Critical vulnerabilities, curated daily for security professionals
Archived Security Brief
HP phpMyFAQ and Apache Velocity dominate Saturday's critical disclosures, with multiple remote code execution paths affecting web-facing application stacks. The day brought 6 critical CVEs (down 68% from prior day) and 39 high-priority vulnerabilities (down 39%), reflecting typical weekend disclosure cadence. Notable critical issues include CVE-2026-46364 in HP phpMyFAQ (CVSS 9.8), CVE-2026-41258 affecting Apache Velocity template rendering (CVSS 9.1), and CVE-2026-44717 in MCP Calculate Server (CVSS 9.8). Attack patterns concentrate on web application platforms, template injection, and AI/ML infrastructure components like Intel Open WebUI. Patches are not yet broadly available across these disclosures, so defenders should focus on identifying exposure and applying vendor mitigations or compensating controls.
HP phpMyFAQ affected by two critical vulnerabilities (CVE-2026-46364, CVE-2026-45010) enabling remote compromise of FAQ management systems
6 critical CVEs disclosed, down 68% from the prior day's 19
39 high-priority CVEs disclosed, down 39% from the prior day's 64
Remote code execution patterns dominate across Apache Velocity templates, MCP Calculate Server, and WordPress plugin ecosystems
Patch availability sits at 0% across the day's critical disclosures, requiring interim mitigations and exposure reviews
2 CVEs in the CISA KEV catalog including CVE-2026-20182 affecting Cisco Catalyst SD infrastructure
Immediate action: Prioritize inventory and exposure review for HP phpMyFAQ deployments, Apache Velocity-based applications, Intel Open WebUI instances, and Cisco Catalyst SD environments where CVE-2026-20182 is under active exploitation. With no patches available for the day's critical disclosures, apply vendor-recommended workarounds, restrict network access to affected services, and increase monitoring for exploitation indicators until fixes are released.
Seven sandbox escapes in vm2 Node.js library disclosed in one day
Seven independent sandbox-escape vulnerabilities in the vm2 Node.js sandbox library were disclosed together on May 13-14, 2026. Each lets attacker-controlled JavaScript break out of the sandbox and run as the host Node.js process. All seven were patched in 3.11.0 or 3.11.2, but the cluster is the latest in a long pattern of vm2 escapes; the editorial recommendation is to migrate away from vm2, not just upgrade.
CISA Known Exploited Vulnerabilities
CISA KEV, urgent
CVE-2026-20182 (CVSS base 10), Cisco Catalyst SD
Federal deadline: May 16, 2026 (1 day remaining)
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Critical Vulnerabilities
CVE-2026-46364 (CVSS base 9.8), HP phpMyFAQ
phpMyFAQ contains an unauthenticated SQL injection vulnerability in its captcha handling methods, allowing attackers to extract sensitive database information.
CVE-2026-41258 (CVSS base 9.1), Apache Velocity templates
OpenMRS Core fails to properly sandbox Apache Velocity templates, allowing authenticated users with specific privileges to achieve arbitrary Java reflection and code execution.
CVE-2021-47965 (CVSS base 9.8), WordPress plugin WP Super Edit (late disclosure)
The WP Super Edit plugin for WordPress contains an unrestricted file upload vulnerability in the FCKeditor component, enabling remote code execution.
CVE-2026-45010 (CVSS base 9.1), HP phpMyFAQ
phpMyFAQ lacks rate limiting on its TOTP authentication endpoint, allowing unauthenticated attackers to brute-force two-factor authentication tokens.
CVE-2026-44717 (CVSS base 9.8), MCP Calculate Server
The MCP Calculate Server utilizes the unsafe eval() function to process mathematical expressions, allowing unauthenticated remote code execution.
CVE-2026-44551 (CVSS base 9.1), Intel Open WebUI
The LDAP authentication endpoint in Open WebUI fails to validate non-empty passwords, allowing unauthenticated attackers to bypass authentication and obtain session tokens.
High Priority Updates
CISA KEV
CVE-2026-42897 (CVSS base 8.1), Microsoft Exchange Server
Federal deadline: May 28, 2026 (13 days remaining)
A cross-site scripting (XSS) vulnerability in Microsoft Exchange Server allows unauthenticated attackers to perform spoofing over a network.
CVE-2026-8558 (CVSS base 8.8), Google Chrome
Out of bounds write in Fonts in Google Chrome prior to 148
CVE-2021-47966 (CVSS base 8.2), HP Timeclock (late disclosure)
PHP Timeclock 1
CVE-2026-4094 (CVSS base 8.1), WordPress plugin FOX – Currency Switcher Professional for WooCommerce
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1
CVE-2026-4030 (CVSS base 8.1), WordPress plugin Database Backup for WordPress
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2
CVE-2021-47964 (CVSS base 8.8), HP, Schlix CMS (late disclosure)
Schlix CMS 2
CVE-2026-46367 (CVSS base 7.6), HP, multiple products
phpMyFAQ before 4
CVE-2026-35194 (CVSS base 8.1), Apache Flink
Code injection in SQL code generation in Apache Flink 1
CVE-2026-41702 (CVSS base 7.8), VMware Fusion
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary
CVE-2026-42283 (CVSS base 7.7), Kubernetes, multiple products
DevSpace is a client-only developer tool for cloud-native development with Kubernetes
CVE-2026-45370 (CVSS base 7.7), vendor unknown, multiple products
python-utcp is the python implementation of UTCP
CVE-2026-8657 (CVSS base 8.2), jsondiffpatch
Versions of the package jsondiffpatch before 0
CVE-2026-45672 (CVSS base 8.8), Intel Open WebUI
A vulnerability exists in Open WebUI that may allow for unauthorized access or system impact.
CVE-2026-44552 (CVSS base 8.7), Intel Open WebUI
A vulnerability exists in Open WebUI that may allow for unauthorized access or system impact.
CVE-2026-45315 (CVSS base 8.7), Intel Open WebUI
A vulnerability exists in Open WebUI that may allow for unauthorized access or system impact.
CVE-2026-45331 (CVSS base 8.5), Intel Open WebUI
A security vulnerability has been identified in the Open WebUI platform, an AI interface designed for self-hosted, offline environments.
CVE-2026-45400 (CVSS base 8.5), Intel Open WebUI
A security vulnerability has been identified in the Open WebUI platform, an AI interface designed for self-hosted, offline environments.
CVE-2026-45401 (CVSS base 8.5), Intel Open WebUI
A security vulnerability has been identified in the Open WebUI platform, an AI interface designed for self-hosted, offline environments.
CVE-2026-44570 (CVSS base 8.3), Intel Open WebUI
A security vulnerability has been identified in the Open WebUI platform, an AI interface designed for self-hosted, offline environments.
CVE-2026-34253 (CVSS base 8.2), vendor unknown, multiple products
A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1
CVE-2026-44633 (CVSS base 8.1), Live Helper Chat, multiple products
Live Helper Chat is an open-source application that enables live support websites
CVE-2026-8629 (CVSS base 8.1), ABB, multiple products
Crabbox prior to v0
CVE-2026-28761 (CVSS base 8.1), Infor, multiple products
Cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203
CVE-2026-46407 (CVSS base 8.1), vendor unknown, multiple products
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores
CVE-2026-44553 (CVSS base 8.1), Intel Open WebUI
A security vulnerability has been identified in the Open WebUI platform, an AI interface designed for self-hosted, offline environments.
CVE-2026-44554 (CVSS base 8.1), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-45675 (CVSS base 8.1), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-45402 (CVSS base 8.1), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-44565 (CVSS base 8.1), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-45301 (CVSS base 8.1), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-45665 (CVSS base 8.1), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-45671 (CVSS base 8), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-43903 (CVSS base 7.8), vendor unknown, multiple products
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation
CVE-2026-43904 (CVSS base 7.8), vendor unknown, multiple products
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation
CVE-2026-43905 (CVSS base 7.8), vendor unknown, multiple products
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation
CVE-2026-43906 (CVSS base 7.8), vendor unknown, multiple products
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation
CVE-2026-45303 (CVSS base 7.7), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-45338 (CVSS base 7.7), Intel, multiple products
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline
CVE-2026-44516 (CVSS base 7.6), Infor, multiple products
Valtimo is an open-source business process automation platform