Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)

Last week, there were 159 vulnerabilities disclosed in 142 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 96 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

Updated sqlite3 packages fix bug & security vulnerability

sqlite3 shipped in Mageia 9 lacks ICU support. This update brings sqlite3-icu to allow ICU support be loaded as an optional extension. This update fixes CVE-2025-70873, an information disclosure issue. The zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows...

MGASA-2026-0195 Updated sqlite3 packages fix bug & security vulnerability

sqlite3 shipped in Mageia 9 lacks ICU support. This update brings sqlite3-icu to allow ICU support be loaded as an optional extension. This update fixes CVE-2025-70873, an information disclosure issue. The zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows...

CVE-2026-53462

A flaw was found in ImageMagick. When an allocation fails in the CheckPrimitiveExtent function, it can lead to a heap-use-after-free vulnerability. This memory corruption issue can result in a denial of service DoS by causing the application to crash...

CVE-2026-47712

A flaw was found in Dulwich, a pure-Python implementation of Git file formats and protocols. A remote attacker could exploit this vulnerability by crafting a malicious commit subject. When the formatpatch function processes this subject, it could lead to an arbitrary file write, allowing the...

Security Bulletin: IBM Maximo Scheduler Optimizer uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033

Summary IBM Maximo Scheduler Optimizer uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-42033 DESCRIPTION: Axios is a promise based HTTP client for the browser and...

Security Bulletin: Vulnarability in openssl library (CVE-2025-69419) affects Power HMC.

Summary The openssl library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-69419 DESCRIPTION: Issue summary: Calling PKCS12getfriendlyname function on a maliciously crafted PKCS12 file with a BMPString UTF-16BE friendly...

EUVD-2026-36256

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

CVE-2026-44489

Axios version range 1.15.2–1.15.x is vulnerable to a header injection via the Proxy-Authorization header. The root cause is that nested objects created by utils.merge() (e.g., config.proxy) retain plain {} with Object.prototype in their chain, and setProxy() in lib/adapters/http.js (lines ~209–22...

CVE-2026-44489 Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

CVE-2026-44489 Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

CVE-2026-44489

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

CVE-2026-52757

Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereference...

CVE-2026-42570

A flaw was found in devalue, a JavaScript library used for serializing values. Due to quirks in some JavaScript engines, the devalue.parse function could be exploited by a remote attacker when deserializing specially crafted sparse arrays. This could lead to excessive memory consumption, resultin...

MAL-2026-5672 Malicious code in vqlxjmpr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aeb63fbed71a85092bf04cb120b4d1f19a3edaa74ac1c0cb47ce36f622d0062e Package is published as a generic 'Utility library' under an opaque name vqlxjmpr with no repository or homepage, but its sole exported function...

Malicious code in vqlxjmpr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aeb63fbed71a85092bf04cb120b4d1f19a3edaa74ac1c0cb47ce36f622d0062e Package is published as a generic 'Utility library' under an opaque name vqlxjmpr with no repository or homepage, but its sole exported function...

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the HostnameError.Error function. This flaw, caused by unbounded string concatenation, leads to excessive resource...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the HostnameError.Error function. This flaw, caused by unbounded string concatenation, leads to excessive resource...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...