COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.

#Critical

62 articles

All CosmicBytez Labs articles tagged #Critical, across news, security advisories, how-to guides, and projects.

  • Security | May 30, 2026

    CVE-2026-9558: Critical SSTI in Mautic Enables Authenticated RCE

    A Server-Side Template Injection flaw in Mautic's Twig-based theme engine allows authenticated users with theme upload permissions to execute arbitrary...

  • Security | May 28, 2026

    CVE-2025-12686: Synology BeeStation OS Critical Buffer Overflow RCE

    Buffer overflow in Synology BeeStation OS AdminCenter lets unauthenticated attackers execute code remotely (CVSS 9.8) — patch to 1.3.2-65648 now.

  • Security | May 27, 2026

    CVE-2026-44444: Lumiverse AI Plugin Install Scripts Enable RCE (CVSS 9.1)

    Critical Lumiverse <0.9.7 flaw lets malicious extensions execute arbitrary code via package.json lifecycle scripts run by the Spindle build pipeline.

  • Security | May 27, 2026

    CVE-2026-44451: Lumiverse AI Chat TSX Sandbox Escape (CVSS 9.3)

    Critical sandbox escape in Lumiverse <0.9.7 lets attackers bypass JS global shadowing via crafted TSX component overrides, enabling code execution.

  • Security | May 22, 2026

    CVE-2026-5433: Honeywell CNM Critical Command Injection RCE

    A CVSS 9.1 critical command injection vulnerability in Honeywell's Control Network Module web interface allows remote attackers to execute arbitrary...

  • Security | May 21, 2026

    CVE-2026-20223: Cisco Secure Workload REST API Auth Bypass

    A CVSS 10.0 authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to access internal REST APIs with full Site Admin privileges.

  • Security | May 19, 2026

    CVE-2026-7301: SGLang ROUTER Socket Exposes Unsafe

    A critical CVSS 9.8 vulnerability in SGLang's multimodal AI runtime scheduler binds its ROUTER socket to 0.0.0.0 by default and passes incoming messages...

  • Security | May 19, 2026

    CVE-2026-7302: SGLang Unauthenticated Path Traversal

    A critical CVSS 9.1 path traversal vulnerability in SGLang's multimodal AI runtime allows unauthenticated attackers to write arbitrary files anywhere the...

  • Security | May 16, 2026

    CVE-2026-41258: OpenMRS Velocity Template Injection Enables

    A critical unsandboxed Apache Velocity template injection vulnerability in OpenMRS Core allows authenticated attackers to execute arbitrary code on the...

  • Security | May 14, 2026

    CVE-2026-40621: ELECOM Wireless LAN Access Point

    Critical authentication bypass vulnerability in ELECOM wireless LAN access point devices allows unauthenticated attackers to access protected URLs and...

  • News | May 13, 2026

    New Critical Exim Mailer Flaw Allows Remote Code Execution

    A critical vulnerability in certain configurations of the Exim open-source mail transfer agent allows unauthenticated remote attackers to execute...

  • Security | May 9, 2026

    CVE-2026-25199: Apache CloudStack Proxmox Extension Allows

    A critical tenant isolation vulnerability in Apache CloudStack's Proxmox extension (CVSS 9.1) allows one tenant to access and control VM instances...

  • Security | May 2, 2026

    CVE-2026-42779: Critical Apache MINA Deserialization Class

    An incomplete fix for CVE-2026-41635 leaves Apache MINA 2.1.x and 2.2.x branches exposed to a critical deserialization bypass via...

  • Security | Apr 30, 2026

    CVE-2026-36841: TOTOLINK N200RE V5 Command Injection

    A critical CVSS 9.8 command injection vulnerability in TOTOLINK N200RE V5 allows unauthenticated remote code execution via the macstr and bandstr...

  • Security | Apr 27, 2026

    CVE-2026-7037: Unauthenticated OS Command Injection in

    A critical CVSS 9.8 OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary...

  • Security | Apr 23, 2026

    CVE-2026-4119: WordPress Create DB Tables Plugin

    A critical CVSS 9.1 authorization bypass in the WordPress Create DB Tables plugin (all versions up to 1.2.1) allows unauthenticated users to create or...

  • Security | Apr 22, 2026

    CVE-2026-6748: Critical Uninitialized Memory Flaw in

    A critical CVSS 9.8 uninitialized memory vulnerability in Firefox and Thunderbird's Audio/Video Web Codecs component allows remote code execution. Update...

  • Security | Apr 21, 2026

    CVE-2026-29646: OpenXiangShan NEMU RISC-V Hypervisor

    A critical privilege escalation flaw in OpenXiangShan NEMU's RISC-V hypervisor extension allows a VS-mode guest write to the supervisor interrupt-enable...

  • Security | Apr 21, 2026

    CVE-2026-32604: Spinnaker Clouddriver Remote Code Execution

    A critical unauthenticated RCE vulnerability in Spinnaker's clouddriver service allows attackers to execute arbitrary commands on clouddriver pods,...

  • Security | Apr 21, 2026

    CVE-2026-32613: Spinnaker Echo Spring Expression Language

    A critical code injection flaw in Spinnaker's Echo service allows unrestricted Spring Expression Language (SPeL) execution via artifact processing,...

  • Security | Apr 21, 2026

    CVE-2026-39918: Vvveb CMS Unauthenticated PHP Code

    Vvveb CMS versions prior to 1.0.8.1 allow unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's unsanitized subdir...

  • Security | Apr 21, 2026

    CVE-2026-5965: NewSoftOA Critical OS Command Injection

    A critical OS command injection vulnerability in NewSoftOA by NewSoft allows unauthenticated local attackers to inject and execute arbitrary OS commands...

  • Security | Apr 12, 2026

    CVE-2026-6112: Totolink A7100RU OS Command Injection via

    A critical OS command injection vulnerability (CVSS 9.8) in Totolink A7100RU firmware allows unauthenticated remote attackers to execute arbitrary...

  • Security | Apr 12, 2026

    CVE-2026-6113: Totolink A7100RU OS Command Injection via

    A critical OS command injection flaw (CVSS 9.8) in Totolink A7100RU enables remote unauthenticated attackers to execute arbitrary commands by manipulating...

  • Security | Apr 12, 2026

    CVE-2026-6114: Totolink A7100RU OS Command Injection via

    CVE-2026-6114 is a critical OS command injection vulnerability (CVSS 9.8) in the Totolink A7100RU router's setNetworkCfg function, exploitable remotely...

  • Security | Apr 12, 2026

    CVE-2026-6115: Totolink A7100RU OS Command Injection via

    CVE-2026-6115 describes a critical OS command injection vulnerability (CVSS 9.8) in the Totolink A7100RU router, exploitable remotely and without...

  • Security | Apr 10, 2026

    CVE-2026-5977: TOTOLINK A7100RU Critical OS Command

    A critical OS command injection vulnerability (CVSS 9.8) in TOTOLINK A7100RU routers allows unauthenticated remote attackers to execute arbitrary system...

  • Security | Apr 10, 2026

    CVE-2026-5978: TOTOLINK A7100RU Critical OS Command

    A second critical OS command injection vulnerability (CVSS 9.8) in TOTOLINK A7100RU routers allows unauthenticated remote attackers to execute arbitrary...

  • News | Apr 5, 2026

    Fortinet Patches Actively Exploited CVE-2026-35616 in

    Fortinet has released emergency out-of-band patches for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS that enables...

  • News | Apr 5, 2026

    New FortiClient EMS Flaw Exploited in Attacks, Emergency

    Fortinet has released an emergency weekend security update for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS that is...

  • Security | Apr 5, 2026

    CVE-2016-20052: Snews CMS 1.7 Unrestricted File Upload

    Snews CMS 1.7 contains a critical unrestricted file upload vulnerability allowing unauthenticated attackers to upload PHP webshells to the snews_files...

  • Security | Mar 31, 2026

    CVE-2026-32714: Critical SQL Injection in SciTokens

    A critical SQL injection vulnerability in the SciTokens Python library allows attackers to manipulate authentication token validation via unsanitized...

  • Security | Mar 30, 2026

    CVE-2026-4176: Perl Compress::Raw::Zlib Critical

    Perl versions 5.9.4 through 5.43.8 ship a vulnerable Compress::Raw::Zlib core module that inherits CVE-2026-3381 from a vendored zlib dependency. CVSS 9.8...

  • Security | Mar 29, 2026

    CVE-2016-20049: JAD Java Decompiler Stack-Based Buffer

    JAD 1.5.8e-1kali1 and prior contains a critical stack-based buffer overflow vulnerability allowing attackers to execute arbitrary code by supplying input...

  • Security | Mar 29, 2026

    CVE-2017-20225: TiEmu TI Calculator Emulator Stack Buffer

    TiEmu 2.08 and prior contains a critical stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by passing oversized...

  • Security | Mar 29, 2026

    CVE-2026-32922: OpenClaw Privilege Escalation via Token

    A critical CVSS 9.9 privilege escalation vulnerability in OpenClaw allows operators with limited pairing scope to mint tokens with unrestricted admin...

  • Security | Mar 29, 2026

    CVE-2026-32924: OpenClaw Authorization Bypass via Feishu

    A critical CVSS 9.8 authorization bypass in OpenClaw allows attackers to circumvent groupAllowFrom and requireMention protections in group chats by...

  • Security | Mar 28, 2026

    CVE-2026-27876 — Grafana Critical RCE via SQL Expression

    A chained attack exploiting SQL Expressions combined with a Grafana Enterprise plugin can lead to remote arbitrary code execution. All Grafana users...

  • Security | Mar 23, 2026

    CVE-2026-4599: jsrsasign Private Key Recovery via DSA Nonce

    A critical flaw in jsrsasign versions 7.0.0 through 11.1.0 allows attackers to recover DSA private keys by exploiting biased nonce generation in the...

  • Security | Mar 21, 2026

    CVE-2026-22172: OpenClaw Critical Authorization Bypass via

    A critical CVSS 9.9 authorization bypass in OpenClaw allows authenticated users to self-declare elevated scopes over WebSocket connections without...

  • Security | Mar 18, 2026

    CVE-2026-25534: Spinnaker SSRF via URL Validation Bypass

    A critical SSRF vulnerability (CVSS 9.1) in Spinnaker's clouddriver and orca components bypasses the previous CVE-2025-61916 URL validation patch through...

  • Security | Mar 18, 2026

    CVE-2026-25769: Wazuh Critical RCE via Insecure

    A critical remote code execution vulnerability (CVSS 9.1) in Wazuh versions 4.0.0–4.14.2 allows an attacker with access to a worker node to achieve root...

  • Security | Mar 18, 2026

    CVE-2026-25770: Wazuh Privilege Escalation to Root via

    A critical privilege escalation vulnerability (CVSS 9.1) in Wazuh versions 3.9.0–4.14.2 allows authenticated cluster nodes to overwrite the manager...

  • Security | Mar 18, 2026

    CVE-2026-3564: ConnectWise ScreenConnect Auth Bypass via

    A critical authentication bypass vulnerability (CVSS 9.0) in ConnectWise ScreenConnect versions prior to 26.1 allows an actor with access to server-level...

  • Security | Mar 17, 2026

    CVE-2025-69902: Critical Command Injection in

    A critical command injection vulnerability in kubectl-mcp-server allows unauthenticated attackers to execute arbitrary OS commands through unsanitized...

  • Security | Mar 17, 2026

    CVE-2026-4177: YAML::Syck Heap Buffer Overflow Enables

    A critical heap buffer overflow in YAML::Syck for Perl allows remote code execution through crafted YAML input that exceeds the 512-byte class name...

  • Security | Mar 17, 2026

    CVE-2026-4312: DrangSoft GCB/FCB Audit Software Missing

    A critical missing authentication flaw (CVSS 9.8) in DrangSoft's GCB/FCB Audit Software allows unauthenticated remote attackers to directly access...

  • Security | Mar 16, 2026

    CVE-2016-20024: ZKTeco ZKTime.Net Insecure File Permissions

    ZKTeco ZKTime.Net 3.0.1.6 ships with world-writable directory permissions on its installation folder, allowing any local unprivileged user to replace...

  • Security | Mar 16, 2026

    CVE-2016-20026: ZKTeco ZKBioSecurity 3.0 Hardcoded Tomcat

    ZKTeco ZKBioSecurity 3.0 ships a bundled Apache Tomcat server with hardcoded credentials stored in tomcat-users.xml, granting unauthenticated attackers...

  • Security | Mar 16, 2026

    CVE-2016-20030: ZKTeco ZKBioSecurity 3.0 Username

    ZKTeco ZKBioSecurity 3.0 allows unauthenticated attackers to enumerate valid usernames by submitting partial character strings to the...

  • Security | Mar 12, 2026

    CVE-2025-68613: n8n Remote Code Execution via Improper

    CISA adds CVE-2025-68613 to the Known Exploited Vulnerabilities catalog — a CVSS 9.9 flaw in n8n's workflow expression evaluation system that enables...

  • Security | Mar 8, 2026

    ZITADEL Critical XSS in SAML Endpoint Enables 1-Click

    A critical cross-site scripting vulnerability in ZITADEL's login V2 /saml-post endpoint allows unauthenticated attackers to execute arbitrary JavaScript...

  • Security | Mar 4, 2026

    Mail2Shell: Zero-Click RCE in FreeScout Helpdesk

    A maximum-severity zero-click vulnerability dubbed Mail2Shell allows unauthenticated attackers to compromise FreeScout mail servers by simply sending a...

  • Security | Feb 17, 2026

    BeyondTrust Remote Support Pre-Authentication RCE Under

    A critical pre-authentication OS command injection vulnerability in BeyondTrust Remote Support and Privileged Remote Access with CVSS 9.9 is being...

  • Security | Feb 11, 2026

    Microsoft Patch Tuesday February 2026: 6 Actively Exploited

    Microsoft's February 2026 Patch Tuesday addresses 60 vulnerabilities including 6 actively exploited zero-days and 3 publicly disclosed issues, with...

  • Security | Feb 7, 2026

    Eight Critical n8n Vulnerabilities — Sandbox Escape to

    Popular workflow automation platform n8n hit with eight high-to-critical CVEs including a CVSS 10.0 unauthenticated RCE and sandbox escape bypassing...

  • Security | Feb 6, 2026

    Apache Struts Critical RCE via OGNL Injection Returns

    A new critical OGNL injection vulnerability in Apache Struts allows unauthenticated remote code execution, reminiscent of the 2017 Equifax breach vector....

  • Security | Feb 6, 2026

    Critical Fortinet FortiClientEMS SQL Injection

    Fortinet patches a CVSS 9.8 SQL injection in FortiClientEMS 7.4.4 allowing unauthenticated remote code execution. Endpoint management servers across...

  • Security | Feb 5, 2026

    SolarWinds Web Help Desk RCE Vulnerability Added to CISA KEV

    Critical deserialization vulnerability in SolarWinds Web Help Desk enables unauthenticated remote code execution. CISA confirms active exploitation.

  • Security | Feb 4, 2026

    Critical Google Looker Vulnerabilities Allow Full System

    Two severe vulnerabilities in Google Looker, dubbed 'LookOut', could allow attackers to gain complete control of self-hosted deployments affecting 60,000+...

  • Security | Feb 4, 2026

    Critical n8n Vulnerability (CVSS 10.0) Enables Complete

    A maximum-severity flaw dubbed 'Ni8mare' in the popular workflow automation platform n8n allows unauthenticated attackers to gain full control of...

  • Security | Feb 2, 2026

    Critical Vulnerability Discovered in Popular Enterprise VPN

    Security researchers have identified a severe authentication bypass vulnerability affecting multiple enterprise VPN products. Immediate patching recommended.