CVE-2026-56291
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
Critical vulnerabilities, curated daily for security professionals
Thursday's brief centers on several maximum-severity flaws in widely deployed web and infrastructure software, including Metabase, NocoBase, and Apache Tomcat, alongside actively exploited weaknesses in SonicWall SMA1000 appliances and Microsoft SharePoint Server. The set includes 18 critical CVEs (down 62% from 48 the prior day) and 34 high-priority CVEs (down 63% from 92), a lighter volume overall but weighted toward perfect and near-perfect scores. Notable entries include CVE-2026-50148 (CVSS 10) in Metabase, CVE-2026-52887 (CVSS 10) in NocoBase, and CVE-2026-59083 (CVSS 9.1) in Apache Tomcat, with CVE-2026-44986 (CVSS 9.9) affecting Penpot. Remote code execution, authentication bypass, and single-sign-on weaknesses dominate the pattern, spanning developer platforms, WordPress plugins, and edge network devices. Patch data was not yet reflected for these disclosures at brief time, so teams should confirm fixed versions directly against vendor advisories before deploying.
Immediate action: Prioritize the actively exploited SonicWall SMA1000, Microsoft SharePoint Server, and Microsoft ADFS issues, then address the maximum-severity Metabase, NocoBase, and 9router flaws on internet-facing and internal platforms. Patch availability was not yet reflected at brief time, so verify fixed releases and interim mitigations directly with each vendor before scheduling deployment.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
An unauthenticated arbitrary file upload vulnerability in the Balbooa Forms extension for Joomla allows attackers to upload executable files, leading to full remote code execution.
iCagenda is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to execute arbitrary code on the server.
Cisco IOS is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability that is currently being actively exploited in the wild.
Microsoft SharePoint Server contains a vulnerability involving missing authentication for critical functions, allowing unauthenticated remote access.
SonicWall SMA1000 appliances are vulnerable to code injection, which can be exploited by an authenticated administrator to execute arbitrary code.
A Server-side request forgery (SSRF) vulnerability in the SonicWall SMA1000 Work Place interface allows remote unauthenticated attackers to force the appliance to make unauthorized network requests.
An unauthenticated, easily exploitable vulnerability in the Oracle Payments product of E-Business Suite allows remote attackers to compromise the service via HTTP.
Microsoft Active Directory Federation Services is affected by a vulnerability involving insufficient granularity of access control.
The KNX Protocol Connection Authorization Option 1 contains an overly restrictive account lockout mechanism vulnerability that is currently being exploited in the wild.
A stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin of AVideo allows unauthenticated attackers to hijack administrative sessions via malicious WebSocket parameters.
A critical vulnerability in Metabase allows users with database connection permissions to achieve remote code execution via a flaw in the Snowflake JDBC driver.
NocoBase is vulnerable to SQL injection due to improper sanitization of input in the application notification plugin, allowing unauthenticated remote code execution.
Penpot contains an authentication bypass vulnerability that allows registered users to hijack arbitrary accounts by manipulating invitation flows and profile registration processes.
A URL encoding vulnerability in Apache Tomcat's RewriteValve allows unauthenticated attackers to bypass security constraints by manipulating hex-encoded characters in requests.
The SAML SSO plugin for WordPress is vulnerable to signature algorithm confusion, allowing unauthenticated attackers to forge assertions and gain administrative access.
Crypt::OpenSSL::X509 for Perl is vulnerable to a heap out-of-bounds read via a long certificate extension OID, potentially leading to sensitive information disclosure.
9Router contains an authentication bypass vulnerability allowing unauthenticated remote command execution via unprotected API endpoints.
A vulnerability in the OpenWrt DHCPv6 client allows for Cross-site Scripting (XSS) via injected lease hostnames displayed in the web administrative interface.
The Grav API plugin is vulnerable to an open redirect during password reset, allowing attackers to hijack reset tokens and perform full account takeover.
Wekan avatar upload functionality fails to sanitize filenames, leading to OS command injection via shell metacharacters during MIME-type detection.
A multi-tenancy authorization bypass in n8n-mcp allows authenticated tenants to access, modify, or delete sensitive workflow backups belonging to other tenants.
Wekan improperly trusts client-supplied X-Forwarded-For headers during header-based authentication, allowing unauthenticated attackers to spoof identities and gain administrative access.
9Router contains a hardcoded fallback JWT secret in its authentication routing and middleware, allowing unauthenticated attackers to forge authentication tokens.
A critical vulnerability in the Drupal Mother May I module allows unauthenticated attackers to execute arbitrary code or perform unauthorized actions on the host site.
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17.
Wazuh Manager fails to sanitize input in the DataValue.index field, allowing unauthenticated agents to perform NDJSON injection attacks against the manager.
The better-auth SSO plugin fails to validate OIDC configuration URLs, allowing authenticated users to perform server-side request forgery and potentially achieve account linking.
The Newsletters WordPress plugin before 4.15 is vulnerable to unauthenticated PHP object injection via a public form, leading to arbitrary file write and remote code execution.
The WPFunnels plugin for WordPress is vulnerable to privilege escalation via an arbitrary option update, allowing authenticated users to modify sensitive application settings.
A privilege management vulnerability in phpMyFAQ before 4.1.5 allows authenticated users to perform unauthorized actions due to a missing superadmin guard in the user-add endpoint.
A SQL injection vulnerability in the Apache Fineract Report Execution API (runreports endpoint) allows authenticated users to execute arbitrary SQL commands.
The Digits: WordPress Mobile Number Signup and Login plugin contains an improper privilege management flaw allowing authenticated users to escalate privileges.
The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), which may allow an attacker to perform unauthorized actions on behalf of an authenticated administrator.
Cisco RoomOS Software contains an improper access control vulnerability that could allow an authenticated remote attacker to perform unauthorized actions.
The AI Engine WordPress plugin before 3.5.5 allows authenticated users with editor access to perform path traversal and write arbitrary files to the server.
The Tutor LMS WordPress plugin fails to enforce capability checks in its page-builder integrations, allowing unauthorized access to restricted course content.
An OS command injection vulnerability in decolua 9router versions before 0.5.2 allows authenticated attackers to execute arbitrary system commands.
The Grav API plugin is vulnerable to an unrestricted file upload flaw, which may allow authenticated users with low privileges to execute arbitrary code on the server.
A vulnerability exists in decolua 9router allowing improper control of dynamically determined object attributes, which may lead to unauthorized data modification.
The BankAccountListController in Prospero Flow CRM suffers from a missing authorization flaw, allowing unauthorized users to access sensitive bank account information.
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl are vulnerable to a denial of service via NULL pointer dereference when parsing specific X.509 extensions.
The Quix Page Builder Pro extension for Joomla is vulnerable to unauthenticated SQL injection, allowing attackers to manipulate database queries.
A flaw in the vllm-orchestrator-gateway component of Red Hat OpenShift AI causes sensitive information exposure by logging bearer tokens and chat payloads at DEBUG level.
Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls.
MaaAssistantArknights is vulnerable to OS command injection and code injection, allowing unauthenticated attackers to execute arbitrary commands.
Cherry Studio is susceptible to an inclusion of functionality from an untrusted control sphere, leading to remote code execution.
ERPNext is vulnerable to incorrect authorization and improper template engine neutralization, which can be exploited by an authenticated local user.
Penpot is vulnerable to an exposed dangerous method or function, which could allow an unauthenticated attacker to perform unauthorized operations.
FastGPT contains hard-coded credentials, which may allow an unauthenticated attacker to gain unauthorized access to sensitive information.
The Grav Flex Objects plugin is vulnerable to server-side template injection, allowing authenticated attackers to execute arbitrary code.
A memory management vulnerability in Absolute Security Secure Access allows for potential denial of service conditions.
An SQL injection vulnerability exists in DataEase, allowing authenticated users to execute arbitrary SQL commands.
A second SQL injection vulnerability in DataEase allows authenticated users to execute arbitrary database commands due to improper input sanitization.
DataEase is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL commands via improper neutralization of special elements in input.
The 4Analytics extension for Joomla is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability, allowing remote attackers to inject malicious scripts into the application.
Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a GPU register access which can lead to privilege escalation.
Software installed and run as a non-privileged user may conduct a sequence of improper GPU system calls causing use after free, which helps in facilitating unprivileged memory access from a shader code.
A privilege management vulnerability in OpenWrt's luci-app-samba4 allows authenticated delegated users to execute the Samba daemon with arbitrary arguments, resulting in command execution.
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection.
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address.
Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.