ScanForge Security Digest 2626-01

June 22, 202694 items

11 critical28 high10 news

This week's security digest includes 0 actively exploited vulnerabilities (CISA KEV), 11 critical CVEs, and 28 high-severity CVEs. Review the details below and prioritize patching for any affected systems.

Critical

10.0 A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the fil CVE-2026-48939

10.0 A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthent CVE-2026-48908

9.5 SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation CVE-2026-48909

9.4 SiYuan 2 CVEs

CVE-2026-56397, CVE-2026-56395

9.3 Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT CVE-2026-56265

9.3 Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the CVE-2024-58351

9.3 WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute ar CVE-2022-50972

9.3 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability CVE-2019-25763

9.3 Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret materi CVE-2025-10560

9.2 AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecord CVE-2026-56345

High Severity

8.8 Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerabil CVE-2019-25752

8.8 In the Airoha Bluetooth audio SDK, there is a possible way to pair Bluetooth aud CVE-2025-20701

8.7 phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser CVE-2026-56396

8.7 Capgo 5 CVEs CVE-2026-56253, CVE-2026-56242, CVE-2026-56239, CVE-2026-56229 +1

8.7 AVideo through version 26.0 contains multiple unauthenticated list.json.php endp CVE-2026-56341

8.7 vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in mul CVE-2026-56340

8.7 WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerab CVE-2020-37255

8.7 syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4. CVE-2026-12225

8.6 Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contai CVE-2026-56382

7.6 picklescan 4 CVEs CVE-2025-71378, CVE-2025-71357, CVE-2025-71351, CVE-2025-71348

+9 more products affected

Security News

More Cybersecurity Firms Disclose Impact From Klue Hack SecurityWeek

HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium are among the affected Klue customers. The post M

AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network The Hacker News

A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS

INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific The Hacker News

A new report from INTERPOL has revealed a "dramatic increase" in cybercrime in Asia and the South Pacific, fueled by rap

Texas Parks & Wildlife Data Breach Affects 3 Million Individuals SecurityWeek

Hackers stole personal information after breaching the systems of a third-party license vendor serving TPWD. The post Te

AryStinger botnet infected thousands of D-Link routers worldwide Bleeping Computer

A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them

New Prinz Eugen ransomware prioritizes recent files for encryption Bleeping Computer

A new ransomware operation named 'Prinz Eugen' prioritizes recently modified files for encryption and leaves no ransom n

Microsoft links Mastra AI supply chain attack to North Korean hackers Bleeping Computer

Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys The Hacker News

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installe