Daily curated vulnerability bulletins from ARETIQ AI. Each bulletin highlights the day’s most critical vulnerabilities, ranked by real-world risk — not just CVSS scores.
Ranked by AAS (ARETIQ Adjusted Score) — a real-world risk score that considers exploit maturity, deployment scale, asset criticality, and remediation status.
Subscribe via JSON feed.
No EMERGENCY vulnerabilities this month.
Daily Bulletins#
41 vulnerabilities across 15 products scored HIGH or above on May 29, 2026.
CRITICAL: 18 HIGH: 23 [CRITICAL] infiniflow/ragflow 1 CVE | CVSS 9.9 | AAS 12.7
RAGFlow versions 0.24.0 and earlier contain a critical Jinja2 template injection vulnerability (CVE-2026-45312, CVSS 9.9) in the prompt generator that allows authenticated users to execute arbitrary OS commands on the affected server. Any user with the ability to register an account can create a Canvas workflow with a DuckDuckGo and LLM component chain to trigger the vulnerability. Organizations using RAGFlow should upgrade immediately and consult the vendor advisory at https://github.com/infiniflow/ragflow/security/advisories/GHSA-wpg4-h5g2-jxm6 for patching and mitigation details.
...
37 vulnerabilities across 15 products scored HIGH or above on May 28, 2026.
CRITICAL: 14 HIGH: 23 [CRITICAL] sherlock-project/sherlock 1 CVE | CVSS 9.3 | AAS 12.0
Sherlock versions prior to 0.16.1 are vulnerable to critical command injection in the GitHub Actions workflow validate_modified_targets.yml (CVE-2026-44590, CVSS 9.3), which allows unauthenticated attackers to execute arbitrary code and steal the GITHUB_TOKEN without requiring pull request approval or review. Security teams managing Sherlock deployments should immediately upgrade to version 0.16.1 or later to eliminate the risk of unauthorized CI runner access and credential compromise. Additional details are available in the vendor security advisory at https://github.com/sherlock-project/sherlock/security/advisories/GHSA-v6wr-ccr4-x8g9.
...
48 vulnerabilities across 15 products scored HIGH or above on May 27, 2026.
CRITICAL: 17 HIGH: 31 [CRITICAL] pip/langroid 1 CVE | CVSS 9.8 | AAS 12.1
Langroid versions prior to 0.63.0 contain a critical vulnerability (CVE-2026-25879, CVSS 9.8) in which the SQLChatAgent executes dynamically generated SQL code influenced by large language model responses, enabling prompt injection attacks to escalate to remote code execution on systems with elevated database privileges. Organizations using Langroid should immediately upgrade to version 0.63.0 or later and review any deployments with database roles configured for code execution or filesystem access. Additional details are available in the vendor advisory at https://github.com/advisories/GHSA-mxfr-6hcw-j9rq.
...
21 vulnerabilities across 15 products scored HIGH or above on May 26, 2026.
CRITICAL: 3 HIGH: 18 [CRITICAL] kareadita/kavita 3 CVEs | CVSS 9.3 | AAS 10.6
Kareadita’s Kavita cross-platform reading server is affected by three critical vulnerabilities (CVE-2026-47202, CVE-2026-44775, CVE-2026-44776) with a maximum CVSS score of 9.3. The most severe issue is an improper token validation flaw that allows unauthenticated remote attackers to request JWTs for any user, including administrators, if they know the username—a flaw present in versions prior to 0.9.0.2 and currently exploitable in the wild. Organizations deploying Kavita should immediately upgrade to version 0.9.0.2 or later to remediate these critical vulnerabilities.
...
20 vulnerabilities across 2 products scored HIGH or above on May 25, 2026.
HIGH: 20 [HIGH] totolink/a8000ru 19 CVEs | CVSS 8.9 | AAS 8.4
Totolink A8000RU routers through firmware version 7.1cu.643_b20200521 are affected by 19 vulnerabilities including multiple high-severity flaws with a maximum CVSS score of 8.9. The lead vulnerability allows unauthenticated remote OS command injection via the provider parameter in the Web Management Interface at /cgi-bin/cstecgi.cgi, with public exploits currently available. Network administrators and organizations operating this router model should immediately update to patched firmware and restrict access to the Web Management Interface until patches are deployed.
...
9 vulnerabilities across 1 products scored HIGH or above on May 24, 2026.
HIGH: 9 [HIGH] totolink/a8000ru 9 CVEs | CVSS 9.3 | AAS 8.4
Totolink A8000RU firmware version 7.1cu.643_b20200521 is affected by nine vulnerabilities, including multiple remote code execution flaws with a maximum CVSS score of 9.3. The primary issue involves an unauthenticated OS command injection vulnerability in the web management interface (/cgi-bin/cstecgi.cgi) for which public exploits exist. Organizations operating these devices should apply vendor updates immediately and restrict access to the management interface to trusted networks only.
...
2 vulnerabilities across 2 products scored HIGH or above on May 23, 2026.
HIGH: 2 [HIGH] userspice/userspice 1 CVE | CVSS 9.3 | AAS 7.2
userSpice 4.3.24 is affected by a high-severity username enumeration vulnerability (CVE-2018-25350, CVSS 9.3) that allows unauthenticated attackers to discover valid usernames through the existingUsernameCheck.php endpoint by analyzing responses for the ’taken’ string. Organizations deploying userSpice should upgrade immediately to a patched version to prevent account enumeration attacks. The vulnerability enables attackers to identify valid accounts, facilitating targeted credential attacks and account-specific exploits.
...
22 vulnerabilities across 15 products scored HIGH or above on May 22, 2026.
CRITICAL: 5 HIGH: 17 [CRITICAL] linux/linux_kernel 1 CVE | CVSS 9.2 | AAS 12.0
The Linux kernel contains a critical vulnerability (CVE-2026-9054, CVSS 9.2) that triggers a kernel panic when systems receive TCP, IL, RUDP, or GRE packets with header lengths shorter than expected. This affects all vulnerable kernel versions and can be exploited remotely by unauthenticated attackers. System administrators should apply available kernel patches from their distribution vendor immediately.
...
30 vulnerabilities across 15 products scored HIGH or above on May 21, 2026.
CRITICAL: 10 HIGH: 20 [CRITICAL] google/chrome 10 CVEs | CVSS 8.8 | AAS 10.0
Google Chrome versions prior to 148.0.7778.179 contain 10 vulnerabilities, including multiple use-after-free flaws in WebRTC that could allow remote code execution with a maximum CVSS score of 8.8. All organizations running Chrome should apply updates immediately, as these are critical-severity issues requiring urgent patching. Refer to the vendor advisory for complete CVE details and platform-specific update instructions.
...