37 vulnerabilities across 15 products scored HIGH or above on May 28, 2026.
- CRITICAL: 14
- HIGH: 23
[CRITICAL] sherlock-project/sherlock
1 CVE | CVSS 9.3 | AAS 12.0
Sherlock versions prior to 0.16.1 are vulnerable to critical command injection in the GitHub Actions workflow validate_modified_targets.yml (CVE-2026-44590, CVSS 9.3), which allows unauthenticated attackers to execute arbitrary code and steal the GITHUB_TOKEN without requiring pull request approval or review. Security teams managing Sherlock deployments should immediately upgrade to version 0.16.1 or later to eliminate the risk of unauthorized CI runner access and credential compromise. Additional details are available in the vendor security advisory at https://github.com/sherlock-project/sherlock/security/advisories/GHSA-v6wr-ccr4-x8g9.
- CVE-2026-44590 (CVSS 9.3)
[CRITICAL] hmbown/codewhale
4 CVEs | CVSS 9.6 | AAS 11.4
CodeWhale prior to version 0.8.26 contains multiple critical vulnerabilities including CVE-2026-45374 (CVSS 9.6), which stems from insecure default configuration of the task_create tool: it spawns sub-agents with allow_shell and auto_approve enabled by default, so that a user approving a task creation request enables arbitrary shell command execution. Developers and organizations using CodeWhale for AI-assisted code generation should immediately upgrade to version 0.8.26 or later and review task approval workflows to prevent unauthorized command execution. Full remediation details are available in the vendor security advisory at https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-72w5-pf8h-xfp4.
- CVE-2026-45374 (CVSS 9.6)
- CVE-2026-45311 (CVSS 9.6)
- CVE-2026-45310 (CVSS 7.4)
- CVE-2026-45373 (CVSS 7.4)
[CRITICAL] zed-industries/zed
5 CVEs | CVSS 8.6 | AAS 11.1
Zed prior to version 0.227.1 contains multiple critical vulnerabilities including CVE-2026-44461 (CVSS 8.6) affecting SSH and WSL remote command execution, where unvalidated environment variable keys allow shell expansion injection. An attacker who can control environment variable keys through project terminal settings can inject shell metacharacters and command substitutions that execute arbitrary code on the remote host when a terminal is opened. Users running Zed should immediately upgrade to version 0.227.1 or later and audit project configurations to remove untrusted environment variables, with additional remediation guidance available at https://github.com/zed-industries/zed/security/advisories/GHSA-63qj-jc2q-7hg5.
- CVE-2026-44461 (CVSS 8.6)
- CVE-2026-44463 (CVSS 8.6)
- CVE-2026-44465 (CVSS 8.6)
- CVE-2026-44466 (CVSS 8.6)
- CVE-2026-44462 (CVSS 6.4)
[CRITICAL] electerm/electerm
2 CVEs | CVSS 9.4 | AAS 10.9
electerm versions 3.8.8 and earlier are affected by multiple critical vulnerabilities including CVE-2026-45058 (CVSS 9.4) that enable persistent code execution through malicious bookmark imports or compromised sync targets. Attackers can inject exec* fields or global configuration to execute arbitrary code when a bookmark is opened or synchronization is applied, affecting users who import untrusted bookmark JSON files or use electerm sync with gist or WebDAV. Users of electerm should immediately upgrade to version 3.8.9 or later and avoid importing bookmarks from untrusted sources, with additional security details available at https://github.com/electerm/electerm/security/advisories/GHSA-jgg9-rw32-44pj.
- CVE-2026-45058 (CVSS 9.4)
- CVE-2026-45353 (CVSS 9.3)
[CRITICAL] pip/dulwich
2 CVEs | CVSS 8.8 | AAS 10.9
Dulwich is affected by multiple critical vulnerabilities including CVE-2026-42305 (CVSS 8.8) that allow arbitrary file write and remote code execution on Windows systems during Git clone or checkout operations. The path-element validator improperly handles filenames containing Windows path syntax characters, allowing attackers to create malicious repositories that write files with path traversal sequences that materialize as nested directories on Windows, potentially placing executable code in sensitive locations. Windows users of Dulwich should immediately apply available patches and avoid cloning or checking out repositories from untrusted sources, with security details and remediation guidance available at https://github.com/advisories/GHSA-897w-fcg9-f6xj.
- CVE-2026-42305 (CVSS 8.8)
- CVE-2026-42563 (CVSS 8.0)
[HIGH] tiny/tinymce
4 CVEs | CVSS 5.4 | AAS 9.9
TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 are affected by multiple high-severity vulnerabilities including CVE-2026-47759 (CVSS 5.4) that enable stored cross-site scripting through unsanitized data-mce-* attributes, allowing attackers to inject malicious values that override safe attributes during serialization and bypass validation. Applications using TinyMCE with user-supplied content are vulnerable to persistent XSS attacks when these attributes are not properly sanitized during editor initialization or content processing. Organizations should immediately upgrade to TinyMCE 5.11.1, 7.9.3, 8.5.1 or later and implement input validation for all user-supplied content, with additional security guidance available at https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f.
- CVE-2026-47759 (CVSS 5.4)
- CVE-2026-47761 (CVSS 5.4)
- CVE-2026-47762 (CVSS 5.4)
- CVE-2026-47760 (CVSS 5.4)
[HIGH] gladinet/triofox
6 CVEs | CVSS 9.8 | AAS 9.7
Triofox is affected by multiple critical vulnerabilities including CVE-2026-8363 (CVSS 9.8), a stack-based buffer overflow in WOSDeviceDropFolder.dll triggered when processing long URL paths beginning with /resources. Remote attackers can trigger the buffer overflow to achieve denial of service or potentially remote code execution without requiring authentication. Users of Triofox should immediately consult vendor advisories for patched versions and apply available updates urgently, with additional technical details available at https://www.tenable.com/security/research/TRA-2026-45.
- CVE-2026-8363 (CVSS 9.8)
- CVE-2026-8362 (CVSS 9.8)
- CVE-2026-8364 (CVSS 9.8)
- CVE-2026-8359 (CVSS 7.5)
- CVE-2026-8361 (CVSS 7.5)
- CVE-2026-8360 (CVSS 7.5)
[HIGH] leiweibau/pi.alert
3 CVEs | CVSS 9.8 | AAS 9.7
Pi.Alert prior to 2026-05-07 is affected by multiple critical vulnerabilities including CVE-2026-44888 (CVSS 9.8) that allow unauthenticated remote code execution through improper input validation in the SaveConfigFile() endpoint. The vulnerability permits attackers to inject arbitrary Python code into pialert.conf, which is executed every 3 to 5 minutes by the background cron process, achieving OS-level command execution on default installations where PIALERT_WEB_PROTECTION is disabled. Organizations running Pi.Alert should immediately apply available patches and enable PIALERT_WEB_PROTECTION, with additional technical details available at https://github.com/leiweibau/Pi.Alert/security/advisories/GHSA-xg85-f8qw-7c5f.
- CVE-2026-44888 (CVSS 9.8)
- CVE-2026-44887 (CVSS 9.8)
- CVE-2026-44886 (CVSS 8.7)
[HIGH] mapserver/mapserver
1 CVE | CVSS 7.5 | AAS 9.6
MapServer versions 6.4.0 through 8.6.2 are vulnerable to a denial of service condition via CVE-2026-45104 (CVSS 7.5) caused by a NULL pointer dereference in the SLD (Styled Layer Descriptor) parser when processing ElseFilter rules without symbolizers. Attackers can trigger the crash by sending a well-formed SLD payload through the WMS SLD_BODY parameter, causing the MapServer process to terminate and disrupting GIS services. Organizations running affected MapServer versions should immediately upgrade to 8.6.3 or later and restrict direct access to WMS endpoints, with additional technical information available at https://github.com/MapServer/MapServer/security/advisories/GHSA-4h8g-378q-r75m.
- CVE-2026-45104 (CVSS 7.5)
[HIGH] jpettitt/meshcore-card
1 CVE | CVSS 9.6 | AAS 9.5
MeshCore Card prior to version 0.3.3 is vulnerable to stored cross-site scripting via CVE-2026-45323 (CVSS 9.6) due to improper HTML escaping of node names in the Lovelace card. Any node within direct or indirect radio range can inject arbitrary JavaScript that executes in the Home Assistant frontend of users viewing the card, potentially compromising user sessions and sensitive automation data. Home Assistant users should immediately upgrade MeshCore Card to version 0.3.3 or later and review any connected mesh nodes for suspicious names, with additional details available at https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc.
- CVE-2026-45323 (CVSS 9.6)
[HIGH] veeam/service_provider_console
1 CVE | CVSS 9.4 | AAS 9.3
Veeam Service Provider Console is vulnerable to remote code execution via CVE-2026-32998 (CVSS 9.4), a critical vulnerability that allows attackers to execute arbitrary code on affected systems. Service providers and organizations running Veeam Service Provider Console should immediately consult the vendor advisory for affected version information and apply available patches or workarounds without delay. Additional technical details and remediation guidance are available at https://www.veeam.com/kb4853.
- CVE-2026-32998 (CVSS 9.4)
[HIGH] mennekes/amtron
2 CVEs | CVSS 9.3 | AAS 9.2
Mennekes Amtron series devices with firmware versions 5.22.3 and earlier are affected by multiple critical vulnerabilities including CVE-2026-8980 (CVSS 9.3) that enable privilege escalation through improper access controls. Authenticated users with low-privilege accounts can craft malicious POST requests to change the passwords of admin and manufacturer accounts, gaining full system control. Organizations operating Amtron chargers should immediately upgrade to the latest firmware version and restrict administrative access to trusted networks, with additional details available at https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/.
- CVE-2026-8980 (CVSS 9.3)
- CVE-2026-8979 (CVSS 9.3)
[HIGH] rustfs/rustfs
3 CVEs | CVSS 9.8 | AAS 8.9
RustFS prior to version 1.0.0-beta.2 is affected by multiple critical vulnerabilities including CVE-2026-45039 (CVSS 9.8) stemming from a hardcoded default authentication secret in the internode RPC layer. When the RUSTFS_RPC_SECRET environment variable and S3 secret key are not configured, the system falls back to the publicly known default secret "rustfsadmin" for HMAC-SHA256 signature verification, allowing potential unauthorized internode communication. Organizations deploying RustFS should immediately upgrade to version 1.0.0-beta.2 or later and ensure RUSTFS_RPC_SECRET is explicitly configured in all deployments, with additional details available at https://github.com/rustfs/rustfs/security/advisories/GHSA-r5qv-rc46-hv8q.
- CVE-2026-45039 (CVSS 9.8)
- CVE-2026-45044 (CVSS 8.8)
- CVE-2026-45041 (CVSS 8.7)
[HIGH] openreplay/openreplay
1 CVE | CVSS 7.7 | AAS 8.7
OpenReplay prior to version 1.26.0 is vulnerable to authorization bypass via CVE-2026-45296 (CVSS 7.7) in its Python API, which fails to validate tenant ownership when processing app_apikey routes. An attacker with a valid API key can access projects belonging to other tenants by providing a caller-supplied projectKey that exists within the deployment, potentially exposing sensitive session replay data. Organizations running OpenReplay should immediately upgrade to version 1.26.0 or later and implement network-level access controls to restrict API access to trusted sources, with additional details available at https://github.com/openreplay/openreplay/security/advisories/GHSA-8wmc-vpmf-cjf5.
- CVE-2026-45296 (CVSS 7.7)
[HIGH] cssigniterteam/gutenbee_–_gutenberg_blocks
1 CVE | CVSS 8.8 | AAS 8.7
The GutenBee – Gutenberg Blocks WordPress plugin through version 2.20.1 is vulnerable to arbitrary file upload via CVE-2026-9227 (CVSS 8.8) due to improper file extension validation in the gutenbee_file_and_ext_json function. The vulnerability stems from a flawed strpos() check that only verifies that the filename contains '.json' rather than ends with it, allowing authenticated attackers to bypass validation using double-extension names such as shell.json.php and upload executable code. WordPress administrators should immediately update GutenBee to the latest patched version and restrict plugin access to trusted users, with additional details available at https://github.com/cssigniter/gutenbee/commit/bde934cdecf67a4de1d6548cc1fc6c59bc6690e5.
- CVE-2026-9227 (CVSS 8.8)