Cybersecurity
Critical CVEs of 2026
Notifire's running roll-up of the year's highest-impact vulnerabilities — what they were, who was affected, what defenders did.
Each year a small handful of CVEs reshape security practice. Heartbleed (2014), Shellshock (2014), Spectre/Meltdown (2018), Log4Shell (2021), XZ (2024). This page is Notifire's running index of the 2026 entrants: which were exploited in the wild, which forced industry-wide patching, and which changed default trust assumptions for years to come.
Notifire's editorial team curates this list against three criteria: severity (CVSS ≥ 9.0 or active exploitation), reach (millions of affected systems or supply-chain blast radius), and persistence (the disclosure changed defensive practice). News briefings on the individual CVEs are linked below as they appear.
Latest briefings on Critical CVEs of 2026
AI
A Normal-Looking Image Can Jailbreak AI Models
Researchers found a way to jailbreak vision-language AI models using tiny, invisible changes to images. This new attack method bypasses standard safety filters that only analyze text prompts, creating a significant new security risk.
Neeraj Dhiman ·
Infra
Global push to replace US cloud with open source
At a recent UN event, global leaders argued for replacing proprietary US cloud services with open-source alternatives. This push for 'digital sovereignty' stems from a growing distrust of American tech giants and a view of open source as critical infrastructure.
Ashish Kale ·
AI
Government Request Forces OpenAI to Limit GPT-5.6 Access
OpenAI is limiting access to its new GPT-5.6 model following a government request. The company warns this sets a concerning precedent for AI regulation, potentially restricting access to powerful tools for developers, businesses, and security teams.
Neeraj Dhiman ·
Security
New AI Coalition to Find and Fix Open Source Flaws
Cybersecurity firm Chainguard has launched Athena, an industry coalition using AI to find and fix vulnerabilities in critical open-source software. The group aims to secure the foundational components of the internet before attackers can exploit them.
Neeraj Dhiman ·
AI
Salesforce AI Agent Only Charges for Solved Problems
Salesforce launched a new AI help agent with a novel pricing model. Companies will only pay when the AI successfully resolves a customer issue, directly linking support costs to its actual performance and value.
Neeraj Dhiman ·
AI
Vercel Adds AI Model with Double the Throughput
Vercel's AI Gateway now offers the GLM 5.2 Fast model, which runs with twice the throughput of other serverless options. This allows developers to build faster and more responsive AI-powered applications on the platform.
Neeraj Dhiman ·
Tech
Ukraine Open-Sources Captured Russian Military Technology
Ukraine's Ministry of Defence has launched TrophyLab, a new platform open-sourcing intelligence on captured Russian military hardware. Verified allies can access technical data, schematics, and even request physical samples to develop countermeasures.
Taranpreet Singh ·
Infra
Find and Fix Workflow Bugs Faster on Vercel
Vercel has launched a redesigned trace viewer for its Workflows tool. The update helps developers debug complex processes more quickly by making it easier to search, zoom, and inspect each step of a workflow run.
Ashish Kale ·
AI
OpenAI Is Using AI to Fix Open-Source Flaws
OpenAI is now using AI to automatically find and fix security bugs in popular open-source projects. The "Patch the Planet" initiative aims to secure the software supply chain that underpins countless enterprise applications.
Neeraj Dhiman ·
Infra
Vercel Wants to Replace Your Feature Flag Tool
Vercel has launched its own feature flagging tool, built directly into its platform. This gives developers a native way to safely roll out new features and test changes, potentially replacing third-party services like LaunchDarkly.
Ashish Kale ·
AI
Cursor Acquires Open-Source Copilot Rival Continue
AI code editor Cursor has acquired Continue, an open-source alternative to GitHub Copilot. The move signals further consolidation in the competitive market for AI-powered developer tools, reducing the number of independent players.
Neeraj Dhiman ·
Infra
Vercel Now Lets You Build Real-Time Apps
Vercel now supports WebSockets in its serverless functions, a long-requested feature. This allows developers to build real-time applications like live chats and collaborative tools directly on the platform, paying only for active processing time.
Ashish Kale ·
Tech
US Space Force Just Ran a Secretive Space Drill
The US Space Force and Rocket Lab quietly launched a satellite from New Zealand in a rapid-response military drill. The exercise tests the ability to quickly deploy space assets during a crisis, with little to no advance notice.
Taranpreet Singh ·
Infra
Vercel Unlocks 24-Hour Sessions for Developers
Vercel now allows its Sandboxes to run for up to 24 hours, a major increase from the previous five-hour limit. This change helps developers run complex, long-running tasks like large data processing and extensive testing.
Ashish Kale ·
Infra
Vercel Adds a Stop Button for In-Flight Workflows
Vercel's Workflow SDK now lets developers cancel long-running tasks while they're still in progress. This gives them more control over complex application processes and helps prevent wasted resources on jobs that are no longer needed.
Ashish Kale ·
Security
Chrome and Defender Under Active Attack
Google issued an urgent update for a critical Chrome vulnerability that could allow code execution. Meanwhile, attackers are actively exploiting flaws in Microsoft Defender. Other security news includes scrutiny of child safety on major platforms and new spyware detection tools.
Neeraj Dhiman ·
Security
Critical GDAL Library Vulnerability Discovered
A high-severity vulnerability has been discovered in the Geospatial Data Abstraction Library (GDAL). The flaw, located in its bundled LibTIFF component, could allow an attacker to execute arbitrary code, cause a denial of service, or access sensitive information by using a specially crafted TIFF image file.
Neeraj Dhiman ·
Security
Open-source private security camera updated
Secluso, an open-source home security camera system, has been updated. Formerly Privastead, it offers end-to-end encryption using OpenMLS and focuses on user privacy. The system is designed for easy deployment on hardware like the Raspberry Pi, providing a private alternative to commercial IoT solutions.
Neeraj Dhiman ·
Data
Elastic Releases Important Security Update
Elastic has released version 8.19.16 of the Elastic Stack, a security patch that addresses potential vulnerabilities. The company recommends all users upgrade to this latest version to ensure their deployments are protected. This update supersedes previous versions and is crucial for maintaining system security.
Taranpreet Singh ·
Security
Multiple Security Flaws Found In MediaWiki
Multiple vulnerabilities have been discovered in MediaWiki, the popular open-source wiki software. The flaws could allow attackers to determine if users have two-factor authentication enabled and to view the titles of intentionally hidden log entries, posing a risk to user privacy and site security.
Neeraj Dhiman ·
Security
Ubuntu SSSD Flaw Creates Service Disruption
A vulnerability was discovered in Ubuntu's System Security Services Daemon (SSSD). A local attacker can exploit this by sending malformed data to the PAM passkey responder, causing it to crash. This results in a denial of service, preventing users from authenticating on affected systems.
Neeraj Dhiman ·
Security
A Perl Library Flaw Makes Passwords Easier to Crack
The Crypt-SaltedHash library for Perl used a weak method to generate random "salts," a key part of password security. This makes the salts predictable, allowing attackers to more easily crack hashed passwords on systems using this library.
Neeraj Dhiman ·
Security
Ubuntu Patches Local Eavesdropping Vulnerability
Ubuntu has released a security update for its 20.04 LTS version, addressing a vulnerability in the xdg-dbus-proxy component. The flaw could allow a local attacker to intercept certain D-Bus messages by exploiting incorrect handling of policy rules. Users are advised to apply the patch promptly.
Neeraj Dhiman ·
Security
Ubuntu Patches Flaw That Lets JPEGs Crash Apps
Ubuntu has patched a critical vulnerability in its GDK-PixBuf image library. A specially crafted JPEG file could crash an application, cause a denial of service, or even allow an attacker to execute arbitrary code on affected systems.
Neeraj Dhiman ·
Security
NNCP Flaw Allows Remote File Access
A security vulnerability has been found in the NNCP file transfer utility. The flaw allows a remote attacker to bypass directory restrictions and read or write files anywhere on the system. This is a high-severity path traversal issue affecting users of this specific tool.
Neeraj Dhiman ·
Security
Ubuntu 20.04 Flaw Lets Attackers Crash Systems
A security flaw has been found in a core audio library on Ubuntu 20.04 LTS. Attackers could exploit it with a special file to crash applications or potentially run malicious code, requiring an immediate system update.
Neeraj Dhiman ·
Security
Security Flaw in Ubuntu Papers App
A remote code execution vulnerability was found in the Papers reference management app on Ubuntu. Attackers can exploit it by tricking users into opening a malicious PDF file, potentially allowing them to run arbitrary code. The flaw stems from how the application handles specific PDF actions.
Neeraj Dhiman ·
Security
Vulnerability Found in Highlight.js Library
A prototype pollution vulnerability has been discovered in Highlight.js, a widely-used syntax highlighting library. The flaw could allow an attacker to cause a denial of service or trigger unexpected application behavior. It affects web applications that use the library for displaying code snippets.
Neeraj Dhiman ·
Security
Media File Flaw Puts Legacy Ubuntu Servers at Risk
A security patch has been released for a critical GStreamer vulnerability affecting Ubuntu 16.04 LTS. Malicious AVI files could allow attackers to crash systems or run arbitrary code, making this update crucial for teams managing legacy infrastructure.
Neeraj Dhiman ·
Security
Texmaker Vulnerability Allows Code Execution
A security flaw has been discovered in the Texmaker LaTeX editor. The vulnerability stems from how the application handles TIFF image files, allowing a malicious image to cause a denial of service, leak sensitive information, or permit remote code execution on a user's system.
Neeraj Dhiman ·
Frequently asked questions
What makes a CVE “critical”?
A CVSS base score ≥ 9.0, plus at least one of: active in-the-wild exploitation, very large affected population, or remote unauthenticated RCE. Notifire applies the same bar to its critical list.
Where can I subscribe to CVE alerts?
The NVD RSS feed, CISA's Known Exploited Vulnerabilities (KEV) catalog, and vendor PSIRT mailing lists. Notifire's /security RSS feed (notifire.in/rss.xml filtered to security) covers the highest-impact disclosures.
How fast should we patch a critical CVE?
Active in-the-wild exploitation: same day. Critical remote unauthenticated RCE without active exploitation: 72 hours. Critical authenticated or local: 14 days, prioritised against business risk. CISA mandates 14 days for KEV-listed CVEs on US federal systems.
What is SBOM-driven CVE response?
Maintain a signed Software Bill of Materials for every artifact in production; when a CVE drops, query the SBOM database to find every running workload that contains the vulnerable component. Reduces MTTD on a new CVE from days to minutes.