A public exploit for CVE-2026-5544 targets the UTT HiPER 1250GW /goform/formRemoteControl Profile argument, risking remote compromise; immediate inventory, isolation and vendor contact are essential.

CVE-2026-4896 in WCFM for WooCommerce allows vendor-level users to modify any order status and delete products or pages; patch, audit vendor roles and check logs immediately.

A path traversal bug in the Perfmatters WordPress plugin lets Subscriber-level accounts delete wp-config.php, forcing the install wizard and enabling full site takeover; patch or remove the plugin now.

An unauthenticated SQL injection in mbCONNECT24’s setinfo endpoint, CVE-2026-33615, is rated CRITICAL and can cause total loss of integrity and availability; patch or isolate the endpoint now.

Trojanised Axios npm releases (1.14.1 and 0.30.4) containing WAVESHAPER.V2 were linked to UNC1069, risking credential theft across builds and deployments.

A High severity buffer overflow in Core FTP/SFTP Server 1.2 can crash the service via a ~7000 byte domain field payload, risking immediate denial of service for file transfer workflows.

Anthropic reportedly left almost 3,000 CMS assets exposed, including material linked to an unreleased model called Claude Mythos; researcher Alexandre Pauwels found the cache.

CVE-2026-25099: Bludit API plugin allowed authenticated users to upload and execute any file; fix available in 3.18.4, rated HIGH.