CVE-2026-41940
An authentication bypass vulnerability in the cPanel and WHM login flow allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Friday's disclosures center on Progress Software MOVEit, Shopizer, and Totolink router platforms, with several remote code execution flaws affecting widely deployed enterprise and edge infrastructure. The brief includes 8 critical CVEs (unchanged from the prior day) and 99 high-priority vulnerabilities (down 1%). Notable entries include CVE-2026-4670 (CVSS 9.8) in MOVEit, CVE-2026-36767 (CVSS 10) in Shopizer, and CVE-2026-7546 (CVSS 9.8) in Totolink NR1800X routers. Attack patterns skew toward unauthenticated RCE and authentication bypass, with file transfer and e-commerce platforms representing the highest-impact targets. Patches are currently unavailable for the disclosed set, requiring compensating controls and exposure reduction until vendor fixes ship.
Immediate action: Prioritize compensating controls for Progress MOVEit, Shopizer storefronts, and Totolink NR1800X/A8000RU devices, and validate exposure of cPanel/WHM, PaperCut, TeamCity, and ConnectWise ScreenConnect instances against the active exploitation list. With no patches currently available for the disclosed critical set, restrict network exposure, enforce strict authentication, and monitor vendor advisories for fixes.
Kentico Xperience Path Traversal Vulnerability - Active in CISA KEV catalog.
PaperCut NG/MF Improper Authentication Vulnerability - Active in CISA KEV catalog.
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability - Active in CISA KEV catalog.
JetBrains TeamCity Relative Path Traversal Vulnerability - Active in CISA KEV catalog.
Microsoft Defender Insufficient Granularity of Access Control Vulnerability - Active in CISA KEV catalog.
Marimo Remote Code Execution Vulnerability - Active in CISA KEV catalog.
D-Link DIR-823X Command Injection Vulnerability - Active in CISA KEV catalog.
Samsung MagicINFO 9 Server Path Traversal Vulnerability - Active in CISA KEV catalog.
SimpleHelp Path Traversal Vulnerability - Active in CISA KEV catalog.
SimpleHelp Missing Authorization Vulnerability - Active in CISA KEV catalog.
ConnectWise ScreenConnect Path Traversal Vulnerability - Active in CISA KEV catalog.
Microsoft Windows Protection Mechanism Failure Vulnerability - Active in CISA KEV catalog.
Weaver E-office is vulnerable to unauthenticated arbitrary file upload via OfficeServer.php, allowing remote attackers to execute code via webshells.
Synway SMG Gateway Management Software is vulnerable to unauthenticated OS command injection in the RADIUS configuration endpoint, leading to remote code execution.
An authentication bypass vulnerability in Progress Software MOVEit Automation allows unauthorized access to the application.
A stack-based buffer overflow exists in the Totolink NR1800X lighttpd component, allowing remote attackers to trigger a crash or execute code via the Host header.
The Totolink A8000RU router is vulnerable to remote OS command injection via the proto parameter in the CGI handler, allowing unauthenticated attackers to execute arbitrary system commands.
A path traversal vulnerability in Shopizer v3.2.5 allows remote attackers to write arbitrary files to any writable path via the image upload endpoint.
Authenticated attackers with file upload permissions can exploit a path traversal vulnerability in JeeSite v5.15.1 to upload arbitrary files to the filesystem.
A heap-based buffer overflow in libnv, caused by improper message size validation, allows for system crashes or potential privilege escalation.
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters.
A vulnerability exists in Chartbrew that may allow unauthorized access or impact data integrity due to its direct integration with databases and APIs.
A vulnerability in Chartbrew, an open-source data visualization tool, could potentially be leveraged by attackers to compromise connected data sources.
Jenkins Credentials Binding Plugin 719
An identified vulnerability in Chartbrew may expose connected databases or APIs to unauthorized access or manipulation.
A vulnerability within the Chartbrew web application may allow attackers to exploit its database and API integration features.
Cockpit 2
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3
XATABoost CMS 1
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1
Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission
pgjdbc is an open source postgresql JDBC Driver
A weakness has been identified in SourceCodester Advanced School Management System 1
AgentFlow is vulnerable to arbitrary code execution, allowing attackers to execute local Python files via the pipeline_path parameter in specific API endpoints.
Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass
The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization
A security vulnerability has been detected in EyouCMS up to 1
A vulnerability has been detected in VetCoders mcp-server-semgrep, potentially impacting its operation or security.
A vulnerability has been found in SourceCodester Hotel Management System 1
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1
A vulnerability was identified in itsourcecode Electronic Judging System 1
TLS protocol dissector heap overflow in Wireshark 4
HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands
Local privilege escalation due to improper input validation
Local privilege escalation due to improper input validation
Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation
Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process
Improper link resolution before file access ('link following') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus About allows Symlink Attack
Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection
IBM Turbonomic prometurbo agent 8
IBM Langflow Desktop 1
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1
A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4
IBM Langflow Desktop 1
NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation
Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1
U-SPEED N300 router V1
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Burge TaxoPress simple-tags allows Blind SQL Injection
BuddyPress Xprofile Custom Fields Type 2
A vulnerability was determined in UTT HiPER 1250GW up to 3
A vulnerability was identified in UTT HiPER 1250GW up to 3
A security flaw has been discovered in UTT HiPER 1250GW up to 3
A flaw has been found in Tenda 4G300 US_4G300V1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1
A vulnerability was detected in code-projects for Plugin 4
A flaw has been found in UTT HiPER 1200GW up to 2
A vulnerability has been found in UTT HiPER 1200GW up to 2
A vulnerability was detected in Totolink NR1800X 9
Text::CSV_XS versions before 1
Prime95 29
Easy MPEG to DVD Burner 1
Allok Video to DVD Burner 2
Free Download Manager 2
SysGauge Pro 4
Allok soft WMV to AVI MPEG DVD WMV Converter 4
Alloksoft Video joiner 4
Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4
Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc
Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc
An issue in Krayin CRM v
A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions
This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing
An issue in the TVicPort64
Allok AVI to DVD SVCD VCD Converter 4
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive
SBC codec crash in Wireshark 4
RDP protocol dissector crash in Wireshark 4
TOTOLINK A3002RU V3 <= V3
An issue was discovered in libsndfile 1
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters
A denial-of-service vulnerability exists in the U-SPEED N300 V1
Weaver (Fanwei) E-cology 9
CryptPad 2025
Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules) allows Overflow Buffers
A security vulnerability in JetBrains IntelliJ IDEA before 2024 may impact system integrity.
A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c
A flaw has been found in fatbobman mail-mcp-bridge up to 1
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54
A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1
A vulnerability in B1 Free Archiver v1
A weakness has been identified in getsimpletool mcpo-simple-server up to 0
A vulnerability was found in PolarVista xcode-mcp-server 1
A vulnerability was found in Algovate xhs-mcp 0
A security vulnerability has been detected in 1024-lab smart-admin up to 3
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers
A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3
A vulnerability has been found in Fujian Apex LiveBOS up to 2
MyBB Recent threads 17
Pallets Click, versions 8
SSCMS v7
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS
All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint
ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal
Profile import path traversal in Wireshark 4