Rce

• Langflow CVE-2026-33017: Unauthenticated RCE Exploited Within 20 Hours, Now on CISA KEV March 26, 2026

  CVE-2026-33017 is a CVSS 9.3 unauthenticated RCE in Langflow's public flow build endpoint. Attackers were scanning and exploiting within 20 hours of disclosure -- with no public PoC. CISA added it to the KEV catalog on March 25. If you run Langflow, upgrade to v1.9.0 now.

• Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE March 24, 2026

  CVE-2026-32746 is a CVSS 9.8 buffer overflow in GNU InetUtils telnetd that lets an unauthenticated attacker execute code as root before any login prompt appears. No patch yet. If you're running telnetd exposed to the internet, act now.

• Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager March 24, 2026

  Oracle issued an out-of-band emergency patch on March 19 for CVE-2026-21992, a CVSS 9.8 unauthenticated RCE affecting Oracle Identity Manager and Web Services Manager. If your org runs either product on versions 12.2.1.4.0 or 14.1.2.1.0, patching cannot wait for the next quarterly cycle.