This briefing covers the 24-hour period from June 2-3, 2026, revealing a concerning landscape dominated by critical authentication and code execution vulnerabilities. The period saw 30 new CVE entries including four CRITICAL-severity vulnerabilities and 26 HIGH-severity flaws, alongside 50 active malware distribution URLs tracked by abuse.ch. No KEV additions, RSS articles, or infrastructure seizure events were recorded during this period.
The most severe threats include CVE-2026-5076 (CVSS 9.8) affecting the ARMember Premium WordPress plugin with an insecure password reset mechanism, CVE-2026-49448 (CVSS 9.8) in authentik allowing authentication bypass, CVE-2026-32625 (CVSS 9.6) enabling environment variable exposure in LibreChat's MCP integration, and CVE-2026-42849 (CVSS 9.3) presenting XSS vulnerabilities in authentik's flow executor. Multiple products from Dräger medical systems, React Router framework components, and various web applications are affected.
Malware distribution activity centered on 45.148.120.78 hosting numerous ua-wget payloads (42 URLs), alongside Amadey dropper activity and Mozi botnet samples. Organizations should prioritize patching the critical authentication bypass and RCE vulnerabilities, particularly in widely-deployed WordPress plugins and identity providers, while monitoring for the observed malware distribution infrastructure.
Four CRITICAL-severity vulnerabilities demand immediate attention, affecting WordPress plugins, identity providers, and chat applications with authentication bypass and RCE potential.
The ARMember Premium plugin stores plaintext password reset keys in user meta fields, enabling attackers to reset arbitrary user passwords without authentication. All versions up to 7.3.1 affected.
The authentik identity provider's Source stage can be bypassed by sending empty POST requests, allowing unauthenticated access. Patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
LibreChat's Model Context Protocol integration resolves ${VAR} placeholders against server environment variables during user-supplied URL validation, exposing sensitive configuration. Affects versions through 0.8.3.
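An added example (constructed, not LibreChat's code) contrasting the over-broad interpolation pattern described above with a hardened one: placeholders resolve only against an explicit allowlist and only in operator-controlled configuration, while user-supplied URLs are validated as opaque strings with no interpolation step at all. The function names, the allowlist and the environment object are assumptions of this example.

```javascript
// Added example (not LibreChat code): safe handling of ${VAR} placeholders.
const PLACEHOLDER = /\$\{([A-Z0-9_]+)\}/g;     // for substitution
const HAS_PLACEHOLDER = /\$\{[A-Z0-9_]+\}/;    // stateless check, no lastIndex surprises

// Weak pattern: every ${NAME} is looked up in the whole environment, so any
// string that reaches this function can read arbitrary server secrets.
function resolveUnrestricted(str, env) {
  return str.replace(PLACEHOLDER, (_, name) => env[name] ?? '');
}

// Hardened: only allowlisted names resolve; anything else is an error rather
// than a silent lookup. Intended for operator-written config, never for request data.
function resolveAllowlisted(str, env, allowed) {
  return str.replace(PLACEHOLDER, (_, name) => {
    if (!allowed.has(name)) throw new Error(`placeholder not permitted: ${name}`);
    if (!(name in env)) throw new Error(`placeholder unset: ${name}`);
    return env[name];
  });
}

// A user-supplied URL is data: no interpolation, placeholder syntax rejected
// outright, and only http(s) accepted.
function validateUserUrl(input) {
  if (HAS_PLACEHOLDER.test(input)) return { ok: false, reason: 'placeholder syntax not allowed' };
  let u;
  try { u = new URL(input); } catch { return { ok: false, reason: 'not a URL' }; }
  if (!['http:', 'https:'].includes(u.protocol)) return { ok: false, reason: 'scheme not allowed' };
  return { ok: true, url: u.href };
}
```

The split matters more than the allowlist: even an allowlisted resolver should never run over request bodies, because the set of names an operator considers safe for config is unrelated to what an anonymous user should be able to read back.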
Cross-site scripting vulnerability in authentik's Simple Flow Executor AutosubmitStage allows attackers to execute malicious scripts. Patched in versions 2025.12.5 and 2026.2.3.
Attackers with source connection modification privileges can log into any account in configured identity sources. Affects versions prior to 2025.12.6, 2026.2.4, and 2026.5.1.
The /_log HTTP handler in BrowserStack Runner through 0.9.5 passes user-supplied JSON to vm.runInNewContext() without authentication, enabling network-adjacent RCE.
Authenticated administrators can escape the sandbox in alf.io's extension script engine to execute arbitrary OS commands. Affects versions prior to 2.0-M5-2606.
The Content Visibility for Divi Builder WordPress plugin allows authenticated contributors to execute code via the 'et_pb_text' shortcode. Affects versions through 4.02.
Multiple vulnerabilities discovered in Dräger medical systems spanning patient monitors, infusion pumps, and safety equipment, enabling DoS, code execution, and data tampering.
Dräger Infinity monitors (VG4.1.1, VG4.0.3 and lower) vulnerable to network message injection allowing remote data spoofing and denial-of-service attacks on hospital networks.
Crafted .gdt files trigger buffer overflow in Dräger CC-Vision Basic (before 7.5.3) and E-Cal (before 7.2.5.0), enabling application crash or malicious code execution.
Dräger SC monitoring devices (6002XL, 6802XL, 7000, 8000, 9000 XL) contain hard-coded plaintext credentials in source code across all software versions, allowing local and remote compromise.
Network-adjacent attackers can trigger high CPU load on Dräger Core 1.0.5 and M540 Converter Service 1.0.9 via specially crafted SDC discovery messages.
Dräger Protector Software prior to 6.4.2 contains insecure file system permissions allowing local attackers to replace binaries and execute arbitrary code with elevated privileges.
Multiple high-severity vulnerabilities in React Router, WordPress plugins, and content management systems enabling SQL injection, XSS, and remote code execution.
React Router 7.0.0-7.14.1 in Framework Mode vulnerable to remote code execution when combined with existing prototype pollution vulnerabilities, exploitable via external requests.
React Router 7.7.0-7.13.1 unstable React Server Components APIs vulnerable to client-side XSS via untrusted redirect sources in RSC redirect handling.
WordPress ARMember Premium plugin vulnerable to SQL injection via 'order' parameter in arm_directory_paging_action AJAX action due to insufficient escaping. Versions through 7.3.1 affected.
Multiple SQL injection vulnerabilities in DedeCMS 5.7.88 affecting /plus/carbuyaction.php (RemoveXSS function) and /plus/flink.php (dede_htmlspecialchars function). Exploits publicly available.
code-projects Student Admission System 1.0 vulnerable to remote SQL injection via eid/did parameters in /index.php. Exploit has been published.
sayan365 student-management-system (up to commit 7f3c9ce) contains improper authentication vulnerability exploitable remotely. Exploit publicly available.
Other notable vulnerabilities including IDOR, SSRF, DoS, and privilege escalation affecting various enterprise applications and systems.
authentik's SAML Source ACS endpoint vulnerable to XML Signature Wrapping attacks, allowing attackers with upstream IdP accounts to reuse valid assertions. Fixed in 2025.12.5, 2026.2.3, 2026.5.1.
Medplum before 5.1.14 vulnerable to server-side request forgery allowing authenticated users to perform unauthorized internal network requests via FHIR Subscription resources.
Insecure Direct Object Reference in LibreChat (through 0.7.6) API keys management endpoint allows unauthorized access due to JavaScript spread operator misuse.
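The page says only that a spread-operator misuse produced the IDOR; the following is an added, constructed illustration of one way that class of bug arises (not LibreChat's actual code): when a caller-controlled filter is spread after the ownership constraint, the client can override the `user` field and read another account's records. The collection, field names and helper functions are assumptions of this example.

```javascript
// Added example (constructed; not LibreChat's code): object-spread ordering and IDOR.

// Weak: the client filter is spread AFTER the ownership constraint, so a request
// carrying { user: 'victim' } replaces the session user's id in the query.
function buildKeyQueryWeak(sessionUserId, clientFilter) {
  return { user: sessionUserId, ...clientFilter };
}

// Fix 1: apply the trusted constraint last so it cannot be overridden.
// Still lets arbitrary other client keys reach the query, which is why Fix 2 is preferred.
function buildKeyQueryLast(sessionUserId, clientFilter) {
  return { ...clientFilter, user: sessionUserId };
}

// Fix 2: copy only allowlisted client fields, then add the constraint.
const CLIENT_FILTER_FIELDS = ['name', 'provider'];
function buildKeyQuerySafe(sessionUserId, clientFilter) {
  const q = {};
  for (const k of CLIENT_FILTER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(clientFilter, k)) q[k] = clientFilter[k];
  }
  q.user = sessionUserId;
  return q;
}

// Constructed in-memory "collection" so the effect is visible end to end.
const KEYS = [
  { id: 1, user: 'alice', provider: 'openai', name: 'prod' },
  { id: 2, user: 'bob',   provider: 'openai', name: 'prod' },
];

// Returns ids of records matching every field of the query (an exact-match filter).
function find(query) {
  return KEYS
    .filter(k => Object.keys(query).every(f => k[f] === query[f]))
    .map(k => k.id);
}
```

In a review, the thing to look for is any `{ ...req.body }` or `{ ...req.query }` spread into a query or update object; the position of the spread relative to the trusted fields decides who wins.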
A denial-of-service vulnerability in SolarWinds Web Help Desk can crash the server by exhausting its available memory when exploited.
React Router 7.0.0-7.14.x vulnerable to resource exhaustion via unbounded path expansion in __manifest endpoint, causing disproportionate server resource consumption.
NI-PAL 26.3.0 and prior vulnerable to improper input validation allowing arbitrary system memory access and NULL pointer dereference DoS on Windows and Linux.
nextlevelbuilder GoClaw up to 3.11.3 is missing authentication in the resolveAuth function of its webhook verification handler, allowing remote exploitation.
50 malicious URLs tracked distributing Amadey droppers, Mozi botnet samples, and ua-wget payloads from concentrated infrastructure.
Single IP address (45.148.120.78) hosting 42 distinct ua-wget malware payloads with randomized paths, indicating active botnet recruitment or lateral movement toolkit distribution. High-volume distribution suggests automated infection campaigns.
Amadey botnet dropper (d52f85 variant) distributed from 62.60.226.140/files/745127296/HUROhgh.bat, typically used for follow-on payload delivery including ransomware and information stealers.
Mozi botnet sample (32-bit ELF MIPS binary) hosted at 115.57.253.155:60990/i targeting IoT devices and routers. Mozi is known for persistent IoT compromise and DDoS capabilities.
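A triage routine for the concentration pattern described above (one host, dozens of distinct randomised paths), as an added example not drawn from abuse.ch tooling: it parses a URL feed, groups entries by host, counts distinct paths and scores how many path segments look like random tokens, then flags hosts worth blocking at the network edge. The feed below is constructed from documentation IP ranges; the thresholds and the token heuristic are assumptions of this example.

```javascript
// Added example (constructed sample feed, not abuse.ch data): triage malware
// distribution URLs by host to surface concentrated infrastructure.
const SAMPLE_FEED = `
http://203.0.113.10/a8f3k2/x86
http://203.0.113.10/q9w1e4/mips
http://203.0.113.10/z7x5c3
http://203.0.113.10/p2o4i6
http://198.51.100.7/files/745127296/HUROhgh.bat
http://192.0.2.55:60990/i
not a url
`;

// Parse one URL per line; malformed lines are skipped rather than aborting the run.
function parseFeed(text) {
  const out = [];
  for (const line of text.split('\n')) {
    const s = line.trim();
    if (!s) continue;
    try { out.push(new URL(s)); } catch { /* skip malformed feed line */ }
  }
  return out;
}

// A "random-looking" segment: 5-8 lowercase alphanumerics containing both letters and digits.
const RANDOMISH = /^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,8}$/;

// Group by host[:port]; report distinct path count and the share of random-looking segments.
function summarizeByHost(urls) {
  const byHost = new Map();
  for (const u of urls) {
    const rec = byHost.get(u.host) ?? { host: u.host, paths: new Set(), randomish: 0, segments: 0 };
    rec.paths.add(u.pathname);
    for (const seg of u.pathname.split('/').filter(Boolean)) {
      rec.segments++;
      if (RANDOMISH.test(seg)) rec.randomish++;
    }
    byHost.set(u.host, rec);
  }
  return [...byHost.values()]
    .map(r => ({
      host: r.host,
      distinctPaths: r.paths.size,
      randomPathRatio: r.segments ? r.randomish / r.segments : 0,
    }))
    .sort((a, b) => b.distinctPaths - a.distinctPaths);
}

// Hosts serving many distinct, random-looking paths are block-list candidates.
function flagConcentrated(summary, minPaths = 3, minRatio = 0.5) {
  return summary
    .filter(s => s.distinctPaths >= minPaths && s.randomPathRatio >= minRatio)
    .map(s => s.host);
}
```

Blocking by host rather than by individual URL is the point: a host rotating random paths makes per-URL indicators stale within hours, while the host and port remain a stable indicator for the lifetime of the campaign.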