ScanForge Security Digest 2619-01

May 4, 2026200 items

28 critical111 high10 news

This week saw 28 critical vulnerabilities published with no actively exploited threats, offering a brief window for remediation planning. Notable issues include an IDOR vulnerability in Comet Backup affecting multiple versions, buffer overflow flaws in JS8Call radio software, and privilege escalation vulnerabilities in surveillance and backup systems. While no zero-day exploits are currently in the wild, organizations should prioritize patching Comet Backup and GeoVision devices, and monitor backup/surveillance infrastructure closely given the frequency of targeting in this period. Industry news highlights increased M&A activity, certificate revocations at DigiCert, and emerging AI-assisted attack vectors as persistent threats. Teams should review their patch management timelines and consider whether current backup and surveillance solutions remain within supported versions.

Critical

10.0 GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and CVE-2026-42369

10.0 JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio CVE-2026-42996

10.0 DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an at CVE-2026-26015

9.9 A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11. CVE-2026-29200

9.9 A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/ CVE-2026-42368

9.9 An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC20 CVE-2026-42364

9.8 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability i CVE-2025-14320

9.8 The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in CVE-2026-7458

9.8 The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads d CVE-2026-4882

9.8 Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bd CVE-2026-37534

9.8 AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combin CVE-2026-37531

9.8 In the Linux kernel, the following vulnerability 6 CVEs

CVE-2026-43039, CVE-2026-43038, CVE-2026-43037, CVE-2026-43011, CVE-2026-31718 +1 more

High Severity

111

8.9 A security flaw 2 CVEs CVE-2026-7747, CVE-2026-7719

8.9 Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.R CVE-2026-32148

8.8 Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGU CVE-2026-7482

8.8 The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Clas CVE-2026-2052

8.8 The Import and export users and customers plugin for WordPress is vulnerable to CVE-2026-7641

8.8 The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access du CVE-2026-6963

8.8 miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) conta CVE-2026-37536

8.8 In the Linux kernel, the following vulnerability 40 CVEs CVE-2026-43048, CVE-2026-43018, CVE-2026-31773, CVE-2026-31739 +36

8.8 IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute CVE-2026-6543

8.8 IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application CVE-2026-6389

+48 more products affected

Security News

Cybersecurity M&A Roundup: 33 Deals Announced in April 2026 SecurityWeek

Significant cybersecurity M&A deals announced by Airbus, Cyera, Fortra, Palo Alto Networks, Silverfort, and Socket.

DigiCert Revokes Certificates After Support Portal Hack SecurityWeek

Hackers delivered malware via a customer chat channel, infected an analyst’s system, and accessed the internal support p

Progress warns of critical MOVEit Automation auth bypass flaw Bleeping Computer

Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation ente

Webinar: Why MSPs must rethink security and backup strategies Bleeping Computer

Security breaches don't just test your defenses—they test your recovery. Join Kaseya in our upcoming webinar to learn ho

2026: The Year of AI-Assisted Attacks The Hacker News

On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young ma

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia The Hacker News

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia

CISA says ‘Copy Fail’ flaw now exploited to root Linux systems Bleeping Computer

CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one

How Dark Reading Lifted Off the Launchpad in 2006 Dark Reading

Twenty years ago, this media brand didn't have a print edition to attract eyeballs and sponsors. Top-notch content and e

Exploits & Threats

[local] Windows 11 24H2 - Local Privilege Escalation

[webapps] MindsDB 25.9.1.1 - Path Traversal

[webapps] Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)