8 vulnerabilities across 6 products scored HIGH or above on June 22, 2026.
- HIGH: 8
[HIGH] ibm/langflow_oss
2 CVEs | CVSS 3.1: 10.0 | AAS 11.2
cpe:2.3:a:ibm:langflow_oss:*:*:*:*:*:*:*:*
IBM Langflow OSS versions 1.0.0 through 1.9.3 are affected by 2 vulnerabilities, including at least one critical-severity issue (CVSS 10.0) that combines an authentication bypass with unsafe Python execution isolation, allowing an unauthenticated attacker to achieve full remote code execution on the host. Active exploitation is feasible, and organizations running Langflow OSS in any capacity should treat this as an emergency-level patching priority.
Review the vendor advisory at https://www.ibm.com/support/pages/node/7277242 and upgrade to a fixed release immediately. If patching cannot be performed right away, restrict network access to Langflow instances and monitor for signs of compromise.
- CVE-2026-10561 (CVSS 3.1: 10.0)
- CVE-2026-7664 (CVSS 3.1: 9.8)
[HIGH] paymenter/paymenter
1 CVE | CVSS 3.1: 9.9 | AAS 10.2
cpe:2.3:a:paymenter:paymenter:*:*:*:*:*:*:*:*
Paymenter, an open-source billing and hosting management platform, is affected by 1 critical-severity vulnerability (CVSS 9.9) in its ticket attachments functionality that allows an authenticated user to upload arbitrary files and achieve remote code execution on the underlying server. Successful exploitation can lead to full system compromise, including extraction of database contents, configuration file credentials, and execution of arbitrary system commands under the web server context.
Administrators running Paymenter should review the vendor advisory at https://github.com/advisories/GHSA-5pm9-r2m8-rcmj and apply the available fix immediately. Until patched, consider restricting ticket attachment uploads or limiting authenticated user access as an interim mitigation.
- CVE-2025-58048 (CVSS 3.1: 9.9)
[HIGH] chainlit/chainlit
1 CVE | CVSS 4.0: 9.1 | AAS 9.7
cpe:2.3:a:chainlit:chainlit:*:*:*:*:*:*:*:*(< 2.10.1)
Chainlit versions prior to 2.10.1 are affected by 1 high-severity vulnerability (CVSS 9.1) that allows an unauthenticated attacker to hijack authenticated user sessions by presenting a valid session ID during WebSocket session restoration, with no ownership verification performed. Successful exploitation lets an attacker assume the victim’s permissions and roles, enabling unauthorized tool invocation and access to restricted data.
Organizations using Chainlit for AI application interfaces should upgrade to version 2.10.1 or later immediately. The fix and technical details are available at the vendor commit linked in the advisory at https://github.com/Chainlit/chainlit/commit/5effb664f1e0af4a4f0a42fe63ea979676039a7f.
- CVE-2026-56104 (CVSS 4.0: 9.1)
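The flaw described above is a missing ownership check at reconnect time: the server resumes whatever session the WebSocket client names, so possession of a session ID alone is enough. The block below is an added example, not Chainlit's code, that models that restore path against a hardened version which binds each session to the identity the caller proves with an authentication token. The in-memory store, the HMAC bearer-token format, the server secret and the function names are assumptions for the demo.

```python
"""Session restoration with and without an ownership check (added example)."""
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret"


class Session:
    def __init__(self, session_id, owner, roles):
        self.session_id = session_id
        self.owner = owner
        self.roles = roles


SESSIONS = {}  # session_id -> Session (in-memory stand-in for a session store)


def create_session(owner, roles):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(sid, owner, roles)
    return sid


def issue_token(user):
    """Signed bearer token proving the caller is `user` (HMAC-SHA256, assumed format)."""
    mac = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token):
    """Return the user a valid token names, or None."""
    try:
        user, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def restore_session_vulnerable(session_id):
    """Resume whatever session the reconnecting client names: the ID is the key and the proof."""
    return SESSIONS.get(session_id)


def restore_session_fixed(session_id, auth_token):
    """Resume only when the caller's proven identity matches the session owner."""
    user = verify_token(auth_token)
    if user is None:
        return None
    session = SESSIONS.get(session_id)
    if session is None or session.owner != user:
        return None  # valid ID, wrong owner: refuse, and do not leak roles
    return session


def demo():
    """Attacker knows the victim's session ID but only holds a token for their own account."""
    victim_sid = create_session("alice", ["admin"])
    hijacked = restore_session_vulnerable(victim_sid)
    blocked = restore_session_fixed(victim_sid, issue_token("mallory"))
    forged = restore_session_fixed(victim_sid, "alice.deadbeef")
    legit = restore_session_fixed(victim_sid, issue_token("alice"))
    return (
        hijacked.owner if hijacked else None,  # "alice": hijack succeeds
        blocked is None,                        # True: other user's token rejected
        forged is None,                         # True: bad signature rejected
        legit.owner if legit else None,         # "alice": owner restores normally
    )


if __name__ == "__main__":
    print(demo())
```

The ownership check has to run on every restore, not only at initial connect, because the attacker never performs the original login; reconnect is the only path they take.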
[HIGH] ibm/websphere_application_server
1 CVE | CVSS 3.1: 7.5 | AAS 9.3
cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*
IBM WebSphere Application Server versions 8.5 and 9.0, as well as WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.6, are affected by 1 high-severity denial-of-service vulnerability (CVSS 7.5) that allows a remote attacker to exhaust server memory resources by sending a specially crafted request. Any organization running WebSphere in production should take note, as exploitation requires no authentication and can directly impact application availability.
Review the vendor advisory at https://www.ibm.com/support/pages/node/7276579 and apply the recommended fix or interim mitigation as soon as possible.
- CVE-2026-9071 (CVSS 3.1: 7.5)
[HIGH] angular/angular
2 CVEs | CVSS 4.0: 8.7 | AAS 9.1
cpe:2.3:a:angular:angular:*:*:*:*:*:*:*:*(< 21.2.4)
cpe:2.3:a:angular:angular:*:*:*:*:*:*:*:*(< 19.2.2)
The Angular Language Service VS Code Extension prior to version 21.2.4 is affected by 2 high-severity vulnerabilities (max CVSS 8.7), including at least one that allows a malicious workspace configuration to specify arbitrary TypeScript SDK paths without verifying VS Code Workspace Trust or prompting for user consent, potentially leading to code execution when a developer opens an untrusted project. Development teams using the Angular Language Service extension should treat this as a supply-chain risk to developer workstations.
Update the Angular Language Service VS Code Extension to version 21.2.4 or later immediately. Technical details and the fix are available at https://github.com/angular/angular/pull/68857.
- CVE-2026-49241 (CVSS 4.0: 8.7)
- CVE-2026-50178 (CVSS 4.0: 8.7)
[HIGH] gogs.io/gogs
1 CVE | CVSS 3.1: 8.0 | AAS 9.0
cpe:2.3:a:gogs.io:gogs:*:*:*:*:*:*:*:*
Gogs, a self-hosted Git service, is affected by 1 high-severity authentication bypass vulnerability (CVSS 8.0) that impacts instances with reverse proxy authentication enabled. When this feature is active, Gogs accepts the authentication header directly from client requests without verifying the request originated from a trusted proxy, allowing any remote attacker who can reach the service to forge the header and impersonate any user or trigger automatic account creation.
Organizations running Gogs with reverse proxy authentication should review the advisory at https://github.com/advisories/GHSA-w6j9-vw59-27wv and apply the fix immediately. As an interim measure, ensure Gogs is not directly reachable by untrusted clients and restrict access exclusively through the trusted reverse proxy.
- CVE-2026-25119 (CVSS 3.1: 8.0)
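Reverse-proxy header authentication is only safe when two things hold: the application honors the header solely from the proxy, and the proxy overwrites the header rather than forwarding whatever the client sent. The block below is an added example, not Gogs code, that models the flaw described above in a minimal request handler and shows both halves of the fix, plus the auto-registration switch that decides whether an unknown header value creates an account. The header name X-WEBAUTH-USER, the proxy address 10.0.0.5, the client address 203.0.113.9 and the function names are assumptions for the demo.

```python
"""Reverse-proxy header auth: blind trust vs. trust only from the proxy (added example)."""
import ipaddress

AUTH_HEADER = "X-WEBAUTH-USER"                          # assumed header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # assumed proxy address


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def authenticate_vulnerable(remote_addr, headers):
    """Whoever the header names is logged in, no matter who sent the request."""
    return _header(headers, AUTH_HEADER)


def authenticate_fixed(remote_addr, headers, known_users=(), auto_register=False):
    """Honor the header only when the TCP peer is a trusted proxy."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None  # direct client: the header is attacker-controlled, ignore it
    user = _header(headers, AUTH_HEADER)
    if not user:
        return None
    if user not in known_users and not auto_register:
        return None  # unknown identity and auto-registration is off
    return user


def proxy_forward(client_headers, authenticated_user):
    """What a correct proxy does: drop any client copy of the header, set its own."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != AUTH_HEADER.lower()}
    if authenticated_user:
        forwarded[AUTH_HEADER] = authenticated_user
    return forwarded


def demo():
    """Constructed requests: a client forging the header, reaching the app directly or via a proxy."""
    forged = {"x-webauth-user": "admin"}  # attacker-supplied, lowercase on purpose
    known = {"admin"}
    return (
        authenticate_vulnerable("203.0.113.9", forged),                     # "admin": bypass
        authenticate_fixed("203.0.113.9", forged, known),                   # None: not from proxy
        # Trusted proxy that passes client headers through unchanged: IP check alone is not enough.
        authenticate_fixed("10.0.0.5", forged, known),                      # "admin": still bad
        authenticate_fixed("10.0.0.5", proxy_forward(forged, None), known), # None: proxy stripped it
        authenticate_fixed("10.0.0.5", proxy_forward(forged, "bob"), known),           # None: unknown, no auto-reg
        authenticate_fixed("10.0.0.5", proxy_forward(forged, "bob"), known, True),     # "bob": auto-registered
    )


if __name__ == "__main__":
    print(demo())
```

The third case is the one the interim mitigation in the advisory text addresses: restricting network reachability to the proxy does nothing if the proxy itself relays a client-supplied X-WEBAUTH-USER, so the proxy configuration must unset the header before setting it.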