CVE-2026-48908
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Saturday's disclosures center on infrastructure and developer-facing software, with Apache IoTDB (CVE-2026-40008, CVSS 9.8) and OpenPLC (CVE-2026-14480, CVSS 9.9) exposing industrial and time-series data systems to remote compromise. The set includes 28 critical CVEs, down 7% from the prior day's 30, alongside 67 high-priority issues, up 10% from 61. Browser and IDE users are affected by two Google Chrome flaws (CVE-2026-15113 and CVE-2026-15115) and JetBrains IntelliJ IDEA (CVE-2026-59792, CVSS 9.6), while a Kubernetes MCP server (CVE-2026-61459, CVSS 9.8) and Red Hat OpenShift AI (CVE-2026-15378, CVSS 9.3) extend the risk into cloud and AI tooling. Remote code execution and authentication bypass dominate, and six vulnerabilities across Joomla extensions, Adobe ColdFusion, and Langflow carry confirmed active exploitation. No vendor patches were confirmed available at disclosure, so teams should track upstream advisories and apply mitigations as fixes ship.
Immediate action: Prioritize the actively exploited issues in Adobe ColdFusion, Langflow, and the Joomla page-builder extensions (SP Page Builder, Page Builder CK, iCagenda, Balbooa Forms), then address Apache IoTDB, OpenPLC, and the Chrome and IntelliJ IDEA flaws affecting developer endpoints. With no patches confirmed at disclosure, monitor vendor advisories closely and apply available mitigations or access restrictions until updates are released.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
The Page Builder CK extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, enabling attackers to execute malicious code on the server.
Adobe ColdFusion is affected by a path traversal vulnerability that permits unauthenticated remote attackers to execute arbitrary code.
iCagenda is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code on the server.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
Apache IoTDB versions 1.0.0 through 2.0.9 are vulnerable to unsafe reflection via the pipe processor, which fails to validate externally controlled Java class names.
An authenticated arbitrary file write vulnerability in the OpenPLC Runtime v3 web UI allows attackers to achieve native code execution by uploading malicious C++ source files.
A use-after-free vulnerability in the Google Chrome Autofill component on Android allows remote attackers to trigger a sandbox escape through a crafted HTML page.
JetBrains IntelliJ IDEA is vulnerable to remote code execution due to path traversal in project workspace ID handling.
The 9Router /api/settings/database endpoint allows unauthorized database export and import due to insufficient authentication checks.
The grav-plugin-database for Grav CMS is vulnerable to SQL injection via the PDO::tableExists method due to improper input sanitization.
Google Chrome on Android contains a vulnerability in WebAppInstalls that allows local attackers to bypass the same origin policy via crafted HTML pages due to insufficient input validation.
The miniOrange Social Login and Register plugin for WordPress is vulnerable to unauthenticated account takeover via flawed OAuth email validation and predictable OTP transaction hashing.
Flux159 mcp-server-kubernetes before 3.9.0 is susceptible to argument injection, allowing attackers to redirect kubectl commands and steal bearer tokens, leading to cluster compromise.
A blind SSRF vulnerability in the Red Hat OpenShift AI guardrails-detectors component allows remote attackers to access sensitive internal metadata and local files.
Dell PowerFlex Manager is susceptible to OS command injection, allowing a high-privileged attacker to execute arbitrary commands as root during repository processing.
A path traversal vulnerability in Apache IoTDB allows unauthenticated attackers to write arbitrary files to the filesystem by leveraging an unsafe API.
A session expiration and authentication bypass vulnerability in Apache IoTDB allows attackers to reuse stale credentials to gain unauthorized access via REST Basic Authentication.
Prowler is vulnerable to cross-tenant account takeover due to improper validation of SAML assertions within its authentication flow.
PraisonAI contains a code injection vulnerability in its API module where unsanitized user input is passed to subprocess.Popen(), allowing arbitrary code execution.
Tilt versions 0.20.8 through 0.37.3 lack authentication on the HUD HTTP server, allowing unauthenticated remote attackers to invoke internal resources and access sensitive session data.
A Server-Side Request Forgery vulnerability in the Red Hat OpenShift AI guardrails-detectors component permits unauthorized internal network requests and local file reading.
The Le Circuit Electrique charging station backend contains a websocket authentication bypass vulnerability that could lead to unauthorized privilege escalation.
The SEM-PMP application is susceptible to an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary commands on the underlying system.
Adam Retail Automation MobilMen 20T contains an SQL injection vulnerability that allows unauthenticated attackers to execute malicious database queries.
A hidden backdoor in Tenda firmware's /bin/httpd login() function allows unauthenticated attackers to bypass authentication and gain full administrative control.
Vikunja is affected by an authorization bypass vulnerability that allows unauthenticated users to access, download, and delete sensitive project attachments instance-wide.
Devolutions Server 2026.2.4.0 through 2026.2.9.0 fails to enforce mandatory multi-factor authentication (MFA) policies when encountering invalid default values, allowing credentialed bypass.
An authentication bypass vulnerability in the miniOrange OAuth Single Sign On plugin allows unauthorized attackers to exploit password recovery mechanisms.
A stored Cross-Site Scripting (XSS) vulnerability in the OpenReplay tracking SDK allows unauthenticated attackers to execute malicious scripts in the administrative dashboard.
Invixium IXM WEB v.2.3.85.25 contains a privilege escalation vulnerability in the /SystemUsers/CreateAppUser component that allows unauthorized users to elevate their access level.
The Fire-Boltt Smartwatch FB BGS001 firmware allows unauthorized access via GATT Write Request commands, enabling replay attacks using captured BLE packets.
A heap overflow vulnerability in Perl DBI before 1.650 allows remote attackers to trigger memory corruption via SQL statements with an excessive number of placeholders.
A command injection vulnerability in the Code Engine WordPress plugin allows authenticated users to execute arbitrary code on the underlying server.
Grist-core is vulnerable to Cross-site Scripting (XSS), which may allow an unauthenticated, remote attacker to execute arbitrary scripts in a user's browser via crafted input.
Grist-core is vulnerable to Cross-site Scripting (XSS) due to improper output encoding, allowing authenticated attackers to execute arbitrary scripts in a victim's browser.
ModSecurity contains an input validation vulnerability where incorrect behavior order during canonicalization allows for potential security control bypasses.
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to authenticated Remote Code Execution, allowing attackers with low-level privileges to inject and execute arbitrary code.
The Essential Addons for Elementor plugin for WordPress is vulnerable to an authenticated account takeover via email header injection.
A high-performance PHP framework, Phalcon, is susceptible to a denial-of-service vulnerability due to inefficient regular expression complexity.
The Excelize Go library is vulnerable to uncontrolled resource consumption, which can lead to a Denial of Service (DoS) when processing maliciously crafted spreadsheet files.
The Phalcon PHP framework contains vulnerabilities related to timing discrepancies and improper cryptographic signature verification.
Lima contains vulnerabilities involving incorrect default permissions and improper resource exposure, potentially allowing for unauthorized system access.
LangChain4j is susceptible to SQL injection attacks, where an authenticated user may execute arbitrary SQL commands via improper neutralization of special elements.
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion (LFI) in all versions up to 1.6.1.
The WP Grid Builder plugin for WordPress contains a privilege escalation vulnerability allowing authenticated users to elevate their access level.
The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover due to a weak password recovery mechanism.
The WP CTA plugin for WordPress is susceptible to time-based blind SQL Injection via the 'fildname' parameter.
The Booking Package plugin for WordPress is vulnerable to SQL Injection via the 'email' form parameter, allowing unauthenticated attackers to query the database.
Oneblog V2.3.9 is vulnerable to an information disclosure flaw in its API components, allowing unauthenticated remote attackers to access sensitive data.
The Genolve AI plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the genolve_setOpt() function, exploitable by authenticated users.
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file uploads due to a flawed file type validation bypass in the upload_extension_files() function.
Dell Unisphere for PowerMax is vulnerable to deserialization of untrusted data, which can be exploited by an authenticated attacker to achieve full system compromise.
Dell PowerFlex Manager is affected by an SQL injection vulnerability allowing authenticated low-privileged users to execute unauthorized database commands.
The W3 Total Cache plugin for WordPress is vulnerable to path traversal, allowing unauthenticated attackers to read sensitive files via improper input validation in the Minify component.
Tilt is vulnerable to an information exposure flaw that may allow unauthorized access to sensitive environment data during the development of Kubernetes microservices.
Tilt is vulnerable to insufficient verification of data authenticity, which may allow an attacker to bypass security controls in microservice environments.
The Everest Forms WordPress plugin fails to securely delete temporary CSV files, allowing unauthenticated attackers to access sensitive form submissions via predictable file paths.
Dell PowerFlex Manager contains an SQL injection vulnerability that may allow authenticated low-privileged users to perform unauthorized data read operations.
The Frappe framework is vulnerable to path traversal, which could allow an authenticated high-privileged user to access or manipulate restricted files on the server.
FreeRDP is vulnerable to heap-based buffer overflow and integer overflow, which could allow remote code execution or system instability.
9Router is affected by missing and incorrect authorization vulnerabilities, enabling unauthorized access to critical functions.
9Router contains multiple authentication vulnerabilities, including improper authentication and missing checks for critical functions, leading to potential bypass.
9Router is vulnerable to multiple security flaws, including authentication bypass and server-side request forgery (SSRF), allowing unauthenticated remote attackers to compromise the system.
ST Engineering iDirect Evolution iQ-Series terminals fail to validate CSRF tokens on state-changing API endpoints, permitting Cross-Site Request Forgery attacks.
The Simple JWT Login plugin for WordPress contains an improper privilege management vulnerability that allows authenticated users to escalate their privileges.
Spinnaker is vulnerable to unsafe reflection and deserialization of untrusted data, which could allow an authenticated attacker to execute arbitrary code.
Krayin Laravel-CRM is susceptible to an authorization bypass vulnerability via user-controlled keys, allowing attackers to access unauthorized resources.
Teracity Software TeraMIS is impacted by an authorization bypass vulnerability, allowing authenticated users to manipulate user-controlled keys for unauthorized access.
HestiaCP is vulnerable to an authenticated OS command injection flaw during DNS record management, allowing attackers to execute arbitrary system commands.
Dify is vulnerable to an authenticated SQL injection flaw within the MyScale vector store search functionality, allowing attackers to manipulate database queries.
The Adam Retail MobilMen 20T software is vulnerable to an authorization bypass via user-controlled keys, allowing authenticated users to access unauthorized functions.
MaxKB contains an OS command injection vulnerability allowing authenticated attackers to execute arbitrary system commands.
JetBrains TeamCity contains a vulnerability related to external control of file name or path, impacting versions prior to 2026.1.2.
PraisonAI contains an OS command injection vulnerability allowing authenticated attackers to execute arbitrary system commands via a bypass.
RabbitMQ Server is susceptible to an information exposure vulnerability allowing unauthorized actors to access sensitive data due to improper handling of messaging streams.
The Grav Admin plugin is vulnerable to an authorization bypass, allowing authenticated users to perform unauthorized administrative actions through user-controlled keys.
Grav is susceptible to a resource exhaustion vulnerability due to improper allocation limits, which can be exploited by unauthenticated attackers to cause a denial-of-service.
R-SOFT SERWIS DMS is vulnerable to OS Command Injection via the konwertujAction() function, potentially allowing an authenticated attacker to execute arbitrary system commands.
Crawl4AI is susceptible to Server-Side Request Forgery (SSRF) via webhook URLs, allowing unauthenticated attackers to force the server to make unauthorized requests to internal or external resources.
Logto is vulnerable to XML/Blind XPath injection and dependency-related security flaws, requiring an update to version 1.41.0 to address these risks.
Snipe-IT contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions within the IT asset and license management system.
A missing authorization vulnerability in RustDesk allows authenticated users to gain unauthorized access to sensitive functionality, potentially leading to full system compromise.
Capgo contains a vulnerability involving unverified password changes, where the application fails to validate the current password, allowing authenticated attackers to hijack accounts.
EverOS contains a path traversal vulnerability that allows unauthenticated attackers to manipulate file paths and potentially access unauthorized areas of the system.
Lucee CFML Server is affected by a reflected Cross-Site Scripting (XSS) vulnerability triggered via manipulated URL path parsing.
R-SOFT DMS stores superadmin credentials using an insecure, non-salted nested MD5 hash, rendering them susceptible to offline cracking attacks.
Typebot.io is affected by a Server-Side Request Forgery (SSRF) vulnerability that allows an authenticated user to perform unauthorized requests.
Logto is affected by an improper authentication vulnerability that allows authenticated users to bypass security controls.
ZITADEL is affected by a missing authorization vulnerability that allows authenticated users to access resources without proper permission checks.
JetBrains TeamCity is vulnerable to Cross-Site Scripting (CWE-79), potentially allowing an attacker to execute arbitrary scripts in a user's browser.
JetBrains TeamCity contains an improper authorization vulnerability (CWE-862) that may allow an authenticated user to perform unauthorized actions.
FlaskBB is susceptible to an authorization bypass via topic ID manipulation, allowing authenticated users to perform unauthorized actions.
PraisonAI is vulnerable to a protection mechanism failure that can lead to remote code execution.
Snipe-IT contains an authorization bypass vulnerability allowing authenticated users to manipulate IT assets via user-controlled keys.
Open WebUI is susceptible to path traversal and server-side request forgery (SSRF) vulnerabilities.
Open WebUI is vulnerable to code injection, unauthorized information exposure, and authorization bypass, allowing authenticated users with specific access to impact the platform's integrity.
The n8n workflow automation platform contains vulnerabilities related to improper authentication and origin validation, which may allow an authenticated user to perform unauthorized actions.
A NULL pointer dereference in mrubyc's src/vm.c in the op_super() function allows for potential denial of service due to a missing runtime guard for top-level super.
A regular expression denial of service (ReDoS) vulnerability in the trim and rtrim functions of the String::Util Perl module allows for CPU exhaustion via maliciously crafted inputs.