ScanForge Security Digest 2613-02

March 27, 2026200 items

45 critical36 high10 news

This week brought a significant vulnerability influx with 45 critical CVEs requiring immediate attention, though no actively exploited vulnerabilities were reported by CISA. Notable threats include unauthenticated remote code execution in CLI interfaces (CVE-2026-3587), path traversal vulnerabilities in popular frameworks like Mesop and ApostropheCMS, and deserialization flaws affecting CMS platforms. Organizations should prioritize patching CVE-2026-3587 and updating Mesop to version 1.2.3+ and ApostropheCMS to 3.5.3+ to prevent device compromise and file system access. Additionally, the disclosure of vulnerabilities in AI frameworks like LangChain highlights emerging risks in modern development stacks that warrant immediate security reviews.

Critical

10.0 An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the res CVE-2026-3587

10.0 Mesop 2 CVEs

CVE-2026-33054, CVE-2026-33057

9.9 ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophe CVE-2026-32731

9.9 Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows CVE-2025-0987

9.8 Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Inject CVE-2026-22507

9.8 Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2- CVE-2026-22500

9.8 node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versi CVE-2026-26832

9.8 pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parame CVE-2026-26830

9.8 In N2W 2 CVEs

CVE-2025-59707, CVE-2025-59706

9.8 A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and i CVE-2026-28858

9.8 Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149 CVE-2026-4710

9.8 Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox CVE-2026-4701

High Severity

8.9 flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function CVE-2026-33228

8.8 OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthe CVE-2024-58341

8.8 A logic issue was addressed with improved checks. This issue is fixed in macOS T CVE-2026-20631

8.8 pyLoad is a free and open-source download manager written in Python. From versio CVE-2026-33511

8.8 NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module CVE-2026-27654

8.8 Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7.This iss CVE-2026-33854

8.8 i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthentic CVE-2019-25581

8.8 phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote CVE-2019-25578

8.8 The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated compon CVE-2025-67260

8.8 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C CVE-2026-29099

+20 more products affected

Security News

CISA Flags Critical PTC Vulnerability That Had German Police Mobilized SecurityWeek

Police in Germany physically warned organizations about the critical PTC Windchill vulnerability tracked as CVE-2026-468

Windows 11 KB5079391 update rolls out Smart App Control improvements Bleeping Computer

Microsoft has released the KB5079391 preview cumulative update for Windows 11 24H2 and 25H2, which includes 29 changes,

Dutch Police discloses security breach after phishing attack Bleeping Computer

The Dutch National Police (Politie) says a security breach resulting from a successful phishing attack has had a limited

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks The Hacker News

Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if succe

Ajax football club hack exposed fan data, enabled ticket hijack Bleeping Computer

Dutch professional football club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT s

Is the FCC's Router Ban the Wrong Fix? Dark Reading

The agency put foreign-made consumer routers on its list of prohibited communications devices, but the ban could create

Automotive Cybersecurity Threats Grow in Era of Connected, Autonomous Vehicles Dark Reading

More than a decade since the 2015 Jeep hack, the cybersecurity of vehicles remains of the utmost importance.

CISA: New Langflow flaw actively exploited to hijack AI workflows Bleeping Computer

The Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are actively exploiting a critical v