Skip to main content
CVE-2026-56290 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated arbitrary file upload in the Joomlack Page Builder CK extension for Joomla allows remote attackers to upload executable (PHP) files and achieve full remote code execution on the host. Any Joomla site running this extension is exposed to complete compromise without credentials. No public exploit identified at time of analysis, though the CVSS 4.0 threat metric (E:A) supplied by the scoring source signals observed exploitation activity, and the maximum 10.0 score plus AU:Y (automatable) indicate this is highly attractive for mass scanning.

Authentication Bypass File Upload Joomlack Fr Page Builder Ck Extension For Joomla
NVD VulDB GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
0.2%
Threat
5.0
CVE-2026-57498 CRITICAL POC PATCH Act Now

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). No public exploit identified at time of analysis, but the CVSS 9.6 rating and trivially manipulable parameters make this a high-priority fix for any multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-56782 CRITICAL POC PATCH Act Now

Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. No public exploit is identified at time of analysis, but the flaw is trivially reachable on any default deployment, and the vendor (VulnCheck) rates it CVSS 4.0 9.3 (critical).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-57331 CRITICAL Act Now

Arbitrary file deletion in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions <= 7.4.8) lets an authenticated low-privilege 'Performer' account delete files outside the intended directory via path traversal. Because deleting critical WordPress files such as wp-config.php can force the site into setup mode and enable full takeover, the impact crosses a security boundary (scope change) and is rated CVSS 9.9. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Paid Videochat Turnkey Site
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-41052 CRITICAL PATCH GHSA Act Now

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to improperly escalate their privileges beyond their assigned project scope, per advisory GHSA-vx8h-4prv-g744. Affected releases are 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.4 and scope-changing impact mean a successful escalation can compromise cluster-wide confidentiality, integrity, and availability.

Privilege Escalation Rancher
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-11720 CRITICAL PATCH Act Now

{{.id}} to sensitive endpoints such as /admin/secrets. Carries a CVSS 4.0 base score of 9.3 (critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-37637 CRITICAL Act Now

Remote code execution in Alexantr filemanager v1.0 lets remote attackers run arbitrary code through the filemanager.php component, mapped to CWE-94 (code injection). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no authentication or user interaction, and publicly available exploit code exists (GitHub POC by SLO-CYBER-SEC). SSVC rates exploitation as proof-of-concept with total technical impact and automatable=yes, but it is not on CISA KEV and no EPSS score was provided.

Code Injection PHP RCE N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-39868 CRITICAL PATCH Act Now

Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-13751 CRITICAL PATCH Act Now

Server-side request forgery in Snowflake CLI versions 3.6.0 through 3.18.x lets an attacker coerce a victim's CLI session into fetching attacker-chosen remote URLs and then retrieving and executing remote SQL in that session's context. The flaw lives in the SQL statement reader's !source/!load directives, which resolve remote references at runtime without restricting the request destination, so a victim who processes attacker-supplied SQL can be made to reach internal/non-public network locations. Despite a 9.6 CVSS, real-world urgency is tempered by required user interaction and a low EPSS (0.09%); there is no public exploit identified at time of analysis and it is not in CISA KEV.

SSRF Snowflake Cli
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-55276 CRITICAL PATCH Act Now

Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53434 CRITICAL Act Now

Improper handling of a Certificate Revocation List (CRL) error condition in Apache Tomcat's FFM-based (Foreign Function & Memory / OpenSSL) connector allows revoked client certificates to be accepted during mutual TLS authentication, defeating revocation checking. The flaw affects Tomcat 9.0.83-9.0.118, 10.1.0-M7-10.1.55, and 11.0.0-M1-11.0.22 when a CRL is configured on the FFM connector, letting an attacker holding a revoked-but-otherwise-valid client certificate reach protected resources. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though the CVSS base score is 9.1 (CWE-390).

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy