MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-48775 | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. T | 6.8 | 0.23% | 2026-06-16 | 2026-06-16 |
| CVE-2026-10748 | An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0. | 8.6 | 0.30% | 2026-06-16 | 2026-06-16 |
| CVE-2026-24228 | NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure. | 7.8 | 0.16% | 2026-06-16 | 2026-06-16 |
| CVE-2026-48853 | Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type gua | 9.2 | 0.57% | 2026-06-15 | 2026-06-16 |
| CVE-2026-9691 | Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49781 | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49770 | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49769 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49768 | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. | 9.8 | 0.55% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49765 | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49763 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49109 | Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49106 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49105 | Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49104 | Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-49085 | Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | 9.8 | 0.38% | 2026-06-15 | 2026-06-15 |
| CVE-2026-42687 | Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions. | 8.1 | 0.32% | 2026-06-15 | 2026-06-15 |
| CVE-2026-39532 | Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions. | 8.8 | 0.34% | 2026-06-15 | 2026-06-15 |
| CVE-2026-39499 | Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions. | 7.2 | 0.45% | 2026-06-15 | 2026-06-15 |
| CVE-2026-39498 | Shop manager PHP Object Injection in YayMail <= 4.3.3 versions. | 7.2 | 0.36% | 2026-06-15 | 2026-06-15 |