CVSS: 6.5 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2026-2582 – Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2026-2582
14 Apr 2026 — The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5. ... This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L214 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2026-40288 – PraisonAI: Critical RCE via `type: job` workflow YAML
https://notcve.org/view.php?id=CVE-2026-40288
14 Apr 2026 — In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run
CVSS: 8.4 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2026-40287 – PraisonAI has RCE via Automatic tools.py Import
https://notcve.org/view.php?id=CVE-2026-40287
14 Apr 2026 — Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. ... An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. • https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-426: Untrusted Search Path •
CVSS: 5.3 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2026-39424 – MaxKB has CSV Injection in its Application Chat Export Functionality
https://notcve.org/view.php?id=CVE-2026-39424
14 Apr 2026 — Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). • https://github.com/1Panel-dev/MaxKB/commit/24cd68acae5f726eed828e2ac801827a2a70536f • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.3 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2026-39421 – MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect
https://notcve.org/view.php?id=CVE-2026-39421
14 Apr 2026 — By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. • https://github.com/1Panel-dev/MaxKB/commit/479701a4d2e6059506bad0057a66bed91abb5aef • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-693: Protection Mechanism Failure •
CVSS: 6.3 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2026-39420 – MaxKB: Sandbox escape via LD_PRELOAD bypass
https://notcve.org/view.php?id=CVE-2026-39420
14 Apr 2026 — In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. Using the env command, the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_P... • https://github.com/1Panel-dev/MaxKB/commit/2d17b08e6b060329803754a05e806d0ddecf3fa8 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-693: Protection Mechanism Failure •
CVSS: 2.0 | EPSS: % | CPEs: 7 | EXPL: 0 | CVE-2026-27675 – Code Injection vulnerability in SAP Landscape Transformation
https://notcve.org/view.php?id=CVE-2026-27675
14 Apr 2026 — SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. • https://me.sap.com/notes/3723097 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1 | EPSS: % | CPEs: - | EXPL: 0 | CVE-2026-27674 – Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)
https://notcve.org/view.php?id=CVE-2026-27674
14 Apr 2026 — Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. ... This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability. • https://me.sap.com/notes/3719397 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.6 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2026-39417 – MaxKB: RCE via MCP stdio command injection in workflow engine
https://notcve.org/view.php?id=CVE-2026-39417
14 Apr 2026 — Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path (loading MCP config from the database). ... By calling the workflow creation API directly with a crafted JSON payload, an attacker can inject a complete MCP node configuration with stdio transport, arbitrary command, and args — achieving RCE when <... • https://github.com/1Panel-dev/MaxKB/commit/50e96002ee5dca34c68d3d9333b64ea358c92304 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2026-22562
https://notcve.org/view.php?id=CVE-2026-22562
13 Apr 2026 — A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).
Affected Products:
- UniFi Play PowerAmp (Version 1.0.35 and earlier)
- UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation:
- Update UniFi Play PowerAmp to Version 1.0.38 or later
- Update UniFi Play Audio Port to Version 1.1.9 or later
• https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
