Daily briefing · June 25, 2026
Three CVSS 10.0 Flaws Lead a Heavy Day: Apache Kvrocks, Flowise, and WordPress Under Fire
June 25, 2026 brought 434 new CVEs, including 21 criticals, with no confirmed active exploitation yet — but the severity profile demands immediate attention. Three vulnerabilities scored a perfect CVSS 10.0, targeting Apache Kvrocks, the Flowise AI platform, and a WordPress plugin, while Flowise alone accounts for four critical entries covering remote code execution, path traversal, and arbitrary file upload. Defenders managing these platforms should treat today's disclosures as urgent patching events.
Today’s brief
- Three CVSS 10.0 vulnerabilities disclosed today across Apache Kvrocks, Flowise, and the OMGF Pro WordPress plugin.
- Flowise dominates the day with four critical CVEs spanning RCE, path traversal, and unauthenticated file upload — patch to 3.0.6 or later immediately.
- Dell Wyse Management Suite and ToolJet also carry critical RCE flaws exploitable by low-privileged or authenticated users.
- No KEV-confirmed active exploitation yet, but the attack surface is wide and unauthenticated vectors lower the bar significantly.
434 new · 21 critical · 0 actively exploited
Critical highlights
1. A heap overflow in the cjson library's Lua integration within Apache Kvrocks (versions 2.0.4 through 2.15.0) scores a perfect 10.0. This class of memory-corruption flaw can enable arbitrary code execution on the server hosting the Redis-compatible database. Upgrade to 2.16.0 without delay.
2. Unauthenticated attackers can exploit an unsanitized fileName parameter in Flowise's document-store endpoint to write arbitrary files, including overwriting package.json, and achieve remote code execution when the application next restarts. The unauthenticated vector makes this a top priority for any internet-exposed Flowise instance.
3. The OMGF Pro WordPress plugin (through version 5.2.6) allows unrestricted upload of dangerous file types, giving unauthenticated or low-privilege attackers a straightforward path to plant malicious files and potentially execute code on the web server. Sites running this plugin should update or disable it immediately.
4. Widget Options for WordPress (versions up to 4.2.3) allows users with only Contributor-level access to achieve remote code execution, drastically lowering the privilege needed for a full server compromise on affected installations. Any multi-author or open-registration site is especially exposed.
5. Dell Wyse Management Suite versions prior to WMS 5.5 HF1 accept untrusted data mixed with trusted data, allowing a remote, low-privileged attacker to escalate to remote code execution. Endpoint-management platforms are high-value targets; exploitation here could affect entire managed device fleets.
6. Apache Kvrocks 2.8.0 improperly handles insufficient-permission conditions, potentially allowing privilege escalation or unauthorized operations within the data store. Administrators pinned to this version should upgrade to 2.16.0, which resolves both Kvrocks vulnerabilities disclosed today.
7. Any authenticated ToolJet user with a free-tier builder role can overwrite a globally shared marketplace plugin with arbitrary JavaScript that then runs server-side with full Node.js privileges, affecting all platform users. In multi-tenant or shared ToolJet deployments this is effectively an insider supply-chain attack.
8. Flowise's Custom MCP feature executes OS commands by design, but prior to 3.0.6 it does so without sandboxing and without meaningful role-based access control, so any authenticated user can run arbitrary OS commands on the server. Default installations that do not enforce authentication are exposed to unauthenticated exploitation.
9. In Flowise versions through 2.2.8, missing UUID validation on the chatflowId and chatId parameters allows unauthenticated path traversal via the chatflows API endpoint, enabling arbitrary file read or access across the server filesystem. Sensitive configuration files, credentials, and internal data are all at risk.
10. Flowise through 2.2.4 exposes an unauthenticated file-upload endpoint that, when local storage is configured, can be exploited via path traversal in the chatId and chatflowId parameters to drop malicious files into arbitrary directories and achieve remote code execution. This is a low-complexity, high-impact vector requiring no credentials whatsoever.
Today’s recommendation: Prioritize immediate upgrades for Apache Kvrocks (to 2.16.0), Flowise (to 3.0.6 or later), Dell Wyse Management Suite (to WMS 5.5 HF1), and ToolJet (to 3.20.178-lts or later); for WordPress environments, update or deactivate Widget Options and OMGF Pro without waiting for a maintenance window. Where patching cannot be applied immediately, restrict network access to affected services and enforce authentication on all exposed API endpoints.
With multiple unauthenticated and low-privilege RCE vectors disclosed today, now is the moment to validate which of these platforms are reachable from your external or internal attack surface before threat actors do.