MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-49286 | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive' | 8.1 | N/A | 2026-06-19 | 2026-06-19 |
| CVE-2026-12046 | Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> -- were the only routes in the module missing the @pga_login_required decorator. Both reach a pickle.loads sink on session['gridData'][<trans_id>]['command_obj']: the close endpoint via close_sqleditor_session(), and update_sqleditor_connection via check_transaction_status(). In server mode these endpoints were reacha | 9.5 | N/A | 2026-06-19 | 2026-06-19 |
| CVE-2025-27511 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue. | 7.2 | 0.36% | 2026-06-18 | 2026-06-18 |
| CVE-2026-8024 | A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems. | 9.3 | 0.55% | 2026-06-18 | 2026-06-18 |
| CVE-2026-12569 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030 | 9.3 | 0.50% | 2026-06-18 | 2026-06-18 |
| CVE-2026-35300 | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV | 9.8 | 0.55% | 2026-06-17 | 2026-06-18 |
| CVE-2026-48775 | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. T | 6.8 | 0.23% | 2026-06-16 | 2026-06-16 |
| CVE-2026-10748 | An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0. | 8.6 | 0.30% | 2026-06-16 | 2026-06-16 |
| CVE-2026-24228 | NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure. | 7.8 | 0.16% | 2026-06-16 | 2026-06-16 |
| CVE-2026-48853 | Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type gua | 9.2 | 0.57% | 2026-06-15 | 2026-06-16 |
| CVE-2026-9691 | Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49781 | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49770 | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49769 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49768 | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. | 9.8 | 0.55% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49765 | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49763 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49109 | Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49106 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49105 | Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |