CVE-2026-48908
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Enterprise infrastructure led yesterday's disclosures, with Dell PowerProtect Data Domain, Apache Airflow, and the Gitea self-hosted Git server all carrying critical remote-exploitation flaws. The day brought 23 critical CVEs (down 34% from 35) and 65 high-priority CVEs (down 24% from 86), a lower overall volume weighted toward high-impact enterprise targets. Standouts include CVE-2026-53481 and CVE-2026-53483 (CVSS 9.8) in Dell PowerProtect Data Domain, CVE-2026-33264 (CVSS 9.8) in Apache Airflow, and CVE-2026-13019 (CVSS 9.8) in Esri Portal for ArcGIS. Four vulnerabilities have confirmed active exploitation, including Adobe ColdFusion (CVE-2026-48282) and Langflow (CVE-2026-55255), spanning web application builders and AI orchestration tooling. Patches were not yet published for the disclosed set at collection time, so teams should prioritize vendor advisories and interim mitigations for exposed data-protection, CI/CD, and web-facing systems.
Immediate action: Prioritize Dell PowerProtect Data Domain, Apache Airflow, Gitea, and Esri Portal for ArcGIS, along with the actively exploited Adobe ColdFusion and Langflow instances, for immediate review and network exposure reduction. With no patches published for the disclosed set at collection time, apply vendor mitigations, restrict external access, and monitor advisories for fixes as they are released.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
The Page Builder CK extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, enabling attackers to execute malicious code on the server.
Adobe ColdFusion is affected by a path traversal vulnerability that permits unauthenticated remote attackers to execute arbitrary code.
The Simple Coherent Form WordPress plugin contains a path traversal vulnerability allowing unauthenticated remote file deletion and potential code execution.
A deserialization vulnerability in Apache Airflow allows unauthenticated attackers to achieve remote code execution via malicious DAG serialization.
The Eventer WordPress plugin stores password reset keys in plaintext, allowing unauthenticated attackers to hijack user accounts.
Esri Portal for ArcGIS versions 12.1 and earlier contain a missing authentication vulnerability allowing remote, unauthenticated attackers to access an unprotected API.
Coder contains an improper cryptographic signature verification flaw in `azureidentity.Validate()`, allowing attackers to forge session tokens via manipulated Azure VM identities.
Dell PowerProtect Data Domain is affected by an unauthenticated path traversal vulnerability that could allow attackers to gain unauthorized access and take control of the system.
Dell PowerProtect Data Domain contains an improper authentication vulnerability that allows unauthenticated remote attackers to gain unauthorized access and full system control.
Gitea versions before 1.25.5 fail to properly enforce OAuth2 authorization code expiry and single-use requirements, allowing attackers to replay codes to bypass authentication.
Gitea versions before 1.25.5 fail to correctly persist OAuth2 PKCE S256 challenges, allowing token exchange to proceed without mandatory verifier validation.
The WP Learn Manager plugin for WordPress contains an authorization bypass vulnerability that allows unauthenticated attackers to install and activate arbitrary plugins on the host site.
The Uncanny Automator Pro WordPress plugin was distributed with a backdoor, allowing unauthenticated attackers to gain administrative access and exfiltrate site credentials.
The DoLeads Integrator and wp2epub WordPress plugins are susceptible to code injection, allowing unauthorized users to achieve remote code execution.
WebPros Plesk contains an authorization flaw in the XML-RPC API that allows authenticated customers to access cross-tenant data and plaintext FTP credentials.
The mem0 API component suffers from an unauthenticated access vulnerability allowing remote attackers to read, write, or delete user memories and trigger a denial-of-service state.
9Router contains an OS command injection vulnerability in an unauthenticated API endpoint, allowing remote attackers to execute arbitrary system commands as root.
Unauthenticated configuration endpoints in mem0 expose plaintext API keys and allow for server-side request forgery (SSRF) attacks against internal services.
A heap use-after-free vulnerability in X.Org xorg-x11-server and xwayland allows local attackers with a GLX connection to trigger memory corruption via the CommonMakeCurrent() function.
An improper authentication vulnerability in Dassault Systèmes DELMIA Apriso (2020-2026) allows remote, unauthenticated attackers to gain privileged access to the server.
A vulnerability in the Perl Module::Load library allows unauthenticated attackers to load arbitrary modules from unauthorized paths, potentially leading to remote code execution.
Cognee contains an improper access control vulnerability allowing unauthenticated attackers to overwrite global LLM provider settings via the API, enabling wide-scale data exfiltration.
Gitea versions before 1.25.5 fail to use the migration HTTP transport for LFS operations, bypassing configured security protections for push and sync mirror requests.
Gitea versions before 1.25.5 contain an improper input validation vulnerability in repository creation fields, potentially allowing unauthorized data manipulation.
Gitea versions before 1.25.5 improperly handle path resolution during template repository generation, allowing reads or writes through symlinks or non-regular paths.
The Widget Logic Visual plugin for WordPress contains an unrestricted file upload vulnerability that allows authenticated users with low-level access to execute arbitrary code.
A local privilege escalation vulnerability exists in the MSI KernCoreLib64.sys kernel driver due to insufficient access control on exposed IOCTL handlers.
Koodo Reader is susceptible to a code injection vulnerability, which can be triggered when a user opens a malicious file, leading to potential arbitrary code execution.
Oraios Serena is vulnerable to missing authentication and Cross-Site Request Forgery (CSRF), allowing unauthorized users to potentially trigger critical functions.
Foxit PDF Editor and Reader are susceptible to a use-after-free vulnerability triggered by maliciously crafted JavaScript within a PDF document.
A use-after-free vulnerability in Foxit PDF Editor and Reader allows for potential code execution when processing PDFs with embedded JavaScript.
A use-after-free vulnerability in Foxit PDF Editor and Reader allows attackers to execute arbitrary code via a maliciously crafted PDF file using a damaged field tree.
A use-after-free vulnerability in Foxit PDF Editor and Reader allows attackers to execute arbitrary code by manipulating form field properties via JavaScript.
A use-after-free vulnerability in Foxit PDF Editor and Reader permits arbitrary code execution when JavaScript performs invalid operations on deleted form field objects.
A use-after-free vulnerability in Foxit PDF Editor/Reader occurs when JavaScript deletes PDF fields, leading to invalid pointer references and potential application crashes or arbitrary code execution.
A use-after-free vulnerability exists in Foxit PDF Editor and Reader where JavaScript-driven form modifications can lead to memory corruption and potential system instability.
A use-after-free vulnerability in Foxit PDF Editor/Reader occurs due to a lack of re-entry protection and object verification during form synchronization, leading to control pointer failure.
A buffer handling vulnerability in Foxit PDF Editor and Reader allows for application crashes and potential code execution via abnormally constructed objects and JavaScript triggers.
A memory management vulnerability in Foxit PDF Editor and Reader allows for potential arbitrary code execution when processing malicious PDF files containing specifically crafted annotation attributes.
A use-after-free vulnerability in Foxit PDF Editor and Reader exists when resetting form fields via JavaScript, potentially leading to arbitrary code execution.
A use-after-free vulnerability exists in Foxit PDF Editor and Reader, where processing malicious JavaScript while deleting pages and annotations leads to an application crash or potential code execution.
A use-after-free vulnerability in Foxit PDF Editor and Reader occurs when executing JavaScript that performs abnormal operations on list box fields, potentially leading to arbitrary code execution.
The DoLogin Security plugin for WordPress is vulnerable to authentication bypass due to the use of a cryptographically weak pseudo-random number generator.
The 多说社会化评论框 WordPress plugin is susceptible to a privilege escalation vulnerability, allowing authenticated attackers to elevate their access level.
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to a failure to validate file types in the connect() function.
The Frontend File Manager Plugin for WordPress is vulnerable to path traversal and improper file handling, allowing attackers to manipulate file operations.
An authorization bypass vulnerability in Coder allows an authenticated user with administrative privileges to manipulate remote development environment provisioning via Terraform.
Coder is susceptible to OS command injection and output injection, potentially allowing unauthorized code execution in remote development environments.
Coder contains an authorization flaw that may allow authenticated users to perform unauthorized actions within the development environment.
Coder is vulnerable to OS command injection, which can be triggered by unauthenticated users through specially crafted requests.
A heap-based buffer overflow vulnerability exists in the SASL I/O layer of Red Hat Directory Server (389-ds-base), potentially allowing for arbitrary code execution.
A stack-based buffer overflow vulnerability in Labcenter Proteus allows a local attacker to execute arbitrary code via a malicious file.
Gitea versions before 1.25.5 exhibit insufficient visibility checks within organization permission APIs, potentially exposing private information about hidden members and organizations.
Vtiger CRM is vulnerable to an unrestricted file upload flaw, enabling authenticated attackers to perform Remote Code Execution (RCE).
A vulnerability in the SUSE Rancher Fleet agent-side deployer fails to filter sensitive security keys from namespaceLabels, potentially leading to unauthorized information disclosure.
HAVELSAN Liman MYS is susceptible to an LDAP injection vulnerability, allowing authenticated attackers to manipulate LDAP queries.
A flaw in the SSSD LDAP sudo provider within Red Hat Enterprise Linux and OpenShift allows potential security misconfiguration risks.
DataEase is vulnerable to an incorrect authorization flaw, which may allow unauthenticated attackers to access sensitive data.
DataEase is susceptible to an authorization bypass vulnerability allowing unauthenticated attackers to access sensitive data via user-controlled keys.
DataEase contains a missing authorization vulnerability that allows authenticated users to perform actions exceeding their intended privileges.
DataEase is vulnerable to code injection, allowing authenticated users to execute arbitrary code within the application environment.
DataEase is susceptible to an unrestricted file upload vulnerability, allowing authenticated attackers to upload malicious files.
DataEase contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries.
The Phoenix framework is vulnerable to resource exhaustion through an allocation of resources without proper limits or throttling.
FastGPT is susceptible to an authorization bypass vulnerability allowing unauthenticated attackers to access restricted knowledge base data via user-controlled keys.
LocalAI contains an unauthenticated server-side request forgery (SSRF) vulnerability in the /models/apply endpoint that allows attackers to force the server to fetch arbitrary internal URLs.
A heap-based buffer overflow exists in xorg-server and xwayland, which could allow a local attacker with an X connection to execute arbitrary code.
Fuji Electric Pupsman is susceptible to an incorrect default permissions vulnerability, which may allow local authenticated users to gain unauthorized access to system resources.
The Calibre e-book manager is vulnerable to code injection, which can be triggered when a user processes a maliciously crafted e-book file.
Fuji Electric Pupsman contains an uncontrolled search path element vulnerability that may allow an attacker to execute arbitrary code via a malicious library file.
Labcenter Proteus contains an out-of-bounds write vulnerability that allows an attacker to cause the application to write data past the end of an allocated memory buffer.
PcVue projects utilize an inadequate encryption algorithm to protect user account configurations stored in the built-in user directory, affecting all versions prior to 17.
The Actual personal finance application suffers from insufficient session expiration, which could allow an attacker to maintain unauthorized access to a user's account.
DataEase contains hard-coded cryptographic keys and credentials that could allow an attacker to bypass security controls.
Liman MYS is affected by a missing authorization vulnerability that permits authenticated users to perform unauthorized actions.
Foxit PDF Editor and Reader contain an uncontrolled search path vulnerability that allows low-privileged users to achieve system-level code execution.
A weak password recovery mechanism in Esri Portal for ArcGIS allows for potential unauthorized account access.
Liman MYS is susceptible to an improper cryptographic signature verification vulnerability, potentially allowing unauthorized data manipulation.
A path traversal vulnerability in the SSSD AD GPO provider of Red Hat Enterprise Linux allows for potential unauthorized file access.
A use-after-free vulnerability exists in Foxit PDF Editor and Reader, which may allow an attacker to execute arbitrary code when opening a maliciously crafted PDF file.
A use-after-free vulnerability in Foxit PDF Editor and Reader arises from improper validation of annotation relationships and field combinations during hyperlink processing.
A use-after-free vulnerability in Foxit PDF Editor and Reader occurs when the software incorrectly processes document fields after a page deletion, leading to an illegal memory read.
A use-after-free vulnerability in Foxit PDF Editor and Reader allows attackers to execute arbitrary code via a malicious PDF file that resets annotation status and triggers a form reset event.
An improper array index validation vulnerability in Foxit PDF Editor and Reader allows attackers to trigger memory corruption via a malicious PDF with improper cloud-like construction parameters.
A type confusion vulnerability in Foxit PDF Editor and Reader exists when processing abnormal annotations, potentially allowing an attacker to execute arbitrary code.
An out-of-bounds write vulnerability exists in Foxit PDF Editor and Reader when processing specially crafted Unity 3D objects, potentially allowing for arbitrary code execution.
A use-after-free vulnerability in Labcenter Proteus during file parsing can lead to memory corruption, potentially allowing an attacker to execute arbitrary code.
Gitea versions before 1.25.5 contain an access control vulnerability that allows unauthorized updating or rebasing of pull request branches.
Gitea 1.26.2 contains an improper authorization vulnerability that allows unauthenticated users to access labels belonging to private organizations.
Gitea versions before 1.25.5 contain an authorization bypass vulnerability allowing an attacker to modify the primary email address of other users.