CISA added four actively exploited vulnerabilities to its KEV catalog: a PHP remote file inclusion flaw in Zimbra Collaboration Suite, an authentication bypass in Versa Concerto SD-WAN, an improper access control issue in Vite, and embedded malicious code in eslint-config-prettier from a supply chain attack. The eslint vulnerability stems from a phishing campaign that compromised maintainer credentials to publish trojanized npm packages. U.S. federal agencies must apply fixes by February 12, 2026, with exploitation of the Zimbra vulnerability confirmed since January 14, 2026.

From thehackernews.com