What you need to know today.
CISA flags a 15-year-old VxWorks debug backdoor as actively exploited, while Oracle REST Data Services ships a CVSS 10.0 unauthenticated RCE.

CISA adds a 15-year-old VxWorks debug backdoor to KEV, while a wave of critical flaws hits Oracle REST Data Services, WordPress plugins, and open-source RAG engines. CVE-2010-2965 (CVSS 9.8, EPSS 0.92) is a remote code execution vulnerability in the WDB target agent debug service of Wind River VxWorks 6.x/5.x and earlier, as used in Rockwell Automation 1756-ENBT series A controllers and other industrial products. An unauthenticated attacker can read or write arbitrary memory over the network — effectively a backdoor left in production firmware. With a 0.92 EPSS score indicating active exploitation, this is the highest-signal item in today's bundle. Organizations running affected Rockwell or VxWorks-based equipment should immediately isolate those devices from untrusted networks and apply vendor mitigations.
Oracle REST Data Services carries three critical RCE flaws, one unauthenticated and two low-privilege, affecting versions 24.2.0 through 26.1.0. CVE-2026-46840 (CVSS 10.0) allows an unauthenticated attacker with network access via HTTPS to fully compromise Oracle REST Data Services. CVE-2026-46839 and CVE-2026-46775 (both CVSS 9.9) require low privileges but also enable complete takeover via the Core component. Given the widespread deployment of Oracle REST Data Services as a backend for Oracle Database applications, these vulnerabilities present a significant supply-chain risk. Oracle has not yet released patches; administrators should review exposure and restrict network access to the affected services.
Two critical vulnerabilities in Mautic, the open-source marketing automation platform, enable full server compromise via campaign imports and theme uploads. CVE-2026-9559 (CVSS 9.9) is a path traversal in the campaign import ZIP extraction logic that allows arbitrary file writes. CVE-2026-9558 (CVSS 9.9) is a Server-Side Template Injection in the theme engine that lets authenticated users execute arbitrary code via unsandboxed Twig templates. Together they mean that an attacker with campaign or theme creation privileges can achieve RCE. Mautic instances should be updated immediately and user permissions audited.
The WP Maps Pro WordPress plugin (versions up to 6.1.0) contains a privilege escalation vulnerability affecting an estimated 15,000 sites. CVE-2026-8732 (CVSS 9.8) allows unauthenticated attackers to create administrator accounts via the wpgmp_temp_access_ajax AJAX action, which is registered with wp_ajax_nopriv_, making it accessible without authentication. As Wordfence reported, this is a straightforward account-creation bug that can lead to full site takeover. Site administrators should update the plugin or disable it immediately.
A cluster of critical flaws in Acer and Kerio Technologies products exposes SOHO and edge devices to remote compromise. CVE-2026-49201 involves a hardcoded AES encryption key in the upload.cgi backup mechanism, allowing attackers to decrypt, modify, and re-encrypt system backups for persistent backdoor injection. CVE-2026-49200 exposes cleartext credentials for web and Telnet access via an unauthenticated log file. CVE-2026-49199 enables root-level command injection via crafted MQTT messages. CVE-2026-49197 (Kerio Technologies) involves improper HTTP Authorization header validation in Acer Connect app endpoints. These four CVEs collectively paint a picture of deeply flawed IoT/edge firmware where authentication, encryption, and input validation are all broken.
RAGFlow, the open-source RAG engine, contains a Jinja2 template injection vulnerability allowing authenticated RCE. CVE-2026-45312 (CVSS 9.9) affects RAGFlow 0.24.0 and earlier in the prompt generator (rag/prompts/generator.py). Any authenticated user can inject Jinja2 template expressions that execute arbitrary OS commands. Given RAGFlow's growing adoption in enterprise AI pipelines, this vulnerability could enable lateral movement from a low-privileged AI application account to the underlying host. Organizations running RAGFlow should restrict user registration and apply the vendor patch as soon as it becomes available.
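The RAGFlow bug class above, shown as an added illustration that is not RAGFlow's code: a prompt generator that compiles user-supplied text as a Jinja2 template lets that text reach anything in the render context, while treating the text as data (or, where user templates are a feature, rendering them in a sandbox) keeps it inert. `PromptSettings`, `build_prompt_unsafe`, `build_prompt_safe` and `render_sandboxed` are hypothetical names; the secret value is constructed.

```python
# Added example, not RAGFlow's code: untrusted text as template vs. as data.
from typing import Optional

from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class PromptSettings:
    """Hypothetical object a prompt generator exposes to its templates."""

    def __init__(self) -> None:
        self.model = "demo-model"
        self._api_key = "constructed-secret"  # private state; must never leak


# Constructed stand-in for text typed by a low-privileged user. Because it is
# a Jinja2 expression, it is evaluated if the text is compiled as a template.
USER_SUPPLIED = "Summarize: {{ settings._api_key }}"


def build_prompt_unsafe(user_template: str, settings: PromptSettings) -> str:
    """Vulnerable pattern: user text is compiled and executed as a template."""
    env = Environment()
    return env.from_string(user_template).render(settings=settings)


def build_prompt_safe(user_text: str, settings: PromptSettings) -> str:
    """Hardened pattern: only the fixed template is code; user text is data,
    so its braces are emitted verbatim and never evaluated."""
    env = Environment(autoescape=False, undefined=StrictUndefined)
    fixed = env.from_string("[{{ settings.model }}] {{ user_text }}")
    return fixed.render(settings=settings, user_text=user_text)


def render_sandboxed(user_template: str, settings: PromptSettings) -> Optional[str]:
    """Defense in depth when user templates are a product feature: the sandbox
    refuses private (underscore) attributes, and StrictUndefined turns that
    refusal into a SecurityError instead of a silently empty string.
    Returns None when the template is rejected."""
    env = SandboxedEnvironment(undefined=StrictUndefined)
    try:
        return env.from_string(user_template).render(settings=settings)
    except SecurityError:
        return None


if __name__ == "__main__":
    s = PromptSettings()
    print("unsafe   :", build_prompt_unsafe(USER_SUPPLIED, s))  # leaks the key
    print("safe     :", build_prompt_safe(USER_SUPPLIED, s))    # braces stay literal
    print("sandboxed:", render_sandboxed(USER_SUPPLIED, s))     # None (rejected)
```

Reviewing a prompt-generation path for `from_string(user_input)` or `Template(user_input)` calls is the quickest way to find this pattern in an application that accepts user-authored prompts.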