Vulnerabilities
Vulnerable Software
Security Vulnerabilities - Known exploited
CVE-2026-56291
Known exploited
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
CVSS Score
10.0
EPSS Score
0.008
Published
2026-07-09
CVE-2026-48282
Known exploited
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
CVSS Score
10.0
EPSS Score
0.286
Published
2026-06-30
CVE-2026-56290
Known exploited
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
CVSS Score
10.0
EPSS Score
0.029
Published
2026-06-29
CVE-2026-55255
Known exploited
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.1.
CVSS Score
8.4
EPSS Score
0.005
Published
2026-06-23
CVE-2026-48908
Known exploited
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
CVSS Score
10.0
EPSS Score
0.016
Published
2026-06-20
CVE-2026-48939
Known exploited
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
CVSS Score
10.0
EPSS Score
0.015
Published
2026-06-20
CVE-2026-12569
Known exploited
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
CVSS Score
9.3
EPSS Score
0.012
Published
2026-06-18
CVE-2026-20262
Known exploited
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.
CVSS Score
6.5
EPSS Score
0.077
Published
2026-06-15
CVE-2026-54420
Known exploited
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
CVSS Score
8.5
EPSS Score
0.013
Published
2026-06-14
CVE-2026-48558
Known exploited
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
CVSS Score
9.5
EPSS Score
0.012
Published
2026-06-12


Contact Us

Shodan ® - All rights reserved