17 vulnerabilities across 15 products scored HIGH or above on June 16, 2026.

  • CRITICAL: 5
  • HIGH: 12

[CRITICAL] pip/langflow

3 CVEs | CVSS 3.1: 9.6 | AAS 13.4

  • cpe:2.3:a:pip:langflow:*:*:*:*:*:*:*:*

Langflow contains multiple critical vulnerabilities (including CVE-2026-48519, CVE-2026-33760, and CVE-2026-42867, CVSS 9.6) affecting the Shareable Playground feature, which allows unauthenticated users to execute arbitrary code via shared flow links. Organizations deploying Langflow should immediately disable the public flows feature or apply vendor patches to eliminate remote code execution risk. Full technical details and remediation guidance are available in the vendor advisory at https://github.com/advisories/GHSA-v5ff-9q35-q26f.

Vendor Advisory

[CRITICAL] dell/openmanage

1 CVE | CVSS 3.1: 8.8 | AAS 13.1

  • cpe:2.3:a:dell:openmanage:*:*:*:*:*:*:*:*

Dell OpenManage Integration with Microsoft Windows Admin Center contains a critical remote code execution vulnerability (CVE-2024-24909, CVSS 8.8) in the gateway plugin that allows authenticated remote users to escalate privileges and execute arbitrary code. Organizations using Dell OpenManage should apply the security update immediately to prevent unauthorized code execution. See Dell advisory DSA-2024-084 at https://www.dell.com/support/kbdoc/en-us/000222075/dsa-2024-084-security-update-for-dell-openmanage-integration-with-microsoft-windows-admin-center?lang=en for patch details and remediation guidance.

Vendor Advisory

[CRITICAL] go/traefik

1 CVE | CVSS 3.1: 8.0 | AAS 12.8

  • cpe:2.3:a:go:traefik:*:*:*:*:*:*:*:*

Traefik contains a critical vulnerability (CVE-2026-48491, CVSS 8.0) in the SNICheck domain-fronting protection that allows unauthenticated clients to bypass mutual TLS enforcement when using wildcard host rules, as exact map lookups fail to apply wildcard matching. Organizations deploying Traefik with wildcard router configurations and strict TLS requirements should upgrade immediately to patch the authentication bypass. See https://github.com/advisories/GHSA-5r4w-85f3-pw66 for patch details and remediation guidance.

Vendor Advisory

[HIGH] pip/vllm

1 CVE | CVSS 3.1: 9.1 | AAS 10.4

  • cpe:2.3:a:pip:vllm:*:*:*:*:*:*:*:*

vllm contains a critical authentication bypass vulnerability (CVE-2026-48746, CVSS 9.1) in the OpenAI API middleware that allows unauthenticated access without providing the configured VLLM_API_KEY or –api-key due to improper URL path handling in ASGI servers. Organizations running vllm should upgrade immediately to prevent unauthorized API access and potential data exposure. See https://github.com/advisories/GHSA-94f4-hr76-p5j6 for patch details and remediation guidance.

Vendor Advisory

[HIGH] liquid_web_/_stellarwp/the_events_calendar

1 CVE | CVSS 3.1: 9.3 | AAS 10.1

  • cpe:2.3:a:liquid_web_stellarwp:the_events_calendar:*:*:*:*:*:*:*:*

The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) contains a blind SQL injection vulnerability (CVE-2026-49772, CVSS 9.3) that allows attackers to extract sensitive data from WordPress databases. WordPress administrators using The Events Calendar should update to the latest patched version immediately to prevent unauthorized database access. See https://patchstack.com/database/wordpress/plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-6-16-2-sql-injection-vulnerability?_s_id=cve for patch details and remediation guidance.

Vendor Advisory

[HIGH] red_hat/red_hat_enterprise_linux_10

1 CVE | CVSS 3.1: 8.6 | AAS 9.9

  • cpe:2.3:a:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Red Hat Enterprise Linux 10 Pacemaker contains an integer overflow vulnerability (CVE-2026-10649, CVSS 8.6) in the remote message decompression process that allows unauthenticated attackers to cause denial of service by sending specially crafted messages before authentication, resulting in memory corruption and service crashes. Organizations deploying Pacemaker for clustering and high availability should apply the security update immediately to prevent DoS attacks. See https://access.redhat.com/security/cve/CVE-2026-10649 for patch details and remediation guidance.

Vendor Advisory

[HIGH] filipe_nasc/rd_station

1 CVE | CVSS 3.1: 9.9 | AAS 9.7

  • cpe:2.3:a:filipe_nasc:rd_station:*:*:*:*:*:*:*:*

The RD Station WordPress plugin (up to version 5.6.0) contains a critical code injection vulnerability (CVE-2026-49774, CVSS 9.9) that allows remote code execution through improper control of code generation. WordPress administrators using RD Station should update immediately to prevent unauthorized code execution on their sites. See https://patchstack.com/database/wordpress/plugin/integracao-rd-station/vulnerability/wordpress-rd-station-plugin-5-6-0-remote-code-execution-rce-vulnerability?_s_id=cve for patch details and remediation guidance.

Vendor Advisory

[HIGH] eyal_fitoussi/geo_my_wordpress

1 CVE | CVSS 3.1: 9.3 | AAS 9.6

  • cpe:2.3:a:eyal_fitoussi:geo_my_wordpress:*:*:*:*:*:*:*:*

The GEO my WordPress plugin (versions up to 4.5.5) contains an unauthenticated SQL injection vulnerability (CVE-2026-52715, CVSS 9.3) that allows remote attackers to extract sensitive data from WordPress databases without authentication. WordPress administrators using GEO my WordPress should update immediately to the patched version to prevent unauthorized database access. See https://patchstack.com/database/wordpress/plugin/geo-my-wp/vulnerability/wordpress-geo-my-wordpress-plugin-4-5-5-sql-injection-vulnerability?_s_id=cve for patch details and remediation guidance.

Vendor Advisory

[HIGH] forem/forem

1 CVE | CVSS 3.1: 8.2 | AAS 9.5

  • cpe:2.3:a:forem:forem:*:*:*:*:*:*:*:*

Forem contains an authentication bypass vulnerability (CVE-2026-48780, CVSS 8.2) where maliciously crafted email addresses can circumvent domain allowlist and denylist restrictions, allowing unauthorized access to invite-only deployments. Organizations running Forem with email domain restrictions should update to commit a2ab6d4 or later to patch the email validation bypass. See https://github.com/forem/forem/commit/a2ab6d409d2676eb0711ecbd737192043125b437 for patch details and remediation guidance.

Vendor Advisory

[HIGH] rockwell_automation/factorytalk_historian_se

1 CVE | CVSS 4.0: 9.2 | AAS 9.5

  • cpe:2.3:a:rockwellautomation:factorytalk_historian_se:*:*:*:*:*:*:*:*

FactoryTalk Historian Site Edition contains an authentication bypass vulnerability (CVE-2025-13036, CVSS 9.2) that allows attackers to obtain valid authentication tokens by repeatedly sending requests to the login endpoint, circumventing access controls. Organizations using FactoryTalk Historian SE should apply the security patch immediately to prevent unauthorized access to historical data and system controls. See https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1773.html for patch details and remediation guidance.

Vendor Advisory

[HIGH] npm/n8n

1 CVE | CVSS 3.1: 9.9 | AAS 9.2

  • cpe:2.3:a:npm:n8n:*:*:*:*:*:*:*:* (< 2.25.7)
  • cpe:2.3:a:npm:n8n:*:*:*:*:*:*:*:* (>= 2.26.0, < 2.26.2)

n8n contains a critical SQL injection vulnerability (CVE-2026-54310, CVSS 9.9) in the TimescaleDB and legacy Postgres v1 nodes that allows authenticated workflow creators to inject and execute arbitrary SQL commands with database account privileges. Organizations deploying n8n should upgrade immediately to version 2.25.7, 2.26.2, or later to patch the SQL injection vulnerability. See https://github.com/advisories/GHSA-c37g-w77q-m4vp for patch details and remediation guidance.

Vendor Advisory

[HIGH] themagnifico52/kids_online_store

1 CVE | CVSS 3.1: 9.9 | AAS 9.2

  • cpe:2.3:a:themagnifico52:kids_online_store:*:*:*:*:*:*:*:*

The Kids Online Store WordPress theme (versions up to 0.8.9) contains a critical unrestricted file upload vulnerability (CVE-2026-40750, CVSS 9.9) that allows attackers to upload web shells and execute arbitrary code on affected websites. WordPress administrators using the Kids Online Store theme should update immediately to patch the arbitrary file upload vulnerability. See https://patchstack.com/database/wordpress/theme/kids-online-store/vulnerability/wordpress-kids-online-store-theme-0-8-9-arbitrary-file-upload-vulnerability?_s_id=cve for patch details and remediation guidance.

Vendor Advisory

[HIGH] perryts/perry

1 CVE | CVSS 4.0: 9.3 | AAS 9.2

  • cpe:2.3:a:perryts:perry:*:*:*:*:*:*:*:*

Perry before version 0.5.1166 contains a JWT validation vulnerability (CVE-2026-53776, CVSS 9.3) that disables token expiration checks, allowing attackers with expired bearer tokens to retain indefinite authenticated access and bypass logout and administrative revocation. Organizations using Perry should upgrade to version 0.5.1166 or later immediately to restore token expiration validation. See https://github.com/PerryTS/perry/releases/v0.5.1166 for patch details and remediation guidance.

Vendor Advisory

[HIGH] suse/wicked

1 CVE | CVSS 3.1: 8.8 | AAS 9.1

  • cpe:2.3:a:suse:wicked:*:*:*:*:*:*:*:*

SUSE wicked DHCP client before version 0.6.79 contains a code injection vulnerability (CVE-2026-44932, CVSS 8.8) where unsanitized DHCP server replies can be exploited by attackers operating a malicious DHCP server to execute arbitrary code on affected systems. Organizations using wicked should upgrade to version 0.6.79 or later immediately to prevent local code execution attacks. See https://bugzilla.suse.com/show_bug.cgi?id=1265221 for patch details and remediation guidance.

Vendor Advisory

[HIGH] zyxel/gs1900-48hpv2_firmware

1 CVE | CVSS 3.1: 8.8 | AAS 9.1

  • cpe:2.3:a:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:*

Zyxel GS1900-48HPv2 switches with firmware through version 2.90(ABTQ.1)C0 contain a stack-based buffer overflow vulnerability (CVE-2026-7273, CVSS 8.8) in the CGI program that allows unauthenticated LAN-based attackers to execute OS commands via crafted HTTP requests. Organizations deploying GS1900-48HPv2 switches should upgrade firmware immediately to patch the remote code execution vulnerability. See https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-stack-based-buffer-overflow-vulnerability-in-gs1900-series-switches-06-16-2026 for patch details and remediation guidance.

Vendor Advisory