What you need to know today.
OpenDJ, Motioneye, and Budibase disclose critical RCE and auth-bypass flaws, while a Mise supply-chain bug threatens developer workstations.

CVE-2026-46495 (critical, risk 0.59) — OpenDJ's JMX RMI connector exposes an unauthenticated Java deserialization vulnerability that allows a remote attacker to execute arbitrary code on the server. The flaw, classified as CWE-502 (Deserialization of Untrusted Data), requires no authentication and can be triggered over the network. OpenDJ is a widely deployed LDAP directory server and identity store; this is a direct, pre-authentication RCE path for any internet-facing instance. No patch details were included in the bundle, but operators should immediately restrict network access to the JMX RMI port or disable the connector if not required.
CVE-2026-46488 (critical, risk 0.59) — Motioneye, an open-source video surveillance and motion-detection platform, ships an authentication bypass via client-controlled cookies. The application trusts user-supplied cookie values containing a username and a password-hash-derived value as sufficient proof of identity, allowing an attacker to forge a valid session for any user. Motioneye is commonly deployed on Raspberry Pi and embedded Linux devices for home and small-business security cameras, often exposed to the internet without additional reverse-proxy authentication. Users should upgrade to the latest patched release immediately.
CVE-2026-54352 (critical, risk 0.59) — Budibase, the open-source low-code platform, suffers from a path-traversal-to-RCE in its /api/pwa/process-zip endpoint. The route accepts a builder-uploaded .zip archive, extracts it with extract-zip@2.0.1, then validates only the entries listed in icons.json — leaving unlisted files free to overwrite arbitrary paths on the server. An authenticated builder user can craft a zip that places a malicious file outside the intended temp directory, achieving remote code execution. This is the most severe of five Budibase flaws disclosed today (alongside CVE-2026-54353, CVE-2026-54351, CVE-2026-50137, CVE-2026-50136, and CVE-2026-50132), making a coordinated patch cycle urgent for any organization running Budibase.
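The per-entry check the Budibase route described above lacked, as an added example that is not Budibase's own code: the partial icons.json-only validation beside a check that examines every archive entry before extraction. The icons.json layout (an "icons" array of {src}) and the sample entry names are constructed assumptions, and the check covers entry names only; a full hardening would also need to handle symlink entries and the extraction library's own behaviour.

```javascript
// Normalise a zip entry name with POSIX rules (zip entry names use "/") and
// return the path relative to the extraction root, or null when the name is
// absolute, uses backslashes or a drive letter, or climbs above the root via "..".
function safeRelativePath(entryName) {
  if (entryName.startsWith("/") || entryName.includes("\\") || /^[A-Za-z]:/.test(entryName)) {
    return null;
  }
  const parts = [];
  for (const seg of entryName.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (parts.length === 0) return null; // would escape the extraction root
      parts.pop();
      continue;
    }
    parts.push(seg);
  }
  return parts.join("/");
}

// Partial check modelled on the flaw described above: only entries referenced
// from icons.json are examined, so an entry the manifest never mentions is not
// tested at all. The icons.json shape (an "icons" array of {src}) is assumed.
function validateListedOnly(entryNames, iconsJsonText) {
  const listed = new Set(JSON.parse(iconsJsonText).icons.map((i) => i.src));
  return entryNames
    .filter((name) => listed.has(name))
    .every((name) => safeRelativePath(name) !== null);
}

// Hardened check: every entry name is examined before anything is extracted,
// and the offending names are returned so the upload can be rejected and logged.
function rejectedEntries(entryNames) {
  return entryNames.filter((name) => safeRelativePath(name) === null);
}

// Constructed sample upload: a manifest-listed icon plus an unlisted entry that
// climbs out of the temp directory. The listed-only check passes it; the full
// check rejects the unlisted entry.
const SAMPLE_ICONS_JSON = JSON.stringify({ icons: [{ src: "icons/icon-192.png" }] });
const SAMPLE_ENTRIES = ["icons.json", "icons/icon-192.png", "../../../escaped.txt"];
```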
CVE-2026-44203 (critical, risk 0.59) — An OAuth 2.0 / OpenID Connect authorization endpoint fails to sanitize user-supplied parameters before embedding them into the HTML response generated for the form_post response mode. This enables stored or reflected cross-site scripting (XSS) in the authorization flow, potentially allowing an attacker to steal authorization codes or tokens. Because the flaw sits in the OIDC handshake itself, it affects every relying party application configured to use the vulnerable identity provider. No specific vendor or product name was provided in the bundle, so security teams should audit their OIDC provider's form_post response mode handling.
CVE-2026-44179 (critical, risk 0.59) — XWiki's excerpt-include macro does not properly escape the title of the included page, leading to XWiki syntax injection that executes the content of the excerpt with the macro's rights. An attacker who can create or rename pages with a crafted title can achieve privilege escalation or remote code execution within the XWiki instance. XWiki is used by enterprises for collaborative documentation and intranet portals; this flaw should be prioritized for patching given the critical severity and the pre-authentication attack surface in many deployments.
CVE-2026-33646 (critical, risk 0.59) — Mise (a dev-tool version manager) processes .tool-versions files through the Tera template engine with the exec() function registered, enabling arbitrary command execution when a user runs mise in a directory containing a malicious .tool-versions file. Unlike .mise.toml files, .tool-versions files are not subject to a trust policy, so simply cloning a repository and running mise install or mise use can trigger code execution. This is a supply-chain risk for any development team using Mise — an attacker needs only to contribute a malicious .tool-versions file to a shared repository to compromise all contributors' machines.