Oracle issued an out-of-band emergency patch for CVE-2026-21992 (CVSS 9.8) in Identity Manager. PTC disclosed a CVSS 10.0 deserialization flaw in Windchill with indicators of compromise but no patch. Langflow's AI pipeline RCE drew active exploitation within 20 hours of disclosure. Chrome's two latest zero-days entered the CISA KEV list. A GNU telnetd pre-auth buffer overflow threatens 3,362 exposed hosts with no fix until April.
Critical
The emergency patch dropped on Friday, March 21. CVE-2026-21992 (CVSS 9.8) affects the REST WebServices component of Identity Manager and the Web Services Security component of Web Services Manager. Both belong to the Fusion Middleware suite. An unauthenticated attacker with HTTP access can achieve full system takeover.
Oracle described the flaw as "easily exploitable." The advisory landed through the Security Alert programme, reserved for flaws too critical to wait for the quarterly CPU. This is only the second out-of-band alert for Identity Manager. The first, CVE-2017-10151 (CVSS 10.0), was a default account vulnerability. Whether CVE-2026-21992 has been exploited in the wild remains unconfirmed.
A nearly identical flaw, CVE-2025-61757 (CVSS 9.8), hit the same product and component in October 2025. CISA added it to the KEV list one month later. Searchlight Cyber researchers published a writeup calling the earlier flaw "somewhat trivial." Fusion Middleware now has six entries in CISA's KEV database. Affected versions are 12.2.1.4.0 and 14.1.2.1.0 for both products. Patch immediately.
PTC disclosed a CVSS 10.0 RCE in Windchill and FlexPLM on March 20, 2026. No CVE identifier has been assigned. The flaw is a deserialization vulnerability in the /servlet/WindchillGW/com.ptc.wvs.server.publish.Publish and /servlet/WindchillAuthGW/com.ptc.wvs.server.publish.Publish endpoints. All versions of both products are affected. No patch exists.
The Windchill advisory also published indicators of compromise. The IOCs include a GW.class webshell (SHA-256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1) and a matching payload.bin. Their presence on a server means the attacker completed weaponization prior to executing code. The advisory states "no evidence of confirmed exploitation affecting PTC customers," but the existence of IOCs contradicts that claim. Self-hosted customers must apply the Apache workaround immediately. Instances hosted by PTC are already protected.
PTC rates this flaw CVSS 10.0 and publishes webshell IOCs in the same advisory, yet states there is no evidence of confirmed exploitation. The IOCs could not exist without prior attack activity against at least one instance. Windchill administrators should treat this as an active zero-day, apply the Apache LocationMatch workaround, scan for GW.class and payload.bin, and check logs for the suspicious User-Agent header PTC specifies.
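A defender-side triage helper for the two checks above, added here as an example and not code from PTC or the advisory: it walks a directory tree for files named GW.class or payload.bin, hashes them against the SHA-256 the advisory publishes, and flags access-log lines that touch the two Publish servlet paths. The User-Agent marker is a placeholder parameter, since PTC's exact value is not reproduced on this page.

```python
import hashlib
import os
import re

# SHA-256 of the GW.class webshell as published in the PTC advisory (lower-cased).
GW_CLASS_SHA256 = "c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1"
IOC_FILENAMES = {"GW.class", "payload.bin"}

# The two Publish servlet paths named in the advisory. Legitimate clients may
# use them too, so a log hit is a triage lead, not proof of compromise.
PUBLISH_RE = re.compile(
    r"/servlet/Windchill(?:Auth)?GW/com\.ptc\.wvs\.server\.publish\.Publish"
)


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large artefacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Return (path, sha256, matches_published_hash) for every IOC-named file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in IOC_FILENAMES:
                path = os.path.join(dirpath, name)
                digest = sha256_file(path)
                hits.append((path, digest, digest == GW_CLASS_SHA256))
    return hits


def suspicious_log_lines(lines, user_agent_marker=None):
    """Keep lines that hit a Publish servlet or carry the (placeholder) UA marker."""
    return [
        line for line in lines
        if PUBLISH_RE.search(line) or (user_agent_marker and user_agent_marker in line)
    ]


if __name__ == "__main__":
    # Constructed sample access-log lines, not real traffic.
    sample = [
        '10.0.0.5 - - [21/Mar/2026:10:00:01 +0000] "POST /servlet/WindchillGW/'
        'com.ptc.wvs.server.publish.Publish HTTP/1.1" 200 512 "-" "curl/8.0"',
        '10.0.0.6 - - [21/Mar/2026:10:00:02 +0000] "GET /Windchill/app/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ]
    for line in suspicious_log_lines(sample):
        print("LOG HIT:", line)
    for path, digest, known in scan_tree("."):
        print("FILE HIT:", path, digest, "PUBLISHED WEBSHELL HASH" if known else "unknown hash")
```

A file named GW.class with a different hash still deserves a look, since a recompiled webshell would not match the published digest.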
WWBN AVideo ≤26.0 has a chained RCE scored CVSS 10.0. CVE-2026-33478 exploits the CloneSite plugin. The clones.json.php endpoint leaks clone secrets without authentication. An attacker uses those credentials to trigger a full database dump via cloneServer.json.php. The dump contains admin password hashes stored as MD5. After cracking the hash, the attacker logs in and reaches an authenticated eval() endpoint for arbitrary PHP execution.
Two additional AVideo flaws dropped the same day. CVE-2026-33351 (CVSS 9.1) is an SSRF in the Live plugin's standalone configuration. CVE-2026-33479 (CVSS 8.8) chains CSRF with eval() in the Gallery plugin. All three require AVideo ≤26.0. The platform has no automatic update mechanism.
GoHarbor Harbor ≤2.15.0 ships with hardcoded default credentials. CVE-2026-4404 (CVSS 9.4) grants web UI access to any attacker who knows the default password. Harbor is a CNCF-graduated container registry used in Kubernetes environments. Compromising the registry gives control over every container image the cluster pulls.
Active exploitation
Langflow CVE-2026-33017 (CVSS 9.3) drew exploitation within 20 hours of the March 17 advisory. Sysdig's Threat Research Team documented three phases. Automated scanning from four source IPs came first. Custom Python scripts for reconnaissance followed. Credential harvesting from .env files, databases, and cloud tokens completed the chain. No public PoC existed at the time. Attackers built working exploits directly from the advisory description.
The framework is open-source, built for AI agents and RAG pipelines, and has 145,000+ GitHub stars. The vulnerable endpoint, /api/v1/build_public_tmp/{flow_id}/flow, accepts attacker-supplied Python code in flow node definitions and passes it to exec() with no sandboxing. A single HTTP POST request achieves RCE. Researcher Aviral Srivastava, who reported the flaw on February 26, noted the endpoint is unauthenticated by design because it serves public flows. Update to Langflow 1.8.2+. Rotate all credentials on any exposed instance.
Google patched two Chrome zero-days exploited in the wild. CVE-2026-3909 (CVSS 8.8) is an out-of-bounds write in the Skia 2D graphics library. CVE-2026-3910 (CVSS 8.8) is an implementation flaw in the V8 JavaScript engine allowing sandbox code execution via crafted HTML. Google discovered both internally on March 10. CISA added both to its exploited-vulnerabilities database. Both affect all Chromium-based browsers. Chrome 135.0.7049.84 contains the fix.
GNU InetUtils telnetd has a pre-authentication buffer overflow. CVE-2026-32746 (CVSS 9.8) is an out-of-bounds write in the LINEMODE SLC suboption handler. Israeli firm Dream reported the flaw on March 11. It affects all versions through 2.7. A fix is not expected until April 1. Censys counts 3,362 exposed hosts as of March 18. watchTowr Labs found the vulnerable code in FreeBSD, NetBSD, Citrix NetScaler, TrueNAS Core, and DragonFlyBSD. A related flaw, CVE-2026-24061, is already on CISA's KEV under active exploitation. Disable telnetd or block port 23 at the perimeter.
| Product | Action | Status |
|---|---|---|
| Oracle Identity Manager (CVE-2026-21992) | Apply out-of-band patch | Patched (v12.2.1.4.0, v14.1.2.1.0) |
| PTC Windchill / FlexPLM (no CVE) | Apache LocationMatch workaround, scan for GW.class IOC | No patch, zero-day |
| Langflow (CVE-2026-33017) | Update to 1.8.2+, rotate API keys | Actively exploited |
| Chrome (CVE-2026-3909, CVE-2026-3910) | Update to 135.0.7049.84 | Exploited, CISA KEV |
| GNU telnetd (CVE-2026-32746) | Disable telnetd, block port 23 | No patch until April 1 |
| AVideo (CVE-2026-33478, -33351, -33479) | Update beyond 26.0 | Unpatched |
| GoHarbor Harbor (CVE-2026-4404) | Change default password, update beyond 2.15.0 | Patched in later releases |
Three items on this list have no patch at all. PTC Windchill administrators must apply the Apache LocationMatch workaround against the WindchillGW and WindchillAuthGW servlets. GNU telnetd users must disable the daemon or firewall port 23. AVideo administrators should restrict access to the CloneSite, Live, and Gallery plugins until a fixed release ships.