What you need to know today.
CISA adds exploited Magento RCE to KEV; critical Oracle, Progress, and OpenStack flaws disclosed.

CISA has added CVE-2026-45247, a critical PHP object injection vulnerability in Mirasvit's Full Page Cache Warmer for Magento 2, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which affects versions before 1.11.12, lets an unauthenticated attacker achieve remote code execution by getting a crafted serialized PHP object into the cache, where the extension deserializes it. Active exploitation has been reported by multiple outlets, including The Hacker News and Cyber Security News. A fixed release is available; Magento 2 sites running this extension should update to 1.11.12 or later as a priority.
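The mechanism behind this class of bug, shown as an added example rather than anything from Mirasvit's code: an application that calls unserialize() on attacker-controlled bytes lets the attacker instantiate any class the application has loaded, with properties of their choosing, and any magic method on that class (here a __destruct) then runs on those values. The CacheEntry class, the payload and the /tmp file path are assumptions for illustration; the hardened variant uses the allowed_classes option that unserialize() has supported since PHP 7.0.

```php
<?php
// Added example (not Mirasvit's code): the generic PHP object injection pattern,
// with the unsafe call beside its hardened form. The CacheEntry class and the
// demo file path are assumptions for illustration only.

// A "gadget": any class already loaded by the application whose magic method
// (__destruct, __wakeup, __toString, ...) does something useful to an attacker
// once it runs on attacker-controlled properties.
class CacheEntry
{
    public $path;
    public $body;

    public function __destruct()
    {
        // Plausible for a cache component; dangerous once $path and $body are attacker-chosen.
        file_put_contents($this->path, $this->body);
    }
}

// VULNERABLE: attacker-controlled bytes reach unserialize() with no class restriction.
// Any loaded class can be instantiated, and its destructor fires when the object dies.
function loadVulnerable(string $blob)
{
    return unserialize($blob);
}

// HARDENED: refuse to instantiate any class. Scalars and arrays still round-trip;
// objects come back as __PHP_Incomplete_Class, which has no magic methods to run.
function loadHardened(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed attacker payload: a hand-written serialized CacheEntry. Each s:N length
// must match its string exactly, otherwise unserialize() returns false.
$target  = '/tmp/poi_demo.txt';
$payload = 'O:10:"CacheEntry":2:{s:4:"path";s:17:"/tmp/poi_demo.txt";s:4:"body";s:8:"injected";}';

loadVulnerable($payload);                 // return value discarded, so __destruct runs immediately
echo 'vulnerable: file written = ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

$obj = loadHardened($payload);            // no CacheEntry instance is ever created
echo 'hardened: got ', get_class($obj), ', file written = ',
     var_export(file_exists($target), true), PHP_EOL;
```

Real-world exploitation rarely needs a bespoke gadget like CacheEntry: attackers chain magic methods in classes already shipped by the framework or its vendor libraries. The durable fix is therefore not to unserialize untrusted input at all (store cache metadata as JSON, or sign serialized blobs and verify the MAC before deserializing); `allowed_classes => false` is the fallback when the native format cannot be changed.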
Oracle REST Data Services (ORDS) has three critical vulnerabilities, CVE-2026-46840, CVE-2026-46839, and CVE-2026-46775, each with a CVSS score of 9.9. They affect versions 24.2.0 through 26.1.0 and allow unauthenticated or low-privileged attackers with network access to compromise the service. The flaws lie in the Core and Backend-as-a-Service components of ORDS. Specific attack vectors have not been detailed, but a 9.9 base score points to a significant risk of remote code execution or data compromise, so exposed ORDS instances should be patched promptly.
Progress Sitefinity, a web content management system, is affected by several critical vulnerabilities, including CVE-2026-7312 and CVE-2026-7198. CVE-2026-7312, with a CVSS score of 10.0, involves insufficiently protected credentials in web services across multiple versions. CVE-2026-7198 is a critical improper access control flaw that lets unauthenticated remote attackers reach restricted content. These issues, detailed by Vypr Intelligence, pose a significant risk to organizations running Sitefinity and call for prompt patching and a review of exposed web service endpoints.
OpenStack Mistral, a workflow execution engine, has a critical remote code execution vulnerability, CVE-2026-41283, that allows arbitrary code execution when its API is exposed. It affects Mistral up to and including version 22.0.0 and can lead to the exfiltration of service credentials held by the workflow engine. Vypr Intelligence also noted multiple Ironic flaws alongside this RCE, indicating a broader exposure across OpenStack deployments. Administrators should confirm that the Mistral API is not reachable from untrusted networks and update to a fixed release.
Several other critical vulnerabilities have been disclosed: an SEH-based buffer overflow in Mobatek MobaXterm (CVE-2019-25741) allowing arbitrary code execution; an OS command injection flaw in openlabs docker-wkhtmltopdf-aas (CVE-2026-36576); a hardcoded default password (CVE-2026-35075) that could grant full access to affected devices; and an authorization bypass via SQL injection in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass (CVE-2026-4104).