CVE-2026-48908
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Friday's disclosures center on web-facing platforms and content management extensions, with Metabase (CVE-2026-59827, CVSS 9.9), the Xen hypervisor stack (CVE-2025-58146 XAPI and CVE-2025-27462/27463 Windows PV drivers, CVSS 9.4), and multiple WordPress plugins carrying near-maximum severity. The day brought 30 critical CVEs, up 88% from the prior day's 16, alongside 61 high-priority vulnerabilities, down 6% from 65. Notable critical entries include CVE-2026-15158 (CVSS 9.8) in Blocksy Companion, CVE-2026-14261 and CVE-2026-12116 in Xerte Online Tools, and CVE-2026-15282 (CVSS 9.8) in the Instant Appointment plugin. Attack patterns are dominated by remote code execution and authentication weaknesses in publicly exposed applications, with WordPress plugins, Joomla page builders, and virtualization infrastructure among the most affected products. No vendor patches were recorded at disclosure time, so teams should prioritize inventory review and compensating controls while awaiting fixes; four vulnerabilities have confirmed active exploitation.
Immediate action: Prioritize public-facing systems running Metabase, Xen/XAPI hypervisors, Adobe ColdFusion, Langflow, and Joomla/WordPress deployments, as these carry the highest-severity and actively exploited flaws. With no vendor patches available at disclosure, apply access restrictions, network segmentation, and monitoring for the affected services until fixes are released, and track the four exploited CVEs for emergency remediation as updates ship.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
The Page Builder CK extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, enabling attackers to execute malicious code on the server.
Adobe ColdFusion is affected by a path traversal vulnerability that permits unauthenticated remote attackers to execute arbitrary code.
A flaw in the Blocksy Companion plugin's file validation allows unauthenticated attackers to upload malicious files, leading to remote code execution when specific premium extensions are active.
The GEO my WP WordPress plugin is vulnerable to unauthenticated SQL injection via the 'distance', 'lat', and 'lng' parameters due to improper sanitization of numeric inputs.
Xerte Online Tools is vulnerable to an authentication bypass and remote code execution flaw via the /setup/ folder, allowing attackers to force a service reinstallation to a remote database.
Xen XAPI contains multiple vulnerabilities related to improper input validation, leading to potential database corruption, event thread termination, and service disruption.
The Instant Appointment WordPress plugin is vulnerable to unauthenticated arbitrary file uploads, potentially leading to remote code execution.
The Super Forms plugin for WordPress suffers from an unauthenticated arbitrary file upload vulnerability via the `submit_form` AJAX handler, enabling potential remote code execution.
Metabase instances using H2 database connections are vulnerable to remote code execution via the deserialization of untrusted data in native query results.
A code injection vulnerability in Xerte Online Tools allows unauthenticated attackers to achieve Remote Code Execution (RCE) by manipulating the antivirus binary path to execute arbitrary PHP code.
The Xen Windows PV drivers for the XenCons facility lack proper security descriptors, allowing unprivileged users to access the interface and potentially gain unauthorized system privileges.
The Xen Windows PV drivers for the XenIface facility lack proper security descriptors, allowing unprivileged users to access the interface and potentially gain unauthorized system privileges.
The Xen Windows PV drivers fail to implement security descriptors on various facilities, allowing unprivileged users to access sensitive interfaces.
A SQL injection vulnerability in the AcyMailing extension for Joomla allows unauthenticated attackers to access and leak sensitive database information.
Metabase fails to validate H2 database connection properties, allowing an authenticated administrator to execute arbitrary Java code on the server.
Ruflo's default deployment exposes unauthenticated MCP endpoints, allowing remote attackers to execute terminal commands and steal API keys.
A privilege escalation vulnerability in Xen XAPI allows a vm-admin to manipulate arbitrary files in dom0 by misconfiguring VBD settings, leading to unauthorized read or write access.
A vulnerability in Xen XAPI allows a vm-admin to mark a VM as a system domain, which can cause the domain to be hidden from management tooling and persist during host operations.
A vulnerability in Xen XAPI allows a vm-admin to manipulate storage domain configurations, potentially causing host storage connections to be erroneously marked as unplugged.
Xen XAPI fails to perform necessary authorization checks for PCI passthrough configuration, allowing lower-privileged administrators to access unintended host hardware.
Xen XAPI improperly restricts access to the VM.platform:hvm_serial parameter, allowing vm-admin users to write arbitrary files to the dom0 host system.
Langroid versions prior to 0.65.2 contain a sandbox escape vulnerability in its TableChatAgent and VectorStore capabilities, allowing unauthenticated Remote Code Execution via malicious LLM prompts.
Hermes WebUI contains an unauthenticated remote code execution vulnerability in its embedded terminal API, allowing attackers to execute arbitrary shell commands via sequential HTTP requests.
An authentication bypass vulnerability in Hermes WebUI allows attackers to spoof X-Forwarded-For headers to circumvent IP restrictions and perform unauthorized actions on onboarding endpoints.
Langroid contains an SQL injection vulnerability where bypassable regex blocklists allow attackers to execute restricted PostgreSQL functions despite existing security mitigations.
Xen's varstored component contains a TOCTOU race condition due to insufficient compiler barriers, potentially allowing an attacker to manipulate internal jump table indices.
Kirby CMS incorrectly trusts reverse proxy headers for IP verification, allowing unauthenticated attackers to bypass local-IP checks and perform unauthorized administrative installations.
BiEticaret is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL commands against the database.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
A resource leak in Xen oxenstored allows for improper node usage tracking during domain teardown, resulting in potential denial-of-service conditions for future domain IDs.
A Stored Cross-Site Scripting (XSS) vulnerability in OceanicSoft Informatics Systems ValeApp allows unauthenticated attackers to inject malicious scripts into web pages.
Langroid's Neo4jChatAgent is vulnerable to prompt injection, allowing attackers to execute arbitrary Cypher queries and potentially gain OS-level access if server configurations permit.
A use-after-free vulnerability in the IndexedDB component of Google Chrome allows for potential memory corruption and arbitrary code execution.
A use-after-free vulnerability exists within the Extensions component of Google Chrome, potentially allowing attackers to execute arbitrary code.
A use-after-free vulnerability in the Ozone graphics abstraction layer of Google Chrome could lead to memory corruption and potential code execution.
A use-after-free vulnerability exists in the Actor component of Google Chrome, potentially allowing for arbitrary code execution.
A use-after-free vulnerability in the Input component of Google Chrome may allow an attacker to achieve arbitrary code execution via a malicious webpage.
A use-after-free vulnerability in the WebRTC implementation of Google Chrome could lead to memory corruption and potential code execution.
A use-after-free vulnerability exists in the Forms component of Google Chrome, potentially allowing remote code execution via a specially crafted webpage.
A use-after-free vulnerability in the Views component of Google Chrome allows remote attackers to trigger memory corruption and potentially execute arbitrary code.
A use-after-free vulnerability in the InterestGroups component of Google Chrome allows remote attackers to cause memory corruption and potential arbitrary code execution.
A use-after-free vulnerability exists in the Core component of Google Chrome on Windows, potentially allowing for arbitrary code execution.
Pimcore is vulnerable to a weak password recovery mechanism, which could allow attackers to compromise user accounts through manipulated recovery processes.
Coolify is vulnerable to OS Command Injection, allowing an authenticated user to execute arbitrary commands on the underlying server.
An out-of-bounds read and write vulnerability exists within the Codecs component of Google Chrome, which can be exploited by remote attackers.
An inappropriate implementation vulnerability in the DOM (Document Object Model) of Google Chrome allows for potential security bypasses.
An inappropriate implementation vulnerability exists in the Forms component of Google Chrome, potentially leading to significant system impact.
An uninitialized use vulnerability in the V8 JavaScript engine of Google Chrome can be exploited to achieve unauthorized system impact.
Samsung Bixby contains a vulnerability due to improper export of Android application components, which may allow unauthorized local access to sensitive application data.
A race condition vulnerability in the GetUserMedia API of Google Chrome could allow for unauthorized access or system manipulation.
Google Chrome on Windows contains a vulnerability involving insufficient validation of untrusted input within its Codecs, potentially leading to arbitrary code execution.
The Pimcore Studio Backend Bundle is vulnerable to SQL Injection, allowing authenticated users to execute malicious database queries.
The LoginPress Pro plugin for WordPress is susceptible to an authentication bypass vulnerability due to unverified OAuth email handling.
The LoginPress Pro plugin for WordPress is vulnerable to an authentication bypass via the GitHub OAuth callback mechanism.
The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access.
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), potentially allowing unauthorized administrative actions.
The UsersWP plugin for WordPress is susceptible to an arbitrary file deletion vulnerability due to improper path validation.
The Divi Torque Lite plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), potentially allowing unauthorized state-changing actions via a victim's session.
The WP Business Intelligence Lite plugin for WordPress contains an authorization bypass vulnerability, allowing authenticated users with lower privileges to perform actions restricted to higher-level roles.
The CPython incremental HTML parser is vulnerable to a denial-of-service condition via resource exhaustion, triggered by processing specially crafted HTML content.
Mockoon is susceptible to multiple vulnerabilities, including missing authentication for critical functions and Cross-Site Request Forgery (CSRF), potentially allowing unauthorized administrative actions.
The Axivion Dashboard API contains an authorization flaw that allows authenticated users to create API tokens for other users without the required permissions.
QuantumNous new-api is susceptible to Server-Side Request Forgery (SSRF), allowing an authenticated attacker to perform unauthorized requests from the application server.
SOPlanning contains a SQL injection vulnerability in the audit retention configuration, allowing an authenticated high-privileged user to execute arbitrary SQL commands.
Cotonti Siena is vulnerable to Cross-Site Request Forgery (CSRF) via the admin.php configuration update endpoint, potentially leading to unauthorized administrative actions.
The Allwinner H616 TV Box TV98 model ships with the Android Debug Bridge (ADB) enabled and exposed to the network by default, creating an unauthorized remote access vector.
The Langroid framework is vulnerable to path traversal and SQL injection attacks, allowing unauthenticated remote attackers to compromise data integrity and confidentiality.
The SiYuan personal knowledge management system contains multiple vulnerabilities, including Cross-site Scripting (XSS) and Code Injection, allowing for unauthorized remote execution.
SiYuan is vulnerable to stored Cross-Site Scripting (XSS) due to improper neutralization of script-related HTML tags, potentially allowing remote execution of malicious scripts.
The DeepSeek MCP Server is susceptible to an authorization bypass, allowing unauthenticated attackers to manipulate user-controlled keys to access unauthorized resources.
Kirby CMS is affected by multiple Cross-Site Scripting (XSS) vulnerabilities, allowing authenticated users with lower privileges to execute malicious scripts in the administrative interface.
An out-of-bounds write vulnerability exists in the libsavsac library within Samsung mobile devices, potentially allowing unauthorized memory modification.
An out-of-bounds write vulnerability in the libimagecodec component of Samsung mobile devices during TIFF parsing could lead to memory corruption.
A time-of-check time-of-use (TOCTOU) race condition in the fabricKeymaster trustlet on Samsung mobile devices allows local privileged attackers to execute arbitrary code.
An out-of-bounds write vulnerability exists in the libimagecodec component of Samsung mobile devices when parsing DNG format images.
An out-of-bounds write vulnerability exists in the libpadm library of Samsung mobile devices, potentially allowing for memory corruption.
A code injection vulnerability (CWE-94) exists in the Vim text editor, allowing for arbitrary code execution when processing malicious input.
A code injection vulnerability in Vim allows local attackers to execute arbitrary code via malicious input, potentially resulting in full system compromise.
OpenStack Ironic contains an improper protection of alternate path vulnerability that may allow authenticated administrators to perform unauthorized actions.
Discourse is affected by an improper privilege management vulnerability, which may allow unauthenticated remote attackers to gain unauthorized access to sensitive information.
PEAKUP Technology PassGate is vulnerable to LDAP injection due to improper neutralization of special elements in queries, allowing unauthenticated attackers to manipulate backend directory lookups.
The langroid framework is susceptible to special element injection due to a failure to sanitize input, which may allow an authenticated user to execute unauthorized actions.
Open WebUI is vulnerable to authentication bypass and spoofing, which could allow a remote, authenticated user to achieve total system compromise through cross-site scripting or related vectors.
NTPsec gpsd is vulnerable to OS command injection via the gnuplot plot title subtype field, allowing for arbitrary code execution.
SiYuan is vulnerable to path traversal, allowing authenticated users to access sensitive files outside of the intended directory structure.
Crypt::DSA versions before 1.
An SQL injection vulnerability in the Real State Services application allows unauthenticated remote attackers to execute unauthorized database queries via the 'loc' parameter.
A SQL injection vulnerability in the Hanwang e-Face General Management Platform allows unauthenticated remote attackers to manipulate database queries via the 'order' argument.
An SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'ID' parameter.
A SQL injection vulnerability exists in the code-projects Smart Parking System 1.0, allowing unauthenticated remote attackers to execute arbitrary SQL commands and read files.
An unrestricted file upload vulnerability in Ruijie RG-UAC allows remote attackers to upload arbitrary files by manipulating the 'upload_image' argument in 'user_auth_commit.php'.
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate SQL queries via the 'ID' parameter in 'edit_exam.php'.
SourceCodester Class and Exam Timetabling System 1.0 is vulnerable to SQL injection via the 'ID' parameter, allowing unauthorized database interaction.