Skip to main content
CVE-2026-30861 CRITICAL POC PATCH Act Now

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.

RCE Command Injection AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-30860 CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi AI / ML Weknora +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-30821 CRITICAL POC PATCH Act Now

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.

RCE AI / ML Flowise
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30824 CRITICAL POC PATCH Act Now

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.

Authentication Bypass AI / ML Flowise
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30832 CRITICAL POC PATCH Act Now

SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.

SSH Soft Serve Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25070 CRITICAL Act Now

OS command injection in XikeStor SKS8310-8X network switch firmware 1.04.B07 and prior via management interface. Unauthenticated RCE on network infrastructure.

RCE Command Injection Zikestor Sks8310 8x Firmware
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2026-25072 CRITICAL Act Now

Predictable session identifier generation in XikeStor SKS8310-8X network switch allows session hijacking even if the command injection (CVE-2026-25070) is patched.

Authentication Bypass Zikestor Sks8310 8x Firmware
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-29186 CRITICAL PATCH Act Now

Arbitrary code execution in Backstage's @backstage/plugin-techdocs-node (versions <= 1.14.2) allows attackers who can influence an mkdocs.yml file to run arbitrary Python during the documentation build, bypassing TechDocs' allowlist-based configuration filtering. The flaw stems from MkDocs configuration keys (notably the hooks feature) that the security allowlist failed to block, meaning any contributor able to merge or supply a crafted mkdocs.yml gains code execution on the build host. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS 9.8 rating and trivial exploitation primitive make this a high-priority patch for self-hosted developer portals.

Python Backstage Plugin Techdocs Node RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30863 CRITICAL PATCH Act Now

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.

Node.js Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-29191 CRITICAL PATCH Act Now

Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.

XSS Zitadel Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy