The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.

CVE-2026-27574 NEW

• Severity: 9.9 CRITICAL
• Impacted Products: OneUptime 9.5.13 and below, OneUptime 10.0.5
• Description: OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js’s node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process.
• Remediation:
  • https://github.com/OneUptime/oneuptime/commit/7f9ed4d43945574702a26b7c206e38cc344fe427
  • Unsandboxed code execution in probe allows any project member to achieve RCE · Advisory · OneUptime/oneuptime · GitHub
• More Info: NVD - CVE-2026-27574
• PoC:
  • https://github.com/mbanyamer/CVE-2026-27574-OneUptime-RCE

CVE-2026-27507 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Binardat 10G08-0800GSM network switch firmware V300SP10260209 and prior
• Description: Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior contain hard-coded administrative credentials that cannot be changed by users. Knowledge of these credentials allows full administrative access to the device.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-27507
• PoC:
  • https://github.com/RootAid/CVE-2026-27507

CVE-2026-27211 NEW

• Severity: 10.0 CRITICAL
• Impacted Products: Cloud Hypervisor 34.0 through 50.0
• Description: Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QCOW2 structure pointing to a sensitive host path.
• Remediation:
  • https://github.com/cloud-hypervisor/cloud-hypervisor/commit/081a6ebb5184228ff348601502258f3f72bd8b43
  • https://github.com/cloud-hypervisor/cloud-hypervisor/commit/509832298b6865365b00bda88722e76e41ce7f41
  • https://github.com/cloud-hypervisor/cloud-hypervisor/commit/a63315df54e06f6ec867f17b63076c266e2d8648
• More Info: NVD - CVE-2026-27211
• PoC:
  • https://github.com/glitchhawks/CVE-2026-27211

CVE-2026-27180 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: MajorDoMo
• Description: MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-27180
• PoC:
  • https://github.com/mbanyamer/CVE-2026-27180-MajorDoMo-unauthenticated-RCE

CVE-2026-27174 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: MajorDoMo
• Description: MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel’s PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-27174
• PoC:
  • https://github.com/MaxMnMl/majordomo-CVE-2026-27174-poc

CVE-2026-26988 NEW

• Severity: 9.1 CRITICAL
• Impacted Products: LibreNMS 25.12.0 and below, LibreNMS 26.2.0
• Description: LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches.
• Remediation:
  • https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1
  • SQL Injection in ajax_table.php spreads through a covert data stream. · Advisory · librenms/librenms · GitHub
• More Info: NVD - CVE-2026-26988
• PoC:
  • https://github.com/mbanyamer/CVE-2026-26988-LibreNMS-SQLi

CVE-2026-2686 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: SECCN Dingcheng G10 3.1.0.181203
• Description: A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-2686
• PoC:
  • https://github.com/cha0yang1/SECCN/blob/main/UnauthorizedRCE.md

CVE-2026-26198 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Ormar 0.9.9, Ormar 0.10.0, Ormar 0.11.0, Ormar 0.12.0, Ormar 0.13.0
• Description: Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into sqlalchemy.text() without any validation or sanitization.
• Remediation:
  • https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16
  • SQL Injection in aggregate functions min() and max() · Advisory · collerek/ormar · GitHub
• More Info: NVD - CVE-2026-26198
• PoC:
  • https://github.com/blackhatlegend/CVE-2026-26198

CVE-2026-26030 NEW

• Severity: 9.9 CRITICAL
• Impacted Products: Semantic Kernel Python SDK, versions prior to 1.39.4
• Description: Semantic Kernel, Microsoft’s semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the InMemoryVectorStore filter functionality. The problem has been fixed in version python-1.39.4. Users should upgrade this version or higher. As a workaround, avoid using InMemoryVectorStore for production scenarios.
• Remediation:
  • Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution
• More Info: NVD - CVE-2026-26030
• PoC:
  • https://github.com/mbanyamer/CVE-2026-26030-Microsoft-Semantic-Kernel-1.39.4-RCE

CVE-2026-25896 NEW

• Severity: 9.3 CRITICAL
• Impacted Products: fast-xml-parser 4.1.3 through 5.3.4
• Description: The fast-xml-parser library is affected by a cross-site scripting (XSS) vulnerability in versions 4.1.3 through 5.3.4 due to improper handling of DOCTYPE entity names. This flaw allows attackers to bypass entity encoding by shadowing built-in XML entities with arbitrary values, leading to the injection of malicious scripts.
• Remediation:
  • Entity encoding bypass via regex injection in DOCTYPE entity names · Advisory · NaturalIntelligence/fast-xml-parser · GitHub
• More Info: NVD - CVE-2026-25896
• PoC:
  • https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2

CVE-2026-25242 NEW

• Severity: 5.3 MEDIUM
• Impacted Products: Gogs
• Description: Gogs is affected by a missing authorization vulnerability that allows unauthenticated remote users to upload arbitrary files to the server. This issue occurs because specific attachment endpoints do not enforce authentication by default.
• Remediation:
  • https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3
  • security: require authentication for attachment uploads by unknwon · Pull Request #8128 · gogs/gogs · GitHub
  • Unauthenticated file upload
• More Info: NVD - CVE-2026-25242
• PoC:
  • https://github.com/mindkernel/CVE-2026-25242

CVE-2026-1405 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Slider Future plugin for WordPress, 1.0.5
• Description: The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘slider_future_handle_image_upload’ function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-1405
• PoC:
  • https://github.com/Nxploited/CVE-2026-1405

CVE-2025-71243 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Saisies pour formulaire (Saisies) plugin for SPIP 5.4.0 through 5.11.0
• Description: The ‘Saisies pour formulaire’ (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
• Remediation:
  • Mise à jour critique de sécurité pour le plugin « Saisies pour formulaire » - SPIP Blog
• More Info: NVD - CVE-2025-71243
• PoC:
  • https://github.com/Chocapikk/CVE-2025-71243

CVE-2025-70830

• Severity: 9.9 CRITICAL
• Impacted Products: Datart v1.0.0-rc.3
• Description: A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-70830
• PoC:
  • https://github.com/xiaoxiaoranxxx/CVE-2025-70830

CVE-2025-65791 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: ZoneMinder v1.36.34
• Description: ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-65791
• PoC:
  • https://github.com/rishavand1/CVE-2025-65791

CVE-2025-55853 NEW

• Severity: 9.1 CRITICAL
• Impacted Products: SoftVision webPDF before 10.0.2
• Description: SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-55853
• PoC:
  • https://github.com/Vivz13/CVE-2025-55853

CVE-2025-49113

• Severity: 9.9 CRITICAL
• Impacted Products: Roundcube Webmail
• Description: Roundcube Webmail is affected by a PHP object deserialization vulnerability that allows authenticated users to execute arbitrary code. This flaw exists because the application fails to properly validate the _from URL parameter within the program/actions/settings/upload.php component.
• Remediation:
  • USN-7584-1: Roundcube vulnerability | Ubuntu security notices | Ubuntu
  • roundcubemail-1.6.11-1.fc42
  • roundcubemail-1.6.11-1.fc41
• More Info: NVD - CVE-2025-49113
• PoC:
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb
  • https://github.com/AC8999/CVE-2025-49113/blob/main/exploit.py
  • https://github.com/B1ack4sh/Blackash-CVE-2025-49113

CVE-2025-15559 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: NesterSoft WorkTime
• Description: An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2025-15559
• PoC:
  • https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-nestersoft-worktime-on-prem-cloud

CVE-2019-25441 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: thesystem 1.0
• Description: thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2019-25441
• PoC:
  • https://www.exploit-db.com/exploits/47441

CVE-2019-25361 NEW

• Severity: 8.8 HIGH
• Impacted Products: Ayukov NFTP client 1.71
• Description: Ayukov NFTP client 1.71 contains a buffer overflow vulnerability in the SYST command handling that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted SYST command with oversized payload to trigger a buffer overflow and execute a bind shell on port 5150.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2019-25361
• PoC:
  • https://www.exploit-db.com/exploits/47576

CVE-2026-20127 NEW

• Severity: 10.0 CRITICAL
• Impacted Products: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager
• Description: Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager are affected by an authentication bypass vulnerability in the peering authentication mechanism. This flaw allows an unauthenticated remote attacker to gain administrative privileges and manipulate network configurations by sending crafted requests to the system.
• Remediation:
  • Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
• More Info: NVD - CVE-2026-20127
• PoC:
  • https://github.com/Dimchuk/CVE-2026-20127-chain

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.