VulncastBriefing archive

Daily Brief - 2026-06-29

4 vulnerabilities · 5 min listen

CVE-2026-49048

joomla JoomCCK

The Joomla extension JoomCCK exposes a front-end controller task that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string, without escaping or parameterisation.

  • SQL Injection
  • php
  • web application
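The JoomCCK entry describes the textbook concatenation flaw. The following is an added illustration, not code from JoomCCK or Joomla: it runs the same request value through a concatenated query and a parameterised one against a constructed in-memory SQLite table (the extension's real schema, table names and database driver are not on the page, so the table and column names here are assumptions). Python with the standard `sqlite3` module is used so the comparison runs offline.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table standing in for an extension's
    records table (assumption: JoomCCK's real schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO records (title, published) VALUES (?, ?)",
        [("Public post", 1), ("Draft post", 0), ("Private note", 0)],
    )
    return conn


def fetch_concatenated(conn: sqlite3.Connection, record_id: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so any SQL syntax it carries becomes part of the statement."""
    sql = "SELECT title FROM records WHERE published = 1 AND id = " + record_id
    return [row[0] for row in conn.execute(sql)]


def fetch_parameterised(conn: sqlite3.Connection, record_id: str) -> list:
    """Hardened pattern: the value is bound as a parameter and is only ever data."""
    sql = "SELECT title FROM records WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (record_id,))]


def compare(record_id: str) -> dict:
    """Run both variants on the same input and return the rows each produces."""
    conn = make_db()
    try:
        return {
            "concatenated": fetch_concatenated(conn, record_id),
            "parameterised": fetch_parameterised(conn, record_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("1"))          # both variants return only the published row
    print(compare("1 OR 1=1"))   # concatenated: all rows; parameterised: no rows
```

The point to take from the second call is not the particular payload but the difference in behaviour: with the bound parameter the `published = 1` filter still applies, because the driver never lets the value change the statement's structure.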

CVE-2026-58050

high · CVSS 7 · libssh2 libssh2

libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.

  • Heap Buffer Overflow
  • Integer Overflow
  • c
  • ssh
  • cryptography
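The libssh2 description is specific enough to model. The block below is an added example, not libssh2 code: it mirrors the `num_attrs * sizeof(...)` allocation with 32-bit `size_t` arithmetic to show the wrap, then contrasts it with an overflow-checked multiply plus a plausibility bound derived from the response length. The structure size (`ATTR_SIZE`), the minimum per-attribute wire size and the response layout are assumptions made for the illustration; the page gives none of them.

```python
import struct

SIZE_MAX_32 = 2**32 - 1   # size_t range on a 32-bit platform
ATTR_SIZE = 24            # assumed sizeof(libssh2_publickey_attribute); illustrative only
MIN_ATTR_WIRE_BYTES = 8   # assumption: each attribute needs at least two 32-bit length fields


def alloc_size_unchecked(num_attrs: int, elem_size: int = ATTR_SIZE,
                         size_max: int = SIZE_MAX_32) -> int:
    """Mirror C's num_attrs * sizeof(elem) in size_t: the product wraps modulo size_max + 1."""
    return (num_attrs * elem_size) & size_max


def alloc_size_checked(num_attrs: int, elem_size: int = ATTR_SIZE,
                       size_max: int = SIZE_MAX_32) -> int:
    """Overflow-checked multiply: refuse any count whose product is not representable."""
    if num_attrs > size_max // elem_size:
        raise ValueError(f"attribute count {num_attrs} overflows the size_t allocation")
    return num_attrs * elem_size


def parse_attr_count(response: bytes) -> int:
    """Read the server-supplied 32-bit big-endian attribute count (constructed wire format)."""
    if len(response) < 4:
        raise ValueError("response too short for an attribute count")
    return struct.unpack(">I", response[:4])[0]


def constructed_response(num_attrs: int, payload: bytes = b"") -> bytes:
    """Build a constructed publickey-subsystem style response: count, then attribute bytes."""
    return struct.pack(">I", num_attrs) + payload


def simulate_unchecked(response: bytes) -> dict:
    """Model the vulnerable flow: allocate with the wrapped size, then compare how many
    attributes the parsing loop would write with how many actually fit."""
    num_attrs = parse_attr_count(response)
    alloc = alloc_size_unchecked(num_attrs)
    capacity = alloc // ATTR_SIZE
    return {"num_attrs": num_attrs, "alloc_bytes": alloc,
            "capacity": capacity, "heap_overflow": num_attrs > capacity}


def safe_attr_count(response: bytes) -> int:
    """Hardened flow: overflow-checked size, then a bound against the response length,
    since a response cannot carry more attributes than it has bytes for."""
    num_attrs = parse_attr_count(response)
    alloc_size_checked(num_attrs)
    if num_attrs > (len(response) - 4) // MIN_ATTR_WIRE_BYTES:
        raise ValueError(f"attribute count {num_attrs} exceeds what "
                         f"{len(response)} bytes can hold")
    return num_attrs


def response_is_safe(response: bytes) -> bool:
    """Convenience wrapper: True when safe_attr_count accepts the response."""
    try:
        safe_attr_count(response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # 178956971 * 24 = 2**32 + 8, so a 32-bit size_t sees an 8-byte allocation
    print(simulate_unchecked(constructed_response(178956971)))
    print(response_is_safe(constructed_response(178956971)))      # False
    print(response_is_safe(constructed_response(2, b"\x00" * 16)))  # True
```

The second check is the one worth keeping even on 64-bit builds where the multiply cannot wrap: tying the count to the bytes actually received rejects absurd values before any allocation happens.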

CVE-2026-58053

critical · CVSS 9.9 · gitea act_runner

Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being disabled.

  • Privilege Escalation
  • Container Escape
  • docker
  • container
  • workflow automation
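The act_runner entry comes down to a merge that enforces one field and copies the rest. The block below is an added example in Python, not act_runner's or act's code (those are Go, and their real option parsing and HostConfig types are not on the page): it reproduces the described merge, in which `privileged: false` only clears `Privileged`, and beside it a fail-closed policy that refuses host-access options on a non-privileged runner. The three flags named in the advisory form the core deny list; the additional flags are this example's assumption, and the option string and its values are constructed.

```python
import shlex

# Flags from the advisory that hand the job container host namespaces or
# capabilities even when Privileged is forced off.
HOST_ACCESS_FLAGS = {"--pid", "--cap-add", "--security-opt"}
# Further flags treated the same way here; their inclusion is this example's assumption.
HOST_ACCESS_FLAGS |= {"--privileged", "--network", "--ipc", "--userns", "--device",
                      "--cgroupns", "-v", "--volume", "--mount"}


def parse_options(options: str) -> list:
    """Split a container.options string into (flag, value) pairs. Handles the
    --flag=value and --flag value forms; a flag with no value gets None."""
    tokens = shlex.split(options)
    pairs, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and "=" in tok:
            flag, value = tok.split("=", 1)
            pairs.append((flag, value))
            i += 1
        elif tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            pairs.append((tok, tokens[i + 1]))
            i += 2
        else:
            pairs.append((tok, None))
            i += 1
    return pairs


def merge_forcing_privileged_off(options: str, privileged: bool) -> dict:
    """Vulnerable merge as the advisory describes it: only the Privileged flag is
    overridden; every other option is carried into the host config unchanged."""
    cfg = {"Privileged": False, "PidMode": "", "CapAdd": [], "SecurityOpt": []}
    for flag, value in parse_options(options):
        if flag == "--privileged":
            cfg["Privileged"] = True
        elif flag == "--pid":
            cfg["PidMode"] = value or ""
        elif flag == "--cap-add":
            cfg["CapAdd"].append(value)
        elif flag == "--security-opt":
            cfg["SecurityOpt"].append(value)
    if not privileged:
        cfg["Privileged"] = False   # the only thing privileged: false actually enforces
    return cfg


def host_access_violations(options: str, privileged: bool) -> list:
    """Policy check: with privileged false, list every option that would weaken
    the container's isolation instead of silently merging it."""
    if privileged:
        return []
    return sorted({flag for flag, _ in parse_options(options) if flag in HOST_ACCESS_FLAGS})


def build_host_config(options: str, privileged: bool) -> dict:
    """Hardened merge: fail closed on disallowed options, then build the config."""
    bad = host_access_violations(options, privileged)
    if bad:
        raise ValueError("container.options not allowed on a non-privileged runner: "
                         + ", ".join(bad))
    return merge_forcing_privileged_off(options, privileged)


if __name__ == "__main__":
    # Constructed workflow option string; the values are placeholders.
    opts = "--pid=host --cap-add NET_ADMIN --security-opt seccomp=unconfined --memory 2g"
    print(merge_forcing_privileged_off(opts, privileged=False))  # Privileged off, PidMode still host
    print(host_access_violations(opts, privileged=False))        # the three offending flags
    print(build_host_config("--memory 2g", privileged=False))    # benign options still work
```

A deny list like this is a stop-gap; the stronger posture for a shared runner is an allow list of resource-only options (memory, CPU, labels) with everything else rejected, which the same `host_access_violations` shape supports by inverting the set membership test.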

CVE-2026-8095

high · CVSS 8.1 · wordpress Frontend File Manager Plugin

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. The cause is a case-sensitivity bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler: supplying WPFM_DIR_PATH in uppercase evades the unset check and is normalized back to wpfm_dir_path by sanitize_key() during update_post_meta(), so an attacker can overwrite the stored file path with an arbitrary filesystem path. That path is then passed directly to unlink() in delete_file_locally() without any directory containment validation. This makes it possible for authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including sensitive files such as wp-config.php, potentially leading to full site takeover.

  • Arbitrary File Deletion
  • Authentication Bypass
  • php
  • web application
  • wordpress plugin
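The WordPress entry combines two defects that are worth seeing side by side: a check performed before normalisation, and a delete with no containment check. The block below is an added example in Python, not the plugin's or WordPress's code: `sanitize_key` is a stand-in that emulates the documented lowercase-and-strip behaviour of the WordPress function, the request and meta dictionaries are constructed, and the base upload directory and file names are placeholders. It shows the described handler logic, the same logic with the check moved after normalisation, and a containment check of the kind a delete routine should run before `unlink()`.

```python
import os
import re

PROTECTED_META = {"wpfm_dir_path"}
UPLOAD_BASE = "/srv/example-site/uploads/wpfm"   # constructed base directory for the example


def sanitize_key(key: str) -> str:
    """Emulates the normalisation WordPress's sanitize_key() performs (lowercase,
    then keep only a-z, 0-9, '_' and '-'); a stand-in, not WordPress code."""
    return re.sub(r"[^a-z0-9_\-]", "", key.lower())


def update_meta_vulnerable(request: dict, meta: dict) -> dict:
    """Pattern the advisory describes: the protected key is removed by exact,
    case-sensitive name, then every remaining key is normalised and stored."""
    fields = dict(request)
    fields.pop("wpfm_dir_path", None)          # misses WPFM_DIR_PATH
    for key, value in fields.items():
        meta[sanitize_key(key)] = value        # which sanitize_key folds back to wpfm_dir_path
    return meta


def update_meta_hardened(request: dict, meta: dict) -> dict:
    """Fix: normalise first, then compare against the protected set, so every
    spelling of the key is caught."""
    for key, value in request.items():
        norm = sanitize_key(key)
        if norm in PROTECTED_META:
            continue
        meta[norm] = value
    return meta


def is_contained(path: str, base: str = UPLOAD_BASE) -> bool:
    """Directory containment check for the path handed to unlink(): resolve both
    sides and require the file to sit under the base directory."""
    real_path = os.path.realpath(path)
    real_base = os.path.realpath(base)
    return os.path.commonpath([real_path, real_base]) == real_base


def delete_file_safely(meta: dict, deleted: list) -> bool:
    """Stand-in for a containment-checked delete: records the path instead of
    unlinking so the example is side-effect free."""
    path = meta.get("wpfm_dir_path", "")
    if not path or not is_contained(path):
        return False
    deleted.append(path)
    return True


if __name__ == "__main__":
    stored = {"wpfm_dir_path": UPLOAD_BASE + "/report.pdf"}
    request = {"WPFM_DIR_PATH": "/srv/example-site/secret.cfg", "wpfm_title": "report"}
    print(update_meta_vulnerable(request, dict(stored)))   # path overwritten
    print(update_meta_hardened(request, dict(stored)))     # path untouched, title stored
    log = []
    print(delete_file_safely(update_meta_vulnerable(request, dict(stored)), log), log)  # False, []
```

Both fixes are independent and both are needed: the key check stops the overwrite, and the containment check means that even a path that does get stored cannot reach outside the upload directory when it is finally deleted.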