News Updated 6 days ago
Joomla Sites Using the JCE Editor Can Be Taken Over: Update to 2.9.99.6 Now (CVE-2026-48907)
Development, Security
A critical flaw, CVE-2026-48907, in JCE, a hugely popular editor add-on used by many Joomla sites, lets attackers take over a server with no login. Severity is a perfect 10.0, exploit code is public, and automated attacks are underway. CISA has ordered urgent remediation. Here are the affected versions and what to do now.
2026.06.17 · 80 views
News
The Events Calendar CVE-2026-49772: Unauth SQL Injection, Patch Now
Security, Development
The Events Calendar, a WordPress plugin on 700,000+ sites, has a critical flaw (CVE-2026-49772, severity 9.3) that lets anyone read the database with no login. Here are the affected versions, how to check your site, and how to update to 6.16.3 now.
2026.06.16 · 7 views
News
Zyxel GS1900 Switch Takeover Flaw CVE-2026-7273: Patch 10 Models Now
Infrastructure, Global Companies, Security
Zyxel's GS1900 office network switches — 10 models — have a flaw, CVE-2026-7273, that lets anyone on the same local network take the device over without a password, enabling traffic spying or cut-offs. Here are the affected models, the fixed firmware, and the update steps to run now.
2026.06.16 · 5 views
News
Two Unauthenticated Flaws in the i18n Library i18next: CVE-2026-48713 / 48714
Security, Development
Two companion components of i18next, the JavaScript library widely used to translate web app UIs, have 9.1 flaws (CVE-2026-48713 / 48714). With no login, an attacker can poison the app's shared foundation, chaining to bypassed login checks or service outages. Update to 2.6.6 / 3.9.7.
2026.06.16 · 2 views
News
Takeover Flaws Across Many WordPress Plugins: June 2026 Disclosure, Update Each One Now
Development, Security
In June 2026, dozens of WordPress plugins disclosed critical flaws leading to site takeover or data theft. The invoicing plugin Easy Invoice and the chatbot GeekyBot are rated a maximum 10.0, and a dozen-plus form-integration plugins are exploitable with no login. If your site uses an affected plugin, update each one to the latest version now.
2026.06.16 · 1 view
News
Query-Injection Flaw in Spring AI Vector Stores: CVE-2026-47835, Update to 1.0.9 / 1.1.8 Now
AI, Development, Security
Spring AI, a popular Java framework for building generative-AI apps, has an 8.6 flaw (CVE-2026-47835) in its vector database integrations. Special characters let an attacker run unauthorized queries against Elasticsearch and others with no login, risking data exfiltration. Fixed in 1.0.9 / 1.1.8; developers should update now.
2026.06.16 · 7 views
News
Exploited Flaw in Cisco Catalyst SD-WAN Manager: CVE-2026-20262, Update to a Fixed Release Now
Security, Global Companies, Infrastructure
Cisco Catalyst SD-WAN Manager, the system that centrally manages a company's WAN, has a vulnerability already confirmed to be exploited (CVE-2026-20262). With just a low-privileged login, an attacker can overwrite server files and seize root. Fixed releases are out; affected organizations should update now.
2026.06.16 · 8 views
News
Takeover Flaw in the PAM Tool Fortra BoKS: CVE-2026-9862, Update to s-9.0.0.5 / s-8.1.0.23 Now
Global Companies, Security, Infrastructure
Fortra Core Privileged Access Manager (BoKS), used to centrally manage admin access across server fleets, has a 9.8 flaw (CVE-2026-9862). With no login, an attacker on the internal network can take over the central server and seize company-wide privilege. Fixed releases s-9.0.0.5 and s-8.1.0.23 are out; affected orgs should update now.
2026.06.16 · 10 views
News
Max-Severity Takeover Flaw in a WooCommerce Invoice Plugin: CVE-2026-52704, Update to 2.0.9 Now
Security, Development
WooCommerce PDF Invoice Builder, a popular plugin for generating invoice PDFs on WordPress stores, has a max-severity flaw (CVE-2026-52704, scored 10.0). With no login required, anyone can take over the shop's server over the internet. The fixed version 2.0.9 is out; update affected stores now.
2026.06.16 · 2 views
News
Takeover Flaw in Foxit's AI PDF Tool: CVE-2026-12057, a Crafted PDF Can Lead to Remote Code Execution
AI, Global Companies, Security
Foxit AI, the browser-based AI PDF service, has a takeover flaw (CVE-2026-12057, severity 8.6). Feeding it a crafted PDF lets instructions hidden inside the file call out to an external program and run attacker code. Foxit applied a fix on June 15, 2026, and there are no reports of abuse so far.
2026.06.15 · 4 views
News Updated 3 days ago
Is Your Mitsubishi Wi-Fi Air Conditioner Safe? Hard-coded Password Flaw (CVE-2026-5667)
Japanese Companies, Security
Mitsubishi Electric disclosed that many Wi-Fi-enabled home appliances—air conditioners, refrigerators, water heaters, IH cooktops, rice cookers and more—shipped with a hard-coded password (CVE-2026-5667). Appliances left with Wi-Fi on but never connected to a home router can let a nearby third party read operating data or change settings. Here are the affected models and what to do now.
2026.06.15 · 24 views
News
LiteSpeed cPanel Plugin: 2nd Takeover Flaw CVE-2026-54420, Fix v2.4.8
Security, Global Companies, Infrastructure
A second takeover flaw, CVE-2026-54420, hits the LiteSpeed cPanel plugin a month after the first. An attacker holding a single cheap hosting plan can seize the sites of neighboring customers on the same server. Fix: v2.4.8.
2026.06.14 · 3 views