Vulnerability Summary for the Week of May 11, 2026

2026-05-18 22:05

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source Info	Patch Info
acl–ACL Analytics	ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Attackers can use bitsadmin to download malicious PowerShell scripts and execute them with system privileges to establish reverse shells and gain complete system control.	2026-05-17	9.8	CVE-2018-25320	ExploitDB-44281 Official Product Homepage Product Reference VulnCheck Advisory: ACL Analytics 11.x – 13.0.0.579 Arbitrary Code Execution
gitbucket–GitBucket	GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint.	2026-05-17	9.8	CVE-2018-25332	ExploitDB-44668 Official Product Homepage Product Reference VulnCheck Advisory: GitBucket 4.23.1 Unauthenticated Remote Code Execution
peugeot-music-plugin–Peugeot Music	WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the ‘name’ parameter to execute code from the uploads directory.	2026-05-17	9.8	CVE-2018-25335	ExploitDB-44737 VulnCheck Advisory: WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload
Paiement–Ecommerce Systempay	Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.	2026-05-13	9.8	CVE-2020-37168	ExploitDB-48017 Official Product Homepage Product Reference VulnCheck Advisory: Ecommerce Systempay 1.0 Production Key Brute Force
Yerootech–iDS6 DSSPro Digital Signage System	iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA se […] Content was cut in order to protect the source.Please visit the source for the rest of the article. This article has been indexed from Bulletins Read the original article: Vulnerability Summary for the Week of May 11, 2026 Share this: Facebook X LinkedIn Like this: Like Loading… Related Tags: Bulletins EN Post navigation ← OpenClaw Vulnerabilities Could Enable Full AI Agent Takeover 10 Top OSINT Tools Every Investigator Should Know in 2026 → Search for: Pages Advertising Contact Legal and Contact information Opt-out preferences Privacy Policy Social Media Telegram Channel Recent Posts Securing Everything: Mapping the Right Identity and Access Protocol (OIDC, OAuth2, and SAML) to the Right Identity May 18, 2026 CISA Admin Leaked AWS GovCloud Keys on Github May 18, 2026 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th) May 18, 2026 CVE-2026-42945: Mitigating a Critical Heap Buffer Overflow Vulnerability in NGINX May 18, 2026 10 Top OSINT Tools Every Investigator Should Know in 2026 May 18, 2026 Vulnerability Summary for the Week of May 11, 2026 May 18, 2026 OpenClaw Vulnerabilities Could Enable Full AI Agent Takeover May 18, 2026 NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people May 18, 2026 Grafana confirms GitHub token breach cybercrime group claims the attack May 18, 2026 New Reaper Malware Uses Fake Microsoft Domain to Steal macOS Passwords May 18, 2026 Banned Nvidia AI Chips Keep Reaching China Despite US Crackdown May 18, 2026 Apple’s Siri Revamp May Add Auto-Deleting Chats May 18, 2026 Device Code Phishing Targets Microsoft 365 Users May 18, 2026 Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild May 18, 2026 AI is drowning software maintainers in junk security reports May 18, 2026 INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests May 18, 2026 The 6 Best Enterprise Password Managers You’ll Actually Trust in 2026 May 18, 2026 Secure, Fast, Reliable: The Best Cloud Storage Providers for Businesses in 2026 May 18, 2026 How to better protect your growing business in an AI-powered world May 18, 2026 Game over for 74 suspected scammers after Dutch cops plastered their faces on billboards May 18, 2026 Copyright © 2026 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com. Manage Consent To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Functional Functional Always active The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. Preferences Preferences The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. Statistics Statistics The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you. Marketing Marketing The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. Manage options Manage services Manage {vendor_count} vendors Read more about these purposes View preferences {title} {title} {title}