30 vulnerabilities across 15 products scored HIGH or above on May 21, 2026.
- CRITICAL: 10
- HIGH: 20
[CRITICAL] google/chrome
10 CVEs | CVSS 8.8 | AAS 10.0
Google Chrome versions prior to 148.0.7778.179 contain 10 vulnerabilities, including multiple use-after-free flaws in WebRTC that could allow remote code execution with a maximum CVSS score of 8.8. All organizations running Chrome should apply updates immediately, as these are critical-severity issues requiring urgent patching. Refer to the vendor advisory for complete CVE details and platform-specific update instructions.
- CVE-2026-9120 (CVSS 8.8)
- CVE-2026-9114 (CVSS 8.8)
- CVE-2026-9126 (CVSS 8.8)
- CVE-2026-9112 (CVSS 8.8)
- CVE-2026-9119 (CVSS 8.8)
- CVE-2026-9111 (CVSS 8.8)
- CVE-2026-9118 (CVSS 8.8)
- CVE-2026-9121 (CVSS 8.8)
- CVE-2026-9117 (CVSS 7.5)
- CVE-2026-9123 (CVSS 7.5)
[HIGH] isc/bind
1 CVE | CVSS 6.8 | AAS 10.0
ISC BIND is affected by a vulnerability in domain name validation during zone transfers (AXFR) with a CVSS score of 6.8. Organizations operating BIND DNS servers should apply vendor updates immediately, as this flaw is actively exploitable and impacts core DNS infrastructure. Refer to the vendor advisory for complete details on affected versions and remediation steps.
- CVE-2026-42000 (CVSS 6.8)
[HIGH] wp_swings/gift_cards_for_woocommerce_pro
1 CVE | CVSS 10.0 | AAS 9.9
The Gift Cards For WooCommerce Pro plugin for WordPress through version 4.2.6 contains an unrestricted file upload vulnerability allowing attackers to upload malicious files, with a CVSS score of 10.0. WordPress site administrators using this plugin should immediately update to a patched version or disable the plugin, as this flaw is actively exploitable. Refer to the vendor advisory for complete details and recommended mitigations.
- CVE-2026-45444 (CVSS 10.0)
[HIGH] litespeed_technologies/cpanel_plugin
1 CVE | CVSS 10.0 | AAS 9.9
LiteSpeed Technologies cPanel Plugin versions before 2.4.5 contain a privilege escalation vulnerability leading to potential root-level compromise, with a CVSS score of 10.0, and has been exploited in the wild as of May 2026. System administrators running this plugin should immediately upgrade to version 2.4.5 or later, as active exploitation is confirmed. Refer to the vendor advisory for complete details and recommended detection and remediation procedures.
- CVE-2026-48172 (CVSS 10.0)
[HIGH] altium/365
1 CVE | CVSS 10.0 | AAS 9.9
Altium 365 contains a missing authentication vulnerability in the SearchService SOAP endpoint that allows unauthenticated attackers to access search indexes and workspace data across tenant boundaries, with a CVSS score of 10.0. Organizations using Altium 365 should immediately apply vendor patches and review access logs for evidence of exploitation, as this flaw can expose sensitive project and component data. Refer to the vendor advisory for affected versions and complete remediation guidance.
- CVE-2026-9152 (CVSS 10.0)
[HIGH] frappe/frappe
1 CVE | CVSS 8.7 | AAS 9.9
Frappe framework versions prior to 15.105.0 and 16.15.0 contain an arbitrary file read vulnerability via path traversal that could allow attackers to access sensitive files, with a CVSS score of 8.7. Organizations running applications built on Frappe should immediately upgrade to version 16.15.0, 15.105.0, or later, as this flaw is actively exploitable. Refer to the vendor advisory for complete details and upgrade instructions.
- CVE-2026-39352 (CVSS 8.7)
[HIGH] divi/divi_form_builder
1 CVE | CVSS 9.8 | AAS 9.7
The Divi Form Builder plugin for WordPress through version 5.1.2 contains a privilege escalation vulnerability allowing unauthenticated attackers to create administrator accounts by tampering with user role parameters during registration, with a CVSS score of 9.8. WordPress site administrators using this plugin should immediately update to a patched version, as this flaw is actively exploitable and grants full site control. Refer to the vendor advisory for complete details and remediation steps.
- CVE-2026-5118 (CVSS 9.8)
[HIGH] trend_micro/apex_one
4 CVEs | CVSS 9.8 | AAS 9.7
Trend Micro Apex One contains multiple vulnerabilities, including remote code execution flaws in the management console with a maximum CVSS score of 9.8, affecting on-premises installations. Organizations running on-premises Apex One should immediately apply vendor patches, while SaaS customers have already been mitigated and require no action. Refer to the vendor advisory for affected versions, deployment-specific guidance, and complete remediation details.
- CVE-2025-71210 (CVSS 9.8)
- CVE-2025-71211 (CVSS 9.8)
- CVE-2026-34926 (CVSS 6.7)
- CVE-2025-71212 (CVSS 7.8)
[HIGH] avada/avada_builder
1 CVE | CVSS 9.8 | AAS 9.7
The Avada Builder (fusion-builder) plugin for WordPress through version 3.15.2 contains an unauthenticated remote code execution vulnerability via PHP function injection, with a CVSS score of 9.8. WordPress site administrators using this plugin should immediately update to a patched version, as this flaw allows attackers to execute arbitrary code without authentication. Refer to the vendor advisory for complete details and remediation guidance.
- CVE-2026-6279 (CVSS 9.8)
[HIGH] apache_software_foundation/apache_fory
1 CVE | CVSS 9.8 | AAS 9.7
Apache Fory PyFory before version 1.0.0 contains a deserialization vulnerability that can bypass DeserializationPolicy validation when strict mode is disabled, with a CVSS score of 9.8. Applications deserializing untrusted data with PyFory in Python-native mode should immediately upgrade to version 1.0.0 or later, or ensure strict mode is enabled to prevent exploitation. Refer to the vendor advisory for complete details, affected configurations, and remediation options.
- CVE-2026-48207 (CVSS 9.8)
[HIGH] powerdns/powerdns
1 CVE | CVSS 7.5 | AAS 9.6
PowerDNS contains a vulnerability involving insufficient validation of Autoprimary SOA queries that could allow attackers to manipulate DNS records, with a CVSS score of 7.5. Organizations operating PowerDNS should immediately apply vendor updates to the latest patched version, as this flaw is actively exploitable. Refer to the vendor advisory for affected versions and complete remediation guidance.
- CVE-2026-42001 (CVSS 7.5)
[HIGH] authentik/authentik
1 CVE | CVSS 8.7 | AAS 9.5
Authentik through version 2025.12.4 and versions 2026.2.0-rc1 through 2026.2.2 contain an authentication bypass vulnerability via SAML NameID XML comment injection that could allow attackers to gain unauthorized access to accounts, with a CVSS score of 8.7. Organizations deploying Authentik should immediately update to a patched version outside the affected ranges, as this flaw is actively exploitable. Refer to the vendor advisory for complete details on affected versions and remediation steps.
- CVE-2026-40165 (CVSS 8.7)
[HIGH] altium/enterprise_server
2 CVEs | CVSS 9.4 | AAS 9.3
Altium Enterprise Server contains multiple vulnerabilities, including a path traversal flaw in the ComparisonService that allows authenticated users to write arbitrary files to the server filesystem and potentially achieve remote code execution, with a maximum CVSS score of 9.4. Organizations running Altium Enterprise Server should immediately apply vendor patches, as this flaw is actively exploitable by regular workspace users. Refer to the vendor advisory for affected versions and complete remediation guidance.
- CVE-2026-9102 (CVSS 9.4)
- CVE-2026-9129 (CVSS 9.4)
[HIGH] frappe/learning_management_system
1 CVE | CVSS 9.4 | AAS 9.3
Frappe Learning Management System through version 2.50.0 contains an arbitrary file write vulnerability that allows users with course editing privileges to upload malicious SCORM ZIP packages and write files outside the intended directory, with a CVSS score of 9.4. Organizations using Frappe LMS should immediately update to version 2.50.1 or later, as this flaw is actively exploitable. Refer to the vendor advisory for complete details and remediation steps.
- CVE-2026-39405 (CVSS 9.4)
[HIGH] taiko/ag1000_01a
3 CVEs | CVSS 9.3 | AAS 9.2
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contain multiple vulnerabilities, including an authentication bypass in the web configuration interface that allows unauthenticated attackers to gain full administrative read and write access, with a maximum CVSS score of 9.3. Organizations operating these devices should immediately apply vendor updates or implement network-level access controls to restrict access to the web interface. Refer to the vendor advisory for complete details on affected revisions and remediation options.
- CVE-2026-9141 (CVSS 9.3)
- CVE-2026-9139 (CVSS 9.3)
- CVE-2026-9144 (CVSS 8.4)