What you need to know today.
Critical flaws hit industrial control systems, identity platforms, and enterprise software, with Moxa, Casdoor, and Rockwell Automation among affected vendors.

A wave of critical vulnerabilities affecting industrial control systems and enterprise software dominated today's disclosures, including several long-known issues whose CVE identifiers date from 2012 to 2017. Moxa NPort serial device servers are affected by a critical flaw (CVE-2016-9361) that could let remote attackers take control of the device. Rockwell Automation devices face a similar risk from improper user authentication, which can permit unauthorized firmware uploads (CVE-2012-6437). Omron CX-One software and PLC devices transmit passwords in cleartext, exposing them to anyone able to observe the traffic (CVE-2015-0987). Critical remote code execution flaws were also reported in Spacelabs Healthcare Sentinel systems (CVE-2026-0611) and Synology BeeStation OS (CVE-2025-12686), alongside an authentication bypass in SiteOmat (CVE-2017-14728).
Multiple critical vulnerabilities have been disclosed in the Casdoor identity and access management platform, affecting versions prior to 2.362.0. They include flawed JWT validation during token exchange (CVE-2026-9097), cross-organization token exchange (CVE-2026-9094), and a failure to validate the AudienceRestriction element in SAML assertions (CVE-2026-9093), which means an assertion issued for one service provider could be accepted by another. Together these flaws could allow attackers to bypass authentication and gain unauthorized access to sensitive information and user accounts, as detailed in reports from Vypr Intelligence.
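To show what the missing AudienceRestriction and token-exchange checks amount to in practice, here is an added example (not Casdoor's code, and not a reproduction of its fixes) that validates a SAML assertion's Conditions and a JWT claim set before either is accepted. The entity IDs, issuer names and the sample assertion are constructed for this illustration; signature verification is assumed to have already happened and is out of scope.

```python
"""Audience and validity checks for SAML assertions and JWT claim sets.

Added illustration, not Casdoor's code and not its fixes. The entity IDs,
issuer names and the sample assertion below are constructed for this example.
"""
import time
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class AssertionRejected(Exception):
    """Raised when an assertion or token must not be accepted."""


def _parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


def check_saml_assertion(assertion_xml, expected_audience, now=None):
    """Return the NameID of an assertion addressed to expected_audience and
    inside its validity window. Signature verification (and refusing unsigned
    assertions) must happen before this, or a forged assertion passes."""
    now = time.time() if now is None else now
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise AssertionRejected("assertion has no Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_saml_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now >= _parse_saml_time(not_on_or_after):
        raise AssertionRejected("assertion expired")
    # Every AudienceRestriction must name us (they are ANDed); an assertion
    # with none is addressed to nobody in particular and is refused.
    restrictions = conditions.findall("saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        raise AssertionRejected("assertion carries no AudienceRestriction")
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        if expected_audience not in audiences:
            raise AssertionRejected(f"assertion is for {audiences}, not {expected_audience}")
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise AssertionRejected("assertion has no Subject/NameID")
    return name_id.text.strip()


def check_jwt_claims(claims, expected_audience, trusted_issuers, now=None):
    """Return 'sub' from a JWT claim set whose signature was already verified.
    'aud' may be a string or a list (RFC 7519, section 4.1.3). Checking 'iss'
    against the issuers trusted for this audience stops a token minted by
    another organisation's issuer from being exchanged for one of ours."""
    now = time.time() if now is None else now
    if claims.get("iss") not in set(trusted_issuers):
        raise AssertionRejected(f"untrusted issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        raise AssertionRejected(f"token is for {audiences}, not {expected_audience}")
    exp = claims.get("exp")
    if exp is None or now >= float(exp):
        raise AssertionRejected("token has no exp or has expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < float(nbf):
        raise AssertionRejected("token not yet valid")
    if not claims.get("sub"):
        raise AssertionRejected("token has no sub")
    return claims["sub"]


def is_rejected(fn, *args):
    """True if fn(*args) raises AssertionRejected (used in self-checks)."""
    try:
        fn(*args)
    except AssertionRejected:
        return True
    return False


# Constructed sample data, not from any real deployment.
SP_A = "https://app-a.example.org/saml/metadata"
SP_B = "https://app-b.example.org/saml/metadata"
SAMPLE_NOW = _parse_saml_time("2026-03-01T12:01:00Z")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-03-01T12:00:00Z" NotOnOrAfter="2026-03-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_A}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

The same assertion is accepted by app-a and refused by app-b purely on the Audience value, which is the check a missing AudienceRestriction validation skips; the JWT side applies the equivalent rule to `aud` and additionally pins `iss` to the issuers trusted for that audience, so a valid token from a different organisation's issuer cannot be exchanged.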
Critical vulnerabilities in web applications and development tools were also disclosed. Dokploy, a self-hostable PaaS, has authorization bypasses that allow unauthorized schedule management (CVE-2026-45632), as reported by Vypr Intelligence. The ARMember Premium WordPress plugin has an insecure password reset mechanism (CVE-2026-5076), and Shopify's Ruby LSP has a flaw in how its VS Code extension interpolates workspace settings (CVE-2026-34060).
Several other critical vulnerabilities were detailed across a range of platforms. Grup Arge Energy and Control Systems' Smartpower software is vulnerable to SQL injection (CVE-2024-0851). The SGLang reranking endpoint can be exploited for remote code execution via malicious tokenizer templates (CVE-2026-5760), a vulnerability highlighted by The Hacker News. Thingino IP camera firmware contains an unauthenticated OS command injection flaw in its WiFi captive portal (CVE-2026-26213), ABB T-MAC Plus has a file access vulnerability (CVE-2025-14771), and Authentik, an open-source identity provider, has a bypass in its Source stage (CVE-2026-49448).
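The Thingino issue is an instance of a classic bug class: a form value reaching a shell. The following added example (a generic illustration, not Thingino's code and not a reproduction of CVE-2026-26213) shows a WiFi setup handler that splices the SSID into a command line beside a hardened version that validates it and passes it as a separate argv element. The form field names, the session flag and the wpa_passphrase invocation are assumptions made for this example.

```python
"""Shell command injection in a WiFi setup form: vulnerable and hardened.

Added illustration of the bug class only; it is not Thingino's code and does
not reproduce CVE-2026-26213. The form fields, the session flag and the
wpa_passphrase invocation are assumptions made for this example. Nothing
here executes a command: the hardened path returns the argv it would run.
"""
import re
import shlex


def build_wifi_command_vulnerable(ssid, psk):
    """Vulnerable: untrusted input is spliced into a shell command line.

    With ssid = 'x"; reboot; echo "' the input closes the quotes and adds a
    second command; os.system() or subprocess with shell=True would run it.
    """
    return f'wpa_passphrase "{ssid}" "{psk}" > /etc/wpa_supplicant.conf'


def injected_commands(command_line):
    """Tokenize a command line as a POSIX shell would and return every
    command after the first one, i.e. what an attacker got to run (diagnostic)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [" ".join(cmd) for cmd in commands[1:] if cmd]


# 802.11 SSIDs are 1 to 32 octets; WPA2 passphrases are 8 to 63 printable
# ASCII characters. Validation narrows the input but is not what prevents
# injection: the hostile SSID below is still printable ASCII and still accepted.
SSID_RE = re.compile(r"[ -~]{1,32}")
PSK_RE = re.compile(r"[ -~]{8,63}")


def build_wifi_argv_hardened(ssid, psk):
    """Hardened: validate, then pass each value as its own argv element.

    Run as subprocess.run(argv, shell=False, stdout=conf_file): with no shell
    there is no quoting or ';' to interpret, so the hostile SSID reaches
    wpa_passphrase as one literal argument. The redirect becomes stdout=.
    """
    if not SSID_RE.fullmatch(ssid):
        raise ValueError("invalid SSID")
    if not PSK_RE.fullmatch(psk):
        raise ValueError("invalid passphrase")
    return ["wpa_passphrase", ssid, psk]


def accepts(ssid, psk):
    """True if the hardened builder accepts these credentials (self-check aid)."""
    try:
        build_wifi_argv_hardened(ssid, psk)
    except ValueError:
        return False
    return True


def handle_wifi_form(form, authenticated):
    """Request handler: unauthenticated callers are refused before any input
    is looked at, which is the other half of an unauthenticated injection."""
    if not authenticated:
        raise PermissionError("login required")
    return build_wifi_argv_hardened(form.get("ssid", ""), form.get("psk", ""))


HOSTILE_SSID = 'x"; reboot; echo "'  # constructed attacker input
```

Feeding `HOSTILE_SSID` to the vulnerable builder yields a command line in which `reboot` is a separate command; the hardened builder accepts the very same string and returns it as one argv element, because the fix is removing the shell from the path, not filtering characters.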