Langflow Flaws Hit KEV, LiteSpeed Root Bug Exploited
CISA flags two exploited Langflow bugs as attackers weaponize one in under 20 hours, while a LiteSpeed cPanel root-escalation flaw is exploited in the wild.

CISA adds two exploited Langflow flaws to KEV, including one abused in the wild within 20 hours of disclosure. CVE-2025-34291 (CVSS 8.8) is a chained vulnerability in Langflow versions up to 1.6.9 combining an overly permissive CORS configuration with a reflected cross-site scripting vector that enables account takeover and remote code execution. As The Hacker News reported, CISA added it alongside a Trend Micro Apex One bug. Separately, CVE-2026-33017 (CVSS 9.8) affects Langflow versions prior to 1.9.0 — the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows unauthenticated building of public flows. Infosecurity Magazine noted attackers weaponized this flaw within 20 hours of public disclosure, and Check Point Research flagged active exploitation in their threat intelligence report. Both CVEs carry a risk score above 0.65. Organizations running Langflow should immediately upgrade to version 1.9.0 or later and audit any exposed public-flow endpoints.
LiteSpeed cPanel plugin CVE-2026-48172 is being actively exploited in the wild to achieve root-level privilege escalation on WordPress hosting servers. The vulnerability affects the LiteSpeed User-End cPanel Plugin before version 2.4.5, and as The Hacker News reported, detection is best performed via grep -rE "cpanel_jsonapi_func=redisAble" against /var/cpanel/logs and /usr/local/cpanel/logs directories. The flaw allows an unauthenticated attacker to escalate privileges potentially to root, and exploitation was observed in the wild in May 2026. With a CVSS of 10.0 and a risk score of 0.65, this is an emergency-patch situation for any hosting provider or WordPress administrator running the LiteSpeed cPanel plugin. Update to version 2.4.5 immediately and scan logs for the indicator of compromise.
Three critical-severity vulnerabilities in Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 — each carry a CVSS 10.0 and require immediate patching. As BleepingComputer reported, all three flaws are exploitable by a malicious actor with network access. CVE-2026-34908 is an improper access control bug enabling unauthorized system changes; CVE-2026-34909 is a path traversal allowing file access that could lead to account compromise; and CVE-2026-34910 is a command injection vulnerability. While no active exploitation has been confirmed yet, the combination of max CVSS scores, network-based attack vectors, and the widespread deployment of UniFi OS in enterprise and SMB networks makes this a high-priority patching event. Ubiquiti has released patches — administrators should check the UniFi OS update channel and apply immediately.
Microsoft disclosed five critical-severity vulnerabilities across Azure and Entra ID services, all carrying CVSS 10.0 scores and risk scores of 0.65. CVE-2026-42822 affects Azure Local Disconnected Operations via improper authentication leading to network-based privilege escalation. CVE-2026-47280 targets Azure Resource Manager (ARM) with a similar improper-authentication privilege-escalation vector. CVE-2026-41104 is a deserialization-of-untrusted-data flaw in Microsoft Planetary Computer Pro enabling information disclosure. CVE-2026-42901 is an origin-validation error in Microsoft Entra ID allowing privilege escalation. CVE-2026-40412 is an unrestricted file upload in Azure Orbital Spatio enabling remote code execution. Additionally, CVE-2026-40411 (CVSS 9.9) affects Azure Virtual Network Gateway with an improper input validation bug allowing code execution for an authorized attacker. While no public exploitation has been reported, the breadth of Azure services affected and the critical severity ratings demand attention from cloud security teams.
ScadaBR version 1.2.0 ships with two critical vulnerabilities — CVE-2026-8603 (OS command injection) and CVE-2026-8605 (hard-coded credentials) — that could give attackers root-level access to industrial control systems. As detailed in CISA's ICS advisory, CVE-2026-8603 allows an attacker to execute arbitrary OS commands as root, while CVE-2026-8605 exposes hard-coded credentials that could grant administrative access to the SCADA system. Both carry CVSS 9.8 and a risk score of 0.64. ScadaBR is an open-source SCADA platform widely deployed in industrial environments; organizations using version 1.2.0 should treat these as critical and either apply vendor patches or isolate affected systems from untrusted networks immediately.
Additional critical vulnerabilities to track include a Linux kernel use-after-free, an HP printer driver integer overflow, a Ruby zlib buffer overflow, and a credential-harvesting mechanism in PyTorch Lightning. CVE-2026-43402 (CVSS 9.8) is a Linux kernel kthread use-after-free that could enable privilege escalation or code execution. CVE-2026-8631 (CVSS 9.8) affects HP Linux Imaging and Printing Software (hpcups) via an integer overflow — The Hacker News flagged this in their ThreatsDay roundup alongside Linux rootkit activity. CVE-2026-27820 (CVSS 9.8) is a buffer overflow in Ruby's zlib GzipReader affecting versions 3.2.1 and earlier. CVE-2026-44484 (CVSS 9.8) in PyTorch Lightning versions 2.6.2 contains functionality consistent with credential harvesting. CVE-2026-6960 (CVSS 9.8) is an arbitrary file upload in WordPress BookingPress Pro up to version 5.6. CVE-2026-33816 is a memory-safety vulnerability in the Go pgx PostgreSQL driver. Teams should prioritize based on their technology stack exposure.