Introduction
This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently mentioned vulnerability for January 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more.
For further details, please visit this page.
The Month at a Glance
January 2026 saw two vulnerabilities tied for most frequently sighted with 110 sightings each: CVE-2026-21858, a Critical-severity vulnerability in n8n-io’s n8n workflow automation platform, and CVE-2026-24061, a Critical vulnerability affecting GNU Inetutils. The n8n vulnerability was extensively covered in contributor insights, notably in “The Ni8mare Test: n8n RCE Under the Microscope”.
Other critical vulnerabilities in the top 10 include CVE-2025-55182 in Meta’s react-server-dom-webpack (97 sightings), CVE-2026-20045 in Cisco Unified Communications Manager (80 sightings), CVE-2026-24858 in Fortinet FortiManager (80 sightings), CVE-2026-1281 in Ivanti Endpoint Manager Mobile (70 sightings), and CVE-2017-18368, an older but still active vulnerability in billion 5200w-t devices (62 sightings).
January was a busy month for actively exploited vulnerabilities, with 15 new entries added to the CISA Known Exploited Vulnerabilities catalog. Notable additions include:
- CVE-2026-24858: Fortinet FortiManager (Critical severity)
- CVE-2026-21509 and CVE-2026-24061: Microsoft 365 Apps and GNU Inetutils
- CVE-2025-52691 and CVE-2026-23760: SmarterTools SmarterMail
- CVE-2026-20045: Cisco Unified Communications Manager
- CVE-2025-34026: Versa Concerto
No new entries were added to the ENISA KEV catalog in January.
The Ghost CVE Report reveals early detection of vulnerabilities with limited public information. CVE-2025-58151 (Xen Security Advisory) and CVE-2026-23456 (YoSmart YoLink Smart Hub) led with 5 sightings each, followed by CVE-2024-31884 (4 sightings) and several GHSA identifiers and CVEs with 3 sightings.
Contributor insights covered a diverse range of topics, including EPMM detection techniques, PAN-OS firewall vulnerabilities, CVEs affecting the Svelte ecosystem, security advisories for Ivanti Endpoint Manager Mobile, GNU C Library updates, Trend Micro Apex Central vulnerabilities, and multiple vulnerabilities in GnuPG (gpg.fail).
Top 10 Vendors of the Month
Top 10 Assigners of the Month
Top 10 Vulnerabilities of the Month

| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-21858 | 110 | n8n-io | n8n | Critical (confidence: 0.8071) |
| CVE-2026-24061 | 110 | GNU | Inetutils | Critical (confidence: 0.9534) |
| CVE-2025-55182 | 97 | Meta | react-server-dom-webpack | Critical (confidence: 0.9914) |
| CVE-2026-21509 | 94 | Microsoft | Microsoft 365 Apps for Enterprise | High (confidence: 0.9735) |
| CVE-2025-8088 | 84 | win.rar GmbH | WinRAR | High (confidence: 0.9881) |
| CVE-2026-20045 | 80 | Cisco | Cisco Unified Communications Manager | Critical (confidence: 0.5226) |
| CVE-2026-24858 | 80 | Fortinet | FortiManager | Critical (confidence: 0.9378) |
| CVE-2025-14847 | 76 | MongoDB Inc. | MongoDB Server | High (confidence: 0.9349) |
| CVE-2026-1281 | 70 | Ivanti | Endpoint Manager Mobile | Critical (confidence: 0.9914) |
| CVE-2017-18368 | 62 | billion | 5200w-t | Critical (confidence: 0.9748) |

Known Exploited Vulnerabilities
New entries have been added to major Known Exploited Vulnerabilities catalogs.
CISA
| CVE ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-24858 | 2026-01-27 | Fortinet | FortiManager | Critical (confidence: 0.9378) |
| CVE-2025-52691 | 2026-01-26 | SmarterTools | SmarterMail | Critical (confidence: 0.7545) |
| CVE-2018-14634 | 2026-01-26 | The Linux Foundation | kernel | High (confidence: 0.8719) |
| CVE-2026-23760 | 2026-01-26 | SmarterTools | SmarterMail | Critical (confidence: 0.9916) |
| CVE-2026-21509 | 2026-01-26 | Microsoft | Microsoft 365 Apps for Enterprise | High (confidence: 0.9735) |
| CVE-2026-24061 | 2026-01-26 | GNU | Inetutils | Critical (confidence: 0.9534) |
| CVE-2024-37079 | 2026-01-23 | vmware | vcenter_server | Critical (confidence: 0.9302) |
| CVE-2025-54313 | 2026-01-22 | prettier | eslint-config-prettier | High (confidence: 0.8864) |
| CVE-2025-34026 | 2026-01-22 | Versa | Concerto | Critical (confidence: 0.9819) |
| CVE-2025-31125 | 2026-01-22 | vitejs | vite | Medium (confidence: 0.6523) |
| CVE-2026-20045 | 2026-01-21 | Cisco | Cisco Unified Communications Manager | Critical (confidence: 0.5226) |
| CVE-2026-20805 | 2026-01-13 | Microsoft | Windows 10 Version 1607 | Medium (confidence: 0.995) |
| CVE-2025-8110 | 2026-01-12 | Gogs | Gogs | High (confidence: 0.9905) |
| CVE-2009-0556 | 2026-01-07 | Microsoft | Office | High (confidence: 0.8535) |
| CVE-2025-37164 | 2026-01-07 | Hewlett Packard Enterprise (HPE) | HPE OneView | High (confidence: 0.6929) |

ENISA
No new entry in January.
Top 10 Weaknesses of the Month
Ghost CVE Report
A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.
Sightings detected between 2026-01-01 and 2026-01-31 that are associated with vulnerabilities without public records.
Insights from Contributors
- EPMM Nmap detection
- Detection of EPMM devices
- PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal
- The Ni8mare Test: n8n RCE Under the Microscope (CVE-2026-21858)
- CVEs affecting the Svelte ecosystem
- Security Advisory Ivanti Endpoint Manager Mobile (EPMM)
- The GNU C Library version 2.43 is now available
- CRITICAL SECURITY BULLETIN: Trend Micro Apex Central (on-premise) January 2026 Multiple Vulnerabilities
- gpg.fail - multiple vulnerabilities in GnuPG
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Funding
The main objective of the Federated European Team for Threat Analysis (FETTA) is the improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc.) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.




