Critical RCE Flaws Hit Veeam and Spring AI
Critical RCE vulnerabilities in Veeam Backup and Spring AI join a wave of legacy WordPress plugin exploits and memory-safety flaws in PHP and Mozilla.
VMware has disclosed two vulnerabilities in Spring AI, one critical and one high severity. CVE-2026-22738 is a critical Spring Expression Language (SpEL) injection flaw in the SimpleVectorStore component that allows unauthenticated attackers to execute arbitrary code. CVE-2026-22742 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the BedrockProxyChatModel that is triggered when processing multimodal messages containing user-supplied media URLs, letting an attacker make the server fetch a URL of their choosing. Organizations using these Spring AI components should prioritize updating to mitigate remote code execution and unauthorized data access.
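As an added illustration (not Spring AI's code and not the fix for the CVE above), the check a server needs before it fetches a user-supplied media URL: restrict the scheme, refuse embedded credentials, resolve the name, refuse any answer that lands in loopback, private, link-local (which includes the cloud metadata range), multicast or reserved space, and hand back a pinned address so the fetch cannot be rebound afterwards. The hostnames, addresses and DNS table are constructed for the demo; it is written in Python as a portable reference for the logic, which carries over to any language.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web fetches are acceptable for remote media; file:, gopher:,
# ftp: and friends are rejected outright.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for the stand-alone demo and tests (not real records).
# The second entry models a rebinding / split-horizon host whose name resolves
# to both a public and an internal address.
SAMPLE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.9"],
    "localhost": ["127.0.0.1"],
}


def sample_resolver(host):
    """Offline stand-in for DNS: look the name up in SAMPLE_DNS."""
    try:
        return list(SAMPLE_DNS[host])
    except KeyError:
        raise OSError(f"cannot resolve {host}")


def system_resolver(host):
    """Real resolver: every address the name resolves to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(ip):
    """True for any address a server must never be tricked into contacting."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the v4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_media_url(url, resolver=system_resolver):
    """Validate a user-supplied media URL before the server fetches it.

    Returns (ok, reason, pinned_ip). On success the caller must connect to
    pinned_ip instead of resolving the name again, or a rebinding host can
    pass this check and then point at an internal address at fetch time.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        ipaddress.ip_address(host)      # literal IP: nothing to resolve
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}", None
    if not addrs:
        return False, "name resolved to no addresses", None
    # Every address must be acceptable; a single internal record is enough
    # to redirect the fetch into the private network.
    for ip in addrs:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}", None
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for u in ("https://cdn.example.com/photo.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:10.0.0.5]/",
              "http://rebind.example.net/x.jpg",
              "file:///etc/passwd"):
        print(u, "->", check_media_url(u, resolver=sample_resolver))
```

Two caveats the function cannot cover on its own: redirects must be re-checked hop by hop with the same function, and the HTTP client must honour the pinned address (connect to the IP, send the original Host/SNI) rather than resolving the name itself.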
A series of critical vulnerabilities in WordPress plugins highlights the continuing risk of legacy code. CVE-2021-47940 and CVE-2021-47933 are arbitrary file upload flaws in the Download From Files and MStore API plugins, respectively; both allow unauthenticated attackers to upload and execute arbitrary code. CVE-2021-47932 in TheCartPress allows unauthenticated privilege escalation to administrator. As the Wordfence Intelligence Weekly Report notes, these flaws underscore the need to audit third-party extensions for insecure AJAX and REST API implementations, in particular handlers reachable without authentication or without capability and nonce checks.
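A small audit aid, added here and not part of the Wordfence report: a scanner for the two patterns the report calls out, `wp_ajax_nopriv_*` handlers that reach file-write or role-change sinks, and REST routes registered with `permission_callback => '__return_true'`. The plugin source it scans is constructed for the example (the `acme_*` function names are hypothetical). It is a regex and brace-matching heuristic, so it misses closures and dynamically built hook names; treat it as triage, not proof of safety.

```python
import re
from dataclasses import dataclass

# Constructed sample plugin source (not code from any real plugin) used as the
# example input. It mixes one properly guarded handler with the patterns the
# scanner is meant to flag: an unauthenticated (nopriv) AJAX upload handler and
# a REST route whose permission_callback lets anyone in.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action('wp_ajax_nopriv_acme_upload', 'acme_upload_file');
add_action('wp_ajax_acme_upload', 'acme_upload_file');
function acme_upload_file() {
    $target = WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name'];
    move_uploaded_file($_FILES['file']['tmp_name'], $target);
    wp_die();
}

add_action('wp_ajax_acme_delete', 'acme_delete_item');
function acme_delete_item() {
    check_ajax_referer('acme_nonce', 'security');
    if (!current_user_can('manage_options')) { wp_die('forbidden'); }
    wp_delete_post(intval($_POST['id']));
    wp_die();
}

add_action('rest_api_init', function () {
    register_rest_route('acme/v1', '/promote', array(
        'methods'             => 'POST',
        'callback'            => 'acme_promote_user',
        'permission_callback' => '__return_true',
    ));
});
function acme_promote_user($request) {
    $user = new WP_User(intval($request['user_id']));
    $user->set_role('administrator');
}
"""

# Sinks whose reachability from an unguarded handler matters most: file writes
# (web shell drop) and role or user changes (privilege escalation).
SINKS = ("move_uploaded_file", "file_put_contents", "wp_handle_upload",
         "set_role", "wp_insert_user", "wp_update_user", "update_option")

AJAX_HOOK = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
REST_ROUTE = re.compile(
    r"register_rest_route\(\s*['\"][^'\"]+['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*,(.*?)\)\s*\)\s*;",
    re.S)
REST_CALLBACK = re.compile(r"['\"]callback['\"]\s*=>\s*['\"](\w+)['\"]")
PERM_OPEN = re.compile(r"['\"]permission_callback['\"]\s*=>\s*['\"]__return_true['\"]")


@dataclass
class Finding:
    kind: str      # category of weakness
    where: str     # AJAX action name or REST route
    detail: str


def function_body(src, name):
    """Return the brace-matched body of a named PHP function, or '' if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, start = 0, m.end() - 1
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]


def scan_plugin(src):
    """Flag AJAX and REST handlers that lack the checks WordPress expects."""
    findings = []
    for nopriv, action, handler in AJAX_HOOK.findall(src):
        body = function_body(src, handler)
        sinks = [s for s in SINKS if s in body]
        if nopriv:
            # wp_ajax_nopriv_* runs for logged-out visitors: any sink here is
            # reachable by an unauthenticated attacker.
            kind = "unauthenticated_sink" if sinks else "unauthenticated_handler"
            findings.append(Finding(kind, action, f"{handler}() reaches {sinks or 'no known sink'}"))
            continue
        if "current_user_can" not in body:
            findings.append(Finding("missing_capability", action, f"{handler}() never calls current_user_can()"))
        if "check_ajax_referer" not in body and "wp_verify_nonce" not in body:
            findings.append(Finding("missing_nonce", action, f"{handler}() has no nonce check (CSRF)"))
    for route, args in REST_ROUTE.findall(src):
        if PERM_OPEN.search(args):
            cb = REST_CALLBACK.search(args)
            body = function_body(src, cb.group(1)) if cb else ""
            sinks = [s for s in SINKS if s in body]
            findings.append(Finding("open_rest_route", route,
                                    f"permission_callback is __return_true; callback reaches {sinks or 'no known sink'}"))
    return findings


if __name__ == "__main__":
    for f in scan_plugin(SAMPLE_PLUGIN_PHP):
        print(f"{f.kind:22} {f.where:12} {f.detail}")
```

Run over the sample it reports the nopriv upload handler reaching move_uploaded_file, the logged-in variant of the same handler lacking both a capability and a nonce check, and the open /promote route reaching set_role, while the guarded acme_delete handler produces nothing.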
Veeam Backup & Replication is affected by multiple critical vulnerabilities that could lead to remote code execution. CVE-2026-21708 allows a user holding the Backup Viewer role to achieve RCE as the postgres user, while CVE-2026-21669 permits an authenticated domain user to execute arbitrary code on the Backup Server. CVE-2026-21671 affects high-availability deployments, allowing an authenticated Backup Administrator to perform RCE. Backup servers are a prime pivot point, so these flaws call for immediate patching to head off lateral movement and wider compromise.
Critical vulnerabilities in PHP and Mozilla products demand urgent attention because of their potential for widespread impact. CVE-2026-6722 in the PHP SOAP extension is an object-deduplication flaw that can lead to memory corruption and potentially code execution. Separately, Mozilla has patched a critical use-after-free vulnerability in its JavaScript engine, tracked as CVE-2026-2786, which affects Firefox and Thunderbird. Users and administrators should update to the latest patched versions to defend against these memory-safety issues.
Several other high-risk vulnerabilities have been disclosed across OpenCATS, OpenCart, and ArchiveBox. CVE-2021-47936 in OpenCATS allows unauthenticated RCE via malicious PHP files uploaded under the guise of resumes. OpenCart 3.0.3.8 is affected by CVE-2021-47923, a session-fixation vulnerability that lets attackers hijack user sessions. Finally, ArchiveBox versions 0.8.6rc0 and earlier are affected by CVE-2026-42601, in which an unvalidated JSON config field accepted by the /add/ endpoint can be abused to compromise the system.