21 vulnerabilities across 15 products scored HIGH or above on May 26, 2026.
- CRITICAL: 3
- HIGH: 18
[CRITICAL] kareadita/kavita
3 CVEs | CVSS 9.3 | AAS 10.6
Kareadita’s Kavita cross-platform reading server is affected by three critical vulnerabilities (CVE-2026-47202, CVE-2026-44775, CVE-2026-44776) with a maximum CVSS score of 9.3. The most severe issue is an improper token validation flaw that allows unauthenticated remote attackers to request JWTs for any user, including administrators, if they know the username—a flaw present in versions prior to 0.9.0.2 and currently exploitable in the wild. Organizations deploying Kavita should immediately upgrade to version 0.9.0.2 or later to remediate these critical vulnerabilities.
- CVE-2026-47202 (CVSS 9.3)
- CVE-2026-44775 (CVSS 6.9)
- CVE-2026-44776 (CVSS 5.9)
[HIGH] red_hat/red_hat_container_native_virtualization_4.12
1 CVE | CVSS 9.9 | AAS 9.8
Red Hat Container Native Virtualization 4.12 contains a critical vulnerability (CVE-2026-7374) with a CVSS score of 9.9 in the KubeVirt virt-handler component. Authenticated OpenShift users with edit permissions in a single namespace can exploit improper symlink validation when connecting to virtual machine console sockets, allowing them to hijack virt-handler’s privileged connection and access any Unix socket on the host, potentially compromising the entire cluster. Organizations running Container Native Virtualization 4.12 should consult the Red Hat security advisory and apply patches immediately to remediate this exploitable vulnerability.
- CVE-2026-7374 (CVSS 9.9)
[HIGH] twenty/twenty
2 CVEs | CVSS 9.9 | AAS 9.8
Twenty open source CRM versions 1.7.7 through 1.16.7 are affected by two critical vulnerabilities (CVE-2026-46624, CVE-2026-44729) with a maximum CVSS score of 9.9 involving a chained SQL injection and PostgreSQL COPY TO PROGRAM attack. Authenticated users can exploit unsanitized input in the timeZone parameter of the REST API groupBy endpoint to execute arbitrary operating system commands on the database server if the PostgreSQL user has superuser privileges. Organizations deploying Twenty CRM should upgrade to a patched version beyond 1.16.7 immediately to remediate this exploitable vulnerability.
- CVE-2026-46624 (CVSS 9.9)
- CVE-2026-44729 (CVSS 8.7)
[HIGH] ibm/engineering_lifecycle_management
2 CVEs | CVSS 9.8 | AAS 9.7
IBM Engineering Lifecycle Management versions 7.0.3, 7.1.0, and 7.2.0 are affected by two critical vulnerabilities (CVE-2026-3660, CVE-2026-3603) with a maximum CVSS score of 9.8. Unauthenticated remote attackers can exploit these vulnerabilities to update server property files and gain unauthorized access to the application, and the attack is currently exploitable. Organizations running affected versions should immediately apply patches from IBM or upgrade to a newer version to remediate these critical vulnerabilities.
- CVE-2026-3660 (CVSS 9.8)
- CVE-2026-3603 (CVSS 7.1)
[HIGH] factionsecurity/faction
3 CVEs | CVSS 9.8 | AAS 9.7
FACTION PenTesting Report Generation and Collaboration Framework prior to version 1.8.3 is affected by three critical vulnerabilities (CVE-2026-44668, CVE-2026-44667, CVE-2026-44669) with a maximum CVSS score of 9.8. The AccessControlInterceptor authentication gate fails to validate user sessions before invoking Struts2 actions, and four action methods in BoilerPlateConfig perform no additional session checks, allowing unauthenticated attackers to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. Organizations deploying FACTION should upgrade to version 1.8.3 or later immediately to remediate these exploitable vulnerabilities.
- CVE-2026-44668 (CVSS 9.8)
- CVE-2026-44667 (CVSS 8.7)
- CVE-2026-44669 (CVSS 8.7)
[HIGH] ibm/websphere_application_server
1 CVE | CVSS 9.8 | AAS 9.7
IBM WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0 contain a critical remote code execution vulnerability (CVE-2026-8633) with a CVSS score of 9.8 in the Web Server Plug-ins. Unauthenticated remote attackers can exploit this vulnerability by sending a specially crafted request, and the attack is currently exploitable. Organizations running affected versions should immediately consult the IBM security advisory and apply patches to remediate this critical vulnerability.
- CVE-2026-8633 (CVSS 9.8)
[HIGH] gitoxide/gitoxide
1 CVE | CVSS 8.5 | AAS 9.7
Gitoxide’s gix-submodule component before version 0.82.0 contains a critical remote code execution vulnerability (CVE-2026-40034) with a CVSS score of 8.5 due to improper validation of the update field in .gitmodules. Attackers can bypass the CommandForbiddenInModulesConfiguration guard by exploiting partial submodule configuration in .git/config to inject arbitrary shell commands that execute when Submodule::update() is called, and this vulnerability is currently exploitable. Organizations using gix-submodule should upgrade to version 0.82.0 or later immediately to remediate this vulnerability.
- CVE-2026-40034 (CVSS 8.5)
[HIGH] google_cloud/apigee-x
1 CVE | CVSS 9.2 | AAS 9.5
Google Cloud Apigee-X contains a critical vulnerability (CVE-2026-2264) with a CVSS score of 9.2 in the SetIntegrationRequest policy that allows remote attackers to perform Server-Side Request Forgery (SSRF) attacks and exfiltrate service account access tokens. The vulnerability is exploitable when an administrator has configured an API proxy with insecure settings, enabling potential unauthorized access to sensitive credentials. Organizations using Apigee-X should review their API proxy configurations, consult the Google Cloud security bulletin, and implement the recommended mitigations immediately.
- CVE-2026-2264 (CVSS 9.2)
[HIGH] openvpn_inc/openvpn_connect
1 CVE | CVSS 9.4 | AAS 9.3
OpenVPN Connect versions 3.5.1 through 3.8.1 on macOS contain a critical privilege escalation vulnerability (CVE-2026-9560) with a CVSS score of 9.4 in the background service. Attackers can exploit an insecure local IPC channel to execute arbitrary commands with elevated privileges, and this vulnerability is currently exploitable. macOS users running affected versions of OpenVPN Connect should consult the OpenVPN release notes and upgrade to a patched version immediately.
- CVE-2026-9560 (CVSS 9.4)
[HIGH] eppendorf/bioflo_320
1 CVE | CVSS 9.3 | AAS 9.2
Eppendorf BioFlo 320 bioprocessing system contains a critical vulnerability (CVE-2026-7251) with a CVSS score of 9.3 due to a hard-coded VNC server password that provides full control of the user interface. Remote attackers with knowledge of the network address can gain complete access to all control panel features if remote access is enabled, and VNC traffic is transmitted unencrypted, making the attack easily exploitable. Organizations operating BioFlo 320 systems should consult the vendor advisory, disable remote access if not required, and implement network segmentation and VNC traffic encryption to mitigate this vulnerability.
- CVE-2026-7251 (CVSS 9.3)
[HIGH] emagicone/emagicone_store_manager
1 CVE | CVSS 9.3 | AAS 9.2
eMagicOne Store Manager WordPress plugin through version 1.3.2 contains a critical SQL injection vulnerability (CVE-2026-42773) with a CVSS score of 9.3 that allows blind SQL injection attacks. Remote attackers can exploit this vulnerability to extract sensitive data from the WordPress database, and the attack is currently exploitable. WordPress site administrators running affected versions of eMagicOne Store Manager should update to a patched version immediately or disable the plugin until a fix is available.
- CVE-2026-42773 (CVSS 9.3)
[HIGH] mirasvit/full_page_cache_warmer_for_magento_2
1 CVE | CVSS 9.3 | AAS 9.2
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a critical PHP object injection vulnerability (CVE-2026-45247) with a CVSS score of 9.3 that enables remote code execution. Unauthenticated attackers can exploit unrestricted use of PHP’s unserialize() function by crafting a malicious serialized object in the CacheWarmer cookie, leveraging gadget chains in Magento and its dependencies to execute arbitrary code on the server. Magento 2 administrators running affected versions should upgrade to version 1.11.12 or later immediately to remediate this exploitable vulnerability.
- CVE-2026-45247 (CVSS 9.3)
[HIGH] totolink/n300rh
1 CVE | CVSS 8.9 | AAS 8.8
Totolink N300RH firmware version 6.1c.1353_B20190305 contains a critical remote command injection vulnerability (CVE-2026-9543) with a CVSS score of 8.9 in the Web Management Interface’s setPasswordCfg function. The admpass parameter in /cgi-bin/cstecgi.cgi is vulnerable to OS command injection, allowing unauthenticated remote attackers to execute arbitrary commands, and a public exploit is available. Organizations operating affected Totolink N300RH devices should update to the latest firmware immediately or restrict access to the web management interface through network segmentation.
- CVE-2026-9543 (CVSS 8.9)
[HIGH] freerdp/freerdp
1 CVE | CVSS 8.7 | AAS 8.7
FreeRDP before version 3.26.0 contains a heap buffer overflow vulnerability (CVE-2026-40033) with a CVSS score of 8.7 in the gdi_CacheToSurface function. A malicious RDP server can exploit improper rectangle validation to write out-of-bounds heap memory on the client, potentially leading to remote code execution or client crash, though exploitation is considered difficult. FreeRDP users should upgrade to version 3.26.0 or later immediately, and administrators should be cautious when connecting to untrusted RDP servers.
- CVE-2026-40033 (CVSS 8.7)
[HIGH] code100x/code100x
1 CVE | CVSS 8.8 | AAS 8.7
code100x contains a critical authentication bypass vulnerability (CVE-2026-8890) with a CVSS score of 8.8 in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users. The vulnerability exists in the middleware.ts authentication logic, which skips identity header validation when an Auth-Key header is present without validating its value, enabling attackers to inject spoofed user identities that downstream handlers accept as trusted. Organizations using code100x should consult the GitHub advisory, update to a patched version immediately, and implement additional API authentication controls.
- CVE-2026-8890 (CVSS 8.8)