CVE-2026-45247: Mirasvit Magento RCE, Patch Now
CVE-2026-45247 Mirasvit Magento RCE via PHP deserialization in the Cache Warmer extension. CVSS 9.8. Active exploitation confirmed. Patch to 1.11.12.
7 articles tagged #rce
CVE-2026-45247 Mirasvit Magento RCE via PHP deserialization in the Cache Warmer extension. CVSS 9.8. Active exploitation confirmed. Patch to 1.11.12.
CVE-2025-34291 in Langflow is a CVSS 9.4 chain that hands an attacker your entire SaaS stack — API keys, OAuth tokens, database credentials — from a single page visit. CISA added it to KEV on May 21 with a June 4 federal deadline.
Docker Engine 29.5.1 patches three vulnerabilities in docker cp, including one that let a malicious container execute arbitrary code as root on the host by hijacking the decompression binary lookup.
CVE-2026-9082 is an unauthenticated SQL injection in Drupal core affecting all PostgreSQL-backed installations from 8.9 through 11.3.9. CISA added it to the KEV catalog on May 22 — active exploitation confirmed.
HPLIP 3.26.4 patches CVE-2026-8631 (CVSS 9.3): unauthenticated remote command injection via the HP printer driver daemon. No interaction required — update now.
CVE-2026-45434 (CVSS 9.8) in Apache OFBiz chains auth bypass to Groovy RCE. Default password 'ofbiz' ships on 10+ demo accounts. Fixed in 24.09.06.
CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module, present since 2008. Unauthenticated remote attackers can crash worker processes or achieve RCE. Patch now.