
Welcome to the February 2026 edition of the vFeed Cybersecurity and Vulnerability Newsletter.
Key Highlights during the Month
- Critical Vulnerabilities Surged to a New High: Critical vulnerabilities (CVSS 9.0+) climbed to 489 in February, up from 452 in January and 419 in December, a steady and accelerating upward trend. The month also recorded 25 perfect 10.0 CVSS scores, more than double January’s 11, spanning weaknesses including code injection, out-of-bounds write, and missing authentication.
- WordPress Plugin Exploits Reached Record Levels: February saw 253 WordPress plugin vulnerabilities with known exploits out of 3,073 new CVEs (~8.2%) — the largest count ever recorded, nearly 2.4x January’s 106. Headline cases included CVE-2026-1357 (WPvivid, 900K+ sites at risk), CVE-2026-1729 (AdForest authentication bypass, CVSS 9.8), and CVE-2026-1405 (Slider Future arbitrary file upload, EPSS 41st percentile).
- New CVE Volume Rebounded Sharply: New CVEs jumped 66.28% month-over-month, from 1,848 in January to 3,073 in February — recovering strongly toward December’s elevated levels. This spike was accompanied by a notable rise in EPSS4 high-risk scores, with 45 critical CVEs carrying an EPSS percentile above 0.5, compared to just 33 in January.
- Microsoft Patch Tuesday Highlighted Actively Exploited Zero-Days: Microsoft’s February Patch Tuesday addressed 58 vulnerabilities including six zero-days actively exploited in the wild. Elevation of Privilege flaws dominated at 42% of patches. Key exploited CVEs included CVE-2026-21510 (Windows Shell SmartScreen bypass, CVSS 8.8) and CVE-2026-21533 (Windows Remote Desktop Services privilege escalation to SYSTEM).
- Buffer Overflow and Injection Weaknesses Led Critical Impact Categories: Of the critical vulnerabilities tracked, CWE-119 (buffer overflow/memory overrun) accounted for ~16% of critical findings, followed by CWE-74 injection flaws at ~15%. Missing authentication (CWE-306) and Use After Free (CWE-416) each contributed ~5%, with standout cases including CVE-2026-2577 (nanobot WhatsApp bridge, CVSS 10.0) and CVE-2026-27574 (OneUptime Node.js sandbox escape, CVSS 9.9).
Vulnerability Trends in February
We observed the following insights from the vFeed threat intel dataset during the month.
| CVEs | Nov ‘25 | Dec ‘25 | Jan ‘26 | Feb ‘26 | Month-over-Month Change |
| --- | --- | --- | --- | --- | --- |
| New CVEs | 2,928 | 3,451 | 1,848 | 3,073 | 66.28% |
| Modified CVEs | 4,180 | 4,985 | 4,710 | 3,331 | -29.27% |
- Newly published CVEs spiked during February compared to the previous month. This trend is quite different from last year, when published vulnerabilities remained the same during the early months.
- Revisions and Modifications: February witnessed a lower number of modified vulnerabilities compared to 2024 (4,710 vs. 2,990). This indicates that analysts are increasingly prioritizing the update of risk scores, priorities, and advisories for existing threats over the mere cataloging of new ones.
- Increased traction of CVEs: vFeed correlated 41,670 vulnerabilities throughout 2025, and 5,008 so far in 2026. The expected volume places the year on track to become one of the most active in recorded history, highlighting a sustained expansion of the attack surface across packages, platforms, cloud, hardware, and software ecosystems.
vFeed vendor patches exceeded 30M, led by sources such as Ubuntu, SUSE, Debian, Microsoft, Oracle, and others, accounting for nearly 80% of patched advisories issued during the month. vFeed vendor advisories exceeded 2.52M, led by sources including Microsoft, Ubuntu, Red Hat, Gentoo, GitHub, etc. vFeed has consolidated and tracked over 930K affected packages in the last several years alone, a significant count.
vFeed threat intel data feeds have continued to embrace the recent NIST NVD 2.0 and CISA schemas for correlating and maintaining our threat intel datasets. Our feed database continues to build upon CVSS4 and EPSS4 risk scoring metrics, and we have recorded 17K risk scores since 2025, the largest we have seen so far in any year. February alone accounted for about 1,286 new CVSS4 risk scores reported and aggregated, suggesting a much wider adoption of CVSS4 scoring.
Vulnerability Landscape
The vFeed threat intel dataset tracks approximately 93K known exploits reported from varied sources, with GitHub, Metasploit, and Packet Storm accounting for a large portion of the identified count.
Critical vulnerabilities identified by vFeed in February (those with a score of 9.0 or higher) continued to surge, reaching 489, compared to 452 in January and 419 in December. Of those, 211 reported a CVSS4 score. January recorded 45 critical vulnerabilities with an EPSS4 percentile over 0.5, compared to just 33 last month, suggesting an increasing potential of being exploited in the next few days relative to all other tracked CVEs. Most importantly, January accounted for nearly 94 new vulnerabilities among 3,073 (~3.05%) that have been reported with one or more exploits available.
February accounted for 25 published critical vulnerabilities with a perfect 10.0 CVSS score, compared to just 11 in January. These perfect 10.0 scores were reported across several weaknesses, including code and command injection, out-of-bounds write, and missing authentication.
Platform Impacts
vFeed’s observation in February was that critical buffer and memory overflow vulnerabilities outpaced other categories in both volume and potential business impact. Similarly, CWE-74 SQL command injection across plugins was one of the top weaknesses identified during the month. Here we briefly describe some of those.
A peculiar critical vulnerability, CVE-2026-21531, in the Microsoft Azure AI Language SDK version 1.0.0 is rooted in improper handling of deserialization of untrusted data (CWE-502), where maliciously crafted input is deserialized by the application, leading to arbitrary code execution. A public exploit exists, so the recommended remediation includes: preventing deserialization of untrusted data by validating all inputs before processing, avoiding deserializing untrusted data where possible, and updating the Azure SDK to the latest version.
WordPress plugins continue to be one of the most exploitable vulnerability categories. February saw an even higher jump in the volume of WordPress plugin vulnerabilities disclosed, several of them with known exploits. Specifically, February saw 253 with known exploits out of 3,073 (~8.2%), the largest count ever recorded, compared to 106 plugins and libraries that were left vulnerable in January.
Two of those highly critical WordPress plugin vulnerabilities are known to have exploits affecting a large number of websites. CVE-2026-1729, AdForest Theme Authentication Bypass (CVSS 9.8): the AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to and including 6.0.12. CVE-2026-1357: a critical vulnerability in the WPvivid Backup & Migration plugin affects over 900,000 active WordPress installations, allowing unauthenticated attackers to upload and execute arbitrary PHP files on exposed sites. CVE-2026-1405, Slider Future Plugin Unauthenticated Arbitrary File Upload (CVSS Critical, EPSS 41st percentile): with an EPSS percentile of ~41%, this vulnerability sits meaningfully above average in terms of exploitation likelihood.
Interestingly, February saw one of the largest counts of Node.js vulnerabilities reported, with 9 critical ones with EPSS percentiles greater than 20%. CVE-2026-27574 affects OneUptime, a solution for monitoring and managing online services that uses Node.js’s node:vm module to execute user-supplied code. Node.js documents node:vm as not being a security mechanism for running untrusted code. The vulnerability has high criticality and a 17% EPSS percentile, and successful exploitation yields full control over the oneuptime-probe instance, allowing attackers to read environment variables containing database credentials and API keys.
Microsoft’s February 2026 Patch Tuesday addressed 58 vulnerabilities, including six actively exploited zero-days and five rated Critical. Elevation of Privilege flaws dominated the release, accounting for 42% of patches, followed by Remote Code Execution (20%) and Spoofing (14%).
Microsoft Actively Exploited Zero-Days:
1) CVE-2026-21510 – Windows Shell Security Feature Bypass (CVSS 8.8). A protection mechanism failure in Windows Shell allows an attacker to circumvent Windows SmartScreen and similar security prompts by convincing a user to open a malicious shortcut or link file.
2) CVE-2026-21533 – Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. A local authenticated attacker can exploit the flaw to escalate to SYSTEM level, fully compromising confidentiality, integrity, and availability.
The vFeed dataset identified about 19 Microsoft vulnerabilities published in February across Graphics Component, Microsoft Office, Azure, Microsoft Edge, Semantic Kernel, and so on. Of those, 5 were deemed critical, with the bulk marked important but still relevant for enterprise risk and mitigation, including elevation of privilege and information disclosure.
Top Weaknesses
vFeed identified several top weaknesses that contributed to critical impacts during the month. Of the 486 critical vulnerabilities identified in January, 79 (~16%) were of weakness type CWE-119 buffer overflow and memory overrun, followed by 73 (~15%) of type CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), 22 (~5%) of type Missing Authentication for Critical Function, and 21 (~5%) of type CWE-416 Missing Authentication for Critical Function.
Two critical vulnerabilities were recently identified.
CVE-2026-2577, with a maximum CVSS score of 10.0, is a “Use After Free” vulnerability (CWE-416) found in the HKUDS Nanobot WhatsApp Bridge. The nanobot WhatsApp bridge uses a WebSocket server bound to all network interfaces on port 3001 with zero authentication. This allows any remote attacker with network access to connect and hijack WhatsApp sessions.
CVE-2026-1729, with a high CVSS score of 9.8, affects the WordPress AdForest Theme. The theme fails to verify a user’s identity through the sb_login_user_with_otp_fun function, allowing unauthenticated attackers to log in as any user, including administrators, across all versions up to 6.0.12.
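
An added example, not part of the original newsletter or of any project named in it: a minimal audit for the exposure pattern described for CVE-2026-2577, flagging listening sockets bound to all interfaces. It assumes Linux `ss -H -ltn` output; the sample lines are constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:3001 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:3001 [::]:*
LISTEN 0 4096 [::1]:6379 [::]:*
LISTEN 0 511 *:8080 *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' as printed by ss, handling [v6] brackets and %scope."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return None
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def is_wildcard(host):
    """True when the socket accepts connections on every interface."""
    if host == "*":
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def exposed_listeners(ss_output, ports=None):
    """Return (host, port) for LISTEN sockets bound to all interfaces.

    ports: optional set of port numbers to restrict the check to.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        parsed = split_endpoint(fields[3])
        if parsed is None:
            continue
        host, port = parsed
        if is_wildcard(host) and (ports is None or port in ports):
            findings.append((host, port))
    return findings


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS, ports={3001}):
        print(f"port {port} is reachable on all interfaces (bound to {host})")
```

A loopback bind only removes the network exposure; the WebSocket endpoint still needs authentication of its own.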
Critical Exploitable Vulnerabilities – February 2026
Pay attention to these top critical vulnerabilities that are likely exploitable this month.
| CVE | Description | CVSS 3 / 4 Base | EPSS Perc | Exploit PoC Available? | Date Published | Weakness | Versions Affected | References |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-1731 | BeyondTrust Remote Support or Privileged Remote Access (PRA) contains a critical pre-authentication remote code execution vulnerability; by sending specially crafted requests, an unauthenticated remote attacker can execute operating system commands in the context of the site user | 9.9 | 98.3 | Yes | 2026-02-06 | CWE-78 | <=25.1 | https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 |
| CVE-2026-20127 | Peering authentication in Cisco Catalyst SD-WAN Controller | 10.0 | 84.1 | Yes | 2026-02-25 | CWE-287 | >= 20.16, < 20.18.2.1 | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk |
| CVE-2026-25643 | Frigate network video recorder IP camera with realtime local object detection has a critical RCE in integration with go2rtc | 9.1 | 75.9 | Yes | 2026-02-06 | CWE-250 | <0.16.4 | https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x |
| CVE-2026-26030 | Semantic Kernel, Microsoft’s semantic kernel Python SDK has RCE | 9.9 | 24.7 | Yes | 2026-02-19 | CWE-94 | <1.39.4 | https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx |
| CVE-2026-2329 | Stack-based buffer overflow in HTTP API endpoints leading to RCE on grandstream:gxp devices | 9.3 | 97.3 | Yes | 2026-02-18 | CWE-121 | <1.0.7.81 | https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed/ |
| CVE-2026-21531 | Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network. | 9.8 | 41.9 | Yes | 2026-02-10 | CWE-502 | N/A | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531 |
| CVE-2026-1729 | AdForest theme for WordPress is vulnerable to authentication bypass | 9.8 | 44.5 | Yes | 2026-02-12 | CWE-306 | <=6.0.12 | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/adforest/adforest-6012-authentication-bypass |
| CVE-2026-1357 | Migration, Backup, Staging WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload | 9.8 | 62.7 | Yes | 2026-02-11 | CWE-434 | <= 0.9.123 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e5af0317-ef46-4744-9752-74ce228b5f37 |
| CVE-2026-27476 | RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization | 9.8 | 0.59 | Yes | 2026-02-19 | CWE-78 | 2.0.0 | https://www.vulncheck.com/advisories/rustfly-command-injection-via-udp-remote-control |
| CVE-2026-27174 | MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel’s PHP console feature | 9.8 | 0.60 | Yes | 2026-02-18 | CWE-94 | N/A | https://chocapikk.com/posts/2026/majordomo-revisited/ |
| CVE-2026-27574 | OneUptime is a solution for monitoring and managing online services that uses Node.js’s node:vm module to execute user-supplied code | 9.9 | 0.17 | Yes | 2026-02-21 | CWE-94 | <= 9.5.13 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-v264-xqh4-9xmm |
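
An added example, not vFeed's own tooling: triaging rows shaped like the table above by CVSS, exploit availability, and EPSS percentile. It assumes EPSS values at or below 1.0 are fractions (the table lists 0.17 where the text gives 17% for CVE-2026-27574) and uses the 0.5 percentile cut-off from the highlights; the function names are illustrative.

```python
import re
from typing import NamedTuple

# Four columns taken from rows of the table above: CVE | CVSS | EPSS Perc | PoC.
ROWS = """\
| CVE | CVSS | EPSS Perc | Exploit PoC Available? |
| CVE-2026-1731 | 9.9 | 98.3 | Yes |
| CVE-2026-20127 | 10.0 | 84.1 | Yes |
| CVE-2026-26030 | 9.9 | 24.7 | Yes |
| CVE-2026-1729 | 9.8 | 44.5 | Yes |
| CVE-2026-1357 | 9.8 | 62.7 | Yes |
| CVE-2026-27574 | 9.9 | 0.17 | Yes |
"""
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

class Finding(NamedTuple):
    cve: str
    cvss: float
    epss_pct: float  # EPSS percentile on a 0-100 scale
    has_poc: bool

def normalise_percentile(raw):
    """Assumption: a value <= 1.0 is a fraction (0.17 means 17%)."""
    value = float(raw)
    if not 0.0 <= value <= 100.0:
        raise ValueError(f"EPSS percentile out of range: {raw!r}")
    return round(value * 100, 2) if value <= 1.0 else value

def parse_rows(text):
    """Parse pipe-delimited rows, skipping headers and malformed lines."""
    findings = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not CVE_ID.match(cells[0]):
            continue
        cve, cvss, epss, poc = cells
        findings.append(Finding(cve, float(cvss), normalise_percentile(epss),
                                poc.lower() == "yes"))
    return findings

def patch_first(findings, min_cvss=9.0, min_epss_pct=50.0):
    """Critical, with a public exploit, above the EPSS cut-off; riskiest first."""
    hits = [f for f in findings
            if f.cvss >= min_cvss and f.has_poc and f.epss_pct >= min_epss_pct]
    return sorted(hits, key=lambda f: (f.epss_pct, f.cvss), reverse=True)

if __name__ == "__main__":
    for f in patch_first(parse_rows(ROWS)):
        print(f"{f.cve}  CVSS {f.cvss}  EPSS {f.epss_pct}%")
```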
May you live in interesting times! 🙂
