Key Highlights during the Month

  • The most striking pattern in January was a significant drop in the volume of newly published vulnerabilities, contrasted by a sharp rise in critical risk scores. New CVE publication slowed compared to December but is broadly in line with the seasonal January level of previous years, with nearly 4,710 CVEs modified.
  • Critical risk accelerated: January recorded 223 critical vulnerabilities (CVSS ≥ 9.0), up again from November, with 11 perfect 10.0 issues, comparatively lower than last month. This does not signify reduced severity, since January seasonally posts fewer published CVEs than other months.
  • Quantity vs. Quality: New CVEs dropped by 46.45% (from 3,451 in December to 1,848 in January). However, critical vulnerabilities (score 9.0+) surged for the third month in a row, reaching 452, a 19% increase from November.
  • CVSS4 Adoption: January saw a major uptick in the newer scoring standard, with 434 new CVSS4 scores recorded, of which about 10% (45 CVEs) were critical vulnerabilities.
  • Exploitation Readiness: Approximately 3.35% (62 CVEs) of the month’s new vulnerabilities were released with functional exploits already available, shortening the window for defenders to patch.
  • Attackers prioritized Elevation of Privilege (EoP) and Remote Code Execution (RCE), specifically targeting identity artifacts and edge services. These included a “Sandbox Break” in Node.js (CVE-2026-21636), legacy risk in GNU Inetutils (CVE-2026-24061), and WordPress ecosystem weaknesses including Modular DS (CVE-2026-23550) and Snow Monkey Forms (CVE-2026-1056).
  • Patch volume hit historic scale: vFeed tracked 314K vulnerabilities, 29M+ vendor patches and 2.52M+ advisories, with over 900K affected packages in the last five years, underscoring the unsustainable pace of manual patch triage.

Vulnerability Trends in January

We observed the following insights from the vFeed threat intel dataset during the month.

CVEs            Nov ‘25    Dec ‘25    Jan ‘26    Month-over-Month Change
New CVEs        2,928      3,451      1,848      -46.45%
Modified CVEs   4,180      4,985      4,710      -5.52%

  • January CVE publications are typically lower than in other months, and this month’s published count is about the same as in January 2025.
  • Increased Revisions and Modifications: January also witnessed a 57% year-over-year increase in modified vulnerabilities compared to 2024 (4,710 vs. 2,990). This indicates that analysts are increasingly prioritizing the update of risk scores, priorities, and advisories for existing threats over the mere cataloging of new ones.
  • Larger traction of CVEs: vFeed correlated 40,565 vulnerabilities throughout 2025, and 1,943 in 2026 so far. This volume places the year on track to become one of the most prolific in recorded history, highlighting a sustained expansion of the attack surface across cloud, hardware, and software ecosystems.

vFeed vendor patches exceeded 29M, led by sources such as SUSE, Ubuntu, Microsoft, Debian, and Oracle, which together accounted for nearly 79% of patched advisories issued during the month. vFeed vendor advisories exceeded 2.52M, led by sources including Microsoft, Ubuntu, Red Hat, Gentoo, GitHub, and others. vFeed has consolidated and tracked over 900K affected packages in just the last several years, one of the most significant counts.

vFeed threat intel data feeds continue to adopt the latest NIST NVD 2.0 schema and CISA schemas for correlating and maintaining our threat intel feeds. Our feed database continues to build upon CVSS4 and EPSS4 risk scoring metrics as part of our threat intel feed, and we have recorded 13,749 such risk scores since 2025, the most we have seen in any year. January alone accounted for about 452 new CVSS4 risk scores reported and aggregated, suggesting wider adoption of CVSS4 scoring.

Vulnerability Landscape


vFeed tracks nearly 91K exploits in our threat intelligence dataset so far, with exploits reported from Metasploit, Packet Storm, and GitHub accounting for a large portion of identified counts.

Critical vulnerabilities identified by vFeed in January, those with a score of 9.0 or higher, continued to surge significantly, reaching 452 compared to 419 in December and 379 the month before. Among those, 434 were CVSS4 scores and the rest were CVSS2/3. January recorded 223 critical vulnerabilities across a wide range of hardware and software platforms, of which 33 have an EPSS4 percentile over 0.5, suggesting they are more likely to be exploited in the coming days than the other tracked CVEs. Most importantly, 62 of the month’s 1,848 new vulnerabilities (~3.35%) were reported with one or more exploits available.

January accounted for 11 critical vulnerabilities with a perfect 10.0 score, observed in out-of-bounds writes, buffer copies without checking the size of input, unrestricted file upload, and OS command injection in the TinyWeb web server written in Delphi for Win32. This was more than double last month’s count. January also produced several high-impact platform and library vulnerabilities, affecting operating systems, routers, software plugins such as WordPress, and libraries such as Node.js.

Platform Impacts

vFeed’s observation in January was that Elevation of Privilege and Remote Code Execution (RCE) outpaced other categories (such as Denial of Service or Information Disclosure) in both volume and potential business impact during the month. CWE-74 injection, notably SQL command injection across plugins, was one of the top weaknesses identified across vulnerabilities during the month. Here we briefly describe some of those.

A peculiar flaw, CVE-2026-21636, was identified in Node.js: a defect in its experimental permission model allowed Unix Domain Socket (UDS) connections to bypass network restrictions when --permission was enabled. The Node.js community has recently patched it, but until then code could still talk to local services such as Docker or databases over UDS even when --allow-net was not granted, undermining sandbox assumptions. This weakness opened the door to privilege escalation and data exposure if untrusted code could control socket paths or URLs.

In a different context, CVE-2026-23744, a critical RCE defect in MCPJam Inspector, a local-first development tool for MCP servers, exposed an unauthenticated HTTP endpoint that lets an attacker install a malicious MCP server via a single crafted request, which then runs arbitrary code on the host. Because MCPJam Inspector listens on 0.0.0.0 by default, vulnerable instances are reachable over the network, making exploitation trivial and fully remote.

A critical authentication-bypass flaw, CVE-2026-24061, was reported in the `telnetd` daemon from GNU Inetutils; it allows remote attackers to gain an immediate root shell without valid credentials. The bug stems from unsafe handling of the USER environment variable. Because exploitation is trivial and fully remote, and the flaw is already under active attack in the wild, organizations should urgently update to a fixed Inetutils release or disable telnetd entirely, and block or tightly restrict Telnet services (port 23 or other custom ports).

January saw a higher volume of WordPress plugin vulnerabilities disclosed, with about 106 plugins and libraries left vulnerable. Of those, 2 are highly critical with known exploitation: CVE-2026-1056 in the Snow Monkey Forms plugin, and CVE-2026-0920 in the LA-Studio Element Kit for Elementor plugin, enabling unauthenticated attackers to gain elevated privileges and inject malicious content or code via insecure request handling. Both flaws have public proof-of-concept exploits and evidence of in-the-wild attacks.

A maximum-severity flaw in the Modular DS WordPress plugin (CVE-2026-23550) allowed unauthenticated attackers to escalate privileges to admin and fully compromise sites until it was patched in version 2.5.2. Broader ecosystem data shows hundreds of plugin vulnerabilities reported over the month, often involving broken access control, SQL injection, and Cross-Site Scripting.

On the Windows side, two critical vulnerabilities were reported:

1) CVE-2026-22864 – Deno on Windows (command injection): affects Deno, the JavaScript/TypeScript/WebAssembly runtime, on Windows prior to version 2.5.6. Combined with user-controlled arguments (for example passing ["&calc.exe"]), an attacker can inject extra commands into the Windows command line and launch arbitrary programs, achieving remote code execution if they can influence what the Deno app spawns.

2) CVE-2026-22781 – TinyWeb web server for Win32: affects TinyWeb, a lightweight web server written in Delphi for Win32, commonly used as an embedded or test server. Since TinyWeb is often deployed with minimal hardening and sometimes directly exposed, a successful exploit can lead to full compromise of the underlying Windows system.

vFeed identified about 28 Microsoft platform and component vulnerabilities published in January, across Microsoft Office, the Graphics Component, Microsoft Edge, DotNetNuke (DNN) on the Microsoft ecosystem, and so on. Of those, 8 were deemed critical, with the bulk marked Important but still relevant to enterprise risk and mitigation, including elevation of privilege and information disclosure.

Top Weaknesses

vFeed identified several top weaknesses that contributed to critical impacts during the month. Of the 223 critical vulnerabilities identified in January, 43 (~19%) were of weakness type CWE-74 Improper Neutralization (injection), followed by 27 (~12%) CWE-94 Code Injection and 11 (~5%) CWE-284 Improper Access Control.

Critical vulnerabilities carrying CWE-74 included CVE-2026-1535, a remotely exploitable SQL injection in the code-projects Online Music Site; CVE-2026-24002 in Grist, spreadsheet software using Python; CVE-2026-0544, a security flaw discovered in the itsourcecode School Management System; and so on.

Critical Exploitable Vulnerabilities – January 2026

Pay attention to these top critical vulnerabilities, which are likely to be exploitable this month.

CVE | Description | CVSS 3/4 Base | EPSS Perc | Exploit PoC Available? | Date Published | Weakness | Versions Affected | References
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2026-21877 | n8n: an authenticated attacker may be able to execute malicious code using the n8n service | 9.9 | 0.93 | Yes | 2026-01-08 | CWE-434 | >= 0.123.0, < 1.121.3 | https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6
CVE-2026-23760 | SmarterTools SmarterMail auth bypass in password reset API | 9.8 | 0.97 | Yes | 2026-01-22 | CWE-288 | < 100.0.9511 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760
CVE-2026-24061 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable | 9.8 | 0.29 | Yes | 2026-01-21 | CWE-88 | >= 1.9.3, < 2.7 | https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
CVE-2026-1281 | Code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution | 9.8 | 0.13 | Yes | 2026-01-29 | CWE-94 | < 12.5.0.0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281
CVE-2026-23744 | MCPJam Inspector, the local-first development platform for MCP servers: versions 1.4.2 and earlier are vulnerable to remote code execution (RCE), allowing an attacker to send a crafted HTTP request that triggers the installation of an MCP server | 9.8 | 0.70 | Yes | 2026-01-16 | CWE-306 | < 1.4.2 | https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6
CVE-2026-24841 | Dokploy command injection in WebSocket endpoint allowing authenticated attackers to execute arbitrary commands on the host server | 9.9 | 0.55 | Yes | 2026-01-28 | CWE-78 | < 0.26.6 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r
CVE-2026-22844 | Zoom Node Multimedia Routers command injection that may allow a meeting participant to achieve remote code execution on the MMR via network access | 9.9 | 0.53 | Yes | 2026-01-20 | CWE-78 | < 5.2.17160 | https://www.zoom.com/en/trust/security-bulletin/zsb-26001
CVE-2026-23550 | Incorrect Privilege Assignment in the Modular DS WordPress plugin allows privilege escalation | 10.0 | 0.90 | Yes | 2026-01-14 | CWE-266 | < 2.5.1 | https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild
CVE-2026-21962 | Vulnerability in the Oracle HTTP Server, Oracle WebLogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: WebLogic Server Proxy Plug-in for Apache HTTP Server, WebLogic Server Proxy Plug-in for IIS) | 10.0 | 0.19 | Yes | 2026-01-20 | CWE-284 | 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0 | https://www.oracle.com/security-alerts/cpujan2026.html
CVE-2026-21636 | Flaw in Node.js’s permission model allows Unix Domain Socket connections to bypass network restrictions when `--permission` is enabled | 10.0 | 0.07 | No | 2026-01-20 | CWE-284 | >= 25.0.0, < 25.3.0 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
CVE-2026-1056 | Snow Monkey Forms WordPress plugin vulnerable to arbitrary file deletion due to insufficient file path validation | 9.8 | 0.34 | Yes | 2026-01-28 | CWE-22 | <= 12.0.3 | https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162
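As an added example (not vFeed’s code), the following Python ranks the rows of the table above for patch triage using the two exploitation-readiness signals the report relies on: a public PoC and an EPSS4 percentile over 0.5. The 0.5 threshold and the three-tier rule are assumptions modelled on the report’s own cut-off; the CVE data is transcribed from the table.

```python
"""Risk-based triage of the January 2026 critical-vulnerability table.

Added example, not vFeed's code. Rows are transcribed from the report's table;
the tiering rule (public PoC, EPSS percentile >= 0.5) is an assumed policy
modelled on the threshold the report itself uses.
"""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.5  # report flags EPSS4 percentile > 0.5 as near-term risk


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float   # CVSS 3/4 base score
    epss: float   # EPSS percentile
    poc: bool     # public exploit / PoC available?
    cwe: str


# Constructed from the report's table: (CVE, CVSS, EPSS percentile, PoC?, CWE).
JANUARY_2026 = [
    Vuln("CVE-2026-21877", 9.9, 0.93, True, "CWE-434"),
    Vuln("CVE-2026-23760", 9.8, 0.97, True, "CWE-288"),
    Vuln("CVE-2026-24061", 9.8, 0.29, True, "CWE-88"),
    Vuln("CVE-2026-1281", 9.8, 0.13, True, "CWE-94"),
    Vuln("CVE-2026-23744", 9.8, 0.70, True, "CWE-306"),
    Vuln("CVE-2026-24841", 9.9, 0.55, True, "CWE-78"),
    Vuln("CVE-2026-22844", 9.9, 0.53, True, "CWE-78"),
    Vuln("CVE-2026-23550", 10.0, 0.90, True, "CWE-266"),
    Vuln("CVE-2026-21962", 10.0, 0.19, True, "CWE-284"),
    Vuln("CVE-2026-21636", 10.0, 0.07, False, "CWE-284"),
    Vuln("CVE-2026-1056", 9.8, 0.34, True, "CWE-22"),
]


def tier(v: Vuln) -> int:
    """1 = PoC public AND EPSS above threshold (patch now); 2 = one signal; 3 = neither."""
    signals = int(v.poc) + int(v.epss >= EPSS_THRESHOLD)
    return 3 - signals


def triage(vulns):
    """Order for patching: lowest tier first, then EPSS desc, then CVSS desc."""
    return sorted(vulns, key=lambda v: (tier(v), -v.epss, -v.cvss))


def summary(vulns):
    """Number of vulnerabilities in each tier, e.g. {1: 6, 2: 4, 3: 1}."""
    counts = {1: 0, 2: 0, 3: 0}
    for v in vulns:
        counts[tier(v)] += 1
    return counts


if __name__ == "__main__":
    for v in triage(JANUARY_2026):
        print(f"tier {tier(v)}  {v.cve:15} CVSS {v.cvss:4}  EPSS {v.epss:.2f}  "
              f"PoC {'yes' if v.poc else 'no':3}  {v.cwe}")
```

Note that a perfect 10.0 CVSS score alone (CVE-2026-21636) lands in the lowest tier here, which is the point: severity without an exploitation signal should not jump the patch queue ahead of a 9.8 that is already in CISA’s KEV catalog.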

May you live in interesting times! 🙂
