Flaws in the Google Chromium web browser engine and Microsoft Windows Video ActiveX Control are among six issues added to the Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue this week.

Their inclusion on the regularly-updated Kev list mandates remedial action by agencies of the US government by a certain date – 10 March 2026 in this instance – but more broadly, for private sector organisations all over the world, it serves as a timely guide to what vulnerabilities are being actively exploited in the wild and which warrant urgent attention.

The Google Chromium issue, tracked as CVE-2026-2441, is a remote code execution (RCE) flaw arising from a use-after-free condition in which the application continues to point to a memory location after it has been freed. It is classed as a zero-day.

Google said it was “aware” that an exploit for the flaw exists in the wild and has updated the Stable channel to 145.0.7632.75/76 for Windows and Macintosh, and 144.0.7559.75 for Linux.

The Microsoft flaw dates back almost 20 years  and carries the identifier CVE-2008-0015. It is also an RCE vulnerability, but it arises from a stack-based buffer overflow in the ActiveX component of Windows Video and is triggered if a vulnerable user can be convinced to visit a malicious web page.

Its reemergence now implies threat actors are using it to target organisations that either failed or forgot to patch years ago and are still running legacy systems and discontinued software.

The other vulnerabilities on Cisa’s radar are CVE-2020-7796, a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite, and CVE-2024-7694 in Team T5 ThreatSonar Anti-Ransomware, in which a failure to properly validate the content of uploaded files enable a remote attacker with admin rights to upload malicious files in order to achieve arbitrary system command.

Also added to the Kev catalogue this week are CVE-2026-22769, a hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines that enables an unauthenticated, remote attacker to gain access to the operating system, and CVE-2021-22175, another SSRF issue in GitLab.

Gunter Ollman, chief technology officer (CTO) at Cobalt, a supplier of penetration-testing services, said that Cisa’s latest Kev additions highlighted a persistent reality for cyber security pros – namely that attackers are pragmatic, not fashionable.

“They will exploit a brand-new Chrome heap corruption vulnerability just as readily as a 2008-era ActiveX buffer overflow if it gives them reliable access,” said Ollman. “What stands out here is the diversity of attack surface, from browsers and collaboration platforms to endpoint software that is supposed to defend against ransomware.”

Ollman said this reinforced a clear need for continuous, adversary-driven testing that reflects the reality of how threat attackers chain exploits, SSRF flaws, and legacy weaknesses into practical intrusion paths.

He added: “Organisations cannot treat patching as a quarterly hygiene exercise. They need ongoing validation that exposed services, client-side software, and defensive tooling are resilient under real-world attack conditions. The Kev catalog is not just a list of bugs, it is a blueprint of what adversaries are successfully monetising today.”

Read more on Application security and coding requirements

• 
  

  SolarWinds RCE bug makes Cisa list as exploitation spreads

  By: Alex Scroxton

• 
  

  Fortinet vulnerabilities prompt pre-holiday warnings

  By: Alex Scroxton

• 
  

  Black Basta ransomware leak sheds light on targets, tactics

  By: Alexander Culafi

• 
  

  CISA: BeyondTrust flaw CVE-2024-12686 exploited in the wild

  By: Alexander Culafi