CVE-2026-56291
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
Critical vulnerabilities, curated daily for security professionals
Two maximum-severity flaws in VITEC Flamingo (CVE-2026-60121 and CVE-2026-61498, both CVSS 9.8) lead the day's disclosures, alongside a critical issue in Google Cloud BigQuery, Dataform, and Colab Enterprise (CVE-2026-14934, CVSS 9.4). Critical CVEs rose to 40 from 5 the prior day (+700%), while high-priority CVEs climbed to 90 from 35 (+157%), across 130 total disclosures. Additional critical vulnerabilities affect the EVbee Service (CVE-2026-22093, CVSS 9.5) and several web platforms including Mura CMS and ChurchCRM. The disclosures span EV charging infrastructure, cloud data platforms, WordPress plugins, and Joomla extensions, with remote code execution and authentication weaknesses recurring across the set. No vendor patches were confirmed available at disclosure, so teams should prioritize inventory and compensating controls while monitoring for fixes; three CVEs, including Joomla Balbooa Forms and iCagenda extensions, have confirmed active exploitation.
Immediate action: Prioritize VITEC Flamingo, Google Cloud BigQuery/Dataform/Colab Enterprise, and the actively exploited Joomla Balbooa Forms and iCagenda extensions for immediate review and mitigation. With no vendor patches confirmed available at disclosure, apply available compensating controls, restrict network exposure, and monitor vendor advisories for fixes.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
iCagenda is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code on the server.
Cisco IOS is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability that is currently being actively exploited in the wild.
An unauthenticated arbitrary file write vulnerability in the Eclipse BaSyx Java Server SDK allows remote attackers to write files to the server filesystem via the AAS thumbnail API.
The EVbee Service Android app fails to validate server certificates and uses weak encryption, allowing network-based attackers to intercept and manipulate communication with charging stations.
ThemisNETPanel contains a critical remote code execution vulnerability due to the lack of authentication on its file upload functionality.
Mura Software CMS contains a critical remote code execution vulnerability via the “method” parameter in the “/index.cfm/_api/json/v1/default” endpoint, allowing unauthenticated injection of CFML code.
ChurchCRM versions prior to 7.4.0 contain an unrestricted file upload vulnerability that allows an authenticated administrator to achieve remote code execution via malicious plugin ZIP archives.
Google Cloud BigQuery, Dataform, and Colab Enterprise contained a missing authorization vulnerability that allowed authenticated attackers to perform cross-tenant repository takeovers.
Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint due to improper shell argument handling.
Vitec Flamingo 4.12.2 is susceptible to unauthenticated OS command injection via the admin/ajax/gen_graphs.php endpoint due to insufficient input sanitization.
The User Registration & Membership WordPress plugin fails to validate payment-provider webhooks, allowing unauthenticated attackers to bypass subscription payments.
Thales CERT "Suspicious" versions 1.2.0-1.3.4 contain a path traversal and code injection vulnerability ("Matryoshka Mail") allowing unauthenticated remote code execution.
Rejetto HFS uses a predictable PRNG for session-cookie signing, allowing unauthenticated attackers to forge administrator session cookies and achieve remote code execution.
A remote code execution vulnerability in the ServiceNow AI Platform allows unauthenticated users to execute arbitrary code, necessitating an immediate security update.
Apache Gravitino is vulnerable to URL path injection due to improper handling of unencoded user-supplied identifiers.
The network diagnosis endpoint on EVbee DC-80 chargers (port 8090) is vulnerable to command injection, enabling unauthenticated remote code execution.
An unauthenticated arbitrary file write vulnerability in the EVbee DC-80 webserver allows attackers to overwrite system files via a crafted POST request.
The EVbee DC-80 web server contains a command injection vulnerability in the NPC start endpoint on port 8090, enabling unauthenticated remote code execution.
The AcyMailing SMTP Newsletter plugin for WordPress contains a Blind SQL Injection vulnerability allowing unauthenticated attackers to extract database information.
SAP Approuter is vulnerable to HTTP Request Smuggling, allowing unauthenticated attackers to desynchronize requests, leading to potential information disclosure and denial-of-service.
SAP Commerce Cloud retains default, publicly documented OAuth2 client credentials, allowing unauthenticated attackers to gain unauthorized API access and modify data.
SAP NetWeaver Application Server ABAP contains a memory corruption vulnerability that allows authenticated attackers to gain unauthorized access or cause system failure.
The Realtyna Organic IDX plugin for WordPress contains a Code Injection vulnerability, allowing unauthenticated remote code execution.
A missing authentication vulnerability in decolua 9Router allows unauthenticated remote attackers to interact with management API endpoints.
The EVbee DC-80 web server on port 8090 lacks authentication, permitting unauthorized sensitive data exposure and file uploads.
The EVbee DC-80 firmware update mechanism lacks cryptographic signature validation, allowing unauthenticated remote attackers to execute arbitrary code via malicious firmware uploads.
The EVbee DC-80 writes sensitive information, including passwords and charging card UIDs, to log files in plaintext, leading to potential credential exposure.
The decolua 9Router /api/usage/stats endpoint lacks authentication, allowing unauthenticated attackers to retrieve plaintext API keys for connected AI accounts.
A deserialization of untrusted data vulnerability in the Themeum Kirki WordPress plugin allows for PHP object injection.
A deserialization of untrusted data vulnerability in the axiomthemes 777 WordPress theme allows for PHP object injection.
A deserialization of untrusted data vulnerability in the stmcan RT-Theme 18 | Extensions WordPress plugin allows for PHP object injection.
ThemeGoods Grand Photography is vulnerable to PHP Object Injection due to improper deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code.
The MailOptin plugin for WordPress contains an incorrect privilege assignment vulnerability, allowing unauthenticated attackers to escalate their privileges to administrative levels.
The Directorist plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on the server.
The Amelia WordPress plugin contains a Blind SQL Injection vulnerability, allowing unauthenticated attackers to execute arbitrary SQL commands.
The Simple Business Directory Pro plugin for WordPress is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary database commands.
The LatePoint WordPress plugin is susceptible to Blind SQL Injection, enabling unauthenticated remote attackers to execute malicious database queries.
Themeum Kirki is susceptible to a Blind SQL Injection vulnerability, allowing unauthenticated attackers to manipulate SQL queries.
The Sergey AIWU WordPress plugin contains a Blind SQL Injection vulnerability, permitting unauthenticated attackers to execute malicious database queries.
CodeRevolution Aimogen Pro for WordPress is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to upload malicious files.
A path traversal vulnerability in the Brainstorm Force SureDash plugin allows authenticated users to access or delete arbitrary files on the server.
An unrestricted file upload vulnerability in the quantumcloud WoowBot Pro Max plugin allows authenticated attackers to upload malicious files, potentially leading to remote code execution.
The Struktur Core plugin for WordPress is vulnerable to local file inclusion due to improper filename validation, potentially allowing attackers to read or execute sensitive server files.
A DLL hijacking vulnerability in SAProuter on Windows allows unauthenticated local attackers to execute arbitrary code by loading malicious libraries from untrusted paths.
A local file inclusion vulnerability in the RT-Theme 18 | Extensions WordPress plugin allows unauthenticated attackers to potentially read or execute arbitrary files on the server.
A Cross-Site Request Forgery (CSRF) vulnerability in the WorkScout-Core WordPress plugin enables an attacker to perform unauthorized actions, potentially leading to authentication bypass.
A Local File Inclusion (LFI) vulnerability in the Aalto WordPress theme allows authenticated users with low privileges to include arbitrary local files.
A Local File Inclusion (LFI) vulnerability in the Aqua WordPress theme allows authenticated users with low privileges to include arbitrary local files.
A Local File Inclusion (LFI) vulnerability in the Billey WordPress theme allows authenticated users with low privileges to include arbitrary local files.
The Brook WordPress theme is vulnerable to Local File Inclusion (LFI) due to improper control of filenames used in include/require statements.
The Dør WordPress theme contains a Local File Inclusion (LFI) vulnerability resulting from improper validation of filenames used in include/require functions.
The Flow WordPress theme is susceptible to Local File Inclusion (LFI) due to insufficient input validation when handling filenames in include/require statements.
The Golo Framework WordPress plugin contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements, allowing unauthorized file access.
The Kitchor WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements, allowing unauthorized file access.
The Leedo WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements, allowing unauthorized file access.
The NewsPlus Shortcodes WordPress plugin is vulnerable to Local File Inclusion (LFI) due to improper control of filenames used in include/require statements.
The Nuss WordPress theme contains a Local File Inclusion (LFI) vulnerability that allows authenticated attackers to include arbitrary local files via improper filename handling.
The Overworld WordPress theme is affected by a Local File Inclusion (LFI) vulnerability resulting from insecure handling of filenames in PHP include/require operations.
The SetSail WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper handling of filename inputs in PHP include/require statements.
The Struktur WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper handling of filename inputs in PHP include/require statements.
The cedar-java library is vulnerable to multiple issues including code injection, incorrect comparison, and type confusion, which can lead to authorization bypass.
CedarJava is vulnerable to code injection, allowing an authenticated attacker to execute arbitrary code due to improper control of code generation.
CedarJava is susceptible to a type confusion vulnerability, which can be exploited by an authenticated attacker to manipulate authorization decisions or trigger system instability.
SAP NetWeaver Application Server Java contains a cross-site scripting (XSS) vulnerability allowing unauthenticated attackers to inject malicious JavaScript through crafted URLs.
A Cross-site Scripting (XSS) vulnerability in MCP Appium allows for unauthorized script execution via improper input neutralization.
Adobe ColdFusion is susceptible to an Uncontrolled Search Path Element vulnerability (CWE-427), which could allow an attacker to execute arbitrary code.
Adobe ColdFusion is susceptible to an Uncontrolled Search Path Element vulnerability (CWE-427), which could allow an attacker to execute arbitrary code.
The EscortWP WordPress theme contains a vendor-authored, obfuscated backdoor allowing unauthenticated attackers to delete site content and exfiltrate information.
The Library Management System WordPress plugin is vulnerable to SQL injection via unauthenticated input, potentially allowing unauthorized database access.
The User Registration & Membership WordPress plugin contains an authorization bypass vulnerability that allows authenticated users to manipulate data via user-controlled keys.
A Blind SQL Injection vulnerability in the APIExperts Square for WooCommerce plugin allows authenticated attackers to manipulate database queries.
A stack exhaustion vulnerability in Apache IoTDB's AirGap receiver allows unauthenticated attackers to cause a denial-of-service via uncontrolled recursion.
An authorization bypass in the Apache IoTDB /rest/v2/fastLastQuery endpoint allows authenticated users to access unauthorized last-value data.
An out-of-bounds read vulnerability in the Apache IoTDB C++ client TsBlock deserializer causes client crashes when processing malformed server data.
An insecure deserialization vulnerability in SAP's ctsattach tool allows authenticated attackers to execute arbitrary code via specially crafted archives.
The Lorex 2K Indoor Wi-Fi Security Camera is vulnerable to a format string flaw in CDeviceOperator, which could allow an unauthenticated attacker to execute arbitrary code remotely.
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API that allows authenticated users to perform unauthorized actions.
Cockpit CMS is susceptible to a path traversal vulnerability in the Bucket file storage API that allows an authenticated user to access files outside of the intended directory.
SAP Approuter contains a URL redirection vulnerability in the OAuth2 login flow due to improper request header validation, which may allow attackers to redirect users to malicious sites.
Shiori is vulnerable to a privilege escalation flaw in the account update endpoint, allowing authenticated users to modify the owner field without proper authorization checks.
The WPJAM Basic plugin for WordPress is vulnerable to PHP object injection via the deserialization of untrusted data, which can lead to remote code execution.
The aBlocks WordPress plugin is susceptible to an incorrect privilege assignment vulnerability, allowing authenticated users to escalate their privileges within the application.
The MailerPress WordPress plugin contains an incorrect privilege assignment vulnerability that enables authenticated users to escalate their access level.
The Events Manager WordPress plugin is vulnerable to PHP object injection due to the insecure deserialization of untrusted data, which can lead to remote code execution.
The appsbd Vitepos plugin for WordPress contains a Blind SQL Injection vulnerability due to improper neutralization of special elements in SQL commands.
The Milan Petrovic GD Rating System plugin for WordPress is susceptible to Blind SQL Injection due to improper input sanitization.
The WP Inventory Manager plugin for WordPress contains a Blind SQL Injection vulnerability caused by insufficient input validation.
The CWS SVGicons plugin for WordPress contains a Blind SQL Injection vulnerability, allowing authenticated users with low privileges to execute arbitrary SQL commands.
9Router is vulnerable to unauthenticated information disclosure through API usage endpoints, resulting from missing authorization and improper exposure of sensitive data.
The Houzez Login Register plugin for WordPress contains an incorrect privilege assignment vulnerability, allowing unauthenticated attackers to escalate privileges.
A blind SQL injection vulnerability in the Advanced Shipment Tracking for WooCommerce plugin allows authenticated attackers with administrative privileges to execute arbitrary SQL commands.
The Persian Gravity Forms plugin for WordPress contains a blind SQL injection vulnerability that allows authenticated attackers with administrative privileges to compromise the database.
The ProfileGrid WordPress plugin contains an authentication bypass vulnerability that allows unauthenticated attackers to manipulate the password recovery process.
Eclipse Kura versions 5.0.0 through 5.6.1 contain vulnerabilities related to the reliance on untrusted inputs and insufficient verification of data authenticity.
OpenClaw versions before 2026.6.9 are vulnerable to authorization bypass due to incorrect name resolution and improper handling of security references.
OpenClaw is susceptible to privilege escalation due to incorrect permission assignments and missing authorization checks during plugin installation.
OpenClaw is vulnerable to an authentication bypass caused by an incomplete list of disallowed inputs within the application's environment filtering mechanism.
OpenClaw contains an authentication bypass vulnerability stemming from an incomplete list of disallowed inputs within the Git external transport functionality.
Laravel-Mediable before 7.0.0 is vulnerable to path traversal due to improper sanitization of file paths, potentially allowing unauthorized file access.
Laravel-Mediable before 7.0.0 is susceptible to unrestricted file uploads, which can be leveraged by an attacker to achieve remote code execution via file extension bypass.
Shibby Tomato firmware versions 1.0 through 1.7 are vulnerable to stack-based buffer overflows and memory corruption, which can lead to system crashes or arbitrary code execution.
A stored XSS vulnerability in OpenWrt LuCI allows adjacent network attackers to inject malicious HTML via DHCPv6 lease hostnames.
The EVbee DC-80 charging station lacks authentication for Bluetooth commands, allowing unauthorized parties to execute commands.
The codecentric Spring Boot Admin Server is susceptible to Server-Side Request Forgery (SSRF) during unauthenticated instance registration.
The zereight mcp-gitlab package is susceptible to a path traversal vulnerability in the job_id parameter, enabling attackers to access arbitrary files on the system.
The EVbee DC-80 charging station is vulnerable to OS command injection via the OCPP `ReserveLogin` DataTransfer message.
The Groundhogg WordPress plugin is vulnerable to a path traversal attack, allowing unauthenticated attackers to potentially trigger arbitrary file deletion.
The Membership for WooCommerce plugin is affected by a path traversal vulnerability that may allow unauthenticated attackers to delete arbitrary files on the server.
OpenClaw is susceptible to a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated users to bypass security policies via CDP discovery.
HedgeDoc is susceptible to uncontrolled resource consumption and data amplification vulnerabilities that may allow a logged-in user to cause a denial-of-service condition.
OpenClaw contains an authorization bypass vulnerability via MCP loopback, allowing authenticated users to perform unauthorized actions with elevated privileges.
OpenClaw is vulnerable to an authorization bypass flaw involving WhatsApp group IDs, which may allow authenticated users to perform unauthorized actions.
Eclipse Vert.x is susceptible to information exposure due to an origin validation error, allowing unauthorized actors to potentially access sensitive data.
Eclipse Vert.x suffers from an origin validation error, which may allow attackers to perform unauthorized actions by bypassing intended origin-based security controls.
The OpenClaw Feishu npm package contains an authorization bypass vulnerability, allowing authenticated users to perform unauthorized operations.
The @openclaw/feishu package contains an incorrect authorization vulnerability that allows authenticated users to perform unauthorized actions.
The OpenClaw platform contains an incorrect authorization vulnerability that allows authenticated users to trigger unauthorized state changes.
The Argoproj argo-helm chart uses insecure default configurations for network policies, potentially allowing unauthorized network access.
OpenClaw is susceptible to authorization bypass vulnerabilities due to missing or incorrect checks, allowing authenticated users to perform unauthorized actions.
The Lorex 2K Indoor Wi-Fi Security Camera device management server fails to properly validate certificates, potentially allowing man-in-the-middle attacks.
Ollama is affected by a denial-of-service vulnerability due to improper validation of array indices in the downloadBlob function.
PasswordPusher is vulnerable to improper restriction of excessive authentication attempts, allowing attackers to perform brute-force attacks against sensitive credentials.
The luci-app-banip component in OpenWrt is vulnerable to log injection, where an attacker can influence log parsing to inject arbitrary IP addresses.
The Advanced Forms plugin for WordPress is vulnerable to a missing authorization flaw that allows unauthenticated users to exploit incorrectly configured access controls.
A missing authorization vulnerability in the Nexcess Event Tickets plugin allows unauthenticated attackers to perform unauthorized actions due to improper access control configuration.
A missing authorization vulnerability in the Themeum Kirki plugin allows unauthenticated attackers to exploit incorrectly configured access controls and potentially access sensitive information.
A missing authorization vulnerability in the UX-themes Flatsome theme allows unauthenticated attackers to bypass access controls and potentially access sensitive information.
In CAXperts UPVWebServices 2.
In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration.
A path traversal vulnerability in the file() function of OpenBMB XAgent allows unauthenticated attackers to read sensitive files via the "filename" parameter.
In OpENer 2.
An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex jbig2dec allows unauthenticated attackers to trigger a Denial of Service (DoS) via crafted input.