cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.
Vulnerability intelligence
Trending now
CVEs trending on social media within the last 24 hours
1. CVE-2026-42211 Published Jun 2, 2026
Hype score: 7
high 8.1
CVE-2026-42211 describes a vulnerability in React Router versions 7.0.0 through 7.14.1, specifically when the library is used in Framework Mode. This flaw can potentially lead to unauthorized remote code execution (RCE) through external requests. The vulnerability stems from a deserialization issue within React Router's vendored `turbo-stream` v2, which permits arbitrary constructor invocation via `TYPE_ERROR` deserialization. Exploiting CVE-2026-42211 is a two-step process. It first requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged to trigger the unauthorized RCE on the remote server. Applications utilizing Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`) are not affected by this vulnerability. The issue has been addressed in React Router version 7.14.2.
2. CVE-2026-20245 Published Jun 4, 2026
Hype score: 5
high 7.8
CVE-2026-20245 is a command injection vulnerability found in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage. This flaw arises from insufficient validation of user-supplied input, allowing an authenticated attacker with netadmin privileges to upload a specially crafted file. Upon successful exploitation, the attacker can execute arbitrary commands as root on the affected system. Cisco has observed limited instances of this vulnerability being exploited in the wild, with some cases resulting in configuration changes being pushed to edge devices. It is noted that the required netadmin privileges can be obtained either through valid credentials or by leveraging other vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127.
3. CVE-2026-46243 Published Jun 1, 2026
Hype score: 4
high 7.1
CVE-2026-46243, dubbed "CIFSwitch," is a local privilege escalation vulnerability found in the Linux kernel's Common Internet File System (CIFS) client implementation. The flaw allows an unprivileged local user to forge `cifs.spnego` key descriptions. These descriptions, which typically contain authority-bearing fields like `pid`, `uid`, and `creduid`, are usually treated by the `cifs.upcall` helper as originating from the kernel. However, userspace can also create keys of this type, enabling an attacker to supply these fields without CIFS origin. The vulnerability arises because the kernel's CIFS subsystem fails to verify that `cifs.spnego` key requests originate from the kernel's CIFS client. This allows an unprivileged user to create a forged `cifs.spnego` request, triggering the normal authentication workflow and causing the root-privileged `cifs.upcall` helper to trust attacker-controlled data.
Known exploited
Sourced from CISA's Known Exploited Vulnerability (KEV) catalog.
- CVE-2026-28318 Published Jun 4, 2026
high 7.5
Exploit known
SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update.
- CVE-2026-45247 Published May 26, 2026
critical 9.3
Exploit known
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
- CVE-2010-0249 Published Jan 15, 2010
high 8.8
Exploit known
Microsoft Internet Explorer, Windows
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."
Insights
Our Security Team's most recent CVE analysis
- CVE-2026-41940
critical 9.3
Exploit known
Intruder Insights
Updated Apr 30, 2026
- CVE-2026-1340
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- CVE-2026-1281
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.