The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.

CVE-2026-26030

• Severity: 9.9 CRITICAL
• Impacted Products: Semantic Kernel Python SDK, versions prior to 1.39.4
• Description: Semantic Kernel, Microsoft’s semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the InMemoryVectorStore filter functionality. The problem has been fixed in version python-1.39.4. Users should upgrade this version or higher. As a workaround, avoid using InMemoryVectorStore for production scenarios.
• Remediation:
  • Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution
• More Info: NVD - CVE-2026-26030
• PoC:
  • https://github.com/mbanyamer/CVE-2026-26030-Microsoft-Semantic-Kernel-1.39.4-RCE

CVE-2026-3891 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Pix for WooCommerce plugin for WordPress, 1.5.0
• Description: The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the ‘lkn_pix_for_woocommerce_c6_save_settings’ function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-3891
• PoC:
  • https://github.com/joshuavanderpoll/CVE-2026-3891

CVE-2026-32746 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: GNU inetutils telnetd, version 2.7
• Description: GNU inetutils telnetd is affected by a buffer overflow vulnerability in the LINEMODE SLC (Set Local Characters) suboption handler that allows for remote code execution. This flaw exists because the application fails to perform boundary checks when processing SLC data, leading to an out-of-bounds write.
• Remediation:
  • #1130742 - inetutils: CVE-2026-32746 - Debian Bug report logs
• More Info: NVD - CVE-2026-32746
• PoC:
  • https://github.com/jeffaf/cve-2026-32746
  • https://github.com/chosenonehacks/CVE-2026-32746
  • https://github.com/danindiana/cve-2026-32746-mitigation

CVE-2026-30957

• Severity: 9.9 CRITICAL
• Impacted Products: OneUptime prior to version 10.0.21
• Description: OneUptime is affected by a remote code execution vulnerability in the oneuptime-probe component prior to version 10.0.21. This flaw allows an authenticated user to execute arbitrary commands on the server by leveraging exposed Playwright objects within the Synthetic Monitor environment.
• Remediation:
  • Synthetic Monitor RCE via exposed Playwright browser object #2 · Advisory · OneUptime/oneuptime · GitHub
• More Info: NVD - CVE-2026-30957
• PoC:
  • https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q

CVE-2026-30862

• Severity: 9.0 CRITICAL
• Impacted Products: Appsmith, 1.96
• Description: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the “Invite Users” feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/…
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-30862
• PoC:
  • https://github.com/drkim-dev/CVE-2026-30862

CVE-2026-30741 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: OpenClaw Agent Platform v2026.2.6
• Description: A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-30741
• PoC:
  • https://github.com/Named1ess/CVE-2026-30741

CVE-2026-2631 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Datalogics Ecommerce Delivery WordPress plugin before 2.6.60
• Description: The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option datalogics\_token without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress update\_option() operations. Attackers can use this to enable registartion and to set the default role as Administrator.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-2631
• PoC:
  • https://github.com/Nxploited/CVE-2026-2631

CVE-2026-21994 NEW

• Severity: 9.8 CRITICAL
• Impacted Products: Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit 0.3.0
• Description: Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit. Successful attacks of this vulnerability can result in takeover of Oracle Edge Cloud Infrastructure Designer and Visualis…
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-21994
• PoC:
  • https://github.com/g0w6y/CVE-2026-21994
  • https://github.com/TEXploited/CVE-2026-21994

CVE-2025-32433

• Severity: 10 CRITICAL
• Impacted Products: OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20
• Description: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-32433
• PoC: https://github.com/tobiasGuta/Erlang-OTP-CVE-2025-32433/

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.