Critical vulnerabilities, curated daily for security professionals
SSCV Profile
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality; risk scores are adjusted for the environment you select.
Today's Security Brief
Sunday's disclosures center on a Python serialization flaw in jsonpickle, a digital signage system and an image-processing library, alongside actively exploited issues in Cisco Catalyst SD-WAN and Microsoft products. The day brought 3 critical CVEs (down 50% from the prior day) and 57 high-priority CVEs (up 46%), reflecting a shift toward high-severity rather than critical-rated issues. Notable critical entries include CVE-2021-47952 in Python jsonpickle, CVE-2020-37228 in the iDS6 DSSPro Digital Signage System, and CVE-2020-37239 in libbabl. Remote code execution and deserialization weaknesses dominate the critical set, while the Cisco and Microsoft KEV entries indicate ongoing targeting of enterprise network and platform infrastructure. No vendor patches are currently linked in today's data, so teams should rely on vendor advisories and apply mitigations or workarounds where available.
Python jsonpickle deserialization flaw (CVE-2021-47952, CVSS 9.8) leads the critical set with potential for remote code execution
Critical CVEs: 3 (down 50% from 6 the prior day)
High-priority CVEs: 57 (up 46% from 39 the prior day)
Remote code execution and unsafe deserialization patterns affect Python jsonpickle, iDS6 DSSPro digital signage, and the libbabl image library
Patch availability sits at 0% across today's set; teams should consult vendor advisories directly for mitigations
2 actively exploited CVEs reported in Cisco Catalyst SD-WAN (CVE-2026-20182) and Microsoft (CVE-2026-42897), both CVSS 9.5
Immediate action: Prioritize the actively exploited Cisco Catalyst SD-WAN and Microsoft issues for immediate review, and audit any use of Python jsonpickle, iDS6 DSSPro digital signage, and libbabl across your environment. With no patches currently linked in today's data, rely on vendor advisories for fixed versions and apply available workarounds, network restrictions, or input validation controls in the interim.
Seven sandbox escapes in vm2 Node.js library disclosed in one day
Seven independent sandbox-escape vulnerabilities in the vm2 Node.js sandbox library were disclosed together on May 13-14, 2026. Each lets attacker-controlled JavaScript break out of the sandbox and run as the host Node.js process. All seven were patched in 3.11.0 or 3.11.2, but the cluster is the latest in a long pattern of vm2 escapes; the editorial recommendation is to migrate away from vm2, not just upgrade.
CISA Known Exploited Vulnerabilities

CVE-2026-20182 | CVSS 9.5 | CISA KEV | Cisco / Catalyst SD-WAN | Federal deadline: May 16, 2026
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability - active in the CISA KEV catalog.

CVE-2026-42897 | CVSS 9.5 | CISA KEV | Microsoft | Federal deadline: May 28, 2026 (12 days remaining)
A cross-site scripting (XSS) vulnerability in Microsoft Exchange Server allows unauthenticated attackers to perform spoofing over a network.
Critical Vulnerabilities

CVE-2021-47952 | CVSS 9.8 | Late Disclosure | Python / jsonpickle
The Python jsonpickle library contains a remote code execution vulnerability via deserialization of malicious JSON payloads containing py/repr objects.

CVE-2020-37228 | CVSS 9.8 | Late Disclosure | iDS6 / DSSPro Digital Signage System
The iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA bypass vulnerability that allows attackers to retrieve valid codes and perform brute-force attacks against user accounts.

CVE-2020-37239 | CVSS 9.8 | Late Disclosure | libbabl
libbabl 0.1.62 contains a memory safety vulnerability where broken double-free detection allows attackers to bypass checks and achieve memory corruption.
High Priority Updates

CVE-2021-47956 | CVSS 8.2 | Late Disclosure | HP
EgavilanMedia PHPCRUD 1

CVE-2026-45539 | CVSS 7.4 | Microsoft
Microsoft APM is an open-source, community-driven dependency manager for AI agents

CVE-2026-8719 | CVSS 8.8 | WordPress
The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3

CVE-2026-44641 | CVSS 7.1 | Microsoft
Microsoft APM is an open-source, community-driven dependency manager for AI agents

CVE-2021-47977 | CVSS 7.5 | Late Disclosure | WordPress / Plugin Anti-Malware Security and Bruteforce Firewall
WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4

CVE-2021-47979 | CVSS 8.8 | Late Disclosure | WordPress / Plugin Backup and Restore
WordPress Plugin Backup and Restore 1

CVE-2020-37227 | CVSS 8.8 | Late Disclosure | HP
HS Brand Logo Slider 2

CVE-2021-47976 | CVSS 8.8 | Late Disclosure | HP
TextPattern CMS 4
CVE-2026-6403 | CVSS 7.5 | WordPress
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1

CVE-2026-44714 | CVSS 7.5 | Unknown / Multiple Products
The bitcoinj library is a Java implementation of the Bitcoin protocol

CVE-2021-47959 | CVSS 7.5 | Late Disclosure | WordPress / Plugin WPGraphQL
WordPress Plugin WPGraphQL 1

CVE-2026-46359 | CVSS 7.5 | HP / Multiple Products
phpMyFAQ before 4

CVE-2026-46366 | CVSS 7.5 | HP / Multiple Products
phpMyFAQ before 4

CVE-2026-8725 | CVSS 7.3 | Unknown / Multiple Products
A weakness has been identified in CoreWorxLab CAAL up to 1

CVE-2026-38728 | CVSS 7.5 | Unknown / Multiple Products
An issue in Nodemailer smtp_server before v

CVE-2021-47974 | CVSS 7.8 | Late Disclosure | Arch
VX Search 13

CVE-2020-37242 | CVSS 8.2 | Late Disclosure | Ultimate / Multiple Products
Supsystic Ultimate Maps 1
CVE-2020-37243 | CVSS 8.2 | Late Disclosure | Pricing / Multiple Products
Supsystic Pricing Table 1

CVE-2020-37244 | CVSS 8.2 | Late Disclosure | Supsystic / Multiple Products
Supsystic Membership 1

CVE-2021-47954 | CVSS 8.2 | Late Disclosure | Arch / Multiple Products
LayerBB 1

CVE-2026-46728 | CVSS 8.2 | Boot / Multiple Products
Das U-Boot before 2026

CVE-2020-37229 | CVSS 7.8 | Late Disclosure | Port / Multiple Products
OKI sPSV Port Manager 1

CVE-2020-37230 | CVSS 7.8 | Late Disclosure | SMWebRestServicev5 / Multiple Products
Syncplify

CVE-2020-37231 | CVSS 7.8 | Late Disclosure | Privacy / Multiple Products
Privacy Drive 3

CVE-2020-37232 | CVSS 7.8 | Late Disclosure | Care / Multiple Products
Advanced System Care Service 13

CVE-2020-37247 | CVSS 7.8 | Late Disclosure | KiteService / Multiple Products
Kite 4
CVE-2026-46408 | CVSS 7.6 | Unknown / Multiple Products
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores

CVE-2026-44555 | CVSS 7.6 | Intel / Open WebUI
Open WebUI is a self-hosted AI platform; information regarding this vulnerability is currently limited, requiring users to consult vendor advisories.

CVE-2026-8695 | CVSS 7.5 | gdbr / Multiple Products
radare2 6

CVE-2026-44826 | CVSS 7.5 | Unknown / Multiple Products
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores

CVE-2026-8686 | CVSS 7.5 | Multiple Products
Missing bounds validation in the MQTT v5

CVE-2026-45398 | CVSS 7.5 | Intel / Open WebUI
Open WebUI, a self-hosted artificial intelligence platform, is affected by a high-severity security vulnerability requiring immediate attention.

CVE-2026-8696 | CVSS 7.5 | Infor / Multiple Products
radare2 6

CVE-2020-37245 | CVSS 7.5 | Late Disclosure | Digital / Multiple Products
Supsystic Digital Publications 1

CVE-2021-47942 | CVSS 7.5 | Late Disclosure | Home / Multiple Products
Home Assistant Community Store (HACS) 1
CVE-2021-47969 | CVSS 7.5 | Late Disclosure | Color / Multiple Products
Color Notes 1

CVE-2021-47970 | CVSS 7.5 | Late Disclosure | Macaron / Multiple Products
Macaron Notes 5

CVE-2021-47971 | CVSS 7.5 | Late Disclosure | Notes / Multiple Products
My Notes Safe 5

CVE-2021-47972 | CVSS 7.5 | Late Disclosure | Color / Multiple Products
Sticky Notes & Color Widgets 1

CVE-2021-47973 | CVSS 7.5 | Late Disclosure | Notes / Multiple Products
Sticky Notes Widget 3

CVE-2026-39054 | CVSS 7.3 | Oinone / Multiple Products
Oinone Pamirs 7

CVE-2026-44721 | CVSS 7.3 | Intel / Open WebUI
A high-severity vulnerability has been identified in the Open WebUI self-hosted AI platform, requiring immediate review of vendor-provided security patches.

CVE-2026-44549 | CVSS 7.3 | Intel / Open WebUI
Open WebUI, a self-hosted AI platform, contains a high-severity vulnerability that requires immediate remediation through vendor-issued security updates.

CVE-2026-44566 | CVSS 7.3 | Intel / Open WebUI
A high-severity vulnerability has been reported in the Open WebUI self-hosted AI platform, requiring prompt security remediation.
CVE-2026-44567 | CVSS 7.3 | Intel / Open WebUI
Open WebUI, a self-hosted AI platform, is subject to a high-severity vulnerability requiring immediate security review and remediation.

CVE-2026-8734 | CVSS 7.3 | Unknown / Multiple Products
A vulnerability was determined in Oinone Pamirs up to 7

CVE-2021-47963 | CVSS 7.2 | Late Disclosure | Anote / Multiple Products
Anote 1

CVE-2026-45395 | CVSS 7.2 | Intel / Open WebUI
A high-severity vulnerability has been identified in the Open WebUI AI platform, requiring immediate attention from security administrators.

CVE-2021-47975 | CVSS 7.2 | Late Disclosure | Learn / Multiple Products
WP Learn Manager 1

CVE-2026-45037 | CVSS 7.1 | ABB / Multiple Products
Tabby (formerly Terminus) is a highly configurable terminal emulator

CVE-2026-44556 | CVSS 7.1 | Intel / Open WebUI
A security vulnerability has been identified in the Open WebUI platform that may expose the system to unauthorized access or manipulation.

CVE-2026-45349 | CVSS 7.1 | Intel / Open WebUI
A security vulnerability has been identified in the Open WebUI platform that may expose the system to unauthorized access or manipulation.

CVE-2026-45399 | CVSS 7.1 | Intel / Open WebUI
A security vulnerability has been identified in the Open WebUI platform that may expose the system to unauthorized access or manipulation.
CVE-2026-44569 | CVSS 7.1 | Intel / Open WebUI
A security vulnerability has been identified in the Open WebUI platform that may expose the system to unauthorized access or manipulation.

CVE-2026-45350 | CVSS 7.1 | Intel / Open WebUI
A security vulnerability has been identified in the Open WebUI platform that may expose the system to unauthorized access or manipulation.

CVE-2021-47980 | CVSS 7.1 | Late Disclosure | Fuel / Multiple Products
Fuel CMS 1

CVE-2026-45036 | CVSS 7.0 | ABB / Multiple Products
Tabby (formerly Terminus) is a highly configurable terminal emulator