Critical for AI Builders
No AI-specific vulnerabilities appeared this week. The closest risk is a FAISS deserialization flaw in IBM Langflow that could affect vector database workflows.
- CVE-2026-3357 — IBM Langflow Desktop (8.8/HIGH) — Authenticated users can execute arbitrary code via insecure FAISS component deserialization — Update to version beyond 1.8.2
Critical for Vibe Coders
Axios HTTP client has a critical proxy bypass bug, and several WordPress development tools are compromised. Multiple CISA KEV additions target Windows and Office components actively exploited in the wild.
- CVE-2025-62718 — Axios HTTP client (9.9/CRITICAL) — Hostname normalization bypass allows proxy evasion via localhost with trailing dot — Update to 1.15.0+ or 0.31.0+
- CVE-2025-60710 — Microsoft Windows (KEV exploited) — Link following vulnerability enables privilege escalation — Apply January 2026 patches immediately
- CVE-2026-3499 — WooCommerce Product Feed PRO (8.8/HIGH) — CSRF allows unauthorized plugin modifications — Update beyond version 13.5.2.1
- CVE-2012-1854 — Microsoft VBA (KEV exploited) — Insecure library loading enables remote code execution — Disable VBA or apply security updates
- CVE-2020-9715 — Adobe Acrobat (KEV exploited) — Use-after-free allows code execution — Update Acrobat/Reader immediately
Critical for Open Source
Multiple WordPress plugins contain severe RCE and file upload vulnerabilities with public exploits available. Several router firmware packages also carry command injection flaws.
- CVE-2026-1830 — Quick Playground WordPress plugin (9.8/CRITICAL) — Unauthenticated file upload and path traversal enables RCE — Disable plugin until patched beyond 1.3.1
- CVE-2026-3296 — Everest Forms WordPress plugin (9.8/CRITICAL) — PHP object injection via form metadata deserialization — Update beyond version 3.4.3
- CVE-2026-2942 — ProSolution WP Client plugin (9.8/CRITICAL) — Unauthenticated arbitrary file upload enables RCE — Remove plugin or update beyond 1.9.9
- CVE-2026-40189 — goshs SimpleHTTPServer (9.8/CRITICAL) — Authorization bypass allows unauthenticated file operations — Update to 2.0.0-beta.4 or later
- CVE-2026-34424 — Smart Slider 3 Pro (9.8/CRITICAL) — Compromised update system delivers multi-stage RCE toolkit — Audit installations and update from clean source
Run This Audit On Your Stack
This recipe runs against your repo, in your agent of choice (Claude, ChatGPT, Cursor, Copilot — anything with file access). It uses osv.dev as the source of truth, not a JSON from us. Run it once after every dependency bump, or wire it into your own weekly schedule — your call.
The recipe
List every dependency manifest in this repo (package.json, requirements.txt,
go.mod, Cargo.toml, pom.xml, Gemfile, composer.json — whichever apply). For
each declared package and version, query osv.dev for known vulnerabilities.
For every match, show the CVE id, severity, the affected version range, and
the fixed version. Draft the version bump and either open a PR (if you have
repo write access) or summarize the diff in a comment. If nothing matches,
reply: "Clean run — no advisories matched."
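The recipe's osv.dev lookup for a single requirements.txt, as an added Python example (not tooling from this digest). The osv.dev /v1/query endpoint is real; the manifest, the advisory record and its ids are constructed placeholders, and fetch_vulns is the only function that touches the network.

```python
import json
import re
import urllib.request
OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real endpoint: POST one package at one version

# Constructed sample manifest; a real run reads the file out of the repo.
REQUIREMENTS_TXT = "# pinned deps\nrequests==2.25.0\njinja2==3.1.2  # template engine\nflask>=2.0\n"
# Constructed OSV-shaped record with placeholder ids (not a real advisory).
SAMPLE_VULNS = [{
    "id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00000"],
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}],
}]

def parse_requirements(text):
    """Return [(name, version)] for exact '==' pins; comments and range specs are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([\w.+!-]+)$", line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def osv_query(name, version, ecosystem="PyPI"):
    """Request body for POST /v1/query: one package at one version in one ecosystem."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}

def fetch_vulns(name, version):
    """Live lookup against osv.dev (needs network; the offline test injects SAMPLE_VULNS instead)."""
    body = json.dumps(osv_query(name, version)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp).get("vulns", [])

def summarize(vuln):
    """Flatten one OSV record into the fields the recipe asks you to report."""
    cves = [a for a in vuln.get("aliases", []) if a.startswith("CVE-")]
    scores = [s["score"] for s in vuln.get("severity", []) if s.get("type", "").startswith("CVSS")]
    # GIT ranges hold commit hashes, not versions, so only ecosystem/semver ranges are read.
    events = [ev for aff in vuln.get("affected", []) for rng in aff.get("ranges", [])
              if rng.get("type") != "GIT" for ev in rng.get("events", [])]
    return {"cve": cves[0] if cves else vuln["id"], "severity": scores[0] if scores else "n/a",
            "introduced": next((e["introduced"] for e in events if "introduced" in e), None),
            "fixed": next((e["fixed"] for e in events if "fixed" in e), None)}

def audit(manifest_text, lookup=fetch_vulns):
    """Run the recipe over one manifest; lookup(name, version) returns OSV records. Empty list = clean run."""
    return [{"package": n, "installed": v, **summarize(vuln)}
            for n, v in parse_requirements(manifest_text) for vuln in lookup(n, v)]
```

An empty result from audit() is the "Clean run" case; anything else lists the CVE, CVSS vector, introduced and fixed versions you would put in the PR description.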