Critical Watch

AI-curated daily picks – the most critical CVEs requiring immediate attention

22 Unique CVEs | 7 Days Tracked | 7 Critical | 4 High | 1 KEV | 15 POC Available
22 critical CVEs across 7 days
#1 Jun 29
CVE-2026-13528 MEDIUM CWE-22 This Month

ruoyi-vue-pro is a very widely deployed open-source Java RAD platform, and an unauthenticated path traversal allowing arbitrary file read AND write to its upload endpoint is effectively a pre-auth RCE/webshell vector across every affected version.

CVSS 4.0: 5.5 | EPSS: 0.4% | Priority: 48
#2 Jun 29
CVE-2026-13533 MEDIUM CWE-552 This Month

Cockpit CMS is a popular headless/API CMS, and this unauthenticated path-traversal lets attackers read files outside the web root (config, credentials, secrets) with a public exploit and no fix prerequisites.

CVSS 4.0: 5.5 | EPSS: 0.3% | Priority: 48
#3 Jun 29
CVE-2026-13524 LOW CWE-285 Monitor

Cherry Studio is a fast-growing AI/MCP desktop client now common on developer machines, and its OAuth callback server accepting authorization-code callbacks without validating the state parameter enables account/token compromise via auth-code injection.

CVSS 4.0: 2.9 | EPSS: 0.3% | Priority: 35
#4 Jun 29
CVE-2026-13536 LOW CWE-79 Monitor

GotoHTTP is a widely used remote-access/remote-desktop tool, so a reflected XSS in its web interface with a public PoC gives attackers a session-hijack path into machines that are remotely administered.

XSS Gotohttp PoC No patch available
CVSS 4.0: 2.1 | EPSS: 0.3% | Priority: 31
#1 Jun 28
CVE-2026-58052 MEDIUM CWE-693 This Month

7-Zip is installed on a huge share of Windows endpoints, and this Mark-of-the-Web bypass via crafted RAR5 archives strips the Internet-zone marker that SmartScreen and Office rely on, exactly the technique phishing and malware campaigns weaponize to get payloads to run silently.

Information Disclosure Microsoft 7 Zip PoC No patch available
CVSS 4.0: 4.8 | EPSS: 0.1% | Priority: 44
#2 Jun 28
CVE-2026-58051 HIGH CWE-908 This Week

libssh2 is embedded in countless clients and tools (curl, git, language SSH bindings, appliances), and this free-of-uninitialized-pointer flaw lets any malicious or compromised SSH server corrupt memory in connecting clients on all platforms, turning routine outbound SSH into a client-side compromise vector.

CVSS 4.0: 8.3 | EPSS: 0.3% | Priority: 62
#3 Jun 28
CVE-2026-58049 HIGH CWE-787 This Week

FFmpeg/libavcodec is ubiquitous in media pipelines, web servers, and desktop apps, so this out-of-bounds heap write in the RASC decoder means any service that auto-transcodes untrusted video can be driven to memory corruption by a crafted stream.

CVSS 4.0: 8.8 | EPSS: 0.3% | Priority: 64
#4 Jun 28
CVE-2026-58053 CRITICAL CWE-269 Act Now

This CRITICAL (9.4) container escape in Gitea's act_runner lets an authenticated user with workflow rights break out to root on the CI host even with privileged mode disabled, giving an attacker full control of build infrastructure, a high-value supply-chain pivot for any org self-hosting Gitea Actions.

CVSS 4.0: 9.4 | EPSS: 0.3% | Priority: 67
#5 Jun 28
CVE-2026-58055 MEDIUM CWE-444 This Month

nghttpx (nghttp2's reverse proxy) sits in front of production web services, and this HTTP request/response smuggling flaw lets unauthenticated attackers poison shared backend keep-alive connections, enabling cache poisoning, credential theft, and access-control bypass against internet-facing apps.

CVSS 4.0: 6.3 | EPSS: 0.2% | Priority: 52
#1 Jun 20
CVE-2026-11551 CRITICAL CWE-640 Act Now

Unauthenticated admin account takeover in the Branda WordPress plugin (white-labeling, widely deployed across agency/multisite WordPress installs) lets remote attackers reset any user's password including admins, enabling full site compromise.

WordPress Privilege Escalation No patch available
CVSS 3.1: 9.8 | EPSS: 0.6% | Priority: 49
#1 Jun 19
CVE-2026-8805 HIGH CWE-190 Act Now

Unauthenticated remote DoS in Mitsubishi MELSEC iQ-F FX5-EIP EtherNet/IP modules with known threat actor interest poses a real risk to manufacturing/OT environments where PLC downtime can halt production lines.

CVSS 4.0: 8.7 | EPSS: 0.4% | Priority: 54
#2 Jun 19
CVE-2026-8806 HIGH CWE-440 Act Now

Unauthenticated packet-flood DoS in Mitsubishi MELSEC iQ-F FX5-ENET/IP modules (all versions, no patch implied) is a high-severity OT risk with known actor tracking, and ICS teams should isolate/segment these modules immediately.

CVSS 4.0: 8.7 | EPSS: 0.4% | Priority: 54
#1 Jun 15
CVE-2026-12208 MEDIUM CWE-1321 This Month

Prototype pollution in jsonata-js affects a widely used JSONata library embedded in many Node.js applications and integration platforms, making this a supply-chain risk that could enable RCE or auth bypass downstream.

CVSS 4.0: 5.5 | EPSS: 0.3% | Priority: 48
#3 Jun 15
CVE-2026-12198 MEDIUM CWE-22 This Month

Unauthenticated path traversal in Microweber CMS exposes file system contents on publicly reachable websites, and the public PoC makes opportunistic mass scanning highly likely.

Path Traversal Microweber PoC No patch available
CVSS 4.0: 5.5 | EPSS: 0.5% | Priority: 48
#4 Jun 15
CVE-2026-12204 MEDIUM CWE-639 This Month

Unauthenticated access to ShopXO's scheduled-task API lets attackers manipulate order state on e-commerce deployments, with direct financial and fraud impact for any shop running affected versions.

PHP Authentication Bypass Shopxo PoC No patch available
CVSS 4.0: 5.5 | EPSS: 0.3% | Priority: 48
#5 Jun 15
CVE-2026-12209 MEDIUM CWE-1321 This Month

Prototype pollution in Avalon's template filter handler can be chained to gadget-based RCE in Node.js apps that embed the library, and a public PoC is already available.

CVSS 4.0: 5.5 | EPSS: 0.3% | Priority: 48
#1 Jun 12
CVE-2026-48611 CRITICAL CWE-287 Act Now

Unauthenticated account hijacking in phpBB affects default installations even when OAuth is disabled, putting one of the most widely deployed forum platforms at immediate risk of mass compromise with no patch signal.

Authentication Bypass Phpbb No patch available
CVSS 3.0: 9.8 | EPSS: 0.1% | Priority: 49
#2 Jun 12
CVE-2026-47370 CRITICAL CWE-20 Act Now

Command injection across Ubiquiti UniFi OS gateways, controllers, NVRs, and NAS devices threatens a massive enterprise and SMB footprint where a low-privileged foothold yields full device takeover on network infrastructure.

CVSS 3.1: 9.9 | EPSS: 0.2% | Priority: 50
#3 Jun 12
CVE-2026-47369 CRITICAL CWE-20 Act Now

Privilege escalation in Ubiquiti UniFi OS lets low-privileged network-adjacent attackers fully compromise UniFi devices, which sit at the network edge of countless organizations and are frequent targets of botnet and APT campaigns.

CVSS 3.1: 9.9 | EPSS: 0.1% | Priority: 50
#4 Jun 12
CVE-2026-47367 CRITICAL CWE-20 Act Now

Command injection in the Ubiquiti UID Enterprise Agent allows low-privileged attackers to run arbitrary commands on host devices, exposing endpoints managed by UniFi Identity across enterprise environments to lateral movement.

CVSS 3.1: 9.9 | EPSS: 0.2% | Priority: 50
#1 Jun 11
CVE-2026-35273 CRITICAL CWE-306 Emergency

Unauthenticated remote takeover of Oracle PeopleSoft Enterprise PeopleTools (8.61/8.62) via the Updates Environment Management component. PeopleSoft hosts HR/financial data for large enterprises and government, and a CVSS 9.8 pre-auth RCE on an internet-adjacent admin component is a top-tier ransomware and data-theft target.

CVSS 3.1: 9.8 | EPSS: 0.0% | Priority: 124