CVE-2026-48908
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
Critical vulnerabilities, curated daily for security professionals
Development tooling for AI and LLM applications anchors Monday's disclosures, with critical flaws reported in Flowise, Langflow, and Crawl4AI alongside Adobe ColdFusion and WAGO industrial controllers. The day recorded 5 critical vulnerabilities (CVSS 9.0+), down 29% from 7 the prior day, and 35 high-priority updates, down 20% from 44. Notable critical entries include CVE-2026-56271 in Flowise (CVSS 9.8), CVE-2026-4769 in WAGO controllers (CVSS 9.8), and CVE-2026-14453 in Centreon Infrastructure Monitoring (CVSS 9.6). Remote code execution and authentication weaknesses dominate across web applications, AI orchestration platforms, and industrial devices, with a cluster of flaws affecting Joomla extensions. No vendor patches are recorded yet for the new disclosures; six vulnerabilities are under active exploitation and warrant prioritized mitigation and monitoring.
Immediate action: Immediate action: Prioritize the six actively exploited vulnerabilities — Adobe ColdFusion (CVE-2026-48282), Langflow (CVE-2026-55255), and the Joomla extension cluster (SP Page Builder, Page Builder CK, Balbooa Forms, iCagenda) — applying vendor mitigations and restricting external access where fixes are unavailable. For the critical disclosures in Flowise, WAGO, Comfast, and Centreon, no patches are recorded yet, so segment and monitor affected systems until vendor updates ship.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
The Page Builder CK extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, enabling attackers to execute malicious code on the server.
Adobe ColdFusion is affected by a path traversal vulnerability that permits unauthenticated remote attackers to execute arbitrary code.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
iCagenda is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code on the server.
Crawl4AI before 0.8.7 is vulnerable to arbitrary file write via the output_path parameter in the /screenshot and /pdf endpoints, allowing attackers to overwrite critical server files.
Centreon Infra Monitoring is vulnerable to Server-Side Template Injection (SSTI) in the open-tickets module, allowing authenticated users to execute arbitrary code on the server.
WAGO System I/O Field series devices contain undocumented diagnostic functionality accessible without authentication during the boot sequence, leading to full system compromise.
A critical OS command injection vulnerability exists in the Comfast CF-WR631AX V3 router via the FastCGI backend, allowing unauthenticated remote attackers to execute arbitrary system commands.
Flowise versions prior to 3.1.0 utilize hardcoded default JWT secrets, allowing unauthenticated remote attackers to forge authentication tokens and impersonate any user, including administrators.
A use-after-free vulnerability in the Views component of Google Chrome allows remote attackers to trigger heap corruption via a crafted HTML page and specific UI gestures.
An untrusted pointer dereference vulnerability in Microsoft Edge (Chromium-based) allows an unauthorized attacker to potentially elevate privileges via a specifically crafted network interaction.
Permissive CORS configuration in Apache Helix REST API allows remote attackers to read responses from and issue cross-origin requests to administrative endpoints.
SecureAge CatchPulse versions 10.9.0 through 10.9.3 contain heap-based buffer overflow and memory corruption vulnerabilities.
Apache IoTDB contains multiple vulnerabilities including missing authentication and improper resource management, allowing unauthenticated remote attackers to trigger denial-of-service conditions.
Shibby Tomato versions 1.0 through 1.7 contain out-of-bounds write and memory corruption vulnerabilities.
A buffer overflow vulnerability in Tenda CH22 allows authenticated remote attackers to corrupt memory and potentially execute arbitrary code.
Shibby Tomato firmware contains a stack-based buffer overflow vulnerability that allows authenticated attackers to corrupt memory and potentially execute arbitrary code.
The Helix Ultimate extension for Joomla is vulnerable to unauthenticated arbitrary file deletion, potentially leading to significant system disruption.
The Helix Ultimate extension for Joomla is vulnerable to unauthenticated stored Cross-site Scripting (XSS), which could allow attackers to execute arbitrary scripts in the context of a user's browser.
A Server-Side Request Forgery (SSRF) protection bypass exists in the html_to_markdown expansion module of misp-modules, allowing authenticated users to perform unauthorized network requests.
An improper authorization flaw exists in Capgo versions prior to 12.128.2, leading to potential privilege retention by stale organization users.
Crawl4AI is vulnerable to sensitive information exposure, allowing unauthenticated attackers to exfiltrate LLM credentials via base URL and environment variable resolution.
A memory-safety vulnerability in the parse_ipv4() function within the Zephyr RTOS networking stack may allow for potential remote code execution or system instability.
Capgo is affected by an improper authorization vulnerability that allows an authenticated user to disrupt cross-organization accounts via the SSO prelink endpoint.
A vulnerability in WinFsp involving an integer overflow may allow a local attacker to achieve system-level access.
An improper access control vulnerability in the MBStorage DRAM lighting module of Gigabyte Control Center allows local attackers to exploit exposed IOCTLs.
A use-after-free vulnerability in the Zephyr RTOS kernel-object tracking mechanism could allow unauthorized operations.
Tuleap Enterprise Edition is vulnerable to an authorization bypass allowing unauthenticated attackers to access sensitive information via user-controlled keys.
Capgo before 12.128.2 is vulnerable to an information disclosure flaw that allows unauthenticated actors to access sensitive global statistics.
A buffer overflow vulnerability in the WireGuard subsystem of Zephyr RTOS 4.4.0 allows remote attackers to cause potential integrity or availability impacts.
A missing and incorrect authorization vulnerability in will-moss Isaiah allows unauthenticated attackers to perform unauthorized actions.
An improper authentication vulnerability in will-moss Isaiah allows unauthenticated attackers to bypass authentication mechanisms.
A SQL injection vulnerability in SourceCodester Online Book Store System v1.0 allows unauthenticated attackers to execute arbitrary SQL commands.
Jinher OA version 1.0 contains a SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary database queries.
Metasoft MetaCRM version 6.4.0 Beta06 contains a SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary database commands.
Capgo before 12.128.2 contains a weak password recovery mechanism that can be exploited by authenticated users to compromise accounts.
A SQL injection vulnerability exists in the sergomanov SmartHomeAdatum Login component (users.php), allowing unauthenticated attackers to potentially access or manipulate database information.
An unauthenticated code injection vulnerability exists in the JWT Authentication Filter of the SonicCloudOrg sonic-agent, affecting versions up to 2.7.2.
A SQL injection vulnerability in RafyMrX TOKO-ONLINE-ROTI allows remote attackers to execute arbitrary SQL commands via the 'kode_produk' or 'kd_cs' arguments in 'proses/add.php'.
RafyMrX TOKO-ONLINE-ROTI contains a vulnerability involving missing or improper authentication, allowing unauthenticated access to sensitive functions.
hcr707305003 shiroiAdmin contains an unrestricted file upload vulnerability and improper access controls, enabling potential remote code execution.
RafyMrX TOKO-ONLINE-ROTI is vulnerable to SQL injection, allowing an unauthenticated attacker to manipulate backend database queries.
PraisonAI Platform is vulnerable to a missing authorization flaw allowing logged-in users to perform unauthorized actions due to insufficient access control checks.
Tencent PC Manager is susceptible to an uncontrolled search path vulnerability, potentially allowing local attackers to execute arbitrary code with elevated privileges.