CVE-2026-48908
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
Critical vulnerabilities, curated daily for security professionals
Sunday's disclosures are dominated by MervinPraison PraisonAI, which accounts for three of the day's critical vulnerabilities, alongside a broad cluster of Joomla and Drupal extension flaws. The set includes 7 critical CVEs (down 75% from 28 the prior day) and 44 high-priority CVEs (down 34% from 67). Standouts include CVE-2026-61447 (CVSS 10, PraisonAI), CVE-2026-57827 (CVSS 10, RSJoomla RSFiles), and CVE-2026-48282 (CVSS 9.5, Adobe ColdFusion). Remote code execution and injection flaws in web application platforms and CMS extensions are the prevailing pattern, with the Joomla ecosystem particularly heavily represented across both the critical and actively exploited sets. No vendor patches were confirmed available at disclosure, so teams should prioritize mitigations and exposure reduction while monitoring for vendor advisories.
Immediate action: Prioritize Adobe ColdFusion, Langflow, and MervinPraison PraisonAI deployments, along with the affected Joomla extensions (SP Page Builder, Page Builder CK, Balbooa Forms, iCagenda), given confirmed exploitation and CVSS 9.5+ scores. With no vendor patches confirmed available, apply available mitigations, restrict external exposure, and monitor vendor channels for forthcoming updates.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
JoomShaper SP Page Builder is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code.
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
The Page Builder CK extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, enabling attackers to execute malicious code on the server.
Adobe ColdFusion is affected by a path traversal vulnerability that permits unauthenticated remote attackers to execute arbitrary code.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
iCagenda is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code on the server.
PraisonAI fails to validate the dimension argument in its knowledge-store backends, enabling SQL/CQL injection via specially crafted strings.
PraisonAI contains a remote code execution vulnerability in CodeAgent._execute_python() that allows attackers to execute arbitrary code via LLM prompt injection.
The RSFiles extension for Joomla is vulnerable to an unauthenticated arbitrary file upload, allowing remote attackers to execute malicious code on the server.
PraisonAI is vulnerable to arbitrary file write and command execution via the AICoder component due to missing path and command validation in LLM tool calls.
An object injection vulnerability in the Drupal Flag attendance field module allows unauthorized modification of object attributes via improperly handled PHP-serialized strings.
The Phoca Download extension for Joomla contains an authenticated file upload vulnerability that allows registered users to upload executable files and achieve remote code execution.
Imager for Perl mishandles large EXIF IFD entry counts, leading to excessive memory allocation attempts and process termination.
A use-after-free vulnerability in the Google Chrome Payments component allows heap corruption via a crafted HTML page.
A deserialization vulnerability in Microsoft Edge (Chromium-based) allows an unauthorized attacker to achieve remote code execution via untrusted data.
The CorvusPay WooCommerce Payment Gateway plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the 'approval_code' parameter.
The Excelize Go library is vulnerable to a resource exhaustion flaw due to improper limits on resource allocation during spreadsheet processing.
The Form Vibes WordPress plugin is vulnerable to stored cross-site scripting (XSS) via Contact Form 7 form fields.
Gotenberg contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to perform unauthorized requests.
The Planyo Online Reservation System plugin for WordPress contains an SSRF vulnerability leading to Local File Inclusion (LFI) due to improper input validation.
The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via user-controlled input fields.
The GEO Plugin by Squirrly SEO for WordPress is vulnerable to arbitrary post creation and stored cross-site scripting (XSS) due to missing authorization checks in all versions up to 14.0.0.
FreeRDP is affected by an out-of-bounds write vulnerability caused by incorrect buffer size calculations, potentially allowing for memory corruption.
Several Grafana OSS API endpoints fail to limit the size of request bodies before processing, leading to potential resource exhaustion and denial-of-service.
ST Engineering iDirect Evolution iQ-Series terminals expose critical API endpoints without authentication, allowing unauthorized access to identity and system information.
The 9router AI router and token saver contains vulnerabilities involving TOCTOU race conditions and Server-Side Request Forgery (SSRF) that can be exploited by authenticated users.
9router fails to properly restrict excessive authentication attempts, potentially allowing attackers to conduct brute-force or credential-stuffing attacks against the system.
A buffer overflow vulnerability in TRENDnet TEW-821DAP version 1.12B01 allows for memory corruption.
A buffer overflow vulnerability in TRENDnet TEW-821DAP version 1.12B01 allows for memory corruption.
A stack-based buffer overflow vulnerability in Trendnet TEW-635BRM version 1.00.03 allows for potential memory corruption.
A command injection vulnerability exists in the Trendnet TEW-635BRM router, allowing remote authenticated attackers to execute arbitrary system commands.
PraisonAI versions prior to 1.7.3 are susceptible to an information exposure vulnerability due to insecure default configurations.
A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI versions before 1.6.78 allows authenticated users to trigger unauthorized requests to internal network resources.
A stack-based buffer overflow in the Tenda CP3 V3.0 RTSP service allows unauthenticated remote attackers to cause a denial-of-service condition.
A vulnerability in Capgo allows unauthenticated attackers to perform sensitive information disclosure through a security-definer RPC function.
PraisonAI versions before 4.6.78 are susceptible to a vulnerability related to insecure default resource initialization, facilitating potential security bypasses.
A lack of request throttling on the charging station backend of Le Circuit Electrique allows unauthenticated attackers to perform denial-of-service attacks.
A session management vulnerability in the Le Circuit Electrique backend allows multiple connections with the same ID, potentially leading to a denial-of-service via resource exhaustion.
A deserialization vulnerability in the Spinnaker continuous delivery platform allows authenticated users to execute arbitrary code or cause system compromise.
The h2o HTTP server is vulnerable to memory exhaustion due to improper handling of excessive allocation requests, leading to potential denial-of-service.
OpenResty is vulnerable to an out-of-bounds write, potentially leading to service disruption or memory corruption.
RabbitMQ Server is vulnerable to resource exhaustion due to lack of proper rate limiting or throttling of incoming requests.
The Espressif IoT Development Framework (ESP-IDF) is vulnerable to multiple memory corruption issues, including stack-based buffer overflows.
A missing authorization vulnerability in Capgo allows unauthenticated attackers to perform unauthorized actions via the get-orgs-v7 RPC endpoint.
Misskey is susceptible to an authentication bypass vulnerability due to improper handling of capture-replay scenarios.
Coturn is vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied input, allowing for unauthorized internal network requests.
ZITADEL is affected by vulnerabilities related to improper authentication and incorrect authorization, potentially allowing unauthorized access or privilege escalation.
The cpp-httplib library is susceptible to improper certificate validation, which may allow attackers to perform man-in-the-middle attacks.
Aster Telecom Azcall versions 10 and 11 are affected by SQL injection and injection vulnerabilities that could allow unauthorized database manipulation.
A weak password recovery vulnerability in H3C NX15 V100R017 allows unauthenticated attackers to manipulate account security settings.
An authentication bypass vulnerability in PraisonAI AgentMail allows remote attackers to perform unauthorized message injection via webhooks.
A stored Cross-Site Scripting (XSS) vulnerability in the ZITADEL identity platform allows an authenticated, high-privileged user to execute malicious scripts.
JetBrains TeamCity contains a Cross-Site Scripting (XSS) vulnerability allowing authenticated users with low privileges to execute malicious scripts in the context of the application.
The coturn TURN and STUN server contains an SQL injection vulnerability that can be exploited by high-privileged authenticated users to compromise the backend database.
PraisonAI contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability that allows attackers to force the server to send requests to arbitrary internal or external destinations.
An improper authorization vulnerability in the Mysterium Node configuration endpoint allows unauthenticated attackers to overwrite node settings and achieve full takeover.
An access control flaw in Proximus b-box v8c.725A allows authenticated attackers to remotely modify port forwarding rules.