ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs
Published: 2026-05-27
Last Updated: 2026-05-27 21:14:03 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up, the interesting forensic work is over. The questions that matter to defenders sit earlier: How did they get in? When did they get domain admin? What did they touch before the binary fired? Those answers live in the days before impact. They sit in two log sources that almost never get joined: the perimeter firewall and the Windows event channel.
This diary walks through a recent Akira-attributed intrusion at a mid-sized organization. The reconstruction used only SSLVPN syslog and Windows EVTX exports. No EDR. No memory captures. Every identifier in the post has been anonymized. The event types and sequencing are preserved exactly as observed.
The setup
The environment was a single-site Active Directory forest behind a perimeter NGFW. SSLVPN gave remote access to a small workforce. We started the engagement with the following sources available:
* Firewall syslog covering roughly seven days before the encryption event. Authentication, IPS and traffic categories were retained.
* EVTX exports from both domain controllers and three member servers. Channels covered were Security, System and Microsoft-Windows-PowerShell/Operational.
* The ransom note text file and a sample of encrypted files. Used only to confirm attribution.
No EDR. No PCAP. No proxy logs. This is a representative starting point for many small and mid-sized organizations. It is also why the joinable signal between the firewall and the Windows event channels matters so much.
Stage 1: Initial access
The first useful signal came from the firewall authentication log. We filtered SSLVPN events for the 72 hours before the encryption event. An unambiguous brute-force pattern jumped out. It targeted a single local SSLVPN account. The customer confirmed later that the account had been disabled in Active Directory. It remained provisioned as a local firewall user ...
Read the full entry: https://isc.sans.edu/diary/Reconstructing+an+Akira+Ransomware+Kill+Chain+from+Perimeter+and+Endpoint+Logs/33024/
Unidentified RAT pushes NetSupport RAT
Published: 2026-06-01
Last Updated: 2026-06-01 00:02:30 UTC
by Brad Duncan (Version: 1)
Introduction
This diary provides indicators from an unidentified RAT infection on Wednesday 2026-05-27 that was followed by a malicious NetSupport Manager RAT package. This originated from the SmartApeSG ClickFix campaign. I still don't know the name of the initial RAT, but it has consistently been generating encoded (not HTTPS/SSL/TLS) traffic to a command and control (C2) server at 89.110.110[.]119 over TCP port 443 since I first noticed it sometime in April 2026.
Images from the infection ...
Read the full entry: https://isc.sans.edu/diary/Unidentified+RAT+pushes+NetSupport+RAT/33034/
New Wave Of Phishing Emails with SVG Files
Published: 2026-06-02
Last Updated: 2026-06-02 07:29:25 UTC
by Xavier Mertens (Version: 1)
For a few days, my SANS ISC mailbox has been flooded with emails that deliver SVG files. An SVG ("Scalable Vector Graphic") is a web-friendly vector file format used for graphics and icons. No URL in the body, just “an image”: that’s the perfect way to deliver some malicious content. This isn’t the first time that we have seen this technique used by threat actors.
This time, the SVG files are really simple and don’t even contain any graphical element, only a simple piece of JavaScript that will redirect the victim's browser to the phishing page ...
Read the full entry: https://isc.sans.edu/diary/New+Wave+Of+Phishing+Emails+with+SVG+Files/33040/
YARA-X 1.17.0 Release (2026.05.31)
https://isc.sans.edu/diary/YARAX+1170+Release/33032/
Analysis of a Year of Files Uploaded to DShield Sensors (2026.05.27)
https://isc.sans.edu/diary/Analysis+of+a+Year+of+Files+Uploaded+to+DShield+Sensors/33026/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-48027 - Nx Console was briefly compromised on 19 May 2026 with a malicious version available for about 18 minutes on Visual Studio Marketplace.
Product: Nx Console
CVSS Score: 9.8
** KEV since 2026-05-27 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48027
NVD References:
- https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
- https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027
CVE-2026-0257 - Palo Alto Networks PAN-OS® software vulnerability allows attackers to bypass security restrictions and establish unauthorized VPN connections.
Product: Palo Alto Networks PAN-OS® software
CVSS Score: 0
** KEV since 2026-05-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0257
ISC Podcast: https://isc.sans.edu/podcastdetail/9952
NVD Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0257
CVE-2025-48595 - Android Framework has an integer overflow issue in multiple locations, allowing for possible code execution and local privilege escalation without requiring user interaction.
Product: Android Framework
CVSS Score: 0
** KEV since 2026-06-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48595
NVD Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48595
CVE-2022-0492 - A vulnerability in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c allows for privilege escalation and namespace isolation bypass.
Product: Linux Kernel
CVSS Score: 0
** KEV since 2026-06-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0492
NVD Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0492
CVE-2026-45659 - Microsoft SharePoint Remote Code Execution Vulnerability
Product: Microsoft Office SharePoint
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45659
ISC Podcast: https://isc.sans.edu/podcastdetail/9946
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
CVE-2026-41089 - Windows Netlogon Remote Code Execution Vulnerability
Product: Microsoft Windows Netlogon
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41089
ISC Podcast: https://isc.sans.edu/podcastdetail/9954
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
CVE-2026-42898 - Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
Product: Microsoft Dynamics 365
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42898
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898
CVE-2026-0826 - Poly Voice products on the Linux platform may be vulnerable to remote code execution due to a buffer overflow when the admin has enabled ICE.
Product: Poly Voice products on the Linux platform
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0826
ISC Podcast: https://isc.sans.edu/podcastdetail/9956
CVE-2026-9614 - Ivanti Neurons for ITSM (cloud and on-premises) has an Improper Access Control vulnerability that can be exploited by a remote authenticated attacker to gain administrative access.
Product: Ivanti Neurons for ITSM
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9614
ISC Podcast: https://isc.sans.edu/podcastdetail/9956
CVE-2025-41268, CVE-2025-41269, CVE-2025-41270, CVE-2025-41272, CVE-2025-41273, CVE-2025-41274 through CVE-2025-41277 - Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 are vulnerable to a CWE-23: Relative Path Traversal in the Administration WebUI, enabling remote unauthenticated attackers to delete arbitrary files on the Host machines.
Product: Waterfall WF-500 TX and RX Hosts
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41268
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41269
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41270
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41272
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41273
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41274
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41275
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41276
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41277
NVD References:
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41268
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41269
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41270
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41272
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41273
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41274
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41275
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41276
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41277
CVE-2026-45247 - The vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 allows unauthenticated attackers to remotely execute code by manipulating a serialized PHP object in the CacheWarmer cookie.
Product: Mirasvit Full Page Cache Warmer for Magento 2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45247
NVD References: https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection
CVE-2026-48686, CVE-2026-48687, CVE-2026-48689, CVE-2026-48691 - Multiple vulnerabilities in FastNetMon Community Edition through 1.2.9.
Product: FastNetMon Community Edition
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48686
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48687
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48689
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48691
NVD References:
- https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48686-bgp-nlri-stack-overflow
- https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48687-juniper-cmd-injection
- https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48689-dynamic-buffer-off-by-one
- https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48691-bgp-as-path-overflow
CVE-2026-35221, CVE-2026-35222, CVE-2026-35223, CVE-2026-40383, CVE-2026-48898, CVE-2026-48899, CVE-2026-48902, CVE-2026-48904 - Multiple vulnerabilities in Joomla!
Product: Joomla!
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35221 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35222 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35223 (improper access control)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40383 (path traversal)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48898 (improper access control)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48899 (improper access control)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48902 (cleartext transmission of sensitive information)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48904 (improper access control)
NVD References:
- https://developer.joomla.org/security-centre/1038-20260506-core-authenticated-blind-sqli-in-com-finder.html
- https://developer.joomla.org/security-centre/1039-20260507-core-authenticated-blind-sqli-in-com-tags.html
- https://developer.joomla.org/security-centre/1040-20260508-core-improper-access-check-in-com-config-webservice-endpoints.html
- https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html
- https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html
- https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html
- https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html
- https://developer.joomla.org/security-centre/1046-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html
CVE-2026-46624 - Twenty CRM is vulnerable to a critical Remote Code Execution (RCE) exploit via unsanitized timeZone parameter in the REST API groupBy endpoint, allowing authenticated users to execute arbitrary OS commands on the database server.
Product: Twenty CRM
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46624
NVD References: https://github.com/twentyhq/twenty/security/advisories/GHSA-jgx4-6mr9-9573
CVE-2026-7251 - Eppendorf BioFlo 320 is vulnerable to unauthorized remote control due to a hard-coded VNC server password, allowing attackers full access to the control panel features.
Product: Eppendorf BioFlo 320
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7251
NVD References: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01
CVE-2026-8633 - IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution via specially crafted requests in the Web Server Plug-ins.
Product: IBM WebSphere Application Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8633
NVD References: https://www.ibm.com/support/pages/node/7274072
CVE-2026-9170 - IBM HTTP Server 8.5, and 9.0
Product: IBM HTTP Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9170
NVD References: https://www.ibm.com/support/pages/node/7274065
CVE-2026-3660 - IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 have a vulnerability that enables unauthenticated remote attackers to update server property files and gain unauthorized access.
Product: IBM Engineering Lifecycle Management
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3660
NVD References: https://www.ibm.com/support/pages/node/7274079
CVE-2026-7524 - IBM Langflow OSS 1.0.0 through 1.9.1 is vulnerable to remote code execution through improper validation of symbolic links during archive extraction.
Product: IBM Langflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7524
NVD References: https://www.ibm.com/support/pages/node/7273426
CVE-2026-7876 - IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
Product: IBM Aspera High-Speed Transfer Server For Cloud Pak For Integration
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7876
NVD References: https://www.ibm.com/support/pages/node/7274127
CVE-2026-8175 - IBM Aspera High-Speed Transfer Endpoint and Server are prone to a buffer overflow in the asperahttpd component, allowing for denial of service, authentication bypass, and remote code execution.
Product: IBM Aspera High-Speed Transfer Endpoint
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8175
NVD References: https://www.ibm.com/support/pages/node/7273615
CVE-2026-44985 - Dozzle allows Cross-Site WebSocket Hijacking (CSWSH) prior to version 10.5.2, enabling attackers to gain shell access in containers with victim's valid JWT cookie.
Product: Dozzle
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44985
NVD References: https://github.com/amir20/dozzle/security/advisories/GHSA-j643-x8pv-8m67
CVE-2025-12686 - AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code due to a classic buffer overflow vulnerability.
Product: Synology BeeStation OS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12686
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_25_12
CVE-2026-44315, CVE-2026-44326, CVE-2026-44327, CVE-2026-44329, CVE-2026-44330 - Multiple vulnerabilities in Free5GC prior to version 4.2.2.
Product: Free5GC
CVSS Scores: 9.4 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44315
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44326
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44327
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44329
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44330
NVD References:
- https://github.com/free5gc/free5gc/security/advisories/GHSA-5f62-53r8-qrqf
- https://github.com/free5gc/free5gc/security/advisories/GHSA-3p28-73q7-45xp
- https://github.com/free5gc/free5gc/security/advisories/GHSA-cmpj-2x3g-m7g3
- https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3
- https://github.com/free5gc/free5gc/security/advisories/GHSA-rwww-x45w-p52w
CVE-2026-4408 - Samba is vulnerable to remote command execution due to a misconfiguration in Samba file servers and classic domain controllers.
Product: Samba
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4408
CVE-2026-38702, CVE-2026-38703, CVE-2026-38704, CVE-2026-38707 - Command injection vulnerabilities in InHand Networks IR firmware.
Product: InHand Networks
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38702
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38703
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38704
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38707
NVD References: https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf
CVE-2026-9090 through CVE-2026-9098 - Multiple vulnerabilities in Casdoor versions 2.362.0 and earlier.buildSpCertificateStore function.
Product: Casbin Casdoor
CVSS Scores: 9.1 - 9.8
NVD References: https://kb.cert.org/vuls/id/780781
CVE-2026-43898 - SandboxJS prior to version 0.9.6 allows attackers to execute arbitrary JavaScript by exploiting a vulnerability that exposes Function.caller in sandbox-defined functions.
Product: SandboxJS
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43898
NVD References: https://github.com/nyariv/SandboxJS/security/advisories/GHSA-g8f2-4f4f-5jqw
CVE-2026-45323 - MeshCore Card allows for arbitrary JavaScript execution in Home Assistant frontend by nodes in radio range before version 0.3.3.
Product: MeshCore Card
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45323
NVD References: https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc
CVE-2026-9645 - ScadaBR allows authenticated users to execute arbitrary JavaScript code on the server, potentially leading to complete system compromise with root access.
Product: ScadaBR
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9645
NVD References: https://www.tenable.com/security/research/tra-2026-46
CVE-2026-44881 - Portainer Community Edition allows authenticated users to read arbitrary files via a symlink vulnerability in its Git-backed stack deployment feature, fixed in versions 2.33.8, 2.39.2, and 2.41.0.
Product: Portainer
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44881
NVD References: https://github.com/portainer/portainer/security/advisories/GHSA-rpgq-m5fp-32wr
CVE-2026-9872 - Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to perform a sandbox escape through a crafted HTML page.
Product: Google Chrome
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9872
NVD References: https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
CVE-2026-46376 - FreePBX version 15.0.42 to before 16.0.45 and 17.0.7 allows unauthenticated users to access the User Control Panel via hard-coded initial template credentials if not changed by the Administrator.
Product: Sangoma FreePBX
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46376
NVD References: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx
CVE-2026-44962 - Plesk's APS Application Catalog search functionality is susceptible to XPath injection, allowing low-privileged users to run arbitrary commands on the server.
Product: Plesk APS Application Catalog
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44962
NVD References: https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog
CVE-2026-5386 - KMW CCTV Security Cameras are exposed to a critical unauthenticated password reset that grants unauthorized access to camera feeds and settings.
Product: KMW CCTV Security Cameras
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5386
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06
CVE-2026-7786 - Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter firmware vulnerability exposes plaintext administrative credentials.
Product: Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7786
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-02
CVE-2026-9051 - NI SystemLink Enterprise Dashboard application is vulnerable to an authentication bypass that could allow unauthenticated remote attackers to escalate privileges or disclose information by sending a specially crafted HTTP request.
Product: NI (National Instruments) SystemLink Enterprise Dashboard
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9051
NVD References: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/authentication-bypass-vulnerability-in-ni-systemlink-enterprise.html
CVE-2026-45372 - cpp-httplib versions prior to 0.44.0 have a vulnerability where encoded %0D%0A can pass validity checks and lead to stored \r\n byte pairs in header values.
Product: cpp-httplib
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45372
CVE-2026-45700 - FreeRDP allows for an out-of-bounds heap write vulnerability in versions prior to 3.26.0.
Product: FreeRDP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45700
NVD References: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh
CVE-2018-25412 - Delta Sql 1.8.2 is vulnerable to an arbitrary file upload flaw that enables unauthenticated adversaries to upload malicious PHP files and execute them for remote code execution.
Product: Delta Sql 1.8.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25412
CVE-2026-48188 - OTRS and ((OTRS)) Community Edition are vulnerable to an SQL injection in the database layer module, potentially leading to an authentication bypass if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.
Product: OTRS Community Edition
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48188
CVE-2026-42252 - Apache Airflow's official documentation at `core-concepts/dag-run.html` exposed users to shell-metacharacter injection via the `conf` field of the trigger API due to a missing quoting/sanitization warning.
Product: Apache Airflow
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42252
NVD References: https://lists.apache.org/thread/8f4sc0rfn154jprmnwtmlst4p9zfw3w7
CVE-2026-7858 - Teamwork Cloud and Magic Collaboration Studio are vulnerable to unauthenticated remote code execution due to a Deserialization of Untrusted Data flaw from No Magic Release 2022x through No Magic Release 2026x and CATIA Magic Release 2022x through CATIA Magic Release 2026x.
Product: Teamwork Cloud
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7858
CVE-2026-34311 - Oracle Hospitality OPERA 5 Property Services is vulnerable to an easily exploitable attack that can result in a complete takeover by an unauthenticated attacker.
Product: Oracle Hospitality Opera 5 Property Services
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34311
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46775 - Oracle REST Data Services (component: Core) versions 24.2.0-26.1.0 are vulnerable to an easily exploitable attack that can lead to a takeover of the service, impacting confidentiality, integrity, and availability with a high severity score.
Product: Oracle REST Data Services
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46775
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46817 - Oracle Payments in Oracle E-Business Suite (component: File Transmission) versions 12.2.3-12.2.15 is susceptible to an easily exploitable vulnerability that can be used by an unauthenticated attacker with network access via HTTP to compromise Oracle Payments, potentially resulting in a complete takeover.
Product: Oracle E-Business Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46817
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46819 - The Oracle Internet Procurement Connector product in Oracle E-Business Suite has a highly exploitable vulnerability in supported versions 12.2.3-12.2.15, allowing unauthenticated attackers to compromise critical data and access all Oracle Internet Procurement Connector data.
Product: Oracle E-Business Suite
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46819
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46822 - Oracle iAssets in Oracle E-Business Suite (Internal Operations) version 12.2.3-12.2.15 is vulnerable to takeover by low privileged attackers with network access, with a CVSS score of 9.9.
Product: Oracle iAssets
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46822
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46824 - Oracle Universal Work Queue in Oracle E-Business Suite is vulnerable to an easily exploitable attack that can result in a takeover of the system, with a CVSS 3.1 Base Score of 9.9.
Product: Oracle Universal Work Queue
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46824
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46833 - The vulnerability in the Net Service component of Oracle Database Server (supported versions 23.4.0-23.26.2) allows for an unauthenticated attacker with network access via TLS to compromise Net Service, potentially impacting additional products and resulting in a takeover with a CVSS 3.1 Base Score of 9.0.
Product: Oracle Database Server
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46833
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46839 - Oracle REST Data Services (component: Core) versions 24.2.0-26.1.0 are vulnerable to an easily exploitable attack that can lead to a takeover of the service, impacting confidentiality, integrity, and availability with a high severity score.
Product: Oracle REST Data Services
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46839
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-46840 - Oracle REST Data Services (component: Backend-as-a-Service) version 24.2.0-26.1.0 allows unauthenticated attackers to compromise the service via HTTPS, potentially impacting additional products and leading to a complete takeover with a CVSS Base Score of 10.0.
Product: Oracle REST Data Services
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46840
NVD References: https://www.oracle.com/security-alerts/cspumay2026.html
CVE-2026-42496 - Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory
Product: Archive::Tar
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42496
CVE-2026-7374 - Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability
Product: KubeVirt virt-handler
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7374
CVE-2025-71305 - drm/display/dp_mst: Add protection against 0 vcpi
Product: Linux Drm Display_dp_mst
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71305
CVE-2026-45899 - ext4: drop extent cache when splitting extent fails
Product: Linux ext4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45899
CVE-2026-39824 - Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
Product: Notepad++ NewNTUnicodeString
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39824
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39824
CVE-2026-39830 - Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
Product: golang.org/x/crypto/ssh
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39830
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39830
CVE-2026-39831 - Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
Product: OpenSSH FIDO/U2F security key types
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39831
CVE-2026-39834 - Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
Product: golang.org/x/crypto/ssh
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39834
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39834
CVE-2026-46595 - Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
Product: golang.org/x/crypto/ssh
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46595
CVE-2026-39833 - Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
Product: golang.org/x/crypto/ssh/agent
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39833
CVE-2026-42508 - Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
Product: golang.org/x/crypto/ssh/knownhosts
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42508
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42508
CVE-2026-39821 - Invoking failure to reject ASCII-only Punycode-encoded labels in
Product: golang.org/x/net/idna
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39821
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39821
CVE-2026-39832 - Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
Product: golang.org/x/crypto/ssh/agent
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39832
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39832
CVE-2026-45898 - Linux kernel: Resolved vulnerability in RDMA/iwcm causing workqueue list corruption by removing work_list.
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45898
CVE-2026-45972 - Linux kernel: Fix for potential UAF and double free in smb2_open_file().
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45972
CVE-2026-46039 - Linux kernel: Resolves vulnerability by fixing potential integer overflow in length check for rxgk_extract_token().
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46039
**NO CUSTOMER ACTION REQUIRED**
CVE-2026-40412 - Azure Orbital Spatio Remote Code Execution Vulnerability
Product: Azure Orbital Spatio
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40412
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40412
CVE-2026-23652 - Microsoft Power Pages Remote Code Execution Vulnerability
Product: Microsoft Power Pages
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23652
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23652
CVE-2026-40411 - Azure Virtual Network Gateway Remote Code Execution Vulnerability
Product: Azure Virtual Network Gateway
CVSS Score: 9.9
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40411
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40411
CVE-2026-47280 - Azure Resource Manager Elevation of Privilege Vulnerability
Product: Microsoft Azure Resource Manager (ARM)
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47280
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47280
CVE-2026-41090 - Microsoft Copilot Tampering Vulnerability
Product: Microsoft Copilot
CVSS Score: 9.3
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41090
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41090
CVE-2026-33843 - Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability
Product: Microsoft Azure Active Directory B2C
CVSS Score: 9.1
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33843
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33843
CVE-2026-41104 - Microsoft Planetary Computer Pro Information Disclosure Vulnerability
Product: Microsoft Planetary Computer Pro
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41104
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41104
CVE-2026-42901 - Microsoft Entra ID Elevation of Privilege Vulnerability
Product: Microsoft Entra ID
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42901
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42901