The Week in Security
Adobe had 2 vulnerabilities this week including Adobe Campaign Classic (ACC) Remote code execution (CVSS 10.0). Other had 150 vulnerabilities this week including Server-side request forgery (ssrf) Privilege escalation (CVSS 9.9). IBM had 17 vulnerabilities this week including IBM Langflow OSS 1.0.0 Vulnerability (CVSS 9.6).
We tracked 180 vulnerabilities this week. 24 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.
Adobe Patches 2 Vulnerabilities
2 vulnerabilities across Adobe products this week. The worst: CVE-2026-48286 (CVSS 10.0) lets attackers run code on your systems. Patch now if you run Adobe.
- CVE-2026-48286: Adobe Campaign Classic (ACC) Remote code execution (CVSS 10.0)
- CVE-2026-48307: adobe coldfusion Remote code execution (CVSS 8.8)
Other Had a Rough Week
150 vulnerabilities across Other products this week. The worst: CVE-2026-57100 (CVSS 9.9) lets attackers run code on your systems. Patch now if you run Other.
- CVE-2026-57100: Server-side request forgery (ssrf) Privilege escalation (CVSS 9.9)
- CVE-2026-45499: Server-side request forgery (ssrf) Privilege escalation (CVSS 9.9)
- CVE-2026-58466: AutoBangumi before 3.2.8 hard-coded Vulnerability (CVSS 9.8)
- CVE-2026-58455: Dockwatch through 0.6.567 unauthenticated Command injection (CVSS 9.8)
- CVE-2026-58449: txtai through 9.10.0, fixed Remote code execution (CVSS 9.8)
- CVE-2026-58138: Orkes Conductor 3.21.21 before Remote code execution (CVSS 9.8)
- CVE-2026-56700: Grav CMS before 2.0.0-beta.2 Remote code execution (CVSS 9.8)
- CVE-2026-4321: Improper neutralization of special SQL injection (CVSS 9.8)
- CVE-2026-14544: A flaw was found Remote code execution (CVSS 9.8)
- CVE-2026-12073: ProfileGrid - User Profiles, Privilege escalation (CVSS 9.8)
- CVE-2026-11387: SMS Alert - SMS Privilege escalation (CVSS 9.8)
- CVE-2026-41106: Url redirection to untrusted Privilege escalation (CVSS 9.3)
- CVE-2026-9725: Printcart Web to Print Remote code execution (CVSS 9.1)
- CVE-2026-59099: Apereo CAS 7.3.0 before Vulnerability (CVSS 9.1)
- CVE-2026-58172: Ocelot through 24.1.0, fixed Vulnerability (CVSS 9.1)
- CVE-2026-58166: OpenBMB ChatDev through 2.2.0, Directory traversal (CVSS 9.1)
- CVE-2026-56278: Flowise before 3.1.0 (CVSS 9.1)
- CVE-2026-58289: Access of resource using Vulnerability (CVSS 9.0)
- CVE-2026-9085: Incorrect Permission Assignment for Authorization bypass (CVSS 8.8)
- CVE-2026-59093: Weaviate before 1.38.0 does Vulnerability (CVSS 8.8)
- CVE-2026-57999: luci-app-tailscale-community command injection vulnerability (CVSS 8.8)
- CVE-2026-57974: Integer overflow or wraparound Vulnerability (CVSS 8.8)
- CVE-2026-56645: Heap-based buffer overflow in CVSS 8.8 (CVSS 8.8)
- CVE-2026-56247: Capgo before 12.128.2 allows Vulnerability (CVSS 8.8)
- CVE-2026-56230: Capgo before 12.128.2 broken Vulnerability (CVSS 8.8)
- CVE-2026-40521: FrontAccounting before 2.4.20 path Remote code execution (CVSS 8.8)
- CVE-2026-14721: UTT HiPER 1250GW up Buffer overflow (CVSS 8.8)
- CVE-2026-14460: Missing Authorization vulnerability in CVSS 8.8 (CVSS 8.8)
- CVE-2026-14459: Improper neutralization of argument Vulnerability (CVSS 8.8)
- CVE-2026-13583: Edimax EW-7478APC 1.04. Impacted Buffer overflow (CVSS 8.8)
- CVE-2026-13562: A flaw has been Buffer overflow (CVSS 8.8)
- CVE-2026-13545: D-Link DCS-935L 1.10.01. This Command injection (CVSS 8.8)
- CVE-2026-13539: Wavlink WL-NU516U1-A M16U1_V240425. The Buffer overflow (CVSS 8.8)
- CVE-2026-13519: Tenda JD12L 16.03.53.23. This Buffer overflow (CVSS 8.8)
- CVE-2026-13518: Tenda JD12L 16.03.53.23. This Buffer overflow (CVSS 8.8)
- CVE-2026-13517: A flaw has been Buffer overflow (CVSS 8.8)
- CVE-2026-13516: Tenda JD12L 16.03.53.23. The Buffer overflow (CVSS 8.8)
- CVE-2026-13515: A security vulnerability has Buffer overflow (CVSS 8.8)
- CVE-2026-12158: RegistrationMagic - User Registration Vulnerability (CVSS 8.8)
- CVE-2025-71380: Execute Command node in Remote code execution (CVSS 8.8)
- CVE-2026-58295: Access of resource using Vulnerability (CVSS 8.3)
- CVE-2026-58285: Access of resource using Vulnerability (CVSS 8.3)
- CVE-2026-56233: Capgo before 12.128.2 path Privilege escalation (CVSS 8.3)
- CVE-2026-14637: A security vulnerability has Deserialization (CVSS 8.2)
- CVE-2026-58283: Access of resource using Vulnerability (CVSS 8.1)
- CVE-2026-56286: Capgo before 12.128.2 Authentication bypass (CVSS 8.1)
- CVE-2026-56264: Crawl4AI before 0.8.7 arbitrary Vulnerability (CVSS 8.1)
- CVE-2026-40524: FrontAccounting before 2.4.20 SQL injection (CVSS 8.1)
- CVE-2025-71375: picklescan before 0.0.34 fails Vulnerability (CVSS 8.1)
- CVE-2025-71374: picklescan before 0.0.29 fails Deserialization (CVSS 8.1)
- CVE-2025-71373: picklescan before 0.0.33 fails Vulnerability (CVSS 8.1)
- CVE-2025-71372: Picklescan before 0.0.33 fails Remote code execution (CVSS 8.1)
- CVE-2025-71371: picklescan before 0.0.29 fails Vulnerability (CVSS 8.1)
- CVE-2025-71369: picklescan before 0.0.28 fails Remote code execution (CVSS 8.1)
- CVE-2025-71368: picklescan before 0.0.30 fails Remote code execution (CVSS 8.1)
- CVE-2025-71367: picklescan before 0.0.34 fails Vulnerability (CVSS 8.1)
- CVE-2025-71366: picklescan before 0.0.28 fails Remote code execution (CVSS 8.1)
- CVE-2025-71364: picklescan before 0.0.30 fails Remote code execution (CVSS 8.1)
- CVE-2025-71363: picklescan before 0.0.30 fails Deserialization (CVSS 8.1)
- CVE-2025-71362: picklescan before 0.0.33 fails Deserialization (CVSS 8.1)
- CVE-2025-71360: picklescan before 0.0.29 fails Vulnerability (CVSS 8.1)
- CVE-2025-71359: picklescan before 0.0.29 fails Remote code execution (CVSS 8.1)
- CVE-2025-71356: picklescan before 0.0.28 fails Vulnerability (CVSS 8.1)
- CVE-2025-71353: picklescan before 0.0.28 fails Vulnerability (CVSS 8.1)
- CVE-2025-71352: picklescan before 0.0.29 fails Vulnerability (CVSS 8.1)
- CVE-2025-71350: picklescan before 0.0.28 fails Vulnerability (CVSS 8.1)
- CVE-2025-71347: picklescan before 0.0.33 fails Remote code execution (CVSS 8.1)
- CVE-2025-71345: picklescan before 0.0.30 fails Remote code execution (CVSS 8.1)
- CVE-2025-71343: picklescan before 0.0.30 fails Vulnerability (CVSS 8.1)
- CVE-2025-71342: picklescan before 0.0.30 fails Remote code execution (CVSS 8.1)
- CVE-2026-12240: Export User Data plugin Remote code execution (CVSS 8.0)
- CVE-2026-6509: Missing Authorization vulnerability in Privilege escalation (CVSS 7.8)
- CVE-2026-14606: RT-Thread up to 5.0.2. Buffer overflow (CVSS 7.8)
- CVE-2026-14605: RT-Thread up to 5.0.2. Buffer overflow (CVSS 7.8)
- CVE-2026-59095: LobeChat before 2.2.10-canary.18 server-side SSRF (CVSS 7.7)
- CVE-2026-59092: JuiceFS through 1.3.1, fixed Authentication bypass (CVSS 7.7)
- CVE-2026-58460: react-native-receive-sharing-intent path traversal (CVSS 7.7)
- CVE-2026-56249: Capgo before 12.128.2 Authorization bypass (CVSS 7.6)
- CVE-2026-59096: Dapr Sentry's OIDC discovery Vulnerability (CVSS 7.5)
- CVE-2026-58375: JimuReport through 2.5.0 exposes Vulnerability (CVSS 7.5)
- CVE-2026-58290: Access of resource using Vulnerability (CVSS 7.5)
- CVE-2026-57975: Access of resource using Vulnerability (CVSS 7.5)
- CVE-2026-56780: Modoboa before 2.9.0 insecure Authorization bypass (CVSS 7.5)
- CVE-2026-56300: Capgo before 12.128.2 contains Vulnerability (CVSS 7.5)
- CVE-2026-56219: Capgo before 12.128.2 NULL-auth Vulnerability (CVSS 7.5)
- CVE-2026-13468: Visualizer - Tables & Authorization bypass (CVSS 7.5)
- CVE-2026-1239: Ninja Forms - The Vulnerability (CVSS 7.5)
- CVE-2026-11823: BookingPress Appointment Booking Pro SQL injection (CVSS 7.5)
- CVE-2026-58379: A flaw was found Remote code execution (CVSS 7.3)
- CVE-2026-14772: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-14771: A flaw has been SQL injection (CVSS 7.3)
- CVE-2026-14770: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-14769: A security vulnerability has SQL injection (CVSS 7.3)
- CVE-2026-14768: A weakness has been SQL injection (CVSS 7.3)
- CVE-2026-14764: code-projects Hotel and Tourism SQL injection (CVSS 7.3)
- CVE-2026-14763: A flaw has been SQL injection (CVSS 7.3)
- CVE-2026-14762: code-projects Hotel and Tourism SQL injection (CVSS 7.3)
- CVE-2026-14756: code-projects Hotel and Tourism SQL injection (CVSS 7.3)
- CVE-2026-14755: code-projects Hotel and Tourism SQL injection (CVSS 7.3)
- CVE-2026-14754: A flaw has been SQL injection (CVSS 7.3)
- CVE-2026-14753: mjperpinosa stumasy up to Authorization bypass (CVSS 7.3)
- CVE-2026-14750: mjperpinosa stumasy up to SQL injection (CVSS 7.3)
- CVE-2026-14749: mjperpinosa stumasy up to Code injection (CVSS 7.3)
- CVE-2026-14747: code-projects Real State Services SQL injection (CVSS 7.3)
- CVE-2026-14746: A security vulnerability has SQL injection (CVSS 7.3)
- CVE-2026-14745: A weakness has been SQL injection (CVSS 7.3)
- CVE-2026-14744: code-projects Real State Services SQL injection (CVSS 7.3)
- CVE-2026-14743: code-projects Real State Services SQL injection (CVSS 7.3)
- CVE-2026-14737: Hanwang e-Face General Management SQL injection (CVSS 7.3)
- CVE-2026-14736: Ruijie RG-UAC up to Vulnerability (CVSS 7.3)
- CVE-2026-14735: code-projects Smart Parking System SQL injection (CVSS 7.3)
- CVE-2026-14734: A flaw has been SQL injection (CVSS 7.3)
- CVE-2026-14733: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-14732: A security vulnerability has SQL injection (CVSS 7.3)
- CVE-2026-14722: tiddly-gittly TidGi-Desktop up to Code injection (CVSS 7.3)
- CVE-2026-14719: A flaw has been Vulnerability (CVSS 7.3)
- CVE-2026-14713: SourceCodester Pizzafy E-Commerce System SQL injection (CVSS 7.3)
- CVE-2026-14705: code-projects Online Examination 1.0. SQL injection (CVSS 7.3)
- CVE-2026-14700: A security vulnerability has SQL injection (CVSS 7.3)
- CVE-2026-14695: SourceCodester Multi-Vendor Online Grocery SQL injection (CVSS 7.3)
- CVE-2026-14690: A weakness has been Authorization bypass (CVSS 7.3)
- CVE-2026-14688: itsourcecode Online Hotel Management SQL injection (CVSS 7.3)
- CVE-2026-14660: code-projects Online Job Portal SQL injection (CVSS 7.3)
- CVE-2026-14654: SourceCodester Simple and Nice SQL injection (CVSS 7.3)
- CVE-2026-14653: SourceCodester Simple and Nice SQL injection (CVSS 7.3)
- CVE-2026-14652: SourceCodester Simple and Nice SQL injection (CVSS 7.3)
- CVE-2026-14649: code-projects Online Voting System SQL injection (CVSS 7.3)
- CVE-2026-14648: A security vulnerability has SQL injection (CVSS 7.3)
- CVE-2026-14642: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-14641: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-14640: CodeAstro Apartment Visitor Management SQL injection (CVSS 7.3)
- CVE-2026-14635: kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to Directory (CVSS 7.3)
- CVE-2026-13592: liftoff-sr CIPster up to Vulnerability (CVSS 7.3)
- CVE-2026-13568: A weakness has been Authorization bypass (CVSS 7.3)
- CVE-2026-13566: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-13551: A security vulnerability has SQL injection (CVSS 7.3)
- CVE-2026-13550: A weakness has been SQL injection (CVSS 7.3)
- CVE-2026-13547: Hanwang e-Face General Management Vulnerability (CVSS 7.3)
- CVE-2026-13546: Feehi CMS up to Vulnerability (CVSS 7.3)
- CVE-2026-13528: YunaiV/zhijiantianya ruoyi-vue-pro up to Directory traversal (CVSS 7.3)
- CVE-2026-13527: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-13526: A flaw has been SQL injection (CVSS 7.3)
- CVE-2026-13521: SourceCodester Class and Exam SQL injection (CVSS 7.3)
- CVE-2026-9148: Comments - wpDiscuz plugin Cross-site scripting (CVSS 7.2)
- CVE-2026-7517: Custom Payment Gateways for Cross-site scripting (CVSS 7.2)
- CVE-2026-58298: Improper neutralization of input Cross-site scripting (CVSS 7.2)
- CVE-2026-13731: WPBot - AI ChatBot Cross-site scripting (CVSS 7.2)
- CVE-2026-13040: NEX-Forms - Ultimate Forms Cross-site scripting (CVSS 7.2)
- CVE-2026-57977: Improper neutralization of input Cross-site scripting (CVSS 7.1)
- CVE-2026-56320: Capgo before 12.128.2 authorization Vulnerability (CVSS 7.1)
IBM Had a Rough Week
17 vulnerabilities across IBM products this week. The worst: CVE-2026-10140 (CVSS 9.6) lets anyone bypass authentication. Patch now if you run IBM.
- CVE-2026-10140: IBM Langflow OSS 1.0.0 Vulnerability (CVSS 9.6)
- CVE-2026-11712: IBM WebSphere Application Server Cross-site scripting (CVSS 9.3)
- CVE-2026-11708: IBM WebSphere Application Server Cross-site scripting (CVSS 9.3)
- CVE-2026-7874: IBM Langflow OSS 1.0.0 Vulnerability (CVSS 9.1)
- CVE-2026-11714: IBM WebSphere Application Server Vulnerability (CVSS 8.5)
- CVE-2026-11594: IBM WebSphere Application Server Cross-site scripting (CVSS 8.5)
- CVE-2026-10129: IBM Langflow OSS 1.0.0 SSRF (CVSS 8.5)
- CVE-2026-10564: IBM Langflow OSS 1.0.0 SSRF (CVSS 8.2)
- CVE-2026-10560: IBM Langflow OSS 1.0.0 Information disclosure (CVSS 8.2)
- CVE-2025-36359: IBM DevOps Automation 1.0.1 Vulnerability (CVSS 8.1)
- CVE-2026-13449: IBM Business Automation Manager XXE (CVSS 7.6)
- CVE-2026-13772: IBM WebSphere Extreme Scale Vulnerability (CVSS 7.5)
- CVE-2026-13759: IBM WebSphere Extreme Scale Vulnerability (CVSS 7.5)
- CVE-2026-11541: IBM WebSphere Application Server Vulnerability (CVSS 7.4)
- CVE-2026-11806: IBM WebSphere Application Server File read (CVSS 7.2)
- CVE-2026-11546: IBM WebSphere Application Server Vulnerability (CVSS 7.1)
- CVE-2026-10546: IBM Langflow OSS 1.0.0 SSRF (CVSS 7.1)
WordPress Patches 6 Vulnerabilities
6 vulnerabilities across WordPress products this week. The worst: CVE-2026-6070 (CVSS 9.1) lets attackers run code on your systems. Patch now if you run WordPress.
- CVE-2026-6070: WP-BusinessDirectory plugin for WordPress Directory traversal (CVSS 9.1)
- CVE-2026-12224: Dokan Pro plugin for Privilege escalation (CVSS 8.8)
- CVE-2026-14352: AR for WooCommerce plugin Directory traversal (CVSS 7.5)
- CVE-2026-14327: AR for WordPress plugin Directory traversal (CVSS 7.5)
- CVE-2026-12923: Youtube Showcase plugin for Information disclosure (CVSS 7.5)
- CVE-2026-10513: Webmention plugin for WordPress Cross-site scripting (CVSS 7.2)
PHP Patches 2 Vulnerabilities
2 vulnerabilities across PHP products this week. The worst: CVE-2026-57995 (CVSS 8.8) lets anyone bypass authentication. Patch now if you run PHP.
- CVE-2026-57995: phpMyFAQ before 4.1.5 Privilege escalation (CVSS 8.8)
- CVE-2026-14622: jairiidriss restaurant-website-php-mysql up to Vulnerability (CVSS 7.3)
Microsoft Patches 2 Vulnerabilities
2 vulnerabilities across Microsoft products this week. The worst: CVE-2026-54998 (CVSS 8.8) lets anyone bypass authentication. Patch now if you run Microsoft.
- CVE-2026-54998: Incorrect authorization in Microsoft Privilege escalation (CVSS 8.8)
- CVE-2026-57983: Improper authorization in Microsoft Authorization bypass (CVSS 8.7)
Cockpit Hit With CVSS 7.5
CVE-2026-58467 scores a 7.5. Cockpit lets attackers run code on your systems.
- CVE-2026-58467: Cockpit CMS before release Directory traversal (CVSS 7.5)
By the Numbers
| Total CVEs analyzed | 180 |
| Critical (9.0+) | 24 |
| High (7.0-8.9) | 156 |
| Remote code execution | 134 |
| Authentication bypass | 45 |
| Cross-site scripting | 0 |
| SQL injection | 0 |
What To Do This Week
One action item per vendor. Start at the top and work down.
- Adobe: Update immediately. 1 critical-severity issues patched this week.
- Other: Update immediately. 18 critical-severity issues patched this week.
- IBM: Update immediately. 4 critical-severity issues patched this week.
- WordPress: Update immediately. 1 critical-severity issues patched this week.
- PHP: Review and patch 2 high-severity vulnerabilities when possible.
- Microsoft: Review and patch 2 high-severity vulnerabilities when possible.
- Cockpit: Review and patch 1 high-severity vulnerabilities when possible.