CVE-2026-25099: Bludit API plugin allowed authenticated users to upload and execute any file; fix available in 3.18.4, rated HIGH.

Small HTTP Server 3.06.36 has an unquoted service path (C:\Program Files (x86)\shttps_mg\http.exe service) that allows local code execution, severity 8.5 HIGH; quote paths, restrict writes and monitor process launches now.

TeamPCP backdoored LiteLLM 1.82.7–1.82.8, likely through a Trivy CI/CD compromise; attackers reportedly stole credentials and gained Kubernetes persistence.

A critical WP DSGVO Tools flaw allows unauthenticated attackers to permanently anonymise non-admin WordPress accounts via the super-unsubscribe action.

Hard-coded FTP credentials in KlinikaXP allowed an attacker to upload a malicious update to the vendor update server, possibly distributing it to client machines; vendors rotated credentials and removed the hard-coded secrets.

A supply chain incident involving Trivy and a self‑propagating CanisterWorm has infected npm packages, giving persistent backdoor access to developer systems.

CVE-2026-33134: authenticated time-based blind SQL injection in WeGIA’s restaurar_produto.php via id_produto, fixed in 3.6.6 — urgent patch and audit required