U.S. CISA adds Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, and Zimbra flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini February 18, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, and Zimbra flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, and Zimbra flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2008-0015 (CVSS score of 8.8) Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
  • CVE-2020-7796 (CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
  • CVE-2024-7694 (CVSS score of 7.2) TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
  • CVE-2026-2441 (CVSS score of 8.8) Google Chromium CSS Use-After-Free Vulnerability

The first flaw added to the catalog is CVE-2026-2441, a use-after-free in the CSS component of Google Chrome prior to 145.0.7632.75. This week, Google released urgent security updates to address this high-severity zero-day vulnerability. This is the first actively exploited Chrome zero-day fixed in 2026, after eight similar flaws were patched in 2025.

An attacker could exploit the flaw to compromise affected systems. The issue was discovered and responsibly reported by security researcher Shaheen Fazim on February 11, 2026.

“CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11.” reads Google’s advisory. “Google is aware that an exploit for CVE-2026-2441 exists in the wild.”

Google has confirmed that an exploit for CVE-2026-2441 exists in the wild, but has not shared details about how it is being used or which threat actor is behind the exploitation of the flaw.

The second flaw, tracked as CVE-2024-7694, impacts TeamT5 ThreatSonar Anti-Ransomware. The issue is an arbitrary file upload vulnerability due to improper validation of uploaded content. An authenticated attacker with administrator privileges can upload crafted malicious files to the platform. This may allow arbitrary system command execution on the server, potentially leading to full system compromise, data exposure, and disruption of security functions.

The third flaw added to the catalog, tracked as CVE-2020-7796, impacts Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. The issue is an SSRF that can be exploited if the WebEx Zimlet is installed and its JSP component is enabled. An attacker can trick the server into making unauthorized outbound requests, potentially accessing internal services or sensitive resources. In March 2025, threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting that attackers may be leveraging Grafana as an initial entry point for deeper exploitation. One of the vulnerabilities exploited in the attacks observed by the experts is CVE-2020-7796. Most SSRF exploitation attempts targeted entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.

The experts warned that attackers leverage SSRF for pivoting, reconnaissance, and cloud exploitation.

The last flaw added to the catalog, tracked as CVE-2008-0015, is a stack-based buffer overflow in CComVariant::ReadFromStream within ATL, used by the MPEG2TuneRequest ActiveX control (msvidctl.dll) in DirectShow, that affects multiple legacy Windows versions. A crafted web page can trigger remote code execution. The flaw was exploited in the wild in July 2009.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by March 10, 2026.
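
A remediation check built from the version boundaries and the deadline stated above, added here as an example that is not part of the original article or of any CISA tooling. The inventory record layout, the hostnames, the Zimbra version string format, and the `webex_zimlet_jsp` flag are assumptions; the ThreatSonar and Windows entries are left out because the article gives no fixed version for them.

```python
from datetime import date

# From the article: CISA's remediation deadline and the first fixed versions.
DUE_DATE = date(2026, 3, 10)
FIXED = {
    "chrome": ("CVE-2026-2441", (145, 0, 7632, 75)),  # Chrome prior to 145.0.7632.75
    "zimbra": ("CVE-2020-7796", (8, 8, 15, 7)),       # ZCS before 8.8.15 Patch 7
}

def parse_version(product, raw):
    """Convert an inventory version string to a comparable tuple of ints."""
    if product == "zimbra":
        # Assumed inventory format "8.8.15 Patch 7"; no suffix means patch 0.
        base, _, patch = raw.partition(" Patch ")
        return tuple(int(p) for p in base.split(".")) + (int(patch or 0),)
    return tuple(int(p) for p in raw.split("."))

def triage(inventory, today):
    """Return (host, cve, status, days_left) for each asset needing action."""
    days_left = (DUE_DATE - today).days
    findings = []
    for asset in inventory:
        if asset["product"] not in FIXED:
            continue
        cve, fixed = FIXED[asset["product"]]
        try:
            vulnerable = parse_version(asset["product"], asset["version"]) < fixed
        except ValueError:
            # Never treat an unreadable version as patched: flag for manual review.
            findings.append((asset["host"], cve, "UNKNOWN_VERSION", days_left))
            continue
        if not vulnerable:
            continue
        status = "OVERDUE" if days_left < 0 else "OPEN"
        # The article notes the Zimbra SSRF needs the WebEx Zimlet with JSP enabled.
        if asset["product"] == "zimbra" and not asset.get("webex_zimlet_jsp", True):
            status += "_PRECONDITION_ABSENT"
        findings.append((asset["host"], cve, status, days_left))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    {"host": "ws-01", "product": "chrome", "version": "145.0.7632.75"},
    {"host": "ws-02", "product": "chrome", "version": "145.0.7632.60"},
    {"host": "mail-01", "product": "zimbra", "version": "8.8.15 Patch 6", "webex_zimlet_jsp": True},
    {"host": "mail-02", "product": "zimbra", "version": "8.8.15 Patch 7"},
    {"host": "ws-03", "product": "chrome", "version": "unknown"},
]
```

Calling `triage(SAMPLE, date(2026, 2, 18))` lists ws-02 and mail-01 as open with 20 days remaining and ws-03 for manual review. A missing `webex_zimlet_jsp` flag is treated as the precondition being present.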
