ShapedPlugin Pro WordPress update channel backdoored (CVE-2026-10735)
Identifiers: CVE-2026-10735, CVE-2026-49777.
Licensed ShapedPlugin Pro update channels are reported to have distributed backdoored plugin builds tied to credential theft, 2FA capture, persistence, arbitrary file writes, and webshell capability. WordPress owners should hunt for the reported command-and-control indicator 194.76.217[.]28:2871 and rotate affected WordPress, database, mail, and 2FA secrets.
Treat this as a supply-chain compromise: the malicious code arrived through a trusted update channel, so inventory ShapedPlugin Pro installs, verify update integrity, and assume credential exposure on affected sites until proven otherwise.
Sources: [The Hacker News: ShapedPlugin Pro plugins](https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html)
Apache NiFi WID-SEC-2026-2029 multi-CVE batch
Identifiers: CVE-2026-44911, CVE-2026-44913, CVE-2026-44914, CVE-2026-54665, WID-SEC-2026-2029.
CERT-Bund describes file/data manipulation, SQL injection, and security-bypass conditions in NiFi. Map clusters, exposed processors, and upgrade windows.
Send this to the application owner with two questions: is the service exposed, and does it handle credentials, customer data, privileged workflows, or internal files that would raise impact?
Sources: [CERT-Bund WID-SEC-2026-2029](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2029)
IceWarp EPOS WID-SEC-2026-2021 information-disclosure advisory
Identifiers: WID-SEC-2026-2021.
BSI published WID-SEC-2026-2021 for IceWarp EPOS information disclosure. Route to messaging/collaboration owners for vendor-version confirmation.
Send this to the application owner with two questions: is the service exposed, and does it handle credentials, customer data, privileged workflows, or internal files that would raise impact?
Sources: [CERT-Bund WID-SEC-2026-2021](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2021)
Flowise WID-SEC-2026-0626 multi-CVE AI workflow batch
Identifiers: CVE-2026-30820, CVE-2026-30821, CVE-2026-30822, CVE-2026-30823, CVE-2026-30824, CVE-2026-56267, CVE-2026-56276, WID-SEC-2026-0626.
BSI lists privilege escalation, security bypass, data manipulation, and confidential-information exposure paths. Route to Flowise owners and validate tenant/workspace boundary exposure.
Treat this as AI platform ownership work. Check exposed builder endpoints, tenant or workspace boundaries, workflow secrets, and authentication paths before assuming the issue is only a developer-tool concern.
Sources: [CERT-Bund WID-SEC-2026-0626](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0626)
Flowise CVE-2026-12821 unpatched file-manipulation advisory
Identifiers: CVE-2026-12821, WID-SEC-2026-2023.
CERT-Bund labels WID-SEC-2026-2023 unpatched and describes authenticated remote file manipulation. Reduce exposure, monitor file writes, and track the vendor fix.
Treat this as AI platform ownership work. Check exposed builder endpoints, tenant or workspace boundaries, workflow secrets, and authentication paths before assuming the issue is only a developer-tool concern.
Sources: [CERT-Bund WID-SEC-2026-2023](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2023)
Langflow WID-SEC-2026-2030 multi-CVE batch
Identifiers: CVE-2026-12822, CVE-2026-55255, CVE-2026-55423, CVE-2026-55446, CVE-2026-55447, WID-SEC-2026-2030.
CERT-Bund describes code execution, security bypass, data manipulation, information disclosure, and denial-of-service impact across Langflow. Inventory builder endpoints, workflow secrets, and patch status.
Treat this as AI platform ownership work. Check exposed builder endpoints, tenant or workspace boundaries, workflow secrets, and authentication paths before assuming the issue is only a developer-tool concern.
Sources: [CERT-Bund WID-SEC-2026-2030](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2030)
vLLM CVE-2026-56340 denial-of-service advisory
Identifiers: CVE-2026-56340.
CERT-Bund lists a remotely reachable, authenticated denial-of-service issue in vLLM. Check model-serving exposure, authentication boundaries, and the route to a fixed version.
Treat this as AI platform ownership work. Check exposed builder endpoints, tenant or workspace boundaries, workflow secrets, and authentication paths before assuming the issue is only a developer-tool concern.
Sources: [CERT-Bund WID-SEC-2026-2024](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2024)
Gitea WID-SEC-2026-2027 source-control multi-CVE batch
Identifiers: CVE-2026-20779, CVE-2026-20896, CVE-2026-22874, CVE-2026-24451, CVE-2026-25038, CVE-2026-27761, CVE-2026-27775, CVE-2026-28740, WID-SEC-2026-2027.
CERT-Bund describes privilege gain, user impersonation, security bypass, data manipulation, and information disclosure in source-control infrastructure. Inventory self-hosted Gitea, repo secrets, CI integrations, and admin exposure.
Treat this as control-plane exposure work. Check where the tool is used in CI, source-control, build, or runtime paths, then attach version and mitigation checks to the owning team.
Sources: [CERT-Bund WID-SEC-2026-2027](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2027)
QEMU CVE-2024-7730 re-enters EU code-execution and DoS routing
Identifiers: CVE-2024-7730, WID-SEC-2024-1851.
BSI updated WID-SEC-2024-1851 for remote anonymous code execution and denial-of-service risk in QEMU. Route to virtualization/platform owners and verify affected builds and fixed-build status.
Prioritise hosts where virtualisation or monitoring tooling has elevated access. Confirm affected builds, fixed-version availability, and who can create or alter the relevant virtual machine or monitoring inputs.
Sources: [CERT-Bund WID-SEC-2024-1851](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1851)
Glances CVE-2026-46606 command injection via KVM/QEMU domain names
Identifiers: CVE-2026-46606.
Users able to create or rename libvirt domains can inject commands into Glances virsh monitoring paths. Inventory Glances on KVM/QEMU hosts and restrict libvirt domain-management rights.
Prioritise hosts where virtualisation or monitoring tooling has elevated access. Confirm affected builds, fixed-version availability, and who can create or alter the relevant virtual machine or monitoring inputs.
Sources: [GitHub Advisory GHSA-v5r2-qh84-fjx5](https://github.com/advisories/GHSA-v5r2-qh84-fjx5)
ILIAS CVE-2026-12789 unpatched SQL-injection advisory
Identifiers: CVE-2026-12789, WID-SEC-2026-2016.
BSI published WID-SEC-2026-2016 marked unpatched for authenticated remote SQL injection. Route to ILIAS owners for exposure restriction, monitoring, and vendor-fix tracking.
Send this to the application owner with two questions: is the service exposed, and does it handle credentials, customer data, privileged workflows, or internal files that would raise impact?
Sources: [CERT-Bund WID-SEC-2026-2016](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2016)
Also tracked
- Cacti CVE-2026-49442 information-disclosure advisory · CVE-2026-49442
- XWiki Pro Macros CVE-2026-44179 RCE through excerpt-include macro · CVE-2026-44179
- Gogs self-hosted Git control-plane cluster · CVE-2026-47267
- Spinnaker CVE-2026-44795 unsafe YAML deserialization RCE · CVE-2026-44795
- Buildah CVE-2026-44517 remote build-context breakout · CVE-2026-44517
- runc CVE-2026-41579 malicious-image /dev symlink host-integrity issue · CVE-2026-41579
- Glances CVE-2026-46608 XML-RPC CORS incomplete fix · CVE-2026-46608
- OpenDJ CVE-2026-46495 pre-auth JMX RMI deserialization RCE · CVE-2026-46495
- Paymenter CVE-2025-58048 RCE via ticket attachments · CVE-2025-58048
- Budibase cloud and datasource exposure cluster · CVE-2026-48153
- Gravity SMTP CVE-2026-4020 WordPress plugin bug · CVE-2026-4020
- Apple Usbliter8 boot-defense exploit handling
- FortiBleed custom FortiGate sniffer credential theft
- Mastra/Sapphire Sleet npm supply-chain reach
- Splunk Enterprise CVE-2026-20253 patch-validation pressure · CVE-2026-20253
- Mise CVE-2026-33646 code execution via malicious .tool-versions · CVE-2026-33646
New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones
The vulnerability exploited by the Usbliter8 exploit cannot be patched, and a PoC exploit has been released by researchers.
Sources: [SecurityWeek: New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones](https://www.securityweek.com/new-exploit-bypasses-apples-boot-defenses-affects-millions-of-iphones/)
FortiBleed campaign used custom FortiGate sniffer to steal credentials
Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials. [...]
Sources: [BleepingComputer: FortiBleed campaign used custom FortiGate sniffer to steal credentials](https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/)