15 vulnerabilities scored HIGH or above on May 21, 2026.
- CRITICAL: 1
- HIGH: 14
[CRITICAL] google/chrome
CVE-2026-9111 | CVSS 8.8
Google Chrome versions prior to 148.0.7778.179 on Linux are affected by a critical use-after-free vulnerability in WebRTC that allows remote code execution through a crafted HTML page. CVSS 8.8. Organizations running Chrome on Linux systems should immediately update to version 148.0.7778.179 or later, as exploitation is difficult but feasible. Patch deployment should prioritize systems with direct internet access, particularly development workstations and Linux-based productivity environments.
[HIGH] isc/bind
CVE-2026-42000 | CVSS 6.8
ISC BIND has insufficient validation of domain names during AXFR zone transfer operations, which is readily exploitable and could allow unauthorized zone data acquisition or DNS cache poisoning attacks. CVSS 6.8. Organizations operating authoritative DNS servers should apply vendor patches immediately and audit their zone transfer configurations to ensure AXFR is restricted to authorized secondary nameservers only.
[HIGH] altium/365
CVE-2026-9152 | CVSS 10.0
Altium 365 contains a missing authentication vulnerability in the SearchService SOAP endpoint that allows unauthenticated network attackers to access search indexes across tenant boundaries if they know a target workspace identifier. CVSS 10.0. Organizations using Altium 365 should immediately contact Altium for patches and restrict network access to the SearchService endpoint. Review audit logs for evidence of unauthorized workspace access or index queries to determine if exploitation has occurred.
[HIGH] litespeed_technologies/cpanel_plugin
CVE-2026-48172 | CVSS 10.0
LiteSpeed User-End cPanel Plugin versions prior to 2.4.5 contain a privilege escalation vulnerability allowing root-level access that is actively exploited in the wild as of May 2026. CVSS 10.0. Organizations running affected versions must immediately upgrade to 2.4.5 or later. Check logs for exploitation by running grep -rE "cpanel_jsonapi_func=redisAble" against /var/cpanel/logs and /usr/local/cpanel/logs/ to identify suspicious activity and confirm whether systems have been compromised.
[HIGH] wp_swings/gift_cards_for_woocommerce_pro
CVE-2026-45444 | CVSS 10.0
WP Swings Gift Cards For WooCommerce Pro through version 4.2.6 contains an unrestricted file upload vulnerability allowing attackers to upload arbitrary files with dangerous types, potentially leading to remote code execution on affected WordPress sites. CVSS 10.0. Organizations running this plugin must immediately update to the latest patched version. Disable or remove the plugin if no patch is available, and audit your web server for suspicious uploaded files.
[HIGH] frappe/frappe
CVE-2026-39352 | CVSS 8.7
Frappe web application framework versions prior to 15.105.0 and 16.15.0 contain a path traversal vulnerability allowing arbitrary file read access to sensitive system files. CVSS 8.7. Organizations deploying Frappe-based applications must immediately upgrade to version 15.105.0 or 16.15.0 (or later). Review server logs for suspicious file access patterns and audit sensitive configuration and data files for unauthorized reads.
[HIGH] apache_software_foundation/apache_fory
CVE-2026-48207 | CVSS 9.8
Apache Fory PyFory versions before 1.0.0 contain a deserialization vulnerability where ReduceSerializer can bypass DeserializationPolicy validation, allowing attackers to deserialize untrusted data and potentially execute arbitrary code. CVSS 9.8. Applications using PyFory in Python-native mode with strict mode disabled should immediately update to version 1.0.0 or later. Disable deserialization of untrusted data until patches are applied, and review application logs for suspicious deserialization attempts.
[HIGH] avada/avada_builder
CVE-2026-6279 | CVSS 9.8
Avada Builder (fusion-builder) plugin for WordPress through version 3.15.2 is vulnerable to unauthenticated remote code execution due to unvalidated PHP function injection in the conditional rendering helper. CVSS 9.8. WordPress site administrators must immediately update to the latest patched version of Avada Builder. Disable or remove the plugin if a patch is not immediately available, and check server logs and file modification times for evidence of compromise.
[HIGH] divi/divi_form_builder
CVE-2026-5118 | CVSS 9.8
Divi Form Builder plugin for WordPress through version 5.1.2 contains a privilege escalation vulnerability allowing unauthenticated attackers to create administrator accounts by manipulating the user-controlled role parameter during registration without proper validation. CVSS 9.8. WordPress site administrators must immediately update to the latest patched version of Divi Form Builder. Review user accounts created recently for unauthorized administrator accounts and disable or remove the plugin if a patch is not immediately available.
[HIGH] trend_micro/apex_one
CVE-2025-71210 | CVSS 9.8
Trend Micro Apex One management console is vulnerable to remote code execution allowing attackers to upload malicious code and execute commands on affected installations. CVSS 9.8. Organizations running on-premise Apex One deployments should immediately apply vendor patches. Note that SaaS versions of Apex One have already been mitigated and require no customer action.
[HIGH] powerdns/powerdns
CVE-2026-42001 | CVSS 7.5
PowerDNS contains insufficient validation of autoprimary SOA queries, which is exploitable and could allow attackers to manipulate DNS zone data or perform denial-of-service attacks. CVSS 7.5. Organizations operating PowerDNS authoritative servers should immediately apply vendor patches from the security advisory. Review zone transfer logs and SOA records for unauthorized modifications or suspicious autoprimary requests.
[HIGH] authentik/authentik
CVE-2026-40165 | CVSS 8.7
authentik identity provider versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2, are vulnerable to authentication bypass through SAML NameID XML comment injection, allowing attackers to gain unauthorized access to other user accounts. CVSS 8.7. Organizations running authentik with SAML authentication enabled must immediately update to a patched version: 2025.12.5 or later, or 2026.2.3 or later. Review authentication logs for suspicious SAML assertions or unauthorized account access attempts.
[HIGH] altium/enterprise_server
CVE-2026-9102 | CVSS 9.4
Altium Enterprise Server contains a path traversal vulnerability in the ComparisonService Gerber file upload APIs due to missing filename sanitization, allowing authenticated workspace users to write arbitrary files to the server filesystem and potentially achieve remote code execution. CVSS 9.4. Organizations running Altium Enterprise Server should immediately apply vendor patches. Restrict access to the ComparisonService upload APIs and review upload directories and web-accessible locations for suspicious files.
[HIGH] frappe/learning_management_system
CVE-2026-39405 | CVSS 9.4
Frappe Learning Management System versions 2.50.0 and below contain a path traversal vulnerability in SCORM ZIP package uploads that allows users with course editing privileges to write arbitrary files outside the intended directory. CVSS 9.4. Organizations running Frappe LMS should immediately upgrade to version 2.50.1 or later. Audit course editing role assignments and review uploaded SCORM packages and file system modifications for suspicious activity.
[HIGH] taiko/ag1000_01a
CVE-2026-9141 | CVSS 9.3
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contain an authentication bypass vulnerability in the web configuration interface that allows unauthenticated attackers to reach internal pages and obtain full administrative read and write access. CVSS 9.3. Organizations deploying these devices should immediately apply vendor patches or firmware updates. Restrict network access to the web configuration interface using firewall rules and verify that default credentials have been changed.