Adobe Commerce
-
Google patches critical Gemini CLI flaw that could allow remote code execution
Google fixed a critical Gemini CLI flaw that could let attackers execute commands on host systems in headless CI workflows. The issue affected specific npm and GitHub Actions versions and required explicit folder trust after the update.
-
Critical SGLang flaw can enable remote code execution
A critical flaw in SGLang, tracked as CVE-2026-5760 and rated 9.8, could allow remote code execution through a crafted model file and the /v1/rerank endpoint, according to a CERT/CC advisory.
-
Critical protobuf.js flaw enables JavaScript code execution
A critical flaw in protobuf.js can let attackers execute JavaScript code through malicious schemas, with a proof-of-concept now public. The issue affects versions 8.0.0 and 7.5.4 and earlier, and patched releases are available.
-
CISA adds Apache ActiveMQ flaw CVE-2026-34197 to exploited list
CISA says a high-severity Apache ActiveMQ Classic flaw, CVE-2026-34197, is being exploited in the wild. The agency added it to its Known Exploited Vulnerabilities catalog and ordered federal fixes by April 30.
-
Oracle issues emergency fix for critical Identity Manager and Web Services Manager RCE
Oracle issued an out-of-schedule patch for CVE-2026-21992, a critical unauthenticated remote code execution flaw in Identity Manager and Web Services Manager with a CVSS score of 9.8. Customers are urged to patch immediately.
-
Two critical n8n flaws patched after researcher finds remote code execution risk
Two critical vulnerabilities in the n8n workflow platform were reported and patched in March 2026. A technical analysis and vendor advisories show flaws that can enable remote code execution and decryption of stored credentials.
-
Report: Claude Desktop Extensions run unsandboxed, enabling zero-click RCE
A LayerX Security technical analysis found Claude Desktop Extensions run unsandboxed with full system privileges, enabling zero-click remote code execution via a malicious Google Calendar entry when MCP permissions are granted.
-
SecurityScorecard: 135,000 plus internet-exposed OpenClaw instances found
SecurityScorecard’s STRIKE team found more than 135,000 internet-exposed OpenClaw instances and tens of thousands vulnerable to a known RCE bug. Users are urged to restrict network bindings and limit agent access.
-
BeyondTrust patches critical pre-auth RCE in Remote Support and Privileged Remote Access
BeyondTrust released patches for CVE-2026-1731, a critical pre-auth remote code execution flaw affecting Remote Support and older Privileged Remote Access versions. Self-hosted instances must apply updates or upgrade to reach patchable releases.