Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Oracle dominates Friday's disclosures with multiple near-maximum-severity flaws across REST Data Services, iAssets, and Universal Work Queue, joined by a perfect-score SandboxJS sandbox escape that exposes server-side JavaScript execution. The brief covers 19 critical CVEs, unchanged from the prior day, and 58 high-priority CVEs, a 93% increase over yesterday's 30. CVE-2026-46840 (CVSS 10, Oracle REST Data Services) and CVE-2026-43898 (CVSS 10, SandboxJS) headline the critical set, with CVE-2026-46775 (CVSS 9.9, Oracle REST Data Services) and a string of CVSS 9.8 WordPress plugin flaws including CVE-2026-3655 and CVE-2026-8809 close behind. Remote code execution and authentication bypass patterns predominate, concentrated in enterprise middleware, identity infrastructure, and the WordPress plugin ecosystem. No patches are currently reflected for the disclosed set, so affected operators should prioritize compensating controls and vendor advisory monitoring; five vulnerabilities, including flaws in Drupal Core and GitHub Actions OIDC, have confirmed active exploitation.
Oracle accounts for several near-maximum-severity flaws, led by CVE-2026-46840 (CVSS 10, REST Data Services) and CVE-2026-46775 (CVSS 9.9), plus iAssets and Universal Work Queue (both CVSS 9.9)
19 critical CVEs (CVSS 9.0+), unchanged from the prior day
58 high-priority CVEs (CVSS 7.0-8.9), a 93% increase from 30 yesterday
Remote code execution and authentication bypass dominate, including the CVSS 10 SandboxJS escape (CVE-2026-43898) and CVSS 9.8 WordPress plugin flaws (CVE-2026-3655, CVE-2026-8809)
Patch availability stands at 0% across the disclosed set, leaving Oracle middleware and WordPress plugin deployments exposed pending vendor fixes
Five vulnerabilities show confirmed active exploitation, spanning Drupal Core, LiteSpeed cPanel, GitHub Actions OIDC, and Nx
Immediate action: Prioritize Oracle REST Data Services, iAssets, and Universal Work Queue instances along with SandboxJS deployments and the affected WordPress plugins, restricting external access and applying compensating controls where exposure exists. With no patches reflected for the disclosed set, monitor vendor advisories closely and expedite remediation for the five actively exploited issues, including Drupal Core and GitHub Actions OIDC, as fixes become available.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-9082
9.5
DrupalCore
â° Federal Deadline:May 26, 2026(-2 days remaining)
Drupal Core SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-48172
9.5
LiteSpeedcPanel Plugin
â° Federal Deadline:May 28, 2026
LiteSpeed cPanel Plugin Privilege Escalation Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-8398
9.5đ
AVB Disc SoftDAEMON Tools Lite
â° Federal Deadline:May 29, 2026(1 days remaining)
A supply chain compromise of DAEMON Tools Lite resulted in the distribution of trojanized binaries signed with a legitimate certificate.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-45321
9.5đ
GitHubActions OIDC
â° Federal Deadline:June 9, 2026(12 days remaining)
GitHub Actions OIDC was exploited to publish malicious npm packages by chaining multiple vulnerabilities, including cache poisoning and token extraction.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-48027
9.8
NxMultiple Products
â° Federal Deadline:June 9, 2026(12 days remaining)
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
CVSS Base9.8
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-3655
9.8đ
WordPressOTP Login With Phone Number, OTP Verification Plugin
The OTP Login With Phone Number plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to hijack user accounts by exploiting a flawed Firebase verification flow.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-45288
9.8
ArchAPIs interpolated
Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-24444
9.8
HPMultiple Products
SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote access to the underlying system.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-8809
9.8đ
WordPressAdvanced Custom Fields: Extended Plugin
The Advanced Custom Fields: Extended plugin for WordPress contains a validation bypass vulnerability that allows unauthenticated attackers to create new administrator accounts.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-8732
9.8
WordPressis vulnerable
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-43898
10đ
SandboxJSSandboxJS
A sandbox escape vulnerability in SandboxJS allows unauthenticated attackers to execute arbitrary host JavaScript code by leveraging an exposed internal runtime callback.
CVSS Base10
â
CRSSelect profile
CVE-2026-46840
10đ
OracleREST Data Services
An easily exploitable, unauthenticated remote code execution vulnerability exists in Oracle REST Data Services, allowing full system takeover via HTTPS.
CVSS Base10
â
CRSSelect profile
CVE-2026-46775
9.9đ
OracleREST Data Services
A critical vulnerability in the core of Oracle REST Data Services allows low-privileged attackers to gain full system control via network-based HTTPS exploitation.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-46822
9.9đ
OracleiAssets
A critical vulnerability in the Oracle iAssets component of E-Business Suite allows low-privileged attackers to compromise the product via HTTP.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-46824
9.9đ
OracleUniversal Work Queue
A critical vulnerability in the Oracle Universal Work Queue component of E-Business Suite allows low-privileged attackers to compromise the product via HTTP.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-46839
9.9đ
OracleREST Data Services
A critical vulnerability in the core of Oracle REST Data Services allows low-privileged attackers to gain full system control via network-based HTTPS exploitation.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-9645
9.9
ExposedMultiple Products
Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-34311
9.8đ
OracleHospitality OPERA 5
An unauthenticated, easily exploitable vulnerability in Oracle Hospitality OPERA 5 allows remote attackers to compromise the property services platform via HTTP.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-46817
9.8đ
OraclePayments
An unauthenticated, easily exploitable vulnerability in the Oracle Payments product of E-Business Suite allows remote attackers to compromise the service via HTTP.
A command injection vulnerability in the ZeroTier VPN feature of InHand Networks industrial routers allows remote attackers to gain root privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-38704
9.8đ
InHand NetworksIR302, IR305, IR315, and IR615
A command injection vulnerability in the WireGuard VPN feature of various InHand Networks devices allows remote unauthenticated attackers to execute arbitrary commands with ROOT privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-38707
9.8đ
InHand NetworksIR302, IR305, IR315, and IR615
A command injection vulnerability in the IPSec VPN feature of various InHand Networks devices allows remote unauthenticated attackers to execute arbitrary commands with ROOT privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-45039
9.8đ
RustFSDistributed Object Storage System
RustFS uses a hardcoded default secret key for internode RPC authentication, allowing attackers to bypass security if the environment is not explicitly configured.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2025-11993
8.8
WordPressis vulnerable
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2025-58074
8.8đ
NortonSecure VPN
A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store, potentially allowing local users to gain elevated system rights.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-6297
8.3
GoogleChrome prior
Use after free in Proxy in Google Chrome prior to 147
CVSS Base8.3
â
CRSSelect profile
CVE-2026-7862
8.6
WordPressplugin before
The Eupago Gateway For Woocommerce WordPress plugin before 4
CVSS Base8.6
â
CRSSelect profile
CVE-2019-13721
8.8đ Late Disclosure
GoogleChrome prior
Use after free in PDFium in Google Chrome prior to 78
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5272
8.8
GoogleChrome prior
Heap buffer overflow in GPU in Google Chrome prior to 146
CVSS Base8.8
â
CRSSelect profile
CVE-2026-6310
8.3
GoogleChrome prior
Use after free in Dawn in Google Chrome prior to 147
CVSS Base8.3
â
CRSSelect profile
CVE-2026-46826
8.8
OraclePayroll product
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-46827
8.8
OraclePayroll product
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-46837
8.8
OracleFlow Manufacturing
Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-46820
8.5
OracleFinancials Common
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components)
CVSS Base8.5
â
CRSSelect profile
CVE-2026-45108
8.4
MicrosoftAzure Entra
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune
CVSS Base8.4
â
CRSSelect profile
CVE-2026-6311
8.3
GoogleChrome on
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147
CVSS Base8.3
â
CRSSelect profile
CVE-2026-6921
8.3
GoogleChrome on
Race in GPU in Google Chrome on Windows prior to 147
CVSS Base8.3
â
CRSSelect profile
CVE-2026-6226
8.8
WordPressis vulnerable
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-44850
8.5
DockerAPI
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments
CVSS Base8.5
â
CRSSelect profile
CVE-2026-35671
8.8
HPMultiple Products
phpMyFAQ before 4
CVSS Base8.8
â
CRSSelect profile
CVE-2026-35438
8.3
UnknownMultiple Products
Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network
CVSS Base8.3
â
CRSSelect profile
CVE-2026-42083
8.2
UnknownMultiple Products
free5GC is an open-source implementation of the 5G core network
CVSS Base8.2
â
CRSSelect profile
CVE-2026-44328
8.2
UnknownMultiple Products
free5GC is an open-source implementation of the 5G core network
CVSS Base8.2
â
CRSSelect profile
CVE-2026-35675
8.2
HPMultiple Products
phpMyFAQ before 4
CVSS Base8.2
â
CRSSelect profile
CVE-2026-35676
8.2
HPMultiple Products
phpMyFAQ before 4
CVSS Base8.2
â
CRSSelect profile
CVE-2026-44543
8.7
Kubernetescapabilities can
Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node
CVSS Base8.7
â
CRSSelect profile
CVE-2026-45298
8.6
Dockercontainers
Dozzle is a realtime log viewer for docker containers
CVSS Base8.6
â
CRSSelect profile
CVE-2026-45348
8.7
downloadMultiple Products
pyLoad is a free and open-source download manager written in Python
CVSS Base8.7
â
CRSSelect profile
CVE-2026-7101
8.8
TendaF456
A vulnerability has been found in Tenda F456 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-7365
8.4
IBMOperations Analytics
IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication
CVSS Base8.4
â
CRSSelect profile
CVE-2020-7534
8.8đ Late Disclosure
webMultiple Products
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in
CVSS Base8.8
â
CRSSelect profile
CVE-2026-44971
8.2
GitHubcredentials with
GuardDog is a CLI tool to identify malicious PyPI packages
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4868
8.2
versionshas remediated
GitLab has remediated an issue in GitLab EE affecting all versions from 18
CVSS Base8.2
â
CRSSelect profile
CVE-2026-44712
8.2
Linuxusing ordinary
pam_usb provides hardware authentication for Linux using ordinary removable media
CVSS Base8.2
â
CRSSelect profile
CVE-2025-30028
8.6
Active BackupMultiple Products
A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files
CVSS Base8.6
â
CRSSelect profile
CVE-2022-2601
8.6đ Late Disclosure
UnknownMultiple Products
A buffer overflow was found in grub_font_construct_glyph()
CVSS Base8.6
â
CRSSelect profile
CVE-2026-42730
8.5
Stylemix MasterStudyMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2026-49046
8.5
Arjun ThakurMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2026-42735
8.2
Iqonic DesignMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation
CVSS Base8.2
â
CRSSelect profile
CVE-2026-38807
8.8
kvfMultiple Products
Insecure Permissions vulnerability in kvf-admin v1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4944
8.8
vllmMultiple Products
vllm-project/vllm version 0
CVSS Base8.8
â
CRSSelect profile
CVE-2026-5781
8.8
MphRxMultiple Products
An authorization vulnerability in MphRx's Minerva V3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-42197
8.7
UnknownMultiple Products
RELATE is a web-based courseware package
CVSS Base8.7
â
CRSSelect profile
CVE-2026-47759
8.7
UnknownMultiple Products
TinyMCE is an open source rich text editor
CVSS Base8.7
â
CRSSelect profile
CVE-2026-47760
8.7
UnknownMultiple Products
TinyMCE is an open source rich text editor
CVSS Base8.7
â
CRSSelect profile
CVE-2026-47761
8.7
mediaMultiple Products
TinyMCE is an open source rich text editor
CVSS Base8.7
â
CRSSelect profile
CVE-2026-47762
8.7
UnknownMultiple Products
TinyMCE is an open source rich text editor
CVSS Base8.7
â
CRSSelect profile
CVE-2026-42737
8.6
BookingMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal
CVSS Base8.6
â
CRSSelect profile
CVE-2026-44461
8.6
UnknownMultiple Products
Zed is a code editor
CVSS Base8.6
â
CRSSelect profile
CVE-2026-44463
8.6
UnknownMultiple Products
Zed is a code editor
CVSS Base8.6
â
CRSSelect profile
CVE-2026-44465
8.6
UnknownMultiple Products
Zed is a code editor
CVSS Base8.6
â
CRSSelect profile
CVE-2026-44466
8.6
UnknownMultiple Products
Zed is a code editor
CVSS Base8.6
â
CRSSelect profile
CVE-2026-49127
8.6
beforeMultiple Products
Music Player Daemon (MPD) before version 0
CVSS Base8.6
â
CRSSelect profile
CVE-2025-10470
8.6
UnknownMultiple Products
The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth
CVSS Base8.6
â
CRSSelect profile
CVE-2026-48153
8.5
UnknownMultiple Products
Budibase is an open-source low-code platform
CVSS Base8.5
â
CRSSelect profile
CVE-2026-44797
8.5
UnknownMultiple Products
Nautobot is a Network Source of Truth and Network Automation Platform
CVSS Base8.5
â
CRSSelect profile
CVE-2026-40851
8.4
UnknownMultiple Products
A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution
CVSS Base8.4
â
CRSSelect profile
CVE-2026-49238
8.4
beforeMultiple Products
An issue was discovered in Canonical Multipass before version 1
CVSS Base8.4
â
CRSSelect profile
CVE-2026-44483
8.2
UnknownMultiple Products
RVF (formerly Remix Validated Form) provides easy form validation and state management for React
CVSS Base8.2
â
CRSSelect profile
CVE-2026-45089
8.2
UnknownMultiple Products
Dalfox is a powerful open-source XSS scanner and utility focused on automation
CVSS Base8.2
â
CRSSelect profile
CVE-2026-45137
8.2
UnknownMultiple Products
Anchor is a framework providing several convenient developer tools for writing Solana programs