The number of critical-severity vulnerabilities disclosed worldwide jumped sharply in the second quarter of 2026, even as the overall volume held steady. According to a quarterly trends report from AhnLab Security Intelligence Center (ASEC), 20,701 new CVEs were published between April and June, of which 2,317 carried a CVSS score of 9.0 or higher. That is a 62.5 percent increase in critical flaws over the 1,426 recorded in the first quarter.
The rise matters because critical bugs are the ones that let attackers take over a system outright. ASEC found that destructive flaws such as remote code execution and privilege escalation were far more common this quarter than simple information leaks, and that the window between public disclosure and real-world exploitation keeps shrinking. The report attributes part of that acceleration to generative AI, which both helps researchers surface high-risk bugs faster and helps attackers write working exploit code more quickly.
What attackers are actually hitting
Exploitation concentrated on internet-facing choke points: firewalls, VPNs, enterprise management panels, and authentication portals. ASEC also flagged a run of supply chain attacks that tampered with official installation packages and open-source package registries such as npm. Of the 75 vulnerabilities that CISA added to its Known Exploited Vulnerabilities (KEV) catalog during the quarter, 39 were rated critical and 65 were critical or high, meaning nearly nine in ten KEV additions were serious. Improper input validation and missing authentication for critical functions were the most frequently abused weakness types.
Notable flaws from the quarter
Several of the cases ASEC highlights have already featured in active-exploitation reporting. They include CVE-2026-10520, an unauthenticated command injection in Ivanti Sentry that yields root-level remote code execution, which we covered when it was exploited in the wild after a public exploit appeared. Others include CVE-2026-0300, a root-privilege buffer overflow in Palo Alto Networks PAN-OS reached through the User-ID authentication portal; CVE-2026-20253, an unauthenticated file-operation flaw in a Splunk Enterprise PostgreSQL sidecar that can lead to code execution; CVE-2026-42897, a cross-site scripting bug in Microsoft Exchange Server used for initial access through malicious email; and authentication weaknesses in cPanel and WHM (CVE-2026-41940) and the LiteSpeed cPanel plugin (CVE-2026-48172), echoing earlier CISA warnings about actively exploited cPanel bugs.
What defenders should do
ASEC's guidance is blunt: prioritize patching by real attack telemetry rather than raw CVSS, and check the CISA KEV catalog first, since anything on it is under active attack. Because so much exploitation targets exposed edge devices and admin panels, the report urges organizations to pull management interfaces off the public internet, restrict them to internal IP ranges, and enforce multi-factor authentication. Attack surface management, keeping an accurate inventory of what is exposed, rounds out the shortlist.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.