Daily Updates
Cyber News
Short, concise cybersecurity updates. 67 records found.
Critical Vulnerability in Siemens Opcenter X Allows Arbitrary JWT Forging
A critical vulnerability (CVE-2026-56451) with a CVSS score of 10 has been identified in Siemens Opcenter X versions prior to V2604. This vulnerability allows an unauthenticated remote attacker to forge arbitrary JSON Web Tokens (JWT), bypass authentication mechanisms, and impersonate any user, including administrative accounts. Immediate action is required to update affected systems.
Integer Overflow Vulnerability in WinFsp (CVE-2026-7162)
A high-severity integer overflow vulnerability (CVE-2026-7162) has been discovered in WinFsp, a software package. Successful exploitation could allow an attacker to achieve system-level access. Affected versions include WinFsp 2.2.26112 and lower.
CVE-2026-15506: SecureAge CatchPulse Heap-Based Buffer Overflow Vulnerability
A heap-based buffer overflow vulnerability has been detected in SecureAge CatchPulse up to version 10.9.3. The vulnerability is located in the library saappctl.sys of the Driver component and requires local access to be exploited. A CVSS score of 7.8 indicates a high severity level.
CVE-2026-61875: Stored Cross-Site Scripting in luci-app-upnp via UPnP IGD AddPortMapping SOAP Requests
A stored cross-site scripting vulnerability exists in luci-app-upnp, allowing unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. This vulnerability has a CVSS score of 8.8 and is considered high severity. Affected users should update luci-app-upnp to the latest version.
CVE-2026-15155: Authenticated Account Takeover via Email Header Injection in Essential Addons for Elementor
The Essential Addons for Elementor plugin for WordPress is vulnerable to authenticated account takeover via email header injection. An attacker with Contributor-level access can inject a Bcc header into the administrator's password-reset notification email, potentially leading to full administrator account takeover. The vulnerability has a CVSS score of 8.8 and affects all versions up to 6.6.10.
Critical Path Traversal Vulnerability in JetBrains IntelliJ IDEA
A critical vulnerability (CVE-2026-59792) with a CVSS score of 9.6 was discovered in JetBrains IntelliJ IDEA, allowing for code execution via path traversal in project workspace ID handling. Users of IntelliJ IDEA versions before 2026.1.4 and 2026.2 are affected. Immediate action is required to update to a patched version.
CVE-2026-15293: WP Business Intelligence Lite Plugin Vulnerability
The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass, allowing authenticated attackers with Subscriber-level access to modify stored SQL queries, potentially leading to privilege escalation. This affects all versions up to and including 3.2.0, with a CVSS score of 8.
Mistune Vulnerability: Potential DoS via Quadratic-Time Parsing in parse_link_text
Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. An attacker-controlled Markdown input can trigger excessive CPU usage with a very small payload. Affected applications include web applications, API services, and documentation rendering systems.
CVE-2026-15158: Critical Arbitrary File Upload Vulnerability in Blocksy Companion Plugin
A critical vulnerability (CVE-2026-15158, CVSS 9.8) exists in the Blocksy Companion plugin for WordPress, allowing unauthenticated attackers to upload executable files, leading to remote code execution. This vulnerability affects the premium version of the plugin (blocksy-companion-pro) when used with specific extensions. Immediate action is required to mitigate this threat.
Critical SQL Injection Vulnerability in Snowflake Snowpark Python SDK (CVE-2026-15062)
A critical SQL injection vulnerability (CVE-2026-15062) with a CVSS score of 9.6 affects Snowflake Snowpark Python SDK versions prior to 1.53.0. Authenticated low-privilege users could exploit this vulnerability to execute SQL beyond their authorization scope, potentially leading to source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data. Immediate action is required to update to version 1.53.0 or later.
Critical Heap Buffer Overflow Vulnerability in X.Org xorg-server and xwayland
A critical vulnerability, CVE-2026-55999, with a CVSS score of 8.5, was discovered in X.Org's xorg-server and xwayland. Local attackers with an X connection can exploit this vulnerability to cause a heap buffer overflow via SetFont due to missing glyph boundary checks. Affected versions include xorg-server before 21.2.24 and xwayland before 24.1.13.
CVE-2026-53518: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption
A vulnerability in @better-auth/oauth-provider allows concurrent redemption of OAuth authorization codes, potentially leading to multiple independent token sets being issued from a single authorization code. Users of @better-auth/oauth-provider versions >= 1.6.0, < 1.6.11 are affected. Upgrade to @better-auth/[email protected] or later to mitigate.
SQL Injection Vulnerability in mjperpinosa stumasy
A SQL injection vulnerability has been discovered in mjperpinosa stumasy up to version 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is located in the Notes_controller::accessing_dictionary_authorization function and can be exploited remotely. The CVSS score for this vulnerability is 7.3, indicating a high severity level.
SQL Injection Vulnerability in CodeAstro Apartment Visitor Management System 1.0
A SQL injection vulnerability was found in CodeAstro Apartment Visitor Management System 1.0, specifically in the login function of the /index.php file. This vulnerability allows remote attackers to exploit the system, and a proof-of-concept exploit has been made public. Affected users should update to a patched version or apply mitigations immediately.
SQL Injection Vulnerability in itsourcecode Hospital Management System 1.0
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0, specifically in the /patient.php file. This vulnerability allows remote attackers to inject malicious SQL code, potentially leading to data breaches or system compromise. The CVSS score for this vulnerability is 6.3, indicating a medium severity level.
Critical Vulnerability in Keras: Arbitrary Code Execution via Deserialization
A critical vulnerability (CVE-2026-12481) in Keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. This vulnerability has a CVSS score of 8.8 and can be exploited to achieve OS-level code execution. Affected users must update to a patched version to mitigate this risk.
Critical Shellcode Injection Vulnerability in openSUSE Build Service
A critical vulnerability (CVE-2026-56004) with a CVSS score of 10 has been discovered in the obs tar_scm source service before version 0.12.4. This vulnerability allows attackers to inject shellcode and execute code as the source service or local user. Immediate action is required to update to version 0.12.4 or later.
GeoWebPlayer Vulnerability: CVE-2026-57264
A high-severity vulnerability (CVSS 8.3) exists in GeoWebPlayer, an addon for GeoVision software, allowing for out-of-bound access to arrays via a websocket server command. This could lead to arbitrary code execution. Affected versions include V1.1.1.0 on Windows and 64-bit platforms.
CVE-2026-53943: Ghost Cache-Poisoning XSS via x-ghost-preview Header
A critical vulnerability (CVE-2026-53943) was discovered in Ghost, a popular blogging platform. An unauthenticated attacker can exploit this flaw to poison the cache, potentially leading to staff user account takeovers. Affected versions range from v4.0 to v6.36.0, and the issue is patched in v6.37.0.
Rancher Vulnerable to Command Injection via Unsanitized YAML Parameter (CVE-2026-44939)
A critical command injection vulnerability (CVE-2026-44939, CVSS 9.4) has been identified in Rancher Manager's cluster import endpoint. An attacker can exploit this flaw by injecting malicious YAML configurations, potentially achieving full control over downstream Kubernetes clusters. Affected versions of Rancher must be updated to patched releases to mitigate this vulnerability.
CVE-2026-48307: Reflected Cross-Site Scripting (XSS) in Adobe ColdFusion
A reflected Cross-Site Scripting (XSS) vulnerability exists in Adobe ColdFusion versions 2025.9, 2023.20, and earlier. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. This requires user interaction, as a victim must open a malicious link.
CVE-2026-11590: WP Support Plus Responsive Ticket System SQL Injection Vulnerability
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 is vulnerable to SQL injection attacks. An unauthenticated attacker can exploit this vulnerability to perform malicious SQL queries. The vulnerability has a CVSS score of 8.6, indicating high severity.
CVE-2026-40521: Path Traversal Vulnerability in FrontAccounting
A path traversal vulnerability in FrontAccounting before 2.4.20 allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences. This vulnerability has a CVSS score of 8.8 and is considered high severity.
Open Memory Protocol Vulnerability Under Scrutiny
A potential vulnerability in the Open Memory Protocol, used by AI models like Claude, ChatGPT, and Curso, has been identified. Although actively exploited, the severity and impact are still being assessed. Security professionals should investigate and apply necessary mitigations.
Information Exposure Vulnerability in Hitachi Storage Navigator (CVE-2025-7386)
A vulnerability in Hitachi Storage Navigator, tracked as CVE-2025-7386, exposes sensitive information. This medium-severity vulnerability affects various Hitachi Virtual Storage Platform models and versions. Administrators should update to the specified versions to mitigate this vulnerability.
SQL Injection Vulnerability in Restaurant Management System
A SQL injection vulnerability was identified in the Restaurant Management System, specifically in the /forgotpassword.php file. This vulnerability allows remote attackers to inject malicious SQL code, potentially leading to data breaches or system compromise. The vulnerability has a CVSS score of 7.3, indicating a high severity level.
CVE-2026-3462: Frisbii Pay Plugin for WordPress Vulnerability
The Frisbii Pay plugin for WordPress has a vulnerability (CVE-2026-3462) that allows authenticated attackers with Subscriber-level access to modify data by uploading arbitrary CSV files. This vulnerability has a CVSS score of 6.5 and affects all versions up to 1.8.9. To mitigate, update the plugin to a patched version.
CVE-2026-54825: Unauthenticated SQL Injection in wpDataTables Plugin
A critical vulnerability (CVE-2026-54825, CVSS score 9.3) was discovered in the wpDataTables plugin (versions <= 7.4) for WordPress, allowing unauthenticated SQL injection attacks. This vulnerability is not currently being exploited, but it poses a significant risk to WordPress sites using affected versions. Immediate action is required to update to a patched version.
Dell Container Storage Modules OS Command Injection Vulnerability
A high-severity vulnerability (CVE-2026-40711, CVSS score of 8) exists in Dell Container Storage Modules, allowing a high-privileged attacker with remote access to potentially exploit the vulnerability, leading to command execution. Affected versions include csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, and csi-powermax v2.16.0. Users should update to version 2.15.2 or later, or 2.17.0 or later.
CVE-2026-54838: SQL Injection Vulnerability in WC Vendors Marketplace
A SQL injection vulnerability exists in WC Vendors Marketplace plugin versions up to 2.6.8, allowing attackers to inject malicious SQL code. This vulnerability has a CVSS score of 8.5 and is considered high severity. Affected users should update to version 2.6.9 or later.