CRA Now Driving 2026 Security Spend: What SMEs Need to Know
EU Cyber Resilience Act Compliance Roadmap
CRA Published
Regulation (EU) 2024/2847 published in the Official Journal; enters into force 11 December 2024
Art. 14 Enforcement Begins
Vulnerability reporting obligations apply to all products in scope
Full Conformity Deadline
Design and production requirements (Annex I, CE marking) apply to new products placed on the market
Three Pillars of CRA CVD Compliance
A complete vulnerability disclosure infrastructure designed for economic operators subject to the Cyber Resilience Act.
Dual-Track SLA Compliance
48-hour acknowledgment per CVD best practice (ISO/IEC 29147, Art. 13), plus mandatory 24-hour early warning and 72-hour full notification to authorities under Article 14 of the CRA.
Single Point of Contact
A unified, branded vulnerability intake portal for your organization. Security researchers submit reports through a standardized, encrypted channel.
ENISA-Aligned Triage
All submissions follow ENISA coordinated vulnerability disclosure (CVD) best practices with CVSS scoring, reporter communication, and mitigation tracking.
Are You CRA Ready?
EU Vulnerability Database (EUVD) Pulse
Official feed of the latest critical and actively exploited vulnerabilities tracked by European authorities.
Latest Critical Vulnerabilities
CVSS 9.0+Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.
Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.
A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later
A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later
Actively Exploited (KEV)
In the wildA code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CRA Vulnerability Handling: What Every Manufacturer Needs to Know Before September 2026
The EU Cyber Resilience Act creates the first mandatory vulnerability handling framework for products with digital elements. We break down the 26 articles, the key deadlines, and the practical steps manufacturers should take today to prepare.
12 min readTechnical Deep DiveAnatomy of a Coordinated Vulnerability Disclosure: From Report to Patch
A step-by-step walkthrough of the full CVD lifecycle — receiving a researcher report, triaging with CVSS, coordinating with upstream maintainers, developing a fix, and publishing a CSAF advisory. Includes timeline expectations and common pitfalls.
15 min readSupply Chain SecurityWhy Your SBOM Is the Foundation of Your Security Posture
The CRA mandates Software Bills of Materials for all products with digital elements. But an SBOM isn't just a compliance checkbox — it's the foundation for vulnerability correlation, supply chain risk management, and incident response. Here's how to get it right.
10 min read