Overview
- The KEV catalog update names CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, and CVE-2008-0015, spanning Chrome, Zimbra, TeamT5 ThreatSonar, and a long-abused Windows Video ActiveX control.
- Google confirmed in-the-wild exploitation of the Chrome CSS use-after-free and pushed fixes to Stable 145.0.7632.75/76 on Windows and macOS and 144.0.7559.75 on Linux.
- The Zimbra SSRF flaw (CVE-2020-7796) has a documented abuse history, with GreyNoise tracking roughly 400 IPs exploiting SSRF against targets in multiple countries in 2025.
- TeamT5 ThreatSonar’s CVE-2024-7694 enables an authenticated administrator to upload malicious files and execute system commands on the server, though current exploitation details remain undisclosed.
- Under Binding Operational Directive 22-01, KEV listings trigger mandatory remediation for federal civilian agencies and serve as a priority patching guide for other organizations.