48 vulnerabilities across 15 products scored HIGH or above on May 27, 2026.
- CRITICAL: 17
- HIGH: 31
[CRITICAL] pip/langroid
1 CVE | CVSS 9.8 | AAS 12.1
Langroid versions prior to 0.63.0 contain a critical vulnerability (CVE-2026-25879, CVSS 9.8) in which the SQLChatAgent executes dynamically generated SQL code influenced by large language model responses, enabling prompt injection attacks to escalate to remote code execution on systems with elevated database privileges. Organizations using Langroid should immediately upgrade to version 0.63.0 or later and review any deployments with database roles configured for code execution or filesystem access. Additional details are available in the vendor advisory at https://github.com/advisories/GHSA-mxfr-6hcw-j9rq.
- CVE-2026-25879 (CVSS 9.8)
[CRITICAL] budibase/budibase
15 CVEs | CVSS 9.9 | AAS 11.3
Budibase prior to 3.38.2 is affected by 15 vulnerabilities including multiple critical issues (max CVSS 9.9) stemming from insufficient access control on SCIM endpoints, allowing any authenticated user to fully manage all tenant users and groups. Organizations operating Budibase should immediately upgrade to version 3.38.2 or later. For additional details, see https://github.com/Budibase/budibase/releases/tag/3.38.2.
- CVE-2026-46425 (CVSS 9.9)
- CVE-2026-45717 (CVSS 8.8)
- CVE-2026-45716 (CVSS 8.8)
- CVE-2026-48153 (CVSS 8.5)
- CVE-2026-48152 (CVSS 8.1)
- CVE-2026-48149 (CVSS 8.1)
- CVE-2026-45715 (CVSS 7.7)
- CVE-2026-45548 (CVSS 7.7)
- CVE-2026-45061 (CVSS 7.7)
- CVE-2026-48146 (CVSS 7.7)
- CVE-2026-46426 (CVSS 7.6)
- CVE-2026-48151 (CVSS 7.5)
- CVE-2026-48150 (CVSS 9.0)
- CVE-2026-45719 (CVSS 6.5)
- CVE-2026-48147 (CVSS 6.5)
[CRITICAL] langchain-ai/langchain
1 CVE | CVSS 8.2 | AAS 10.5
LangChain versions prior to 0.3.85 and 1.3.3 contain a critical vulnerability (CVE-2026-44843, CVSS 8.2) where older runtime code paths deserialize application-controlled payloads using overly broad object allowlists, enabling attackers to revive any trusted LangChain-serializable object beyond the intended scope. Organizations using LangChain should immediately upgrade to version 0.3.85 or 1.3.3 or later to remediate this deserialization flaw. Additional details are available at https://github.com/langchain-ai/langchain/security/advisories/GHSA-pjwx-r37v-7724.
- CVE-2026-44843 (CVSS 8.2)
[HIGH] free5gc/free5gc
11 CVEs | CVSS 10.0 | AAS 9.9
free5GC prior to version 4.2.2 is affected by 11 vulnerabilities including multiple critical issues (max CVSS 10.0) stemming from missing OAuth2 and bearer-token authorization on the NEF’s nnef-pfdmanagement endpoints, allowing network attackers to read PFD application data and manipulate change-notification subscriptions using forged or arbitrary tokens. Organizations deploying free5GC should immediately upgrade to version 4.2.2 or later to enforce proper authorization controls. For additional details, see https://github.com/free5gc/free5gc/security/advisories/GHSA-rwww-x45w-p52w.
- CVE-2026-44330 (CVSS 10.0)
- CVE-2026-44327 (CVSS 10.0)
- CVE-2026-44329 (CVSS 10.0)
- CVE-2026-44315 (CVSS 9.4)
- CVE-2026-44326 (CVSS 9.4)
- CVE-2026-42083 (CVSS 8.2)
- CVE-2026-44328 (CVSS 8.2)
- CVE-2026-44316 (CVSS 7.5)
- CVE-2026-44322 (CVSS 7.5)
- CVE-2026-44321 (CVSS 7.5)
- CVE-2026-44320 (CVSS 7.3)
[HIGH] npm/liquidjs
3 CVEs | CVSS 10.0 | AAS 9.9
liquidjs is affected by 3 vulnerabilities including multiple critical issues (max CVSS 10.0) that enable arbitrary code execution through specially crafted Liquid templates exploiting filter evaluation mechanisms to access and manipulate the rendering context. Organizations using liquidjs should immediately update to a patched version to mitigate remote code execution risks. For remediation details, see https://github.com/advisories/GHSA-gf2q-c269-pqgc.
- CVE-2026-45618 (CVSS 10.0)
- CVE-2026-45357 (CVSS 7.5)
- CVE-2026-45617 (CVSS 7.5)
[HIGH] hahwul/dalfox
3 CVEs | CVSS 10.0 | AAS 9.9
Dalfox prior to version 2.13.0 is affected by 3 vulnerabilities including multiple critical issues (max CVSS 10.0) where the REST API server mode binds to 0.0.0.0:6664 without authentication by default and unsafely deserializes attacker-supplied JSON from the POST /scan endpoint, allowing unauthenticated remote code execution through FoundAction and FoundActionShell fields. Organizations running dalfox in server mode should immediately upgrade to version 2.13.0 or later and restrict network access to the API endpoint. Additional details are available at https://github.com/hahwul/dalfox/releases/tag/v2.13.0.
- CVE-2026-45087 (CVSS 10.0)
- CVE-2026-45089 (CVSS 8.2)
- CVE-2026-45088 (CVSS 7.5)
[HIGH] avaiga/taipy
1 CVE | CVSS 8.7 | AAS 9.9
Taipy version 4.1.1 contains a path traversal vulnerability (CVE-2026-48544, CVSS 8.7) in the ElementLibrary.get_resource() method where an incomplete path containment check using str.startswith() without a trailing separator allows unauthenticated attackers to escape the module directory and access arbitrary files on the system. Organizations using Taipy should immediately update to a patched version or apply commit 129fd40 to remediate this directory traversal flaw. For additional details, see https://github.com/Avaiga/taipy/commit/129fd407ffca49ee4ab853772c88d0c873e038dd.
- CVE-2026-48544 (CVSS 8.7)
[HIGH] saleswonder_team:_tobias/webinarignition
2 CVEs | CVSS 9.9 | AAS 9.8
The WebinarIgnition WordPress plugin prior to version 4.08.253 is affected by 2 vulnerabilities including multiple critical issues (max CVSS 9.9) involving path traversal flaws that allow attackers to manipulate file operations and access, modify, or delete arbitrary files on the server. WordPress site administrators using WebinarIgnition should immediately update the plugin to version 4.08.253 or later to remediate these path traversal vulnerabilities. For additional details, see https://patchstack.com/database/Wordpress/Plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-08-253-arbitrary-file-deletion-vulnerability?_s_id=cve.
- CVE-2026-42757 (CVSS 9.9)
- CVE-2026-42758 (CVSS 9.8)
[HIGH] wpify/wpify_woo_czech
1 CVE | CVSS 9.9 | AAS 9.8
The WPify Woo Czech WordPress plugin through version 5.4.1 contains an unrestricted file upload vulnerability (CVE-2026-42748, CVSS 9.9) that allows attackers to upload arbitrary files including web shells to the server, leading to remote code execution. WordPress site administrators using WPify Woo Czech should immediately upgrade the plugin to a version newer than 5.4.1 or disable and remove the plugin until a patched version is available. For additional details, see https://patchstack.com/database/Wordpress/Plugin/wpify-woo/vulnerability/wordpress-wpify-woo-czech-plugin-5-4-1-arbitrary-file-upload-vulnerability?_s_id=cve.
- CVE-2026-42748 (CVSS 9.9)
[HIGH] ludwig_you/quickwebp_–compress/optimize_images&convert_webp|_seo_friendly
1 CVE | CVSS 9.9 | AAS 9.8
The QuickWebP WordPress plugin through version 3.2.7 contains a path traversal vulnerability (CVE-2026-42756, CVSS 9.9) that allows attackers to bypass directory restrictions and access, modify, or delete arbitrary files on the server. WordPress site administrators using QuickWebP should immediately upgrade the plugin to a version newer than 3.2.7 to remediate this directory traversal flaw. For additional details, see https://patchstack.com/database/Wordpress/Plugin/quickwebp/vulnerability/wordpress-quickwebp-compress-optimize-images-convert-webp-seo-friendly-plugin-3-2-7-arbitrary-file-deletion-vulnerability?_s_id=cve.
- CVE-2026-42756 (CVSS 9.9)
[HIGH] amir20/dozzle
2 CVEs | CVSS 8.7 | AAS 9.8
Dozzle prior to version 10.5.2 is affected by 2 vulnerabilities including multiple high-severity issues (max CVSS 8.7) where the POST /api/notifications/test-webhook endpoint is accessible without authentication in default deployments, allowing attackers to perform server-side request forgery attacks and retrieve sensitive response data by sending arbitrary URLs and crafted headers. Organizations deploying Dozzle should immediately upgrade to version 10.5.2 or later and ensure authentication is properly configured, particularly in default installations. For additional details, see https://github.com/amir20/dozzle/releases/tag/v10.5.2.
- CVE-2026-45298 (CVSS 8.6)
- CVE-2026-44985 (CVSS 8.7)
[HIGH] gitlab/gitlab
1 CVE | CVSS 8.2 | AAS 9.8
GitLab Enterprise Edition is affected by a user identity resolution vulnerability (CVE-2026-4868, CVSS 8.2) in Duo AI workflow runners that allows authenticated users to trigger workflows under the identity of other users, potentially leading to privilege escalation and unauthorized actions. Affected versions include 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. Organizations running GitLab EE should immediately upgrade to a patched version to remediate this identity spoofing flaw; see https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/ for details.
- CVE-2026-4868 (CVSS 8.2)
[HIGH] ibm/langflow_oss
2 CVEs | CVSS 9.8 | AAS 9.7
IBM Langflow OSS versions 1.0.0 through 1.9.1 are affected by 2 vulnerabilities including multiple critical issues (max CVSS 9.8) involving improper validation of symbolic links during archive extraction, allowing remote attackers to achieve code execution on affected systems. Organizations deploying Langflow OSS should immediately upgrade to version 1.9.2 or later to remediate these archive handling vulnerabilities. For additional details, see https://www.ibm.com/support/pages/node/7273426.
- CVE-2026-7524 (CVSS 9.8)
- CVE-2026-7528 (CVSS 7.1)
[HIGH] maven/org.yamcs:yamcs-core
3 CVEs | CVSS 9.8 | AAS 9.7
Yamcs is affected by 3 vulnerabilities including multiple critical issues (max CVSS 9.8) involving remote code execution through unfiltered Nashorn script evaluation in the mission database algorithm override API, which is reachable without authentication in default configurations where the superuser guest account is enabled. Organizations operating Yamcs should immediately apply security patches and disable the default guest superuser account, or implement a security.yaml configuration to restrict algorithm execution privileges. For additional details, see https://github.com/advisories/GHSA-vmwp-vh32-rj75.
- CVE-2026-46562 (CVSS 9.8)
- CVE-2026-46621 (CVSS 9.1)
- CVE-2026-44632 (CVSS 9.1)
[HIGH] miniorange/miniorange_otp_verification
1 CVE | CVSS 9.8 | AAS 9.7
The miniOrange OTP Verification WordPress plugin through version 5.4.9 contains an incorrect privilege assignment vulnerability (CVE-2026-42731, CVSS 9.8) that allows attackers to escalate privileges and gain unauthorized administrative access to WordPress sites. WordPress site administrators using this plugin should immediately update to a version newer than 5.4.9 to remediate the privilege escalation flaw. For additional details, see https://patchstack.com/database/Wordpress/Plugin/miniorange-otp-verification/vulnerability/wordpress-miniorange-otp-verification-plugin-5-4-9-privilege-escalation-vulnerability?_s_id=cve.
- CVE-2026-42731 (CVSS 9.8)