3 vulnerabilities across 3 products scored HIGH or above on June 04, 2026.

  • HIGH: 3

[HIGH] cloud_foundry_foundation/bosh_director

1 CVE | CVSS 4.0: 8.7 | AAS 8.5

Cloud Foundry Foundation’s BOSH Director contains a command injection vulnerability (CVE-2026-41010, CVSS 8.7) in the ReleaseJob#unpack function, where attacker-supplied job names from release manifests are directly interpolated into shell commands without proper sanitization. Organizations deploying BOSH Director should immediately review the vendor advisory and apply available patches to remediate this exploitable flaw. See https://www.cloudfoundry.org/blog/cve-2026-41010-release-job-name-command-injection-on-bosh-director/ for mitigation details.

Vendor Advisory

[HIGH] acer/connect_m6e_5g_portable_wifi_router

1 CVE | CVSS 4.0: 10.0 | AAS 7.9

Acer’s Connect M6E 5G Portable WiFi Router is affected by a critical command injection vulnerability (CVE-2026-49185, CVSS 10.0) in the FieldX MDM adb messaging topic, which fails to verify payloads before passing them to Runtime.exec(). Users of this device should immediately consult the vendor advisory and apply any available firmware updates or security patches to remediate this exploitable flaw. For details and mitigation steps, see https://community.acer.com/en/kb/articles/19707.

Vendor Advisory

[HIGH] smartypants/sp_project_&_document_manager

1 CVE | CVSS 3.1: 7.5 | AAS 7.4

The SP Project & Document Manager WordPress plugin through version 4.71 contains an unauthorized access vulnerability (CVE-2026-10737, CVSS 7.5) due to missing capability checks on the view_file function, allowing unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored in project folders. WordPress site administrators using this plugin should immediately update to the latest patched version or disable the plugin until a fix is available. See https://plugins.trac.wordpress.org/browser/sp-client-document-manager/trunk/ajax.php#L155 for technical details.

Vendor Advisory