News
Goobi Viewer Hit by Unauthenticated CVE-2026-45083: Digital Archives At Risk
SecurityInfrastructureDevelopment
CVE-2026-45083 (CVSS 9.8) lets unauthenticated network clients send arbitrary Solr streaming expressions to Goobi viewer, the digital archive platform widely used by libraries, museums and research institutions. Versions 4.8.0 through 26.04.0 are affected; the broken endpoint was removed in 26.04.1.
2026.05.2816 views
News
Two Unauthenticated RCEs in Pi.Alert: CVE-2026-44887 / 44888 Hit Home Network Watchers
SecurityLinuxInfrastructure
Pi.Alert, the home/SOHO Wi-Fi and LAN intruder detector, ships with two unauthenticated RCE flaws (CVE-2026-44887/44888, both CVSS 9.8). Web protection is disabled by default, letting any attacker write Python code into pialert.conf which the scan daemon then loads via exec(). Patched in the 2026-05-07 release.
2026.05.2816 views
News
Three Critical Flaws Hit Gladinet Triofox: CVE-2026-8362 / 8363 / 8364, Enterprise File Sharing At Risk
Global CompaniesSecurityInfrastructure
Tenable Research disclosed three critical unauthenticated RCE vulnerabilities (CVE-2026-8362/8363/8364, all CVSS 9.8) in Gladinet Triofox enterprise file sharing on May 27, 2026. Versions up to 17.1.10488.57063 are vulnerable; fixed in 17.3.10565.57509.
2026.05.2823 views
News
Budibase Hit by Five Critical Authz Flaws: CVE-2026-46425 et al., Update to v3.39.0
AISecurityDevelopment
Five critical authorization and SSRF vulnerabilities in the Budibase low-code platform (CVE-2026-46425/48150/45716/45717/48153, CVSS 9.9 to 8.5) were disclosed on May 27, 2026. Issues range from SCIM router bypass to tenant-wide privilege escalation to global admin. Fixed in v3.39.0.
2026.05.2816 views
News
XSS Scanner Dalfox Hit by Unauthenticated RCE: CVE-2026-45087 (CVSS 10.0)
DevelopmentSecurity
Dalfox, the XSS scanner widely used by bug-bounty hunters, exposes an unauthenticated RCE in REST API server mode (CVE-2026-45087, CVSS 10.0). Versions up to 2.12.0 bind 0.0.0.0:6664 with no API key and accept shell commands via JSON. Update to v2.13.0 immediately.
2026.05.285 views
News
free5GC Hit by Five Critical Auth Bypass Flaws: CVE-2026-44315/26/27/29/30
InfrastructureDevelopmentSecurity
Five critical OAuth2 authorization bypass vulnerabilities (CVE-2026-44315/26/27/29/30, three at CVSS 10.0) hit the free5GC 5G core network implementation in versions up to v4.2.1. NEF and SMF API routes accept unauthenticated read/write/delete. Fixed in v4.2.2.
2026.05.289 views
News
From TanStack to Nx Console: Chained Supply-Chain Attack CVE-2026-45321 / CVE-2026-48027
AIDevelopmentSecurity
Two CISA KEV-listed npm and VS Code supply-chain breaches in May 2026 turned out to be one connected attack. CVE-2026-45321 hit 84 versions across 42 @tanstack/* packages on May 11; stolen GitHub credentials from that leak then powered CVE-2026-48027, the malicious Nx Console v18.95.0 push on May 18.
2026.05.2828 views
News
LibVNCClient Flaw CVE-2026-44988: Malicious VNC Server Can Hijack Your PC On Connect
SecurityDevelopmentLinux
CVE-2026-44988 (CVSS 8.8) hits LibVNCClient v0.9.15 and earlier. A malicious VNC server can send crafted framebuffer-update rectangles to overwrite memory on the connecting client, leading to potential RCE. Remmina, KRDC, ZoneMinder and other downstream projects are affected. No tagged release with the fix has shipped yet.
2026.05.2817 views
News
IBM Aspera Hit by Two asperahttpd Buffer Overflows: CVE-2026-8175 / CVE-2026-8179
SecurityInfrastructure
IBM disclosed two critical buffer overflow vulnerabilities in Aspera High-Speed Transfer Server and Endpoint on May 21, 2026: CVE-2026-8175 (heap BOF, CVSS 9.8, unauthenticated) and CVE-2026-8179 (stack BOF, CVSS 8.8, authenticated). Used by broadcasters, media, and large enterprises worldwide.
2026.05.2839 views
News
Critical Langflow Flaw CVE-2026-7524: TAR Symlinks Leak JWT Secret, Chain to RCE
SecurityDevelopmentAI
IBM disclosed CVE-2026-7524 (CVSS 9.8) in Langflow OSS on May 27, 2026. Versions 1.0.0 through 1.9.1 are vulnerable: a crafted tar with symlinks can steal the JWT secret, forge tokens, then chain to RCE via Python Interpreter nodes. Update to v1.9.2 or later immediately.
2026.05.2815 views
News
WordPress WPCode patches Author-level RCE in v2.3.6, 3 million sites affected (CVE-2026-8832)
Global CompaniesDevelopmentSecurity
A code injection flaw (CVE-2026-8832, CVSS 8.8) has been disclosed in WPCode, a WordPress code-snippet management plugin installed on over 3 million sites. The flaw lets any user with Author-level access or higher run arbitrary code on the server. The vendor released v2.3.6 on May 26, 2026; Wordfence published the advisory on May 27.
2026.05.279 views
News
IBM WebSphere vulnerability roundup: CVE-2026-8633 plus four new June flaws
Global CompaniesSecurityInfrastructure
IBM WebSphereに重大欠陥が相次ぎ公開。6月1日に新たに4件(CVE-2026-8644ほか、3件が遠隔コード実行)、5月のCVE-2026-8633(CVSS9.8)も継続対象。8.5系/9.0系の確認と修正パッチの当て方を優先順位つきで整理。
2026.05.2734 views
