ScanForge Security Digest 2622-02

May 28, 2026200 items

65 critical40 high10 news

This week's security digest includes 0 actively exploited vulnerabilities (CISA KEV), 65 critical CVEs, and 40 high-severity CVEs. Review the details below and prioritize patching for any affected systems.

Critical

10.0 Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate p CVE-2026-47280

10.0 Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges CVE-2026-42901

10.0 Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacke CVE-2026-41104

10.0 Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attac CVE-2026-40412

10.0 Improper neutralization of special elements used in a comman 2 CVEs

CVE-2026-23652, CVE-2026-41090

10.0 Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile th CVE-2025-34163

10.0 Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its lo CVE-2012-10047

10.0 The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state dat CVE-2015-2808

9.9 Lumiverse 3 CVEs

CVE-2026-44450, CVE-2026-44449, CVE-2026-44444

9.9 Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vuln CVE-2026-46624

9.9 A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated Op CVE-2026-7374

9.9 Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute CVE-2026-40411

High Severity

8.8 Joomla! Component EkRishta 2.10 2 CVEs CVE-2018-25351, CVE-2018-25348

8.8 Smartshop 1 3 CVEs CVE-2018-25342, CVE-2018-25341, CVE-2018-25340

8.8 Deserialization of untrusted data in Microsoft Office SharePoint allows an autho CVE-2026-45659

8.8 Authorization bypass through user-controlled key in Azure Privileged Identity Ma CVE-2026-35430

8.8 RT is an open source, enterprise-grade issue and ticket tracking system. Version CVE-2026-41075

8.8 Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox CVE-2026-8975

8.8 Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these CVE-2026-8974

8.8 Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of CVE-2026-8973

8.8 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability CVE-2026-45495

8.8 JupyterLab is an extensible environment for interactive and reproducible computi CVE-2026-42266

+22 more products affected

Security News

Nordic CISOs Handle Rising Cyber Threats Remarkably Well Dark Reading

Artificial intelligence notwithstanding, the vast majority of CISOs in northern Europe say they're facing no more seriou

GPU mining malware spreads via SEO poisoning, AI chatbots Bleeping Computer

Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through

Ransomware Actors Show Up In Person to Steal Law Firm Data Dark Reading

The FBI warned that the extortion gang Silent Ransom Group is targeting law firms and socially engineering its way into

UK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia SecurityWeek

The speech is the latest in a string of warnings from intelligence experts that Russia is stepping up hostile activity i

Latin American Cybercriminals Hoover Up Government Data Dark Reading

A purported leak exposing 5.8 million records of Uruguayan citizens is the latest incident where cybercriminals targeted

AI-Assisted Exploit Development Outpaces Scanner Detection Dark Reading

Attackers are using AI to dramatically reduce the time they need to develop a working exploit for a CVE, according to ne

Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users The Hacker News

Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Andro

Malicious npm Package Stole Files From Claude AI User Directory via GitHub The Hacker News

Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information steali

Exploits & Threats

[hardware] MeiG Smart FORGE_SLT711 - OS Command Injection

[webapps] scramble - Remote Code Execution

[webapps] Casdoor 3.54.1 - Arbitrary File Write via Path Traversal

[local] Realtek rtl819x - Local Privilege

[webapps] EspoCRM 9.3.3 - SSRF