THE U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities catalog: 1) CVE-2026-8398 - Daemon Tools Lite, a supply chain attack affecting downloaded installers; 2) CVE-2026-45321 - TanStack npm packages, involving credential-stealing malware in malicious package versions; and 3) CVE-2026-48027 - Nx Console, where a malicious extension was briefly available in marketplaces.
CISA requires federal agencies to address these vulnerabilities by June 10, 2026, and recommends that private organizations review the catalog to mitigate risks.