Vulnerability Report - March 2026
Introduction
This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently mentioned vulnerabilities for March 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.
The Month at a Glance
March 2026 was led by CVE-2026-3055, a Critical-severity memory overread in Citrix NetScaler ADC and Gateway when configured as a SAML IDP, with 154 sightings. Active exploitation was confirmed in the wild by multiple sources including honeypot operators, and a proof-of-concept was publicly released by watchTowr. It was followed by CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) with 121 sightings – notably flagged by CISA as having known ransomware campaign use.
Network appliances and edge devices dominated the threat landscape in March, with Citrix NetScaler, Cisco FMC, and F5 BIG-IP (CVE-2025-53521) all appearing in both the top sightings and the CISA KEV catalog. AI and workflow automation tools also drew significant attention, with Langflow (CVE-2026-33017) suffering an unauthenticated RCE via code injection and n8n (CVE-2025-68613) being added to CISA KEV. A notable supply-chain entry was the Aquasecurity Trivy embedded malicious code vulnerability (CVE-2026-33634), which could expose CI/CD credentials.
On the Linux side, CVE-2026-3888, a local privilege escalation in snapd affecting multiple Ubuntu LTS versions, attracted 96 sightings. Qualcomm chipset memory corruption (CVE-2026-21385) was added to CISA KEV early in the month via the Android Security Bulletin. Legacy IoT devices continued to be targeted by botnets such as Mozi, with Zyxel (CVE-2017-18368) and D-Link (CVE-2015-2051) routers still appearing in the top 10 sightings despite being years old.
The CISA Known Exploited Vulnerabilities catalog added 26 new entries during the month. Notable additions include:
- CVE-2026-3055: Citrix NetScaler ADC & Gateway
- CVE-2026-20131: Cisco Secure Firewall Management Center (FMC) – known ransomware use
- CVE-2026-33634: Aquasecurity Trivy (supply-chain compromise)
- CVE-2026-33017: Langflow (unauthenticated RCE)
- CVE-2025-53521: F5 BIG-IP (RCE)
- CVE-2025-54068: Laravel Livewire (code injection)
The CIRCL Known Exploited Vulnerabilities catalog added five entries, all confirmed via sinkhole and CTI feed evidence: CVE-2024-13030 (D-Link DIR-823G), CVE-2021-35394 (Realtek Jungle SDK), CVE-2017-17215 (Huawei HG532), CVE-2014-8361 (Realtek SDK), and GCVE-1-2026-0020 (Eir D1000 router). The ENISA KEV catalog had no new entries in March.
Contributor insights this month covered Citrix NetScaler CVE-2026-3055 exploitation analysis and PoC details, F5 BIG-IP indicators of compromise, Oracle Identity Manager critical vulnerabilities, BMC FootPrints pre-auth RCE chains, Veeam Backup & Replication security updates, and Lantronix industrial device vulnerabilities.
Top 10 vulnerabilities of the Month
| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-3055 | 154 | Citrix | NetScaler ADC & Gateway | Critical (confidence: 0.9651) |
| CVE-2026-20131 | 121 | Cisco | Secure Firewall Management Center (FMC) | Critical (confidence: 0.978) |
| CVE-2026-33017 | 101 | Langflow | Langflow | Critical (confidence: 0.9904) |
| CVE-2026-3888 | 96 | Canonical | snapd (Ubuntu) | High (confidence: 0.9876) |
| CVE-2026-21385 | 93 | Qualcomm | Snapdragon | High (confidence: 0.9871) |
| CVE-2025-53521 | 87 | F5 | BIG-IP | Critical (confidence: 0.9364) |
| CVE-2026-21992 | 81 | Oracle | Identity Manager & Web Services Manager | Critical (confidence: 0.9929) |
| CVE-2026-32746 | 72 | GNU | inetutils (telnetd) | Critical (confidence: 0.8862) |
| CVE-2017-18368 | 62 | Zyxel | P660HN-T1A Router | Medium (confidence: 0.5886) |
| CVE-2015-2051 | 60 | D-Link | DIR-645 Router | Critical (confidence: 0.7862) |
Known Exploited Vulnerabilities
New entries have been added to major Known Exploited Vulnerabilities catalogs.
CISA
| CVE ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-3055 | 2026-03-30 | Citrix | NetScaler | Critical (confidence: 0.9651) |
| CVE-2025-53521 | 2026-03-27 | F5 | BIG-IP | Critical (confidence: 0.9364) |
| CVE-2026-33634 | 2026-03-26 | Aquasecurity | Trivy | Critical (confidence: 0.9963) |
| CVE-2026-33017 | 2026-03-25 | Langflow | Langflow | Critical (confidence: 0.9904) |
| CVE-2025-31277 | 2026-03-20 | Apple | Multiple Products | High (confidence: 0.9935) |
| CVE-2025-43520 | 2026-03-20 | Apple | Multiple Products | High (confidence: 0.891) |
| CVE-2025-43510 | 2026-03-20 | Apple | Multiple Products | Medium (confidence: 0.7061) |
| CVE-2025-54068 | 2026-03-20 | Laravel | Livewire | Critical (confidence: 0.9685) |
| CVE-2025-32432 | 2026-03-20 | Craft CMS | Craft CMS | High (confidence: 0.8744) |
| CVE-2026-20131 | 2026-03-19 | Cisco | Secure Firewall Management Center (FMC) | Critical (confidence: 0.978) |
| CVE-2026-20963 | 2026-03-18 | Microsoft | SharePoint | Critical (confidence: 0.6657) |
| CVE-2025-66376 | 2026-03-18 | Synacor | Zimbra Collaboration Suite (ZCS) | Medium (confidence: 0.9952) |
| CVE-2025-47813 | 2026-03-16 | Wing FTP Server | Wing FTP Server | Medium (confidence: 0.8028) |
| CVE-2026-3909 | 2026-03-13 | | Skia | High (confidence: 0.9471) |
| CVE-2026-3910 | 2026-03-13 | | Chromium V8 | High (confidence: 0.98) |
| CVE-2025-68613 | 2026-03-11 | n8n | n8n | Critical (confidence: 0.8146) |
| CVE-2026-1603 | 2026-03-09 | Ivanti | Endpoint Manager (EPM) | High (confidence: 0.9622) |
| CVE-2025-26399 | 2026-03-09 | SolarWinds | Web Help Desk | Critical (confidence: 0.9655) |
| CVE-2021-22054 | 2026-03-09 | Omnissa | Workspace One UEM | High (confidence: 0.9505) |
| CVE-2023-41974 | 2026-03-05 | Apple | iOS and iPadOS | High (confidence: 0.997) |
| CVE-2021-30952 | 2026-03-05 | Apple | Multiple Products | High (confidence: 0.9971) |
| CVE-2023-43000 | 2026-03-05 | Apple | Multiple Products | High (confidence: 0.9948) |
| CVE-2021-22681 | 2026-03-05 | Rockwell | Multiple Products | High (confidence: 0.5079) |
| CVE-2017-7921 | 2026-03-05 | Hikvision | Multiple Products | Critical (confidence: 0.9056) |
| CVE-2026-21385 | 2026-03-03 | Qualcomm | Multiple Chipsets | High (confidence: 0.9871) |
| CVE-2026-22719 | 2026-03-03 | Broadcom | VMware Aria Operations | Critical (confidence: 0.5026) |
More KEV entries from the CISA Catalog.
CIRCL
| Vulnerability ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2024-13030 | 2026-03-12 | D-Link | DIR-823G | Critical (confidence: 0.5827) |
| CVE-2021-35394 | 2026-03-12 | Realtek | Jungle SDK | Critical (confidence: 0.9847) |
| CVE-2017-17215 | 2026-03-12 | Huawei | HG532 | High (confidence: 0.4429) |
| CVE-2014-8361 | 2026-03-12 | Realtek | SDK | Critical (confidence: 0.9846) |
| GCVE-1-2026-0020 | 2026-03-23 | Eir | D1000 | Critical (confidence: 0.944) |
More KEV entries from the CIRCL Catalog.
ENISA
No new entry in March.
More KEV entries from the ENISA Catalog.
Insights from Contributors
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368
- Vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager
- Critical RCE Vulnerability reported in Windchill
- The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)
- Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2.4465
- Lantronix EDS3000PS and EDS5000
- Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2) – watchTowr PoC and analysis
- CVE-2026-3055 actively exploited in the wild, confirmed by Defused honeypot data
- K000160486: Indicators of Compromise for F5 BIG-IP CVE-2025-53521
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Funding

The main objective of the Federated European Team for Threat Analysis (FETTA) is the improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc.) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.