Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Monday's brief is led by three critical WordPress component vulnerabilities, all rated CVSS 9.8, affecting the Seotheme, Background Image Cropper, and Travelscape products. The day brought 3 critical CVEs, up from none the prior day, alongside 33 high-priority issues, a 43% increase over yesterday's 23. CVE-2023-54352 in WordPress Seotheme, CVE-2024-58348 in Background Image Cropper, and CVE-2024-58349 in the Travelscape theme each enable high-impact compromise of affected sites. The disclosures cluster around web application and CMS components, with active exploitation observed across a broader set of products including Oracle WebLogic Server, the Linux kernel, the Android Framework, Magento, and SolarWinds Serv-U. No vendor patches were available at disclosure for the day's CVEs, so defenders should prioritize mitigations and monitoring while fixes are pending.
WordPress themes and plugins dominate, with three CVSS 9.8 flaws in Seotheme, Background Image Cropper, and Travelscape
Critical CVEs rose to 3 from 0 the prior day, a 100% increase
High-priority CVEs climbed to 33 from 23, up 43%
Web application and CMS components are the primary attack surface, with high-impact site compromise the dominant pattern
Patch availability stands at 0% across the day's disclosed CVEs, requiring interim mitigations
Five CVEs show active exploitation, spanning Oracle WebLogic, the Linux kernel, Android Framework, Magento, and SolarWinds Serv-U
Immediate action: Prioritize WordPress installations running the Seotheme, Background Image Cropper, or Travelscape components, and review exposure to actively exploited products including Oracle WebLogic Server, SolarWinds Serv-U, and Magento. With no patches available for the day's critical CVEs, apply available mitigations, restrict access to affected components, and increase monitoring until vendor fixes are released.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2024-21182
9.5đđ Late Disclosure
OracleWebLogic Server
â° Federal Deadline:June 3, 2026(-4 days remaining)
Oracle WebLogic Server contains an unspecified vulnerability that is currently being exploited in the wild.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2022-0492
9.5đđ Late Disclosure
LinuxKernel
â° Federal Deadline:June 4, 2026(-3 days remaining)
A privilege escalation vulnerability in the Linux Kernel cgroup_release_agent_write function allows unprivileged users to escape container environments and gain elevated host privileges.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-48595
9.5đ
AndroidFramework
â° Federal Deadline:June 4, 2026(-3 days remaining)
An integer overflow vulnerability in the Android Framework allows for potential unauthorized system access and is currently tracked in the CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-45247
9.5đ
MirasvitFull Page Cache Warmer for Magento 2
â° Federal Deadline:June 5, 2026(-2 days remaining)
Mirasvit Full Page Cache Warmer for Magento 2 contains a PHP object injection vulnerability allowing unauthenticated RCE via the CacheWarmer cookie.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-28318
9.5đ
SolarWindsServ-U
â° Federal Deadline:June 18, 2026(11 days remaining)
SolarWinds Serv-U is vulnerable to an uncontrolled resource consumption flaw allowing unauthenticated attackers to crash the service via specially crafted POST requests.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2023-54352
9.8đđ Late Disclosure
WordPressSeotheme
WordPress Seotheme contains a critical remote code execution vulnerability allowing unauthenticated attackers to upload and execute arbitrary PHP files.
CVSS Base9.8
â
CRSSelect profile
CVE-2024-58348
9.8đđ Late Disclosure
WordPressBackground Image Cropper
WordPress Background Image Cropper 1.2 allows unauthenticated attackers to execute arbitrary code via an insecure file upload endpoint.
CVSS Base9.8
â
CRSSelect profile
CVE-2024-58349
9.8đđ Late Disclosure
WordPressTheme Travelscape
WordPress Theme Travelscape 1.0.3 is susceptible to remote code execution due to insufficient validation of file uploads in the theme directory.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2023-54350
7.5đđ Late Disclosure
WordPressAugmented-Reality plugin
The WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector, allowing unauthenticated file uploads.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-11010
8.3đ
GoogleChrome on Android
A use-after-free vulnerability in the WebShare component of Google Chrome on Android allows for potential remote code execution.
CVSS Base8.3
â
CRSSelect profile
CVE-2026-11012
8.3đ
GoogleChrome on Android
A use-after-free vulnerability in the Serial component of Google Chrome on Android allows for potential remote code execution.
CVSS Base8.3
â
CRSSelect profile
CVE-2026-11072
7.8đ
GoogleChrome for Android
A use-after-free vulnerability exists in the WebView component of Google Chrome for Android, potentially allowing for memory corruption or arbitrary code execution.
CVSS Base7.8
â
CRSSelect profile
CVE-2026-11211
8.8đ
GoogleChrome
An integer overflow vulnerability in the V8 JavaScript engine of Google Chrome may lead to memory corruption or arbitrary code execution.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-11103
7.8đ
GoogleChrome
An inappropriate implementation flaw in the Google Chrome Installer for Windows may allow for unauthorized system-level actions.
CVSS Base7.8
â
CRSSelect profile
CVE-2023-54351
7.2đđ Late Disclosure
WordPressSonaar Music Plugin
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting (XSS) vulnerability in the comment functionality.
CVSS Base7.2
â
CRSSelect profile
CVE-2026-11456
7.3đ
ChanjetCRM
Chanjet CRM 1.0 contains an SQL injection vulnerability in the /tools/jxf_dump_systable.php file due to improper sanitization of the 'gblOrgID' parameter.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11462
7.3đ
Chengdu Everbrite Network TechnologyBeikeShop
An improper authorization vulnerability in BeikeShop up to 1.6.0.22 allows attackers to bypass security controls via the Stripe plugin callback.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11474
7.3đ
Kushan2kstudent-management-system
An unrestricted file upload vulnerability in the Kushan2k student-management-system registration endpoint allows attackers to upload malicious files via the 'stimg' argument.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11488
7.3đ
code-projectsSimple Flight Ticket Booking System
A security vulnerability has been identified in the code-projects Simple Flight Ticket Booking System.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11471
7.3đ
SourceCodesterClass and Exam Timetabling System
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to compromise the database via the 'Password' argument in index2.php.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11472
7.3đ
SourceCodesterClass and Exam Timetabling System
A security vulnerability has been identified in the SourceCodester Class and Exam Timetabling System.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11489
7.3đ
code-projectsOnline Music Site
A security vulnerability has been identified within the code-projects Online Music Site application.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-49494
7.5đ
ComodoInternet Security
A security vulnerability exists within the firewall driver component of Comodo Internet Security.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-26422
8.4đ
clash-verge-serviceipc
A vulnerability has been identified in the clash-verge-service-ipc package before version 2.
CVSS Base8.4
â
CRSSelect profile
CVE-2026-33999
7.8đ
UnknownUnknown
A security flaw has been identified in an unspecified product, requiring immediate investigation and remediation.
CVSS Base7.8
â
CRSSelect profile
CVE-2026-34001
7.8đ
UnknownUnknown
A security flaw has been identified in an unspecified product, necessitating immediate review and update procedures.
CVSS Base7.8
â
CRSSelect profile
CVE-2026-34003
7.8đ
InforMultiple Products
A security flaw has been identified in an unspecified component of Infor products.
CVSS Base7.8
â
CRSSelect profile
CVE-2026-11435
7.3đ
JinherOA
A security vulnerability has been identified in the Jinher OA software, potentially exposing the system to unauthorized access or operational disruption.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11437
7.3đ
perfreego-fastdfs-web
A Server-Side Request Forgery (SSRF) vulnerability in perfree go-fastdfs-web allows unauthenticated attackers to perform unauthorized requests to internal systems via the /install/checkServer endpoint.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11450
7.3đ
GLMultiple Products
A security vulnerability has been detected in GL software, requiring further investigation to determine the specific impact and affected components.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11451
7.3đ
GLMultiple Products
A security flaw has been identified in GL software, requiring administrators to monitor vendor updates for mitigation instructions.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11452
7.3đ
GLMultiple Products
A vulnerability has been discovered in GL software, with further details pending from the vendor.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11457
7.3đ
erzhongxmuJeeWMS
A security flaw in erzhongxmu JeeWMS enables remote information disclosure via the /base-boot/actuator component.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11460
7.3đ
BoostSerialization
A flaw in Boost Serialization allows remote attackers to manipulate input data types due to improper validation during the serialization process.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11463
7.3đ
USCiLabCereal
A type confusion vulnerability in the Shared Pointer Handler component of USCiLab Cereal allows remote attackers to trigger unauthorized actions without user interaction.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11482
7.3đ
SourceCodesterClass and Exam Timetabling System
A security vulnerability has been identified in the SourceCodester Class and Exam Timetabling System, which could lead to unauthorized system impacts.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11483
7.3đ
SourceCodesterClass and Exam Timetabling System
A security flaw has been identified in the SourceCodester Class and Exam Timetabling System, potentially allowing unauthorized system access.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11484
7.3đ
SourceCodesterClass and Exam Timetabling System
A security weakness has been identified in the SourceCodester Class and Exam Timetabling System, potentially impacting system security.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11485
7.3đ
SourceCodesterClass and Exam Timetabling System
A security vulnerability has been detected in the SourceCodester Class and Exam Timetabling System, which could lead to unauthorized system interactions.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11486
7.3đ
SourceCodesterClass and Exam Timetabling System
A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System 1.0 via the 'sy' argument in the /archive1.php file.
CVSS Base7.3
â
CRSSelect profile
CVE-2026-11490
7.3đ
code-projectsOnline Music Site
An SQL injection vulnerability in code-projects Online Music Site 1.0 allows attackers to manipulate the 'Category' argument in /Frontend/Search.php.