SGLang RCE, WordPress Plugins, Casdoor SAML Flaws
Critical RCE in SGLang, numerous WordPress plugin flaws, and multiple Casdoor SAML/SSO vulnerabilities disclosed.

A critical remote code execution flaw in SGLang's reranking endpoint, CVE-2026-5760, allows attackers to achieve RCE by loading a model file with a malicious tokenizer.chat_template. The vulnerability stems from the Jinja2 chat templates being rendered using an unsandboxed jinja2.Environment(), as reported by The Hacker News. This could enable attackers to execute arbitrary code on systems running vulnerable SGLang versions.
WordPress users face a significant risk with the disclosure of 25 plugin and theme vulnerabilities, including the critical insecure password reset mechanism in ARMember Premium plugin, CVE-2026-5076. As detailed by Vypr Intelligence, all versions up to 7.3.1 are affected, with the plugin storing a plaintext copy of the password reset key. This could allow attackers to hijack user accounts by exploiting the reset process.
Multiple critical vulnerabilities have been disclosed in Casdoor, impacting its SAML and SSO functionalities. CVE-2026-9093, CVE-2026-9094, and CVE-2026-9097 are among the nine flaws detailed by Vypr Intelligence. Versions prior to 2.362.0 are affected, with issues including the failure to validate JWTs for token exchange and cross-organization token exchange, potentially leading to unauthorized access and privilege escalation.
Synology products are affected by ten disclosed CVEs, including a critical buffer overflow in Synology BeeStation OS, CVE-2025-12686. Vypr Intelligence reports that this vulnerability in AdminCenter, affecting versions before 1.3.2-65648, could allow remote attackers to execute arbitrary code. Other vulnerabilities impact NAS and backup products, highlighting a broad risk to Synology users.
Dokploy, a self-hostable PaaS, has ten critical flaws, including path traversal and RCE, as reported by Vypr Intelligence. CVE-2026-45632, affecting version 0.26.7 and earlier, allows any authenticated user to manipulate schedules belonging to other organizations due to a lack of proper organization and role checks in the schedule router. This could lead to unauthorized data access or modification.