Critical for AI Builders
No specific AI/ML stack vulnerabilities this week, though Apache ActiveMQ (often used in ML pipelines) is seeing active exploitation.
- CVE-2026-34197 — Apache ActiveMQ (KEV - exploited in wild) — Code injection through improper input validation — Patch immediately and audit message queue security
Critical for Vibe Coders
Multiple development tools are under attack, with Microsoft VBA and Adobe products seeing active exploitation while WordPress plugins expose backdoors.
- CVE-2012-1854 — Microsoft VBA (KEV - exploited in wild) — Insecure library loading enables remote code execution — Update Office/VBA components and review macro policies
- CVE-2026-34621 — Adobe Acrobat and Reader (KEV - exploited in wild) — Prototype pollution leads to arbitrary code execution — Update Adobe products immediately
- CVE-2026-6443 — WordPress Accordion plugin (CVSS 9.8) — Injected backdoor in version 1.4.6 after malicious acquisition — Remove plugin immediately if installed
- CVE-2026-1555 — WebStack WordPress theme (CVSS 9.8) — Unauthenticated arbitrary file upload in io_img_upload() function — Update theme or remove if using version 1.2024 or earlier
- CVE-2026-40189 — goshs SimpleHTTPServer (CVSS 9.8) — Bypasses ACL/auth for file operations via PUT/POST — Update to 2.0.0-beta.4 or later
Critical for Open Source
Supply chain attacks hit learning management systems and the WordPress ecosystem, while network infrastructure shows widespread command injection vulnerabilities.
- CVE-2026-33698 — Chamilo LMS (CVSS 9.8) — Chained attack enables PHP code execution via main/install/ directory — Update to 1.11.38 and remove install directory
- CVE-2026-33707 — Chamilo LMS (CVSS 9.4) — Predictable password reset tokens using sha1(email) — Update to 1.11.38 and force password resets
- CVE-2026-40044 — Pachno project management (CVSS 9.8) — Deserialization vulnerability allows unauthenticated code execution — Update beyond 1.0.6 immediately
- CVE-2026-40504 — Creolabs Gravity (CVSS 9.8) — Heap buffer overflow in gravity_vm_exec function — Update to 0.9.6 or later
- CVE-2026-6388 — ArgoCD Image Updater (CVSS 9.1) — Cross-namespace privilege escalation in multi-tenant environments — Audit ImageUpdater resources and apply namespace restrictions
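The root cause named in the second Chamilo entry, a reset token that is a deterministic hash of the account's e-mail, is worth seeing beside a hardened replacement. The Python below is an added illustration, not Chamilo's code: the weak function shows why such a token is predictable (same input, same token, no server state involved), and `ResetTokenStore` shows the usual fix, a random single-use token with a time limit, kept server-side only as a hash. The class name, the 15-minute TTL and the sample addresses are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Weak pattern from the advisory: the token is a pure function of a value
# anyone can know, so it never changes and needs no contact with the server.
def weak_reset_token(email):
    return hashlib.sha1(email.encode()).hexdigest()


# Hardened replacement (illustrative policy value, not Chamilo's setting).
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Server-side store mapping sha256(token) -> (email, expiry timestamp).

    Only the hash is stored, so a leaked table does not yield usable tokens;
    looking up by hash also avoids comparing secret strings directly.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}

    def issue(self, email):
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token                           # goes only into the reset e-mail

    def redeem(self, token):
        """Return the e-mail if the token is known and unexpired; consume it either way."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # single use, expired or not
        if entry is None:
            return None
        email, expires = entry
        if self._now() > expires:
            return None
        return email


if __name__ == "__main__":
    email = "alice@example.invalid"            # constructed sample address
    print("weak token, call 1:", weak_reset_token(email))
    print("weak token, call 2:", weak_reset_token(email))   # identical
    store = ResetTokenStore()
    t = store.issue(email)
    print("random token redeems to:", store.redeem(t))      # alice@example.invalid
    print("second redeem:", store.redeem(t))                # None
```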
Run This Audit On Your Stack
This recipe runs against your repo, in your agent of choice (Claude, ChatGPT, Cursor, Copilot — anything with file access). It uses osv.dev as the source of truth, not a JSON from us. Run it once after every dependency bump, or wire it into your own weekly schedule — your call.
The recipe
List every dependency manifest in this repo (package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, Gemfile, composer.json — whichever apply). For each declared package and version, query osv.dev for known vulnerabilities. For every match, show the CVE id, severity, the affected version range, and the fixed version. Draft the version bump and either open a PR (if you have repo write access) or summarize the diff in a comment. If nothing matches, reply: "Clean run — no advisories matched."
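For readers who want to see what the agent is doing under the recipe, here is the manifest-to-report path in Python, added as an illustration (it is neither the newsletter's recipe nor osv.dev's own client): it pulls pinned versions out of requirements.txt and package.json, builds the request body for osv.dev's POST /v1/query endpoint (a list of the same objects is the `queries` field of /v1/querybatch), and reduces a response to the CVE id, severity and fixed version the recipe asks for. The two manifests and the response are constructed samples with placeholder advisory ids; `query_live` is the one function that touches the network and is not needed to run the rest.

```python
import json
import re
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"   # osv.dev's single-package endpoint

# Constructed sample manifests standing in for files found in a repo.
SAMPLE_REQUIREMENTS = """\
# pinned Python deps (constructed sample)
requests==2.31.0
jinja2 == 2.11.2   # trailing comment
PyYAML>=5.0        # unpinned: skipped, OSV needs the exact installed version
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "4.17.20", "express": "^4.18.2"},
    "devDependencies": {"jest": "29.7.0"},
})


def parse_requirements(text):
    """Return (ecosystem, name, version) for every '==' pin in a requirements.txt."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-+!]+)$", line)
        if m:
            deps.append(("PyPI", m.group(1), m.group(2)))
    return deps


def parse_package_json(text):
    """Return exact-version deps from package.json; ranges (^, ~, >=) are skipped."""
    data = json.loads(text)
    deps = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if re.fullmatch(r"\d+\.\d+\.\d+", spec):
                deps.append(("npm", name, spec))
    return deps


def osv_query(ecosystem, name, version):
    """Request body for POST /v1/query (also one element of /v1/querybatch's 'queries')."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def fixed_versions(vuln):
    """Every 'fixed' event across the advisory's affected ranges."""
    return [event["fixed"]
            for affected in vuln.get("affected", [])
            for rng in affected.get("ranges", [])
            for event in rng.get("events", [])
            if "fixed" in event]


def summarize(dep, response):
    """Reduce one /v1/query response to report rows: id, severity, fixed version."""
    rows = []
    for vuln in response.get("vulns", []):
        cves = [a for a in vuln.get("aliases", []) if a.startswith("CVE-")]
        sev = (vuln.get("database_specific", {}).get("severity")
               or next((s["score"] for s in vuln.get("severity", [])), "UNKNOWN"))
        rows.append({
            "package": f"{dep[0]}/{dep[1]}@{dep[2]}",
            "id": cves[0] if cves else vuln["id"],    # prefer the CVE alias
            "severity": sev,
            "fixed": ", ".join(fixed_versions(vuln)) or "no fix listed",
        })
    return rows


def query_live(dep, timeout=10):
    """Real HTTP call to osv.dev; the only function here that needs the network."""
    body = json.dumps(osv_query(*dep)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed response in osv.dev's schema with placeholder ids, so the
# reporting path can be exercised offline.
SAMPLE_RESPONSE = {"vulns": [{
    "id": "GHSA-xxxx-xxxx-xxxx",             # placeholder, not a real advisory
    "aliases": ["CVE-0000-00000"],           # placeholder CVE id
    "database_specific": {"severity": "HIGH"},
    "affected": [{"package": {"ecosystem": "PyPI", "name": "jinja2"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "2.11.3"}]}]}],
}]}

if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS) + parse_package_json(SAMPLE_PACKAGE_JSON)
    for row in summarize(deps[1], SAMPLE_RESPONSE):   # deps[1] is jinja2==2.11.2
        print(row)
    # Live run: for dep in deps: print(summarize(dep, query_live(dep)))
```

The report row keeps the osv.dev id when no CVE alias exists, since many ecosystems publish GHSA or PYSEC ids first; the recipe's "Clean run" case is simply an empty list from `summarize`.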