Vulnerability Report - January 2026
Introduction
This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently mentioned vulnerabilities for January 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.
The Month at a Glance
January 2026 saw two vulnerabilities tied for most frequently sighted with 110 sightings each: CVE-2026-21858, a Critical-severity vulnerability in n8n-io’s n8n workflow automation platform, and CVE-2026-24061, a Critical vulnerability affecting GNU Inetutils. The n8n vulnerability was extensively covered in contributor insights, notably in “The Ni8mare Test: n8n RCE Under the Microscope”.
Other critical vulnerabilities in the top 10 include CVE-2025-55182 in Meta’s react-server-dom-webpack (97 sightings), CVE-2026-20045 in Cisco Unified Communications Manager (80 sightings), CVE-2026-24858 in Fortinet FortiManager (80 sightings), CVE-2026-1281 in Ivanti Endpoint Manager Mobile (70 sightings), and CVE-2017-18368, an older but still active vulnerability in billion 5200w-t devices (62 sightings).
January was a busy month for actively exploited vulnerabilities, with 15 new entries added to the CISA Known Exploited Vulnerabilities catalog. Notable additions include:
- CVE-2026-24858: Fortinet FortiManager (Critical severity)
- CVE-2026-21509 and CVE-2026-24061: Microsoft 365 Apps and GNU Inetutils, respectively
- CVE-2025-52691 and CVE-2026-23760: SmarterTools SmarterMail
- CVE-2026-20045: Cisco Unified Communications Manager
- CVE-2025-34026: Versa Concerto
No new entries were added to the ENISA KEV catalog in January.
The Ghost CVE Report reveals early detection of vulnerabilities with limited public information. CVE-2025-58151 (Xen Security Advisory) and CVE-2026-23456 (YoSmart YoLink Smart Hub) led with 5 sightings each, followed by CVE-2024-31884 (4 sightings) and several GHSA identifiers and CVEs with 3 sightings.
Contributor insights covered a diverse range of topics, including EPMM detection techniques, PAN-OS firewall vulnerabilities, CVEs affecting the Svelte ecosystem, security advisories for Ivanti Endpoint Manager Mobile, GNU C Library updates, Trend Micro Apex Central vulnerabilities, and multiple vulnerabilities in GnuPG (gpg.fail).
Top 10 Vendors of the Month
Top 10 Assigners of the Month
Top 10 Vulnerabilities of the Month
| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-21858 | 110 | n8n-io | n8n | Critical (confidence: 0.8071) |
| CVE-2026-24061 | 110 | GNU | Inetutils | Critical (confidence: 0.9534) |
| CVE-2025-55182 | 97 | Meta | react-server-dom-webpack | Critical (confidence: 0.9914) |
| CVE-2026-21509 | 94 | Microsoft | Microsoft 365 Apps for Enterprise | High (confidence: 0.9735) |
| CVE-2025-8088 | 84 | win.rar GmbH | WinRAR | High (confidence: 0.9881) |
| CVE-2026-20045 | 80 | Cisco | Cisco Unified Communications Manager | Critical (confidence: 0.5226) |
| CVE-2026-24858 | 80 | Fortinet | FortiManager | Critical (confidence: 0.9378) |
| CVE-2025-14847 | 76 | MongoDB Inc. | MongoDB Server | High (confidence: 0.9349) |
| CVE-2026-1281 | 70 | Ivanti | Endpoint Manager Mobile | Critical (confidence: 0.9914) |
| CVE-2017-18368 | 62 | billion | 5200w-t | Critical (confidence: 0.9748) |
Known Exploited Vulnerabilities
New entries have been added to major Known Exploited Vulnerabilities catalogs.
CISA
| CVE ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-24858 | 2026-01-27 | Fortinet | FortiManager | Critical (confidence: 0.9378) |
| CVE-2025-52691 | 2026-01-26 | SmarterTools | SmarterMail | Critical (confidence: 0.7545) |
| CVE-2018-14634 | 2026-01-26 | The Linux Foundation | kernel | High (confidence: 0.8719) |
| CVE-2026-23760 | 2026-01-26 | SmarterTools | SmarterMail | Critical (confidence: 0.9916) |
| CVE-2026-21509 | 2026-01-26 | Microsoft | Microsoft 365 Apps for Enterprise | High (confidence: 0.9735) |
| CVE-2026-24061 | 2026-01-26 | GNU | Inetutils | Critical (confidence: 0.9534) |
| CVE-2024-37079 | 2026-01-23 | vmware | vcenter_server | Critical (confidence: 0.9302) |
| CVE-2025-54313 | 2026-01-22 | prettier | eslint-config-prettier | High (confidence: 0.8864) |
| CVE-2025-34026 | 2026-01-22 | Versa | Concerto | Critical (confidence: 0.9819) |
| CVE-2025-31125 | 2026-01-22 | vitejs | vite | Medium (confidence: 0.6523) |
| CVE-2026-20045 | 2026-01-21 | Cisco | Cisco Unified Communications Manager | Critical (confidence: 0.5226) |
| CVE-2026-20805 | 2026-01-13 | Microsoft | Windows 10 Version 1607 | Medium (confidence: 0.995) |
| CVE-2025-8110 | 2026-01-12 | Gogs | Gogs | High (confidence: 0.9905) |
| CVE-2009-0556 | 2026-01-07 | Microsoft | Office | High (confidence: 0.8535) |
| CVE-2025-37164 | 2026-01-07 | Hewlett Packard Enterprise (HPE) | HPE OneView | High (confidence: 0.6929) |
ENISA
No new entry in January.
Top 10 Weaknesses of the Month
Ghost CVE Report
A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.
Sightings detected between 2026-01-01 and 2026-01-31 that are associated with vulnerabilities without public records.
Insights from Contributors
- EPMM Nmap detection
- Detection of EPMM devices
- PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal
- The Ni8mare Test: n8n RCE Under the Microscope (CVE-2026-21858)
- CVEs affecting the Svelte ecosystem
- Security Advisory Ivanti Endpoint Manager Mobile (EPMM)
- The GNU C Library version 2.43 is now available
- CRITICAL SECURITY BULLETIN: Trend Micro Apex Central (on-premise) January 2026 Multiple Vulnerabilities
- gpg.fail - multiple vulnerabilities in GnuPG
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Funding

The main objective of the Federated European Team for Threat Analysis (FETTA) is to improve the Cyber Threat Intelligence (CTI) products available to the public and private sectors in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc.) is a complex task that requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.


