CVE-2026-48908
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Thursday's disclosures were led by a maximum-severity flaw in CoreWCF (CVE-2026-54782, CVSS 10) alongside critical issues in the Snowflake Snowpark Python SDK and Apache Gravitino, concentrating risk in data-platform and web-application infrastructure. The set includes 16 critical CVEs, down 30% from the prior day's 23, and 65 high-priority CVEs, unchanged day-over-day. Notable entries include CVE-2026-15062 (CVSS 9.6) in the Snowflake Snowpark Python SDK, CVE-2026-41042 (CVSS 9.1) in Apache Gravitino, and CVE-2026-9074 (CVSS 9.1) in IBM API Connect, spanning developer tooling, WordPress plugins, and enterprise API gateways. Four vulnerabilities carry confirmed active exploitation, affecting Adobe ColdFusion, Langflow, and Joomla-based page builders. Patches were not yet available for any of the disclosed critical issues at time of publication, so teams should prioritize mitigations and exposure reduction until vendor fixes ship.
Immediate action: Prioritize CoreWCF, Snowflake Snowpark SDK, Apache Gravitino, and IBM API Connect deployments for immediate review, and restrict exposure on actively exploited Adobe ColdFusion and Langflow instances. With no vendor patches yet available for the critical issues, apply network segmentation, access controls, and vendor-recommended mitigations while monitoring for patch releases.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
The Page Builder CK extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, enabling attackers to execute malicious code on the server.
Adobe ColdFusion is affected by a path traversal vulnerability that permits unauthenticated remote attackers to execute arbitrary code.
The Blocksy Companion WordPress plugin is vulnerable to unauthenticated arbitrary file uploads via the save_attachments function, enabling remote code execution by bypassing file extension validation.
SQL injection vulnerabilities in the Snowflake Snowpark Python SDK allow authenticated low-privilege users to execute unauthorized SQL queries and potentially exfiltrate data.
CoreWCF fails to properly validate SAML token signatures when using federated bindings, allowing unauthenticated attackers to impersonate arbitrary principals.
An unauthenticated remote code execution vulnerability in Apache Gravitino allows attackers to execute arbitrary Java code via malicious H2 JDBC URLs.
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to an authentication bypass that allows unauthenticated attackers to hijack administrator accounts.
A cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice allows unauthorized attackers to perform spoofing over a network.
JupyterLab Git is vulnerable to stored Cross-site Scripting (XSS) via crafted filenames, allowing JavaScript execution when a victim views the rename diff in the Git History tab.
Dgraph Alpha exposes RPCs for external snapshot imports on the public gRPC port without authentication, allowing unauthenticated remote attackers to overwrite database contents.
An unauthenticated SQL injection vulnerability exists in the password reset functionality of IBM API Connect, potentially allowing unauthorized access to backend data.
Repomix contains a server-side request forgery (SSRF) vulnerability in the POST /api/pack endpoint, allowing unauthenticated attackers to make arbitrary outbound requests.
Mediküm Web is susceptible to a critical SQL injection vulnerability, allowing unauthorized attackers to execute arbitrary SQL commands against the backend database.
Fluentd allows path traversal via the ${tag} placeholder in file configurations, enabling attackers to write or overwrite arbitrary files and potentially achieve remote code execution.
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed thro
The node-tar library for Node.js fails to enforce resource limits during archive extraction, allowing attackers to trigger denial-of-service via crafted gzip bombs.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA mate
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and ther
A vulnerability in the HAPI FHIR core library allows for XML External Entity (XXE) injection, potentially leading to unauthorized information disclosure.
A local privilege escalation vulnerability in Omnissa Workspace ONE Tunnel for Windows allows authenticated users to gain elevated system privileges.
A sandbox escape vulnerability in the HashiCorp Nomad Docker task driver allows job submitters to bind-mount host paths, enabling unauthorized read/write access to the host filesystem.
An incorrect permission assignment in the Cloud Foundry Foundation BOSH Windows stemcell builder allows local users to escalate privileges to system level via executable overwriting.
Microsoft Edge (Chromium-based) contains an improper access control vulnerability that enables unauthenticated attackers to perform security feature bypasses.
LiquidJS is vulnerable to an allocation of resources without limits or throttling, potentially allowing an unauthenticated attacker to cause a denial-of-service condition.
The WCFM Membership plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users to bypass authorization controls.
The Symfony UX JavaScript ecosystem is susceptible to a path traversal vulnerability that may allow an attacker to access or manipulate restricted files.
The Divi Form Builder plugin for WordPress is vulnerable to an authorization bypass, allowing authenticated users to perform unauthorized actions via improper capability checks.
The Appointment Booking Calendar Plugin for WordPress is vulnerable to insecure deserialization of untrusted data, potentially leading to remote code execution.
Dell PowerProtect Data Domain is affected by an incorrect authorization vulnerability that may allow authenticated users to perform unauthorized actions.
Nozomi Remote Collector fails to verify TLS certificates when configured via n2os-tui, exposing communication to potential interception.
The py7zr library is susceptible to a data amplification attack due to improper handling of highly compressed 7zip archive data.
The py7zr library contains a vulnerability related to inefficient algorithmic complexity, which can be exploited to cause a denial-of-service.
The pypdf library is susceptible to an infinite loop vulnerability caused by an unreachable exit condition when processing malformed PDF files.
A vulnerability in the pypdf library allows for uncontrolled resource consumption when processing maliciously crafted PDF documents.
RestrictedPython contains a flaw in its input filtering mechanism, allowing for the potential execution of unauthorized code via incomplete blocklists.
AsyncSSH contains a path traversal vulnerability that allows unauthorized file system access due to improper path validation in the SSHv2 protocol implementation.
LiteLLM proxy server contains a critical authentication vulnerability that allows unauthenticated access to sensitive functions.
The Horde Virtual File System (VFS) API is susceptible to OS command injection, enabling authenticated attackers to execute arbitrary commands on the underlying system.
IBM API Connect versions 12.1.0.0 through 12.1.0.2 are susceptible to a vulnerability involving the use of default credentials, potentially allowing unauthorized access.
When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl.
A heap-based buffer overflow in libXfont2's ComputeScaledProperties function allows for potential memory corruption when parsing malformed PCF font files.
A heap-based buffer overflow in the BitmapScaleBitmaps function of libXfont2 can lead to memory corruption when processing specific bitmap font data.
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client.
The BOSH CLI fails to verify server certificates when uploading data to the DAV blobstore, enabling potential man-in-the-middle attacks and root code execution.
Cline contains an Origin Validation Error (CWE-346) that can allow unauthorized cross-origin interactions with the coding agent.
A sandbox escape vulnerability in Ubuntu's OpenJDK packages allows arbitrary code execution outside the sandbox when the mailcap package is installed.
NATS Server is affected by an improper authentication vulnerability (CWE-287) that may allow unauthorized access to the messaging system.
Copier contains vulnerabilities related to path traversal (CWE-22) and code injection (CWE-94) during the rendering of project templates.
The Snowflake Terraform Provider is vulnerable to SQL Injection, allowing authenticated attackers to execute arbitrary SQL commands via improper input neutralization.
Parse Server contains a vulnerability involving inefficient algorithmic complexity, which can be exploited by unauthenticated attackers to cause a denial-of-service condition.
GitLab EE is vulnerable to a stored Cross-Site Scripting (XSS) attack, allowing authenticated users to inject malicious scripts into web pages viewed by other users.
The Plate rich-text editor is susceptible to a stored Cross-Site Scripting (XSS) vulnerability, allowing authenticated users to inject malicious scripts into web pages.
Bitwarden Server is susceptible to an authorization bypass vulnerability allowing authenticated users to manipulate access keys.
The immutable-js library is vulnerable to uncontrolled resource consumption and infinite loops, potentially leading to denial-of-service conditions.
The node-tar library is vulnerable to an infinite loop condition when processing malformed tar archives, resulting in denial-of-service.
A vulnerability in immutable-js allows unauthenticated remote attackers to cause a Denial of Service (DoS) via inefficient algorithmic complexity.
A path traversal vulnerability in Appium allows unauthenticated remote attackers to perform unauthorized file operations via improper limitation of pathnames.
Monsta FTP contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass address restrictions via IPv4-mapped IPv6 addresses.
The CloudFoundry BOSH CLI tool is vulnerable to a path traversal flaw in the blobs.yaml file processing, which can allow an attacker to perform unauthorized file writes.
The @cyclonedx/cyclonedx-npm package is vulnerable to OS Command Injection, allowing an attacker to execute arbitrary commands during the generation of Software Bill of Materials (SBOM).
A heap-based buffer overflow exists in the pcfReadFont() function of libXfont2 due to insufficient bounds checking on glyph data.
PasswordPusher is susceptible to a redirect-based Cross-Site Scripting (XSS) vulnerability due to improper input validation of data-URI schemes in URL push payloads.
The Astro web framework contains a vulnerability where non-canonical URL paths can be used to bypass authorization decisions.
A buffer overflow vulnerability exists in U-Boot through 2026.04-rc3, specifically within the NFS readlink reply handling, potentially leading to denial-of-service or code execution.
An incorrect privilege assignment vulnerability in the synchronization functionality allows Arc sensors to receive CLI permissions.
Frigate contains multiple vulnerabilities related to improper privilege management, sensitive information in logs, and insecure use of GET requests for sensitive data.
An improper authorization vulnerability in Capgo allows cross-organization authorization bypass via scoped API key privilege inheritance.
A cross-site scripting (XSS) vulnerability in the Ad Hoc module of Progress MOVEit Transfer allows for improper neutralization of user input during web page generation.
A symlink following vulnerability exists in the Go standard library 'os' package on Unix systems, which could lead to unauthorized file access or modification.
Gitea 1.
A privilege management vulnerability in SourceCodester's Online Examination & Learning Management System 1.0 allows for potential unauthorized access.
A SQL injection vulnerability in the 'head.php' file of code-projects Online Examination 1.0 allows unauthenticated remote attackers to manipulate database queries.
An unauthenticated SQL injection vulnerability in SourceCodester Pizzafy E-Commerce System 1.0 permits remote attackers to execute arbitrary database queries via the 'ID' parameter.
A code injection vulnerability in the 'eval' function of mjperpinosa stumasy allows unauthenticated remote attackers to execute arbitrary code via the 'mathematical_sentence' argument.
A SQL injection vulnerability in code-projects Real State Services 1.0 allows unauthenticated remote attackers to manipulate database queries via the 'amen' parameter in /addprojectsale.php.
A SQL injection vulnerability exists in code-projects Real State Services 1.0, allowing unauthenticated attackers to compromise database security via the 'ID' parameter in /single-list_rent.php.
A SQL injection vulnerability in code-projects Real State Services 1.0 allows remote unauthenticated attackers to execute arbitrary database commands via the 'amen' parameter in /addprojectrent.php.
A SQL injection vulnerability in code-projects Real State Services 1.0 allows unauthenticated remote attackers to execute arbitrary database commands via the 'loc' argument in /normalHomeSale.php.
Gitea versions before 1.
Gitea versions before 1.
Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`,.
An improper memory calculation vulnerability exists in the Linux kernel's IPv6 paged-allocation path, potentially leading to memory corruption.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() bt_accept_dequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller refe.