Daily Updates

Cyber News

Short, concise cybersecurity updates. 67 records found.

newsCRITICAL 10.0

Critical Vulnerability in Siemens Opcenter X Allows Arbitrary JWT Forging

A critical vulnerability (CVE-2026-56451) with a CVSS score of 10 has been identified in Siemens Opcenter X versions prior to V2604. This vulnerability allows an unauthenticated remote attacker to forge arbitrary JSON Web Tokens (JWT), bypass authentication mechanisms, and impersonate any user, including administrative accounts. Immediate action is required to update affected systems.

1 source
newsHIGH 7.8

Integer Overflow Vulnerability in WinFsp (CVE-2026-7162)

A high-severity integer overflow vulnerability (CVE-2026-7162) has been discovered in WinFsp, a software package. Successful exploitation could allow an attacker to achieve system-level access. Affected versions include WinFsp 2.2.26112 and lower.

1 source
newsHIGH 7.8

CVE-2026-15506: SecureAge CatchPulse Heap-Based Buffer Overflow Vulnerability

A heap-based buffer overflow vulnerability has been detected in SecureAge CatchPulse up to version 10.9.3. The vulnerability is located in the library saappctl.sys of the Driver component and requires local access to be exploited. A CVSS score of 7.8 indicates a high severity level.

1 source
newsHIGH 8.8

CVE-2026-61875: Stored Cross-Site Scripting in luci-app-upnp via UPnP IGD AddPortMapping SOAP Requests

A stored cross-site scripting vulnerability exists in luci-app-upnp, allowing unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. This vulnerability has a CVSS score of 8.8 and is considered high severity. Affected users should update luci-app-upnp to the latest version.

1 source
newsHIGH 8.8

CVE-2026-15155: Authenticated Account Takeover via Email Header Injection in Essential Addons for Elementor

The Essential Addons for Elementor plugin for WordPress is vulnerable to authenticated account takeover via email header injection. An attacker with Contributor-level access can inject a Bcc header into the administrator's password-reset notification email, potentially leading to full administrator account takeover. The vulnerability has a CVSS score of 8.8 and affects all versions up to 6.6.10.

1 source
newsCRITICAL 9.6

Critical Path Traversal Vulnerability in JetBrains IntelliJ IDEA

A critical vulnerability (CVE-2026-59792) with a CVSS score of 9.6 was discovered in JetBrains IntelliJ IDEA, allowing for code execution via path traversal in project workspace ID handling. Users of IntelliJ IDEA versions before 2026.1.4 and 2026.2 are affected. Immediate action is required to update to a patched version.

1 source
newsHIGH 8.0

CVE-2026-15293: WP Business Intelligence Lite Plugin Vulnerability

The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass, allowing authenticated attackers with Subscriber-level access to modify stored SQL queries, potentially leading to privilege escalation. This affects all versions up to and including 3.2.0, with a CVSS score of 8.

1 source
newsHIGH 8.7

Mistune Vulnerability: Potential DoS via Quadratic-Time Parsing in parse_link_text

Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. An attacker-controlled Markdown input can trigger excessive CPU usage with a very small payload. Affected applications include web applications, API services, and documentation rendering systems.

1 source
newsCRITICAL 9.8

CVE-2026-15158: Critical Arbitrary File Upload Vulnerability in Blocksy Companion Plugin

A critical vulnerability (CVE-2026-15158, CVSS 9.8) exists in the Blocksy Companion plugin for WordPress, allowing unauthenticated attackers to upload executable files, leading to remote code execution. This vulnerability affects the premium version of the plugin (blocksy-companion-pro) when used with specific extensions. Immediate action is required to mitigate this threat.

1 source
newsCRITICAL 9.6

Critical SQL Injection Vulnerability in Snowflake Snowpark Python SDK (CVE-2026-15062)

A critical SQL injection vulnerability (CVE-2026-15062) with a CVSS score of 9.6 affects Snowflake Snowpark Python SDK versions prior to 1.53.0. Authenticated low-privilege users could exploit this vulnerability to execute SQL beyond their authorization scope, potentially leading to source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data. Immediate action is required to update to version 1.53.0 or later.

1 source
newsHIGH 8.5

Critical Heap Buffer Overflow Vulnerability in X.Org xorg-server and xwayland

A critical vulnerability, CVE-2026-55999, with a CVSS score of 8.5, was discovered in X.Org's xorg-server and xwayland. Local attackers with an X connection can exploit this vulnerability to cause a heap buffer overflow via SetFont due to missing glyph boundary checks. Affected versions include xorg-server before 21.2.24 and xwayland before 24.1.13.

1 source
newsHIGH 7.6

CVE-2026-53518: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption

A vulnerability in @better-auth/oauth-provider allows concurrent redemption of OAuth authorization codes, potentially leading to multiple independent token sets being issued from a single authorization code. Users of @better-auth/oauth-provider versions >= 1.6.0, < 1.6.11 are affected. Upgrade to @better-auth/[email protected] or later to mitigate.

1 source
newsHIGH 7.3

SQL Injection Vulnerability in mjperpinosa stumasy

A SQL injection vulnerability has been discovered in mjperpinosa stumasy up to version 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is located in the Notes_controller::accessing_dictionary_authorization function and can be exploited remotely. The CVSS score for this vulnerability is 7.3, indicating a high severity level.

1 source
newsHIGH 7.3

SQL Injection Vulnerability in CodeAstro Apartment Visitor Management System 1.0

A SQL injection vulnerability was found in CodeAstro Apartment Visitor Management System 1.0, specifically in the login function of the /index.php file. This vulnerability allows remote attackers to exploit the system, and a proof-of-concept exploit has been made public. Affected users should update to a patched version or apply mitigations immediately.

1 source
newsMEDIUM 6.3

SQL Injection Vulnerability in itsourcecode Hospital Management System 1.0

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0, specifically in the /patient.php file. This vulnerability allows remote attackers to inject malicious SQL code, potentially leading to data breaches or system compromise. The CVSS score for this vulnerability is 6.3, indicating a medium severity level.

1 source
newsHIGH 8.8

Critical Vulnerability in Keras: Arbitrary Code Execution via Deserialization

A critical vulnerability (CVE-2026-12481) in Keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. This vulnerability has a CVSS score of 8.8 and can be exploited to achieve OS-level code execution. Affected users must update to a patched version to mitigate this risk.

1 source
newsCRITICAL 10.0

Critical Shellcode Injection Vulnerability in openSUSE Build Service

A critical vulnerability (CVE-2026-56004) with a CVSS score of 10 has been discovered in the obs tar_scm source service before version 0.12.4. This vulnerability allows attackers to inject shellcode and execute code as the source service or local user. Immediate action is required to update to version 0.12.4 or later.

1 source
newsHIGH 8.3

GeoWebPlayer Vulnerability: CVE-2026-57264

A high-severity vulnerability (CVSS 8.3) exists in GeoWebPlayer, an addon for GeoVision software, allowing for out-of-bound access to arrays via a websocket server command. This could lead to arbitrary code execution. Affected versions include V1.1.1.0 on Windows and 64-bit platforms.

1 source
newsCRITICAL 9.6

CVE-2026-53943: Ghost Cache-Poisoning XSS via x-ghost-preview Header

A critical vulnerability (CVE-2026-53943) was discovered in Ghost, a popular blogging platform. An unauthenticated attacker can exploit this flaw to poison the cache, potentially leading to staff user account takeovers. Affected versions range from v4.0 to v6.36.0, and the issue is patched in v6.37.0.

1 source
newsCRITICAL 9.4

Rancher Vulnerable to Command Injection via Unsanitized YAML Parameter (CVE-2026-44939)

A critical command injection vulnerability (CVE-2026-44939, CVSS 9.4) has been identified in Rancher Manager's cluster import endpoint. An attacker can exploit this flaw by injecting malicious YAML configurations, potentially achieving full control over downstream Kubernetes clusters. Affected versions of Rancher must be updated to patched releases to mitigate this vulnerability.

1 source
newsHIGH 8.8

CVE-2026-48307: Reflected Cross-Site Scripting (XSS) in Adobe ColdFusion

A reflected Cross-Site Scripting (XSS) vulnerability exists in Adobe ColdFusion versions 2025.9, 2023.20, and earlier. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. This requires user interaction, as a victim must open a malicious link.

1 source
newsHIGH 8.6

CVE-2026-11590: WP Support Plus Responsive Ticket System SQL Injection Vulnerability

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 is vulnerable to SQL injection attacks. An unauthenticated attacker can exploit this vulnerability to perform malicious SQL queries. The vulnerability has a CVSS score of 8.6, indicating high severity.

1 source
newsHIGH 8.8

CVE-2026-40521: Path Traversal Vulnerability in FrontAccounting

A path traversal vulnerability in FrontAccounting before 2.4.20 allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences. This vulnerability has a CVSS score of 8.8 and is considered high severity.

1 source
newsMEDIUM 5.0

Open Memory Protocol Vulnerability Under Scrutiny

A potential vulnerability in the Open Memory Protocol, used by AI models like Claude, ChatGPT, and Curso, has been identified. Although actively exploited, the severity and impact are still being assessed. Security professionals should investigate and apply necessary mitigations.

1 source
newsMEDIUM 6.8

Information Exposure Vulnerability in Hitachi Storage Navigator (CVE-2025-7386)

A vulnerability in Hitachi Storage Navigator, tracked as CVE-2025-7386, exposes sensitive information. This medium-severity vulnerability affects various Hitachi Virtual Storage Platform models and versions. Administrators should update to the specified versions to mitigate this vulnerability.

1 source
newsHIGH 7.3

SQL Injection Vulnerability in Restaurant Management System

A SQL injection vulnerability was identified in the Restaurant Management System, specifically in the /forgotpassword.php file. This vulnerability allows remote attackers to inject malicious SQL code, potentially leading to data breaches or system compromise. The vulnerability has a CVSS score of 7.3, indicating a high severity level.

1 source
newsMEDIUM 6.5

CVE-2026-3462: Frisbii Pay Plugin for WordPress Vulnerability

The Frisbii Pay plugin for WordPress has a vulnerability (CVE-2026-3462) that allows authenticated attackers with Subscriber-level access to modify data by uploading arbitrary CSV files. This vulnerability has a CVSS score of 6.5 and affects all versions up to 1.8.9. To mitigate, update the plugin to a patched version.

1 source
newsCRITICAL 9.3

CVE-2026-54825: Unauthenticated SQL Injection in wpDataTables Plugin

A critical vulnerability (CVE-2026-54825, CVSS score 9.3) was discovered in the wpDataTables plugin (versions <= 7.4) for WordPress, allowing unauthenticated SQL injection attacks. This vulnerability is not currently being exploited, but it poses a significant risk to WordPress sites using affected versions. Immediate action is required to update to a patched version.

1 source
newsHIGH 8.0

Dell Container Storage Modules OS Command Injection Vulnerability

A high-severity vulnerability (CVE-2026-40711, CVSS score of 8) exists in Dell Container Storage Modules, allowing a high-privileged attacker with remote access to potentially exploit the vulnerability, leading to command execution. Affected versions include csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, and csi-powermax v2.16.0. Users should update to version 2.15.2 or later, or 2.17.0 or later.

1 source
newsHIGH 8.5

CVE-2026-54838: SQL Injection Vulnerability in WC Vendors Marketplace

A SQL injection vulnerability exists in WC Vendors Marketplace plugin versions up to 2.6.8, allowing attackers to inject malicious SQL code. This vulnerability has a CVSS score of 8.5 and is considered high severity. Affected users should update to version 2.6.9 or later.

1 source