CVE-2026-56291
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
Critical vulnerabilities, curated daily for security professionals
Wednesday's brief is dominated by Microsoft Windows and Windows Server, which account for multiple critical remote-code-execution and privilege issues, alongside a maximum-severity JetBrains YouTrack vulnerability. The set includes 48 critical CVEs (up 20% from 40) and 92 high-priority CVEs (up 2% from 90). Standout entries are CVE-2026-62422 (CVSS 10) in JetBrains YouTrack, CVE-2026-57092 (CVSS 9.9) in Microsoft Windows, and CVE-2026-54990 (CVSS 9.8) affecting Windows 11 and Windows Server 2025. Attack patterns concentrate on remote code execution and authentication bypass across enterprise platforms, developer tooling (sigstore-js, vitest), and web infrastructure. Vendor patch data was not yet reflected at collection time, so teams should treat these as unpatched pending vendor confirmation and prioritize verification of fixed builds. Seven CVEs show confirmed active exploitation, including SonicWall SMA1000 and Microsoft SharePoint Server.
Immediate action: Prioritize Microsoft Windows, Windows Server, and JetBrains YouTrack for immediate review, and validate SonicWall SMA1000 and SharePoint Server given confirmed active exploitation. Patch status was not yet reflected at collection time, so confirm fixed builds directly with each vendor and apply mitigations where updates are pending.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
iCagenda is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code on the server.
Cisco IOS is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability that is currently being actively exploited in the wild.
Microsoft SharePoint Server contains a vulnerability involving missing authentication for critical functions, allowing unauthenticated remote access.
SonicWall SMA1000 appliances are vulnerable to code injection, which can be exploited by an authenticated administrator to execute arbitrary code.
A Server-side request forgery (SSRF) vulnerability in the SonicWall SMA1000 Work Place interface allows remote unauthenticated attackers to force the appliance to make unauthorized network requests.
Microsoft Active Directory Federation Services is affected by a vulnerability involving insufficient granularity of access control.
The Word Count and Social Shares WordPress plugin contains a file deletion vulnerability due to insufficient validation and authorization checks.
A heap-based buffer overflow in the Microsoft Windows Remote Desktop Client allows an unauthenticated remote attacker to execute arbitrary code over the network.
A use-after-free vulnerability in the Google Chrome Core component allows a remote attacker to achieve sandbox escape via a crafted HTML page.
A credential disclosure vulnerability in sigstore-js allows authentication keys to be transmitted to incorrect registries due to improper substring matching.
When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device.
The Vitest UI/API server is vulnerable to path traversal and arbitrary script execution due to improper path validation on Windows systems.
JetBrains YouTrack is affected by an authentication bypass vulnerability allowing unauthenticated attackers to gain administrative access via direct database manipulation.
A use after free vulnerability in the Windows VMSwitch component allows an authenticated attacker to elevate privileges over a network.
A heap-based buffer overflow in Windows Message Queuing allows an unauthenticated, remote attacker to execute arbitrary code.
A heap-based buffer overflow in the Windows DHCP Server service allows an unauthenticated, remote attacker to execute arbitrary code.
A heap-based buffer overflow in the Microsoft Minecraft Bedrock Dedicated Server allows unauthenticated, remote attackers to execute arbitrary code via network packets.
An insecure deserialization vulnerability in Microsoft Dynamics NAV 2018 allows an unauthenticated attacker to execute arbitrary code remotely.
A heap-based buffer overflow in the Windows DHCP Server component allows an unauthenticated attacker to execute code remotely.
A heap-based buffer overflow exists in the SQL Server ODBC driver on various Windows versions, allowing unauthenticated remote code execution.
A heap-based buffer overflow in the Windows FTP Service allows an unauthenticated attacker to execute arbitrary code over a network.
A deserialization vulnerability in Microsoft SharePoint allows an unauthenticated attacker to execute code over a network.
A deserialization of untrusted data vulnerability in Microsoft SharePoint allows an unauthenticated, remote attacker to execute arbitrary code.
A heap-based buffer overflow in the Windows GDI+ component allows a remote attacker to execute code on affected Windows systems.
The Podlove Podcast Publisher plugin for WordPress contains an arbitrary file upload vulnerability allowing unauthenticated attackers to achieve remote code execution.
An incorrect authorization vulnerability in Adobe ColdFusion allows an unauthenticated attacker to achieve privilege escalation and gain unauthorized read and write access.
Adobe ColdFusion is affected by a path traversal vulnerability that allows an authenticated attacker to read arbitrary files from the file system.
A race condition in the Windows Server Network driver allows an unauthenticated attacker to achieve remote code execution over the network.
A vulnerability in Windows RDP involving the use of uninitialized resources allows an unauthenticated attacker to execute code remotely.
Apache Kylin is susceptible to an SQL injection vulnerability via a backend API used for refreshing table catalogs.
Adobe ColdFusion is vulnerable to improper input validation, allowing unauthenticated attackers to achieve arbitrary code execution.
Adobe ColdFusion contains a code injection vulnerability that allows an authenticated user to execute arbitrary code.
Adobe Commerce is vulnerable to an unrestricted file upload flaw that can lead to arbitrary code execution if a user interacts with a malicious URL.
Adobe Experience Manager contains a Server-Side Request Forgery vulnerability that allows authenticated attackers to perform unauthorized server-side requests and potentially execute arbitrary code.
Adobe Experience Manager is vulnerable to XML External Entity injection, which allows authenticated, low-privileged attackers to read sensitive files and potentially execute arbitrary code.
Microsoft 365 Copilot for Android and iOS is susceptible to a command injection vulnerability that allows unauthorized attackers to execute code over a network.
Microsoft Exchange Server is vulnerable to cross-site scripting (XSS), allowing an unauthenticated attacker to perform spoofing over a network.
Vitest Browser Mode fails to restrict Chrome DevTools Protocol methods, allowing remote attackers to execute arbitrary Node.js code by overwriting configuration files.
Adobe Illustrator is affected by an improper input validation vulnerability that allows arbitrary code execution when a victim opens a malicious file.
Adobe ColdFusion contains a missing authentication vulnerability for critical functions, enabling arbitrary code execution without requiring user interaction.
A cross-site scripting vulnerability in Vitest Browser Mode allows attackers to inject malicious JavaScript and steal sensitive API tokens via crafted URLs.
The Totolink NR1800X router contains a stack-based buffer overflow vulnerability in the lighttpd component, allowing for remote code execution.
The Rockwell Automation 1715 EtherNet/IP Communications Module contains an unauthenticated debug port, allowing remote attackers to execute intrusive CLI commands and manipulate device operations.
Siemens Opcenter X fails to properly validate JWT signatures, enabling unauthenticated remote attackers to forge tokens and impersonate any user, including administrative accounts.
ASUS routers are vulnerable to a man-in-the-middle attack due to improper certificate and integrity check validation, allowing attackers to force the device to download and execute arbitrary commands.
A critical SQL injection vulnerability in the Drupal Location Selector module allows unauthenticated attackers to execute arbitrary SQL commands via unsanitized input in Views filters.
Sustainable Irrigation Platform (SIP) contains a command injection vulnerability in the cli_control plugin that allows unauthenticated attackers to execute arbitrary OS commands.
DBI::SQL::Nano for Perl incorrectly evaluates SQL WHERE predicates, leading to inverted comparisons for <= and >= operators.
A missing authorization vulnerability in the Drupal LocalGov Workflows module allows unauthorized users to access restricted resources via forceful browsing.
The Drupal Formatter Field module contains an object injection vulnerability due to improper control of dynamically determined object attributes.
The Drupal Login Disable module fails to properly restrict excessive authentication attempts, creating a vulnerability that facilitates brute force attacks against user accounts.
An insufficient input validation vulnerability in the RTSP service of MERCURY MIPC252W v1.0.5 Build 230306 Rel.79931n allows an unauthenticated remote attacker to render an individual TCP connection temporarily unusable via sending an RTSP request with a Content-Length header but no corresponding me
A critical security vulnerability exists in the Drupal Commerce guest registration module, which is now unmaintained and obsolete.
A Server-Side Request Forgery (SSRF) vulnerability in the Drupal OpenAI Provider module allows remote attackers to force the server to make unauthorized requests to internal or external resources.
A use-after-free vulnerability in Windows Remote Desktop Services allows an authenticated attacker to elevate privileges over a network.
A use after free vulnerability in the Microsoft Windows Remote Desktop Client allows an unauthenticated attacker to execute arbitrary code over a network via user interaction.
A use after free vulnerability in the Windows Remote Access Connection Manager allows an authenticated attacker to elevate privileges over a network.
A use after free vulnerability in Windows Remote Desktop Services allows an authenticated attacker to execute code over a network.
An integer overflow in the Windows Remote Access Service Infrastructure permits an authenticated attacker to elevate privileges over a network.
A heap buffer overflow in the libyuv library within Google Chrome on Windows allows for potential code execution.
An authentication bypass vulnerability in ASP.NET allows an authenticated attacker to manipulate data and gain unauthorized access.
A SQL injection vulnerability in Microsoft SQL Server allows an authenticated attacker to execute arbitrary SQL commands and elevate privileges across the network.
A heap-based buffer overflow in the Windows DHCP Server allows an unauthenticated, adjacent attacker to achieve remote code execution.
A use-after-free vulnerability in the Windows Runtime allows an authenticated local attacker to escalate their privileges.
A heap-based buffer overflow in the Windows Kernel allows an authenticated attacker to elevate privileges locally on the affected system.
A heap-based buffer overflow in the Windows Win32K component allows an authenticated attacker to elevate their privileges locally.
A use-after-free vulnerability in the Windows Kernel allows an authenticated attacker to elevate privileges locally on the affected system.
A heap-based buffer overflow in the Desktop Window Manager allows an authenticated attacker to achieve local privilege escalation.
A heap-based buffer overflow in the Windows Network File System allows an authenticated attacker to elevate privileges over the network.
A stack-based buffer overflow in Microsoft Fabric Data Warehouse allows an authenticated attacker to execute code over the network.
A heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthenticated attacker to execute arbitrary code over a network via a specially crafted file.
A heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthenticated attacker to execute arbitrary code over a network via a specially crafted file.
A heap-based buffer overflow and out-of-bounds read in Microsoft Windows Media Foundation allow an unauthenticated attacker to execute arbitrary code over a network via a crafted file.
A heap-based buffer overflow in the Microsoft Input Method Editor (IME) allows an authorized local attacker to elevate privileges on affected Windows systems.
A heap-based buffer overflow in the Windows DHCP Server allows an authenticated attacker to execute arbitrary code over a network.
A heap-based buffer overflow in Active Directory Domain Services allows an authenticated attacker to execute arbitrary code over a network.
A use after free vulnerability in the Windows Kernel allows a locally authenticated attacker to elevate privileges to the system level.
A deserialization vulnerability in Microsoft SQL Server allows an authenticated attacker to execute arbitrary code over the network.
A deserialization of untrusted data flaw in various Microsoft SQL Server releases allows authenticated attackers to execute code over a network.
A heap-based buffer overflow in Microsoft Exchange Server allows an authenticated attacker to achieve remote code execution.
A type confusion vulnerability in the V8 engine of Google Chrome allows a remote attacker to execute arbitrary code via a malicious webpage.
Symfony components are vulnerable to insufficient verification of data authenticity and improper input validation, potentially allowing unauthorized data access.
An improper access control vulnerability in Microsoft Configuration Manager allows an authenticated attacker to elevate privileges over a network.
An incorrect implementation of the authentication algorithm in ASP.NET allows authenticated attackers to potentially compromise the integrity and availability of the system.
An incorrect implementation of the authentication algorithm in the Windows SMB Server allows authorized attackers to elevate privileges over a network.
An untrusted pointer dereference in Windows DirectX allows an authorized attacker to execute code locally on the target system.
A race condition vulnerability in the Windows Runtime allows an authenticated local attacker to achieve privilege escalation by exploiting improper synchronization of shared resources.
A race condition in Windows Media allows an authenticated attacker to escalate privileges over a network, potentially leading to unauthorized system control.
An improper link resolution vulnerability in Microsoft PC Manager allows an authenticated local attacker to perform file access operations that lead to privilege escalation.
A missing authentication vulnerability in the Windows Server Update Service allows an authenticated attacker to elevate privileges over a network.
An out-of-bounds read vulnerability in the Windows Kernel allows an authenticated attacker to perform local privilege escalation.
Improper authorization in Active Directory Certificate Services (AD CS) allows an authenticated attacker to elevate privileges over a network.
A missing authorization vulnerability in Microsoft SharePoint allows an authenticated attacker to elevate privileges over a network.
A relative path traversal vulnerability in Microsoft Windows Admin Center allows an authenticated attacker to execute arbitrary code over a network.
A command injection vulnerability in Microsoft Windows Admin Center allows an authenticated attacker to execute arbitrary commands over a network.
Visual Studio Code contains a vulnerability involving the inclusion of functionality from an untrusted control sphere, which allows an unauthorized attacker to bypass security features over a network.
Microsoft SharePoint contains an improper authorization vulnerability that allows an authenticated attacker to elevate their privileges over a network.
An integer overflow or wraparound vulnerability in Windows RDP allows an unauthorized attacker to execute arbitrary code over a network.
Improper certificate validation in the Azure Monitor Agent Metrics Extension allows an unauthenticated attacker to elevate privileges over an adjacent network.
Improper access control in the Windows MIDI Service Module allows an authenticated attacker to perform local privilege escalation.
A relative path traversal vulnerability in Age of Empires II: Definitive Edition allows an unauthenticated attacker to execute code over a network.
A race condition in the Windows Win32K component allows an authenticated local attacker to elevate privileges on the affected system.
An integer underflow in the Windows Reliable Multicast Transport Driver (RMCAST) allows an unauthenticated attacker to execute code over an adjacent network.
A race condition in the Windows TCP/IP stack allows an unauthenticated attacker to execute code over an adjacent network.
A missing authentication vulnerability in Microsoft Azure CycleCloud allows an authenticated attacker to elevate privileges over the network.
A race condition in the Windows Print Spooler allows an authenticated attacker to execute arbitrary code over the network.
Twig is vulnerable to code injection, allowing an authenticated user to perform unauthorized actions by manipulating template generation.
Twig is vulnerable to code injection, allowing an authenticated attacker to manipulate template generation and execute arbitrary code.
A stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce allows a low-privileged attacker to inject malicious scripts into form fields.
A vulnerability in the Symfony framework and Mailer component allows for argument injection due to improper neutralization of argument delimiters.
An XML External Entity (XXE) vulnerability in the Symfony DomCrawler component allows unauthenticated attackers to potentially read sensitive local files.
An incorrect authorization vulnerability in the Symfony Security-Http component allows unauthenticated remote attackers to bypass security controls.
A vulnerability in the Symfony YAML component allows for XML entity expansion, which can lead to denial of service via resource exhaustion.
The Symfony YAML component is susceptible to inefficient regular expression complexity, which can be exploited by an unauthenticated attacker to cause a denial of service.
Adobe Illustrator is susceptible to an untrusted search path vulnerability that could allow an attacker to execute arbitrary code with the privileges of the current user.
An issue in docuForm GmbH Client v.
A Local File Inclusion (LFI) vulnerability exists in docuForm GmbH Client v.
A vulnerability in the docuForm GmbH FSM Client v.11.11c login.php component allows remote attackers to perform user enumeration.
Apache Kylin is vulnerable to OS command injection, which allows an authenticated attacker to execute arbitrary system commands on the underlying server.
A vulnerability in Spotfire Server modules allows for potential security compromise, requiring user interaction to facilitate unauthorized access or impact.
A vulnerability in the Argo CD repo-server allows an unauthenticated attacker with network access to achieve remote code execution.
A vulnerability in Pi-hole allows for improper ownership management, which may lead to unauthorized system-level actions when exploited by a local user.
A memory allocation vulnerability in the Pillow library allows remote attackers to trigger excessive memory consumption, leading to a denial of service.
A vulnerability in Nexus Repository Manager's API key generation process allows remote attackers to gain unauthorized access to repository operations as a targeted user.
Sesame Time contains an authorization bypass vulnerability in its session management and REST v3 API, allowing unauthenticated attackers to access unauthorized information.
Grafana MCP Server is vulnerable to a confused-deputy attack, allowing unauthenticated remote attackers to exfiltrate service-account tokens via a crafted X-Grafana-URL header.
MetaGuru HCM is susceptible to SQL injection, which could allow an authenticated attacker to manipulate database queries and potentially access or modify sensitive data.
The DP Calendar extension for Joomla contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary database queries.
The EDocman extension for Joomla contains an unauthenticated SQL injection vulnerability allowing remote attackers to execute arbitrary database commands.
Rclone is susceptible to path traversal and authorization bypass vulnerabilities that may allow an authenticated user to access or manipulate restricted files.
Rockwell Automation FactoryTalk Services Platform version 6.60 contains a flaw that permits the bypass of JSON Web Token signature validation during Okta Web Authentication.
A stack-based buffer overflow vulnerability exists in the Tenda BE12 Pro router, which may allow an authenticated attacker to trigger memory corruption.
A stack-based buffer overflow vulnerability exists in Tenda BE12 Pro firmware version 16.03.66.23, which could allow an authenticated attacker to trigger memory corruption.
A stack-based buffer overflow vulnerability exists in Tenda BE12 Pro firmware version 16.03.66.23, which could allow an authenticated attacker to trigger memory corruption.
A stack-based buffer overflow vulnerability exists in Tenda BE12 Pro firmware version 16.03.66.23, which could allow an authenticated attacker to trigger memory corruption.
A stack-based buffer overflow vulnerability in the Tenda BE12 Pro router allows for potential memory corruption.
A memory corruption vulnerability exists in the Tenda BE12 Pro router, specifically involving a stack-based buffer overflow.
A regular expression denial of service vulnerability exists in the linkify-it library due to inefficient complexity.
A double free vulnerability exists in the Rockwell Automation FLEX 5000 EtherNet/IP Adapter, potentially leading to a denial-of-service condition.
A resource exhaustion vulnerability exists in the Rockwell Automation 1734 POINT I/O module, allowing unauthenticated attackers to trigger a denial-of-service.
A resource exhaustion vulnerability in the Rockwell Automation 1718-AENTR and 1719-AENTR modules allows unauthenticated, remote attackers to cause a denial-of-service.
A denial-of-service vulnerability in Rockwell Automation communication modules arises from improper validation of CIP Implicit Connection packets, allowing unauthenticated remote disruption.
TP-Link Kasa EC71 and EC70 v4 firmware versions store a static cryptographic private key on a read-only filesystem, which is shared across all devices.
A PHP object injection vulnerability exists in the Drupal Plotly.js Graphing module due to improper control of dynamically determined object attributes during deserialization.
An Insecure Direct Object Reference (IDOR) in docuForm GmbH Client v.11.11c allows remote attackers with low privileges to execute arbitrary code and access other users' data.
decompress before 4.