Summary of Vulnerability Trends for the Second Quarter of 2026
A total of 20,701 new CVEs were reported in the second quarter of 2026.
Of these, 2,317 were “Critical” vulnerabilities with a CVSS score of 9.0 Or higher, accounting for 11.2% Of the total.
Medium- and high-risk vulnerabilities, including those rated “High,” accounted for 51.7% Of the total.
While the overall volume remained similar to Q1, the number of “Critical” vulnerabilities—which can cause immediate damage—increased by 62.5% From 1,426 in Q1.
Trends in CISA KEV (Known Exploited Vulnerabilities)
In the second quarter of 2026, 75 new vulnerabilities were added to the CISA KEV list.
Of these, 39 were classified as “Critical,” accounting for approximately 52%.
When including “High” vulnerabilities, the total reached 65, accounting for approximately 87%.
In the KEV, CWE-20 (Improper Input Validation) and CWE-306 (Missing Authentication for Critical Function) were frequently exploited.
Since vulnerabilities listed in the KEV indicate that actual attacks are underway, they should be treated as the highest-level threats.
Major Attack Trends
Attacks were concentrated on external access points such as firewalls, VPNs, enterprise management panels, and authentication portals.
Numerous reports also emerged of supply chain attacks targeting compromised official installation packages and open-source package managers like npm.
With advancements in generative AI and automated vulnerability detection tools, high-risk vulnerabilities are being discovered more quickly, and threat actors are also exploiting AI to develop exploit code more rapidly and with greater sophistication.
The time between a vulnerability’s disclosure and its actual exploitation has become extremely short.
Major Vulnerability Cases
CVE-2026-10520. A command injection vulnerability in Ivanti Sentry that allows an unauthenticated threat actor to achieve RCE (remote code execution) at the root privilege level.
CVE-2026-48172. A privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin; instances of exploitation in real-world environments have been reported.
CVE-2026-34908. A lack of access control in Ubiquiti UniFi OS allows settings to be changed without administrator authentication.
CVE-2026-35616. A vulnerability in Fortinet FortiClientEMS involving insufficient access control, which allows an unauthenticated threat actor to carry out a remote attack.
CVE-2026-20253. A vulnerability in the PostgreSQL sidecar (auxiliary component) endpoint of Splunk Enterprise that allows unauthenticated users to invoke file operations, potentially leading to RCE.
CVE-2026-8398. An attack case in DAEMON Tools Lite, where a Trojan horse was inserted into the official installation package.
CVE-2026-41940. A authentication bypass vulnerability in cPanel & WHM that allows an unauthenticated remote threat actor to access the control panel.
CVE-2026-0300. A buffer overflow vulnerability in Palo Alto Networks PAN-OS that allows code execution with root privileges through the User-ID authentication portal (Captive Portal, a web portal for user authentication).
CVE-2026-5281. A Use After Free (UAF) vulnerability in Dawn (WebGPU, a graphics processing component) in Google Chrome, which could lead to renderer takeover and sandbox bypass.
CVE-2026-42897. An XSS vulnerability in Microsoft Exchange Server, which was exploited to achieve the Initial Breach via malicious emails or links and to steal administrator privileges.
Key Implications from a Defense Perspective
Destructive vulnerabilities, such as RCE and privilege escalation, were more prominent than simple information exposure.
Externally exposed devices and management solutions became the primary Attack Targets.
The speed at which high-risk vulnerabilities are weaponized—potentially leading to ransomware distribution and botnet deployment—has accelerated significantly.
From a defense perspective, it is essential to prioritize checking for inclusion in the CISA KEV and to patch the most at-risk assets first based on actual attack telemetry.
For administrator control panels and internal authentication portals, it is crucial to implement attack surface management (ASM) by blocking exposure to the public internet and applying internal IP restrictions and multi-factor authentication (MFA).