SQL queries, potentially enabling them to read sensitive financial data, modify records, or delete backend database content.
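What an authenticated, low-privilege SQL injection against a ledger query looks like, and what the parameterized fix changes, as an added example that is not SAP's code: the table, its rows, the company-code scoping and the query shape are all constructed, and SQLite is used so it runs in memory.

```python
"""Authenticated SQL injection against a general-ledger query, beside the fix.

Added illustration for the SAP general-ledger issue above; it is not SAP code.
The table, rows and query shape are constructed for the example and use
SQLite, so everything runs in memory.
"""
import sqlite3

# Constructed general-ledger lines for two company codes. A user scoped to
# company 1000 has no business reading company 2000's figures.
LEDGER_ROWS = [
    ("1000", "100000", "Cash", 25000.00),
    ("1000", "400000", "Revenue", -25000.00),
    ("2000", "100000", "Cash", 9100000.00),
    ("2000", "200000", "Trade payables", -9100000.00),
]


def make_db():
    """Build the in-memory ledger table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gl_entries (company TEXT, account TEXT, name TEXT, amount REAL)")
    con.executemany("INSERT INTO gl_entries VALUES (?, ?, ?, ?)", LEDGER_ROWS)
    return con


def entries_vulnerable(con, company):
    """Caller-controlled company code concatenated straight into the statement."""
    sql = f"SELECT company, account, amount FROM gl_entries WHERE company = '{company}'"
    return con.execute(sql).fetchall()


def entries_safe(con, company):
    """Same query with the value bound as a parameter: a quote in the input
    cannot close the literal, so the input is only ever compared, never parsed."""
    sql = "SELECT company, account, amount FROM gl_entries WHERE company = ?"
    return con.execute(sql, (company,)).fetchall()


# A low-privilege user's input: closes the string literal and widens the WHERE clause.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", entries_vulnerable(con, PAYLOAD))
    print("safe:      ", entries_safe(con, PAYLOAD))
```

The read-only payload is enough to pull every company's lines through a query that was meant to be scoped to one. Whether the same hole also allows modification or deletion depends on the driver: SQLite's `execute` refuses a second stacked statement, while several enterprise database drivers accept multiple statements per call, which is what turns an injection point into the "modify records or delete backend content" case described above.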
CVE-2026-22584 is an 8.5-rated code injection vulnerability in Salesforce’s Uni2TS library, affecting macOS, Windows, and Linux systems, that could allow attackers to leverage executable code in non-executable files.
CVE-2025-69258 is a 9.8-rated unauthenticated remote code execution (RCE) vulnerability in Trend Micro Apex Central. The flaw could allow an unauthenticated, remote attacker to load an attacker-controlled DLL into a key executable, resulting in the execution of attacker-supplied code under the SYSTEM context on affected installations.
Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were CVE-2024-37079, a 9.8-severity Broadcom VMware vCenter Server out-of-bounds write vulnerability; CVE-2026-21509, a 7.8-rated Microsoft Office Security Feature Bypass vulnerability; CVE-2026-24858, a 9.8-severity Fortinet Authentication Bypass vulnerability; and CVE-2025-34026, a 9.2-rated Versa Concerto improper authentication vulnerability in the Traefik reverse proxy configuration that could allow an attacker to access administrative endpoints.
Notable vulnerabilities discussed in open-source communities included CVE-2025-64155, a critical OS command injection vulnerability in Fortinet FortiSIEM, affecting Supervisor and Worker nodes. An unauthenticated remote attacker could exploit the phMonitor service via crafted requests to execute arbitrary commands, potentially enabling full system compromise, including root access through file overwrites and privilege escalation. Cyble has also observed the vulnerability discussed by threat actors on dark web cybercrime forums.
Another vulnerability getting attention in open-source communities is CVE-2025-12420, dubbed ‘BodySnatcher’, a critical privilege escalation vulnerability in ServiceNow’s AI Platform, specifically involving the Virtual Agent API and Now Assist AI Agents. It could allow unauthenticated remote attackers to impersonate any ServiceNow user, including administrators, by leveraging a hardcoded authentication secret and email-based identity linking, leading to arbitrary actions such as creating backdoor admin accounts.
Vulnerabilities Under Discussion on the Dark Web
In addition to CVE-2025-64155, Cyble dark web researchers observed threat actors discussing several other vulnerabilities on dark web and cybercrime forums. They include:
CVE-2026-23745, a high-severity directory traversal vulnerability in the node-tar library (versions ≤ 7.5.2) for Node.js. The vulnerability stems from improper sanitization of the linkpath in hardlink and symbolic link entries when preservePaths is set to false, which is the default secure behavior. An attacker could exploit this flaw by crafting malicious tar archives to bypass extraction root restrictions, achieving arbitrary file overwrite via hardlinks and symlink poisoning attacks. In CI/CD environments or automated pipelines, successful exploitation could lead to remote code execution by overwriting configuration files, scripts, or binaries, though npm remains unaffected because it filters out Link and SymbolicLink tar entries.
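The three ways a tar entry can escape its extraction root are its own path, a link target (for symlinks relative to the link's directory, for hardlinks relative to the root), and a later entry whose path passes through a symlink an earlier entry created. The audit below is an added example written in Python's tarfile module so it runs anywhere; it is not node-tar's code and does not reproduce node-tar's fix. The extraction root, the archive contents and the rejection reasons are constructed for the example, and nothing is written to disk.

```python
"""Auditing tar entries for link-path escapes before extraction.

Added illustration for the node-tar issue above; it is not node-tar's code
and re-creates the checks in Python's tarfile module so it runs anywhere.
The extraction root, the archive contents and the rejection reasons are
constructed for the example; nothing is written to disk.
"""
import io
import posixpath
import tarfile


def _inside(root, path):
    """True if `path`, resolved against `root` with '..' collapsed, stays under `root`."""
    if posixpath.isabs(path):
        return False
    resolved = posixpath.normpath(posixpath.join(root, path))
    return resolved == root or resolved.startswith(root + "/")


def audit_archive(data, root="/srv/extract"):
    """Return [(entry name, reason)] for every entry that must not be extracted.

    Checks, in the order an extractor meets them: the entry's own path, whether
    that path passes through a symlink created by an earlier entry (symlink
    poisoning), and the linkpath of symlink and hardlink entries. A symlink's
    linkpath is relative to the link's own directory; a hardlink's linkpath is
    relative to the extraction root.
    """
    root = posixpath.normpath(root)
    findings = []
    symlinks_seen = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if not _inside(root, name):
                findings.append((m.name, "path escapes root"))
                continue
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlinks_seen for i in range(1, len(parts))):
                findings.append((m.name, "path traverses an earlier symlink"))
                continue
            if m.issym():
                # Record it even when rejected: later entries under it are still suspect.
                symlinks_seen.add(name)
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if not _inside(root, target):
                    findings.append((m.name, "symlink target escapes root"))
            elif m.islnk() and not _inside(root, m.linkname):
                findings.append((m.name, "hardlink target escapes root"))
    return findings


def _entry(tar, name, kind=tarfile.REGTYPE, linkname="", data=b""):
    """Append one entry to an in-memory archive."""
    info = tarfile.TarInfo(name)
    info.type = kind
    info.linkname = linkname
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data) if data else None)


def build_malicious_archive():
    """Constructed archive exercising each escape: plain traversal, a symlink out
    of the root followed by a write through it, and a hardlink to a file outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        _entry(tar, "../../etc/cron.d/job", data=b"* * * * * root /tmp/x\n")
        _entry(tar, "escape", tarfile.SYMTYPE, linkname="../../outside")
        _entry(tar, "escape/payload.txt", data=b"pwned\n")
        _entry(tar, "alias", tarfile.LNKTYPE, linkname="../../etc/passwd")
        _entry(tar, "docs/readme.txt", data=b"harmless\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed archive with a regular file and a relative symlink that stays in root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        _entry(tar, "docs/readme.txt", data=b"harmless\n")
        _entry(tar, "docs/latest", tarfile.SYMTYPE, linkname="readme.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_malicious_archive()):
        print(f"reject {name!r}: {reason}")
    print("benign archive findings:", audit_archive(build_benign_archive()))
```

The symlink-poisoning check is deliberately conservative: any entry whose path runs through a symlink from the same archive is rejected, even if the link itself stayed inside the root, because the write would land wherever that link resolves on the target filesystem. Python 3.12's `tarfile.extractall(filter="data")` applies rules of the same kind during extraction, and node-tar's `preservePaths: false` is meant to provide the same guarantee, which is the guarantee the advisory says the linkpath handling broke.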
CVE-2026-22812, a high-severity vulnerability in OpenCode, an open-source AI coding agent, affecting versions prior to 1.0.216. The flaw involves multiple weaknesses, including missing authentication for critical functions, exposed dangerous methods, and permissive cross-domain security policies. OpenCode automatically starts an unauthenticated HTTP server that allows any local process, or any website via permissive CORS, to execute arbitrary shell commands with the user’s privileges. After successful exploitation, which requires user interaction such as visiting a malicious website, attackers could gain full compromise of confidentiality, integrity, and availability, with high impact across all three security dimensions.
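A local agent that exposes a command endpoint over HTTP has to defend against two callers at once: other local processes, and any web page the user happens to have open, which can make the browser send requests to 127.0.0.1. The block below is an added example, not OpenCode's code, that puts the weak policy (any origin, no credential) beside a hardened one (allow-listed origin plus a per-process bearer token). The port, the /run path, the JSON body shape and the allow-listed origin are assumptions made for the example.

```python
"""A local agent's command endpoint with the weak policy beside a hardened one.

Added illustration for the OpenCode issue above; it is not OpenCode's code.
The port, the /run path, the JSON body shape and the allow-listed origin are
assumptions made for the example.
"""
import http.server
import json
import secrets
import subprocess

PORT = 8765  # assumed port for the demo server

# Weak policy: any origin is answered, no credential is required.
PERMISSIVE = {"allowed_origins": None, "token": None}

# Hardened policy: only the agent's own UI origin is answered, and every call
# must carry a per-process random bearer token that a third-party page cannot learn.
HARDENED = {
    "allowed_origins": {f"http://127.0.0.1:{PORT}"},
    "token": secrets.token_urlsafe(32),
}


def check_request(headers, policy):
    """Decide whether a request may reach the command endpoint; returns (allowed, reason).

    `headers` is a dict keyed by lowercase header name. Browsers attach an
    Origin header to every cross-site request, so an Origin that is present
    but not allow-listed marks a cross-site caller. A local non-browser client
    sends no Origin and is gated by the bearer token alone.
    """
    origin = headers.get("origin")
    allowed = policy["allowed_origins"]
    if allowed is not None and origin is not None and origin not in allowed:
        return False, "origin not allowed"
    if policy["token"] is not None:
        auth = headers.get("authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not secrets.compare_digest(presented.encode(), policy["token"].encode()):
            return False, "missing or wrong bearer token"
    return True, "ok"


def cors_headers(origin, policy):
    """CORS response headers: the weak policy reflects any origin; the hardened
    policy answers only an allow-listed origin and is otherwise silent."""
    common = {"Access-Control-Allow-Methods": "POST, OPTIONS",
              "Access-Control-Allow-Headers": "Content-Type, Authorization"}
    if policy["allowed_origins"] is None:
        return {"Access-Control-Allow-Origin": origin or "*", **common}
    if origin in policy["allowed_origins"]:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin", **common}
    return {}


def make_handler(policy):
    """Build a request handler class bound to one policy."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def _send(self, status, body=None):
            payload = b"" if body is None else json.dumps(body).encode()
            self.send_response(status)
            for k, v in cors_headers(self.headers.get("Origin"), policy).items():
                self.send_header(k, v)
            if payload:
                self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def do_OPTIONS(self):  # CORS preflight for JSON POSTs
            self._send(204)

        def do_POST(self):
            headers = {k.lower(): v for k, v in self.headers.items()}
            allowed, reason = check_request(headers, policy)
            if not allowed:
                return self._send(403, {"error": reason})
            if self.path != "/run":
                return self._send(404, {"error": "no such endpoint"})
            length = int(self.headers.get("Content-Length", "0"))
            body = json.loads(self.rfile.read(length) or b"{}")
            # The capability the advisory describes: a shell command executed
            # with the server user's privileges.
            result = subprocess.run(body.get("cmd", ""), shell=True,
                                    capture_output=True, text=True)
            self._send(200, {"stdout": result.stdout, "returncode": result.returncode})

    return Handler


if __name__ == "__main__":
    print("bearer token:", HARDENED["token"])
    http.server.HTTPServer(("127.0.0.1", PORT), make_handler(HARDENED)).serve_forever()
```

Two caveats a reviewer would raise. Binding to loopback is not a defence here, because the attacker's code runs in a browser on the same machine. And a cross-site POST with a simple content type is delivered to the server even with no CORS headers at all; permissive CORS is what additionally lets the page send a JSON body through preflight and read the response. The token is therefore the control that matters, and it must reach the legitimate client out of band (printed at startup or written to a file with restrictive permissions), never via an unauthenticated endpoint.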
A threat actor shared a high-severity exploit chain targeting Apple’s WebKit engine on iOS versions earlier than iOS 26. The chain links CVE-2025-43529, a use-after-free flaw, with CVE-2025-14174, a memory corruption issue in the ANGLE Metal renderer. By delivering malicious web content, attackers first achieve code execution within the browser sandbox and then leverage the memory corruption to bypass platform security. Upon successful exploitation via a malicious webpage, attackers can install sophisticated spyware to monitor location, intercept messages, and access the device’s camera and microphone.
Conclusion
The number of vulnerabilities affecting high-profile enterprise environments highlights the constant pressure facing security teams, who must respond with rapid, well-targeted actions to patch the most important vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of these defensive efforts.
Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning indicators of major cyberattacks.

