CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities KEV catalog, following reports of active exploitation in the wild. The...

Exploit for CVE-2026-35904

T3 Technology CPE — Security Advisories Multiple critical vul...

Security update for grafana

This update for grafana to version to 11.6.14+security01 fixes the following issues: Security Fixes: CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service bsc1262950 CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift...

CVE-2026-5241

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...

CVE-2026-5241

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...

CVE-2026-5241

Technical details (affected products, versions, fixes, or exploit specifics) are not publicly available in the provided connected documents. Monitor for updates from vendors and security advisories.

CVE-2026-5241 Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...

EUVD-2026-34084

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...

CVE-2026-5241 Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...

CVE-2026-10194

A flaw was found in OFFIS DCMTK, specifically within its dcmqrscp component. A remote attacker could exploit a heap-based buffer overflow vulnerability. This occurs when processing manipulated data, potentially allowing the attacker to execute arbitrary code or cause the application to crash,...

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by a remote code execution vulnerability

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by a remote code execution vulnerability CVE-2026-9319 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Product...

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by remote code execution

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by remote code execution CVE-2026-9311, CVE-2026-9330 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products...

E-Learning System 1.0 - SQL Injection

E-Learning System 1.0 contains an unauthenticated SQL injection caused by unsanitized input, letting remote attackers execute arbitrary code on the server and gain a reverse shell, exploit requires no authentication. id: CVE-2021-3239 info: name: E-Learning System 1.0 - SQL Injection author:...

Apache Airflow OS Command Injection

Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. id: CVE-2022-24288 info: name: Apache Airflow OS Command Injection...

geojson2kml - Command Injection

Detects command injection vulnerability by checking if hacked.txt is created and contains the expected content. id: CVE-2020-28429 info: name: geojson2kml - Command Injection author: eeche,chae1xx1os,persona-twotwo,soonghee2 severity: critical description: | Detects command injection vulnerabilit...

Artica Web Proxy 4.30 - OS Command Injection

Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via servicecmdspeform. id: CVE-2020-17505 info: name: Artica Web Proxy 4.30 - OS Command Injection author: dwisiswant0...

Adning Advertising <= 1.5.5 - Arbitrary File Upload

The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ninguploadimage function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites...

Apache Airflow <=1.10.10 - Remote Code Execution

Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending on the executor in us...

Anyscale Ray - Remote Code Execution

Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API. id: CVE-2023-48022 info: name: Anyscale Ray - Remote Code Execution author:...

Wavlink WN535K2/WN535K3 - OS Command Injection

Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised...