ScanForge Security Digest 2622-01

May 25, 2026200 items

56 critical50 high10 news

This week's security digest includes 0 actively exploited vulnerabilities (CISA KEV), 56 critical CVEs, and 50 high-severity CVEs. Review the details below and prioritize patching for any affected systems.

Critical

10.0 LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp CVE-2026-48172

9.9 Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_comma CVE-2026-33642

9.8 The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil CVE-2026-6960

9.8 A vulnerability in the Trend Micro Apex One management conso 2 CVEs

CVE-2025-71211, CVE-2025-71210

9.8 In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling o CVE-2026-43493

9.8 Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execut CVE-2025-60724

9.8 Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a ne CVE-2025-53766

9.8 Improper Neutralization of Special Elements used in an SQL C 31 CVEs

CVE-2023-3631, CVE-2023-3377, CVE-2023-2889, CVE-2023-35071, CVE-2023-3616 +26 more

9.8 Incomplete List of Disallowed Inputs vulnerability in Unisign Bookreen allows Privilege Escalation. CVE-2023-3374

9.8 Authorization Bypass 3 CVEs

CVE-2023-2958, CVE-2023-3048, CVE-2023-2713

9.8 Reliance on Cookies without Validation and Integrity Checking in a Security Decision vulnerability i CVE-2023-3050

9.8 Unrestricted Upload of File with Dangerous Type vulnerabilit 3 CVEs

CVE-2023-3049, CVE-2023-2712, CVE-2023-1728

High Severity

8.9 Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to inse CVE-2026-8135

8.8 The ConnectWise Automate™ Agent does not fully verify the authenticity of compon CVE-2026-9089

8.8 In the Linux kernel, the following vulnerability 7 CVEs CVE-2026-43490, CVE-2026-31433, CVE-2026-43481, CVE-2026-43476 +3

8.8 Authorization Bypass 3 CVEs CVE-2023-2883, CVE-2023-2065, CVE-2023-2702

8.8 CVE-2020-9493 identified a deserialization issue that was present in Apache Chai CVE-2022-23307

8.8 JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrust CVE-2022-23302

8.7 LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /us CVE-2026-47102

8.7 LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API key CVE-2026-47101

8.7 Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te CVE-2026-7790

8.7 Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe al CVE-2026-43967

+16 more products affected

Security News

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign Bleeping Computer

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject mali

Laravel Lang packages hijacked to deploy credential-stealing malware Bleeping Computer

A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credent

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks The Hacker News

GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware The Hacker News

A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code desig

Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes Bleeping Computer

Italian authorities have dismantled a piracy ecosystem centered around the CINEMAGOAL app that provided access to variou

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software The Hacker News

Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vuln

‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains SecurityWeek

The stealthy vulnerability impacts roughly 88 million domains and can be exploited to bypass DNS filtering and hide comm

Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer The Hacker News

Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP pack