Skip to main content
CVE-2026-7786 CRITICAL CISA Emergency

Hardcoded administrative credentials in Jinan USR IOT (PUSR) USR-W610 RS232/485-to-Wi-Fi/Ethernet serial converter firmware allow remote unauthenticated attackers to gain full administrative control of affected industrial gateway devices. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against an OT/ICS device class typically deployed in serial-to-IP bridging roles, and no public exploit identified at time of analysis, though credential recovery via firmware extraction is straightforward for any researcher.

Authentication Bypass Usr W610 Rs232 485 To Wi Fi Ethernet Converter
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
Threat
4.0
CVE-2026-5386 CRITICAL CISA Emergency

Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.

Information Disclosure Km Ip521 Km Ip421
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-49199 CRITICAL Act Now

Remote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via crafted MQTT messages, scoring a maximum 10.0 CVSS v4.0 across all impact metrics including subsequent system impact. The flaw was disclosed by Acer and tracked in the ENISA EUVD as EUVD-2026-33269, but no public exploit identified at time of analysis. Affects firmware W6x_GBL_2.00.000005 and earlier, with no special authentication or user interaction required.

Command Injection RCE Predator Connect W6X
NVD VulDB
CVSS 4.0
10.0
EPSS
0.7%
CVE-2026-47208 CRITICAL PATCH GHSA Act Now

Remote code execution in the vm2 Node.js sandbox library (versions <= 3.11.3) allows sandboxed JavaScript to escape isolation and execute arbitrary commands on the host. The flaw stems from a missing resetPromiseSpecies call in the localPromise swallow tail, letting a sandbox subclass hijack Promise species resolution and capture a raw host-realm RangeError that exposes the host Function constructor. Publicly available exploit code exists (POC published in the advisory), though no public exploit identified at time of analysis as actively exploited in the wild; given vm2's heavy use as an untrusted-code sandbox in SaaS, CI, and serverless platforms, this is a top-priority issue.

RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-47137 CRITICAL PATCH GHSA Act Now

Sandbox escape in vm2 (npm package, versions <= 3.11.3) allows full remote code execution by bypassing the GHSA-8hg8-63c5-gwmx (CVE-2023-37903) patch through omission of the require option when nesting:true is set. Publicly available exploit code exists in the GHSA advisory itself, and with a CVSS of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) any application passing untrusted code to a NodeVM configured this way is trivially compromised on the host.

RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-47140 CRITICAL PATCH GHSA Act Now

Sandbox escape leading to remote code execution in vm2 NodeVM versions 3.11.3 and earlier allows attackers running untrusted JavaScript inside the sandbox to break out via two missing entries in the dangerous-builtin denylist: `process` (whose `getBuiltinModule()` reloads any core module, including `child_process`) and `inspector/promises` (whose `Session().post('Runtime.evaluate', ...)` evaluates code in the host realm). The flaw is exploitable only when the embedder allows `process`, `inspector/promises`, or wildcard `*` in `require.builtin`. Publicly available exploit code exists (PoC published with the advisory), and a patch is available in vm2 3.11.4; no public exploit identified at time of analysis as actively used in the wild.

Node.js RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-47131 CRITICAL PATCH GHSA Act Now

Sandbox escape in the vm2 Node.js sandbox library (versions <= 3.11.3) allows untrusted JavaScript executed inside a vm2 VM to reach the host realm and achieve arbitrary code execution. By chaining Buffer.call.call indirection with __lookupGetter__/__lookupSetter__ to obtain host Object.prototype.__proto__ accessors and using a WebAssembly.compileStreaming rejection to surface a host TypeError, an attacker severs a host prototype chain, causing the bridge's proto-walk to return the raw host error unwrapped - yielding e.constructor.constructor as host Function and full RCE. Publicly available exploit code exists (advisory ships a working PoC); CVSS is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Node.js RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-45631 CRITICAL PATCH Act Now

Remote code execution in Dokploy 0.27.0 through 0.29.2 allows unauthenticated attackers to forge email-verification JWTs using a hardcoded BETTER_AUTH_SECRET fallback ('better-auth-secret-123456789'), auto-sign-in as admin, and run arbitrary commands on the host through the built-in SSH terminal. The flaw carries a CVSS 10.0 score with network attack vector and no required privileges, and while no public exploit is identified at time of analysis, the trivially guessable secret makes weaponization straightforward.

Authentication Bypass Dokploy
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-49200 CRITICAL Act Now

Credential disclosure in the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) exposes the acer_cgi.log file over the web interface without authentication, leaking cleartext web and Telnet login credentials to any network-reachable attacker. With CVSS 4.0 of 10.0 and a vector indicating no privileges or user interaction, exploitation enables full device takeover; no public exploit identified at time of analysis, but the trivial nature of fetching a log file makes weaponization straightforward.

Authentication Bypass Wave 7 Router
NVD VulDB
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-49197 CRITICAL Act Now

Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unauthenticated attackers to reach app-facing web endpoints by sending an HTTP Authorization header whose Base64 payload is intentionally malformed, because the endpoint treats a decoding failure as a pass rather than a rejection. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high confidentiality, integrity, availability impact on both vulnerable and subsequent systems) reflects full takeover potential against an internet-reachable consumer/SOHO router, though no public exploit identified at time of analysis.

Authentication Bypass Predator Connect W6X
NVD VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-49201 CRITICAL Act Now

Hardcoded AES encryption key in the upload.cgi binary of the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) allows remote unauthenticated attackers to decrypt, tamper with, and re-encrypt device backup files, enabling persistent backdoor injection on affected devices. The CVSS 4.0 score of 10.0 reflects full compromise of confidentiality, integrity, and availability across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and CISA SSVC reports exploitation status as 'none', though the issue is flagged as automatable with total technical impact.

Authentication Bypass Wave 7 Router
NVD VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-9508 CRITICAL PATCH Act Now

Unauthenticated backup file disclosure in Suprema BioStar 2 server (versions 2.9.3 through 2.9.11) allows remote attackers to download sensitive backup ZIP archives directly via predictable '/download/' URLs when the administrator places the backup path inside the NGINX webroot. The exposed archives can contain database credentials and cryptographic material enabling server impersonation, database compromise, and lateral movement. No public exploit identified at time of analysis, but SSVC rates the flaw as automatable with total technical impact and CVSS 4.0 scores it 10.0.

Authentication Bypass Nginx
NVD
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-8326 CRITICAL Act Now

Path traversal in Remote Spark SparkView before build 1127 enables remote attackers to read and write arbitrary files as root through the RDP drive redirection component, leading to full remote code execution. CVSS 4.0 scores this 10.0 with no public exploit identified at time of analysis, though SSVC marks it automatable with total technical impact. Depending on the deployment, exploitation can be performed without authentication, making vulnerable internet-facing instances a high-priority patching target.

Path Traversal Www Remotespark Com
NVD
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-45629 CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets any organization member execute arbitrary system commands on remote servers managed by the PaaS via the /listen-deployment WebSocket endpoint, resulting in full server compromise. With a CVSS 9.9 (scope changed) and low-privilege precondition, the flaw effectively turns any low-tier org account into a foothold on every connected host. No public exploit identified at time of analysis, but the vendor security advisory (GHSA-r73h-qr3p-hf7f) confirms the issue.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-9559 CRITICAL PATCH GHSA Act Now

Remote code execution in Mautic 7 allows authenticated users with the campaign:imports:create permission to write arbitrary PHP files outside the intended extraction directory via a malicious ZIP uploaded through the campaign import feature. The flaw is a path traversal in the ZIP extraction routine that can be leveraged to overwrite cache or configuration files, yielding code execution as the web server user. No public exploit identified at time of analysis, and the CVSS 9.9 score reflects the combination of low attack complexity, scope change, and full CIA impact.

RCE PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-9558 CRITICAL PATCH GHSA Act Now

Server-Side Template Injection in Mautic's theme engine allows authenticated users with theme creation or upload permissions to execute arbitrary code on the host. Because the platform renders uploaded Twig templates without a sandbox or strict function allowlist, an attacker who already holds theme-management rights can pivot from administrative content control to full server compromise, including reads of restricted system files and configuration. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.

RCE Ssti
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45661 CRITICAL Act Now

Authenticated path traversal in Dokploy v0.26.5 and earlier (CWE-22) enables arbitrary file write during application deployment, escalating to remote code execution when the affected instance uses the remote server deployment feature. With a CVSS 9.9 score reflecting scope change and full CIA impact, any user with deployment privileges can drop cron jobs onto remote hosts to fully compromise them, bypassing container isolation. No public exploit identified at time of analysis, though the vendor's own GHSA-66v7-g3fh-47h3 advisory characterizes the chain as critical.

RCE Path Traversal Dokploy
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-45312 CRITICAL Act Now

Server-side template injection in RAGFlow 0.24.0 and earlier allows any authenticated user to execute arbitrary operating system commands on the host through the Jinja2-based prompt generator (rag/prompts/generator.py). Because RAGFlow installations commonly permit open self-registration, the practical barrier is minimal: an attacker registers an account, builds a Canvas workflow chaining a DuckDuckGo retrieval node with an LLM node, and triggers the SSTI to break out of the Jinja2 sandbox. No public exploit identified at time of analysis, but the vendor security advisory describes the chain explicitly.

Ssti Code Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-45632 CRITICAL Act Now

Cross-tenant remote code execution in Dokploy 0.26.7 and earlier allows any authenticated user to hijack scheduled tasks belonging to other organizations and execute arbitrary scripts on the Dokploy host or managed remote servers. The schedule router fails to enforce organization and role authorization, so knowledge of a scheduleId/serverId is sufficient to create, modify, or trigger server-type schedules that run attacker-controlled shell commands. No public exploit identified at time of analysis, but the trivial authorization bypass combined with built-in script execution makes this a high-priority issue for multi-tenant Dokploy deployments.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-45372 CRITICAL PATCH Act Now

HTTP response/header injection in cpp-httplib server versions prior to 0.44.0 allows remote unauthenticated attackers to smuggle CRLF sequences into stored header values, because the is_field_value validity check runs before percent-decoding lets %0D%0A through and expand to literal \r\n. The CVSS 9.9 score with Scope:Changed reflects the ability to influence downstream HTTP components, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Information Disclosure Suse
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-47392 CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI praisonaiagents <=1.6.39 and PraisonAI <=4.6.39 allows authenticated attackers to fully escape the execute_code() subprocess sandbox by leveraging print.__self__ to reach the real builtins module and reconstructing __import__ at runtime. The flaw defeats prior patches for CVE-2026-39888, CVE-2026-34938, and CVE-2026-40158, enabling arbitrary OS command execution on the host wherever agent input can be influenced via prompt injection or direct code submission. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh), and EPSS/KEV signals are not yet published for this newly disclosed novel bypass.

Command Injection Node.js RCE Python
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-47744 CRITICAL PATCH GHSA Act Now

Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenticated panel user to seize full administrator control by chaining two distinct broken-authorization defects in the team settings module. By combining an unprotected Settings/Team/Index mount with a RolePermission write path that only checks the read-only view_users permission, an attacker can mint new roles, grant themselves manage_users and edit_orders, and delete legitimate administrators. No public exploit identified at time of analysis, but the bugs are straightforward to weaponize once panel credentials are obtained.

Privilege Escalation Shopper
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-45663 CRITICAL Act Now

Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.

Docker File Upload Command Injection
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-44962 CRITICAL PATCH Act Now

Local privilege escalation in Plesk's APS Application Catalog allows an authenticated low-privileged user to execute arbitrary operating system commands by injecting malicious XPath syntax into the catalog search functionality. The flaw carries a critical CVSS 3.1 score of 9.9 due to scope change and full CIA impact, and no public exploit identified at time of analysis. The advisory was disclosed via HackerOne and acknowledged in a Plesk support article, but EPSS and KEV signals are not provided in the available intelligence.

Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-45633 CRITICAL Act Now

Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Docker Command Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-47210 CRITICAL PATCH GHSA Act Now

Sandbox escape in vm2 (npm package, versions <= 3.11.3) allows arbitrary code execution in the Node.js host process when untrusted code is run on runtimes exposing WebAssembly JSPI (Node 24 with --experimental-wasm-jspi, or Node 26+ by default). A working PoC demonstrates that a JSPI-backed Promise reaches host-realm Promise.prototype.finally without bridge interposition, letting attacker-controlled species logic walk a rejection object's constructor chain to host process and execute arbitrary commands. No public exploit identified as actively used in the wild, but a complete weaponized PoC is published in the GHSA advisory.

Node.js RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47410 CRITICAL PATCH GHSA Act Now

Pre-authentication full account takeover in praisonai-platform (pip package, versions <= 0.1.2) allows remote unauthenticated attackers to forge JWTs for any user, including workspace owners and admins. The JWT signing key silently falls back to the hardcoded literal 'dev-secret-change-me' from the public GitHub source because the production-mode guard only triggers when PLATFORM_ENV is explicitly set to a non-default value, which default deployments do not do. Publicly available exploit code exists in the GHSA advisory itself, though no public exploit campaign or CISA KEV listing has been reported at time of analysis.

RCE Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47391 CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI's first-party A2A server example (pip package <= 4.6.39) allows unauthenticated network attackers to execute arbitrary Python on the server process by sending a JSON-RPC message/send request to /a2a that drives the LLM-backed agent into invoking an eval()-based calculate tool. The chain combines three first-party defaults - no auth_token, 0.0.0.0 bind, and an eval()-backed example tool - and was confirmed end-to-end against a real Gemini model with a canary marker file write. No public exploit identified at time of analysis beyond the proof-of-concept in the advisory itself, and the issue is not in CISA KEV.

Denial Of Service RCE Code Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47393 CRITICAL PATCH GHSA Act Now

Authentication bypass in PraisonAI versions <= 4.6.39 allows remote unauthenticated attackers to invoke arbitrary LLM orchestration via the Flask API server generated by the documented `praisonai deploy --type api` quickstart. The generator defaults `auth_enabled=False`, causing `check_auth()` to short-circuit to `True` and accept any request to `/chat` and `/agents`, exposing the operator's LLM API keys and any agent-attached tools (python_repl, bash, file I/O, HTTP). Publicly available exploit code exists in the form of a working PoC, and CVSS scores this 9.8 critical.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47396 CRITICAL PATCH GHSA Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3655 CRITICAL Act Now

Authentication bypass in the OTP Login With Phone Number, OTP Verification WordPress plugin versions 1.8.50 through 1.8.60 allows unauthenticated remote attackers to log in as any user - including administrators - whose phone number is stored in user meta. The flaw stems from the Firebase OTP verification flow failing to bind the verified Firebase session to the phone number supplied in the request, so attackers can verify their own phone via Firebase and then submit a victim's number to be authenticated as that victim. No public exploit identified at time of analysis, but the trivial logic flaw and CVSS 9.8 score make this a critical priority.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-8732 CRITICAL Act Now

Remote unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (all versions through 6.1.0) allows attackers to create a new administrator account and authenticate as that user, resulting in complete site takeover. The flaw stems from an AJAX handler exposed to unauthenticated users and protected only by a publicly-embedded nonce, making the access check ineffective. No public exploit identified at time of analysis, but the trivial nature of the bug (default-enabled handler, no authentication, magic login URL returned to the caller) makes weaponization straightforward once details circulate.

Privilege Escalation WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47416 CRITICAL PATCH GHSA Act Now

{workspace_id}/members/{user_id} request. The route's FastAPI dependency defaults to min_role="member" and is never overridden, while the service layer applies the requested role with no caller-privilege or role-hierarchy checks. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-c2m8-4gcg-v22g) provides full reproduction details and a fix is shipped in 0.1.4.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-45628 CRITICAL Act Now

Command injection in Dokploy 0.29.2 and earlier allows authenticated users with application create/edit permissions to execute arbitrary shell commands on the host by injecting metacharacters into branch names, repository URLs, or Docker credentials. The flaw stems from unsanitized template-literal interpolation passed to child_process.exec(), and at time of analysis no public exploit identified at time of analysis, but the vendor security advisory GHSA-3frc-cfh9-ch2c documents the issue.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-41277 CRITICAL Act Now

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to run arbitrary operating system commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs and tracked as CVE-2025-41277, carries a CVSS 4.0 base score of 9.3 and represents a critical risk for industrial environments relying on Waterfall's data diode gateways. No public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating elevated but not yet widespread exploitation activity.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41276 CRITICAL Act Now

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to inject and execute arbitrary OS commands through the Console WebUI. Discovered by Nozomi Networks Labs, the flaw carries a CVSS 4.0 score of 9.3 with no required privileges or user interaction; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile).

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41275 CRITICAL Act Now

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R2502171040) allows attackers reachable on the management network to execute arbitrary operating system commands on the appliance. The flaw was reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3, and currently has no public exploit identified at time of analysis, with an EPSS score of 1.02% (78th percentile).

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41274 CRITICAL Act Now

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers to inject and execute arbitrary OS commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3 and represents a critical risk to industrial unidirectional gateway deployments. No public exploit identified at time of analysis, and EPSS is 1.02% (78th percentile), suggesting elevated but not yet widespread exploitation interest.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41272 CRITICAL Act Now

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attackers reachable over the network to execute arbitrary operating system commands through the Console WebUI. The flaw was discovered by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating moderate predicted exploitation interest.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41270 CRITICAL Act Now

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to execute arbitrary operating system commands via the Console WebUI. The flaw was identified by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, though there is no public exploit identified at time of analysis and EPSS sits at 1.02%, indicating elevated but not yet realized exploitation pressure.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41269 CRITICAL Act Now

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to run arbitrary operating system commands via the Console WebUI. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, but no public exploit identified at time of analysis and EPSS sits at 1.02% (78th percentile), indicating credible but not yet widespread exploitation pressure.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41273 CRITICAL Act Now

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to perform privileged actions through the Console WebUI via an alternate path or channel. Discovered by Nozomi Networks Labs, the flaw scores CVSS 9.3 (Critical) under v4.0 with network attack vector and no privileges required, though EPSS is low at 0.14% (34th percentile) and no public exploit identified at time of analysis. Given Waterfall's role in OT/ICS unidirectional gateway deployments, successful exploitation of the management console could enable adversaries to manipulate security-critical configurations.

Authentication Bypass Wf 500
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-46376 CRITICAL PATCH Act Now

Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.

Authentication Bypass Security Reporting
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-45043 CRITICAL PATCH Act Now

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportIAMAction abuse the PUT /rustfs/admin/v3/import-iam endpoint to mint service accounts under arbitrary parent identities - including the root minioadmin user - granting full administrative control via attacker-chosen, persistent credentials. CVSS 4.0 scores this 9.3 (Critical) reflecting low attack complexity, low privileges, and high confidentiality/integrity impact with scope change. No public exploit identified at time of analysis, and no EPSS or KEV signal is provided.

Privilege Escalation Rustfs
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-9051 CRITICAL Act Now

Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass Systemlink Enterprise
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-45668 CRITICAL PATCH Act Now

Remote code execution in TriliumNext Trilium Notes desktop client prior to 0.102.2 allows attackers to achieve arbitrary code execution by tricking a user into importing a malicious ZIP archive with safe import enabled. The flaw chains a #docName path traversal (CWE-22) with stored XSS, and the Electron renderer's nodeIntegration=true setting elevates the XSS into full host RCE. No public exploit identified at time of analysis, but the vendor advisory describes a complete working chain and the CVSS 4.0 score of 9.3 reflects subsequent-system impact.

XSS Path Traversal Trilium
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-10071 CRITICAL Act Now

Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.

File Upload RCE Dreammaker
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-10042 CRITICAL PATCH Act Now

{method_name} and /simple_execute/{method_name} endpoints, which call pickle.loads() on raw HTTP request bodies. The flaw scored CVSS 4.0 of 9.2 and has an upstream fix in commit d7441481, but no public exploit was identified at time of analysis; risk is amplified by the default Docker image running as root, leading to full container compromise.

Docker RCE Deserialization
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-4290 CRITICAL Act Now

Unauthenticated arbitrary user deletion in the WP Travel Pro WordPress plugin (versions through 10.6.0) allows remote attackers to delete any WordPress account, including administrators, via an exposed REST API endpoint. The flaw stems from a broken permission callback combined with missing role validation, producing a CVSS 9.1 integrity/availability impact. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward for any actor reading the advisory.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-45630 CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets admin or owner users execute arbitrary shell commands on remote servers managed by the PaaS through the application.updateTraefikConfig tRPC endpoint. The flaw stems from unsanitized shell interpolation in an echo call, granting full command execution across any host the Dokploy controller manages. No public exploit identified at time of analysis, but the high-privilege admin context combined with cross-server reach makes this a meaningful post-compromise escalation path.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy