18 vulnerabilities across 15 products scored HIGH or above on May 27, 2026.

  • CRITICAL: 1
  • HIGH: 17

[CRITICAL] langchain-ai/langchain

1 CVE | CVSS 8.2 | AAS 10.5

LangChain versions prior to 0.3.85 and 1.3.3 contain a critical deserialization vulnerability (CVE-2026-44843, CVSS 8.2) in older runtime code paths that use overly broad object allowlists, allowing any trusted LangChain-serializable object to be deserialized beyond intended scope. Organizations deploying LangChain should immediately upgrade to the patched versions; detailed remediation guidance is available in the vendor advisory at https://github.com/langchain-ai/langchain/security/advisories/GHSA-pjwx-r37v-7724.

[HIGH] dotcms/dotcms_core

1 CVE | CVSS 10.0 | AAS 9.9

dotCMS Core versions 25.11.04-1 through 26.04.28-02 contain an unauthenticated SQL injection vulnerability (CVE-2026-8054, CVSS 10.0) in the Publish Audit API endpoints that allows remote attackers to read, modify, or destroy arbitrary database content due to missing authentication enforcement and unsanitized input. Organizations should immediately upgrade to version 26.04.28-03 or later; details and remediation guidance are available at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75.

[HIGH] saleswonder_team:_tobias/webinarignition

2 CVEs | CVSS 9.9 | AAS 9.8

The WebinarIgnition WordPress plugin versions prior to 4.08.253 contain multiple path traversal vulnerabilities (CVE-2026-42757, CVE-2026-42758, CVSS 9.9) allowing attackers to perform arbitrary file operations through improper pathname validation. WordPress administrators should immediately upgrade to version 4.08.253 or later; details are available at https://patchstack.com/database/Wordpress/Plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-08-253-arbitrary-file-deletion-vulnerability?_s_id=cve.

[HIGH] ludwig_you/quickwebp_–compress/optimize_images&convert_webp|_seo_friendly

1 CVE | CVSS 9.9 | AAS 9.8

The QuickWebP WordPress plugin versions through 3.2.7 contain a path traversal vulnerability (CVE-2026-42756, CVSS 9.9) that allows attackers to perform arbitrary file operations through improper pathname validation. WordPress administrators should immediately upgrade to a patched release; details are available at https://patchstack.com/database/Wordpress/Plugin/quickwebp/vulnerability/wordpress-quickwebp-compress-optimize-images-convert-webp-seo-friendly-plugin-3-2-7-arbitrary-file-deletion-vulnerability?_s_id=cve.

[HIGH] wpify/wpify_woo_czech

1 CVE | CVSS 9.9 | AAS 9.8

The WPify Woo Czech WordPress plugin versions through 5.4.1 contain an unrestricted file upload vulnerability (CVE-2026-42748, CVSS 9.9) allowing attackers to upload malicious files, including web shells, due to insufficient file type validation. WordPress and WooCommerce administrators should immediately upgrade to a patched release; details are available at https://patchstack.com/database/Wordpress/Plugin/wpify-woo/vulnerability/wordpress-wpify-woo-czech-plugin-5-4-1-arbitrary-file-upload-vulnerability?_s_id=cve.

[HIGH] amir20/dozzle

2 CVEs | CVSS 8.7 | AAS 9.8

Dozzle versions prior to 10.5.2 contain multiple vulnerabilities (CVE-2026-45298, CVE-2026-44985, CVSS 8.7) in the unauthenticated POST /api/notifications/test-webhook endpoint that allow attackers to perform server-side request forgery and retrieve response bodies from arbitrary URLs, particularly in default deployments without authentication. Dozzle operators should immediately upgrade to version 10.5.2 or later; details are available at https://github.com/amir20/dozzle/releases/tag/v10.5.2.

[HIGH] miniorange/miniorange_otp_verification

1 CVE | CVSS 9.8 | AAS 9.7

The miniOrange OTP Verification WordPress plugin versions through 5.4.9 contain a privilege escalation vulnerability (CVE-2026-42731, CVSS 9.8) due to incorrect privilege assignment that allows attackers to escalate their access level. WordPress administrators should immediately upgrade to a patched release; details are available at https://patchstack.com/database/Wordpress/Plugin/miniorange-otp-verification/vulnerability/wordpress-miniorange-otp-verification-plugin-5-4-9-privilege-escalation-vulnerability?_s_id=cve.

[HIGH] india-web-developer/login_with_otp

1 CVE | CVSS 9.8 | AAS 9.7

The Login with OTP WordPress plugin versions through 1.6 contain an authentication bypass vulnerability (CVE-2026-8760, CVSS 9.8) due to incomplete rate-limiting that allows attackers to brute-force six-digit OTPs without expiration. WordPress administrators should immediately upgrade to a patched release or disable the plugin; details are available at https://nvd.nist.gov/vuln/detail/CVE-2024-11178.

[HIGH] hassantafreshi/easy_form_builder

1 CVE | CVSS 9.3 | AAS 9.2

The Easy Form Builder WordPress plugin versions through 4.0.6 contain a blind SQL injection vulnerability (CVE-2026-42747, CVSS 9.3) that allows attackers to execute arbitrary SQL commands and potentially read or modify database content. WordPress administrators should immediately upgrade to a patched release; details are available at https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-4-0-6-sql-injection-vulnerability?_s_id=cve.

[HIGH] realmag777/active_products_tables_for_woocommerce

2 CVEs | CVSS 9.3 | AAS 9.2

The Active Products Tables for WooCommerce plugin versions through 1.0.8 contain multiple blind SQL injection vulnerabilities (CVE-2026-42727, CVE-2026-42761, CVSS 9.3) allowing attackers to execute arbitrary SQL commands and potentially read or modify database content. WordPress and WooCommerce administrators should immediately upgrade to a patched release; details are available at https://patchstack.com/database/Wordpress/Plugin/profit-products-tables-for-woocommerce/vulnerability/wordpress-active-products-tables-for-woocommerce-plugin-1-0-8-sql-injection-vulnerability?_s_id=cve.

[HIGH] realmag777/tableon

1 CVE | CVSS 9.3 | AAS 9.2

The TableOn WordPress plugin versions through 1.0.5.1 contain a blind SQL injection vulnerability (CVE-2026-42755, CVSS 9.3) allowing attackers to execute arbitrary SQL commands and potentially read or modify database content. WordPress administrators should immediately upgrade to a patched release; details are available at https://patchstack.com/database/Wordpress/Plugin/posts-table-filterable/vulnerability/wordpress-tableon-plugin-1-0-5-1-sql-injection-vulnerability?_s_id=cve.

[HIGH] tassos.gr/novarain/tassos_framework_(plg_system_nrframework)

1 CVE | CVSS 9.3 | AAS 9.2

The Tassos Framework Plugin contains an arbitrary file deletion vulnerability (CVE-2026-48906, CVSS 9.3) allowing users to delete arbitrary files on affected systems. Administrators should immediately apply available patches or upgrade to a patched version; details are available at https://tassos.gr.

[HIGH] maven/org.yamcs:yamcs-core

1 CVE | CVSS 9.1 | AAS 9.0

Yamcs (org.yamcs:yamcs-core) contains a server-side code injection vulnerability (CVE-2026-44632, CVSS 9.1) in the algorithm evaluation engine allowing authenticated users with ChangeMissionDatabase privilege to execute arbitrary code on the underlying system via dynamic Java compilation without sandbox restrictions. Organizations should immediately upgrade to a patched version; details are available at https://github.com/advisories/GHSA-524g-x36v-9wm6.

[HIGH] github/enterprise_server

1 CVE | CVSS 9.2 | AAS 9.0

GitHub Enterprise Server contains a server-side request forgery (SSRF) vulnerability (CVE-2026-9312, CVSS 9.2) in an upload endpoint that allows unauthenticated attackers to access internal services and potentially expose sensitive credentials via insufficient input validation and path traversal. Organizations should immediately upgrade to version 3.16.20 or later; details are available at https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20.

[HIGH] zte/zxunipos_nds-lte

1 CVE | CVSS 9.1 | AAS 9.0

ZTE ZXUniPOS NDS-LTE contains an access control failure vulnerability (CVE-2026-49002, CVSS 9.1) allowing unauthorized users to access and modify system configuration information and sensitive data beyond their permissions. Organizations should immediately apply patches available from the vendor; details are available at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6783201397271515377.