CVE-2024-7593
An authentication bypass vulnerability in the Ivanti vTM admin panel allows remote unauthenticated attackers to gain unauthorized administrative access.
Saturday's disclosures are led by infrastructure and e-commerce platform flaws, including a maximum-severity Kubernetes identity configuration vulnerability (CVE-2026-46389, CVSS 10) and a perfect-score WooCommerce product slider plugin flaw (CVE-2026-49777, CVSS 10). The day brought 10 critical CVEs, down 41% from the prior day's 17, alongside 30 high-priority vulnerabilities, a 63% decrease from 82. Notable critical issues include Termix remote code execution flaws (CVE-2026-45744 and CVE-2026-45748, CVSS 9.9 and 9.8) and dual Morse Micro HaLowLink 2 wireless gateway vulnerabilities (CVE-2026-7762 and CVE-2026-7763, both CVSS 9.8). Affected products span container orchestration, WordPress/WooCommerce plugins, industrial UPS controllers (NetMan 204), and embedded networking hardware, with remote code execution and authentication bypass the dominant attack patterns. No patches were available for these disclosures at publication, so teams should prioritize mitigations and exposure reduction; six separately tracked vulnerabilities across Ivanti, Oracle, Linux, Android, Magento, and SolarWinds remain under active exploitation.
Immediate action: Prioritize Kubernetes identity configurations (CVE-2026-46389) and WooCommerce/WordPress plugin deployments (CVE-2026-49777, CVE-2026-10580), then assess Termix, Morse Micro HaLowLink 2, and NetMan 204 exposure for remote code execution risk. With no patches available for these disclosures, apply vendor mitigations, restrict network exposure of affected management interfaces, and monitor for vendor advisories. Separately, ensure the six actively exploited vulnerabilities across Ivanti, Oracle, Linux, Android, Magento, and SolarWinds are remediated.
Oracle WebLogic Server contains an unspecified vulnerability that is currently being exploited in the wild.
A privilege escalation vulnerability in the Linux Kernel cgroup_release_agent_write function allows unprivileged users to escape container environments and gain elevated host privileges.
An integer overflow vulnerability in the Android Framework allows for potential unauthorized system access and is currently tracked in the CISA KEV catalog.
Mirasvit Full Page Cache Warmer for Magento 2 contains a PHP object injection vulnerability allowing unauthenticated RCE via the CacheWarmer cookie.
SolarWinds Serv-U is vulnerable to an uncontrolled resource consumption flaw allowing unauthenticated attackers to crash the service via specially crafted POST requests.
A logic error in the Kubernetes UDS Identity Config component allows attackers to bypass client secret authentication and obtain unauthorized OAuth2 tokens.
The Hippoo Mobile App for WooCommerce plugin for WordPress contains an authentication bypass flaw that allows unauthenticated attackers to take over administrator accounts.
The Termix platform contains an OS command injection vulnerability in the resolvePath endpoint, allowing authenticated users with an active session to execute arbitrary commands on remote hosts.
NetMan 204 contains a hard-coded backdoor account that allows remote, unauthenticated attackers to gain administrative access via the login endpoint.
The Termix platform is vulnerable to persistent OS command injection via the tunnel connect endpoint due to improper input sanitization of host record fields.
A heap-based buffer overflow in the Morse Micro HaLowLink 2 kernel driver allows unauthenticated attackers within radio range to achieve DoS or Remote Code Execution.
A heap-based buffer overflow in the Morse Micro HaLowLink 2 kernel driver allows unauthenticated attackers within radio range to cause system crashes or Remote Code Execution.
An improper validation vulnerability in ShapedPlugin Product Slider Pro for WooCommerce allows unauthenticated attackers to implant malicious software on the affected site.
NetMan 204 fails to enforce authentication on administrative pages, allowing unauthenticated attackers to disclose sensitive information and execute privileged commands.
A critical authentication bypass vulnerability in DTS Electronics Redline WR3200 allows unauthenticated attackers to access restricted functions due to missing access control validation.
A use-after-free vulnerability exists in the Chromoting component of Google Chrome prior to version 149, which could lead to arbitrary code execution.
A use-after-free vulnerability in the WebAppInstalls component of Google Chrome on Android prior to version 149 may allow for arbitrary code execution.
A use-after-free vulnerability in the Autofill component of Google Chrome on iOS prior to version 149 could lead to memory corruption and potential code execution.
A use-after-free vulnerability in the Views component of Google Chrome prior to version 149 could allow for arbitrary code execution.
A heap buffer overflow vulnerability exists in the TabStrip component of Google Chrome, potentially allowing for heap corruption via crafted HTML pages.
A use-after-free vulnerability in the Network module of Google Chrome allows remote attackers to trigger heap corruption via crafted network traffic.
A use-after-free vulnerability in the Views component of Google Chrome may allow remote attackers to exploit heap corruption via crafted HTML pages.
A use-after-free vulnerability in the Base component of Google Chrome on Linux allows attackers to disclose sensitive process memory information.
A use-after-free vulnerability in the WebView component of Google Chrome on Android allows remote attackers to trigger heap corruption via crafted HTML content.
A use-after-free vulnerability exists in the Chromoting component of Google Chrome, allowing remote attackers to execute arbitrary code via malicious network traffic.
A use-after-free vulnerability in the Media component of Google Chrome allows a remote, unauthenticated attacker to execute arbitrary code within the browser sandbox via a crafted video file.
A use-after-free vulnerability in the Omnibox feature of Google Chrome allows an attacker to potentially execute arbitrary code or cause a denial of service via a crafted HTML page.
A use-after-free vulnerability in the USB component of Google Chrome on Android allows a remote attacker to achieve a sandbox escape via a crafted HTML page.
An inappropriate implementation in the GPU component of Google Chrome allows a remote, unauthenticated attacker to potentially perform a sandbox escape via a crafted HTML page.
An inappropriate implementation vulnerability in the V8 engine of Google Chrome allows remote attackers to execute arbitrary code within the sandbox via a crafted HTML page.
Insufficient input validation in Google Chrome DevTools allows a remote attacker to bypass the Same Origin Policy via malicious network traffic after triggering specific UI gestures.
A Type Confusion vulnerability in the ANGLE graphics library in Google Chrome on Windows allows a remote attacker to trigger out-of-bounds memory access.
An inappropriate implementation in the V8 engine of Google Chrome allows remote attackers to potentially exploit heap corruption via a crafted HTML page.
Insufficient validation of untrusted input in the Media component of Google Chrome on Windows allows a remote attacker to perform a sandbox escape.
Insufficient validation of untrusted input in Google Chrome Codecs allows a remote attacker to perform an out-of-bounds memory write via a crafted video file.
An integer overflow vulnerability in the GPU component of Google Chrome on Android allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
An inappropriate implementation in the Dawn component of Google Chrome allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.
Insufficient policy enforcement in Google Chrome DevTools allows an attacker who convinces a user to install a malicious extension to perform privilege escalation.
An insecure implementation in Google Chrome's Isolated Web Apps framework allows a malicious file to trigger code execution within a sandboxed environment.
An inappropriate implementation of NFC in Google Chrome on Android allows a remote attacker to perform privilege escalation via a crafted HTML page.
An incorrect security UI implementation in the Contact Picker of Google Chrome on Android allows remote attackers to perform UI spoofing via a crafted HTML page.
An incorrect security UI implementation in the Messages component of Google Chrome on Android enables remote attackers to perform UI spoofing via a malicious HTML page.
An inappropriate implementation in the Opaque Response Blocking (ORB) mechanism in Google Chrome allows remote attackers to bypass site isolation via a crafted HTML page.
A stored Cross-site Scripting (XSS) vulnerability in Netcad Software's Netigma platform allows remote attackers to inject malicious scripts into web pages.
A cross-site scripting (XSS) vulnerability exists in PROLIZ Computer's OBS system due to improper neutralization of user-supplied input during web page generation.