HiddenLayer has disclosed a maximum-severity unauthenticated remote-code-execution vulnerability, CVE-2026-45829, in ChromaDB's Python FastAPI server. ChromaDB is one of the most popular vector databases backing retrieval-augmented-generation pipelines, with about 14 million monthly PyPI downloads. A vulnerable endpoint marked as authenticated lets an attacker embed model settings before authentication is checked, so a crafted request makes ChromaDB load a malicious model from Hugging Face and execute it locally. The auth check fires only after the payload has already run. The bug was introduced in 1.0.0 and was still present in 1.5.8. HiddenLayer's Shodan sweep shows ~73% of internet-exposed Chroma instances are vulnerable.
Researchers have disclosed a chain of vulnerabilities in SEPPmail Secure Email Gateway that lets an attacker turn unauthenticated web requests into remote code execution by inflating the SEPPMaillog file past its 10,000 KB limit, which forces newsyslog to rotate logs and signal syslogd to reload its configuration. Combined with the other flaws in the chain, the attacker reads all mail traffic on the appliance and persists indefinitely. SEPPmail has patched CVE-2026-44128 in version 15.0.2.1, CVE-2026-44126 in 15.0.3, and the rest in 15.0.4. The disclosure follows last month's CVE-2026-27441 (CVSS 9.5) OS command-execution fix in the same appliance.
The 18-year-old heap overflow in NGINX's rewrite module, CVE-2026-42945, disclosed last week as part of the 'Rift' bug cluster, is now seeing real exploitation attempts. AI-native security firm VulnCheck says its honeypot networks have caught attackers probing the flaw, though the goal of the campaigns is not yet clear. The vulnerability lets an unauthenticated attacker crash NGINX worker processes by sending crafted HTTP requests. Turning that crash into remote code execution requires the target host to have Address Space Layout Randomization (ASLR) disabled, which is uncommon by default, but the worker-crash denial-of-service is exploitable on its own and rated urgent.
VulnCheck says attackers are chaining three critical bugs (CVE-2026-28515, CVE-2026-28517, CVE-2026-28516) in openDCIM, an open-source data center management web app, to drop PHP web shells on exposed installs. All three rate CVSS 9.3 and cover missing authorization, OS command injection, and SQL injection. They can be combined over five HTTP requests to land a reverse shell. The activity comes from a single Chinese IP using what VulnCheck describes as a customized version of Vulnhuntr, a public AI-driven vulnerability discovery tool. The campaign is one of the first publicly documented cases of an open-source AI vuln scanner being repurposed for real-world exploitation.
An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.
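A config audit for the directive pattern described above, as an added example that is not code from the researchers or from NGINX. It assumes the question mark sits in the rewrite's replacement string and that "followed by" means a later `rewrite`, `if` or `set` in the same block; the page does not specify either, so treat hits as candidates for review and patching priority.

```python
import re

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|[^\s{};"\'#]+')
UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')  # "(" that is neither escaped nor "(?..."
FOLLOWERS = {"rewrite", "if", "set"}            # directives named in the write-up

def parse_blocks(text):
    """Yield every { } block (and the top level) as a list of (name, args, line)."""
    stack, words = [[]], []
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith("#"):          # comment runs to end of line
            continue
        if tok in (";", "{"):            # both end the directive being collected
            if words:
                stack[-1].append((words[0][0], [w for w, _ in words[1:]], words[0][1]))
            words = []
            if tok == "{":
                stack.append([])
        elif tok == "}":
            if len(stack) > 1:           # ignore a stray closing brace
                yield stack.pop()
        else:
            words.append((tok.strip("\"'"), text.count("\n", 0, m.start()) + 1))
    yield from stack                     # top level plus any unclosed blocks

def find_risky_rewrites(text):
    """Assumption: '?' is in the replacement and the follower is later in the same block."""
    hits = []
    for block in parse_blocks(text):
        for i, (name, args, line) in enumerate(block):
            later = [n for n, _, _ in block[i + 1:] if n in FOLLOWERS]
            if (name == "rewrite" and len(args) >= 2 and later
                    and UNNAMED_GROUP.search(args[0]) and "?" in args[1]):
                hits.append((line, later[0]))
    return sorted(hits)

# Constructed sample config (not taken from any real deployment).
SAMPLE = r'''
location /api/ { rewrite ^/api/v1/(.*)$ /backend.php?path=$1 break; }
location /shop/ {
    rewrite ^/shop/(\d+)/(.*)$ /item?id=$1&slug=$2;
    set $section shop;
}
location /named/ {
    rewrite ^/named/(?<id>\d+)$ /item?id=$id;
    set $section named;
}
'''
if __name__ == "__main__":
    print(find_risky_rewrites(SAMPLE))
```

Only the `/shop/` rewrite is reported: `/api/` has no following directive in its block and `/named/` uses a named capture.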
Researchers at Cyera disclosed a critical bug in Ollama, the open-source tool that runs large language models locally on laptops and servers. The flaw, called Bleeding Llama (CVE-2026-7482), lets anyone with network access send a malformed model file and read raw process memory back - which typically contains API keys, environment variables, system prompts, and other users' chat history. Ollama ships without authentication by default, so an estimated 300,000 instances are exposed on the internet. Ollama 0.17.1 fixes it. Separately, Striga disclosed two unpatched Ollama Windows desktop flaws (CVE-2026-42248 and CVE-2026-42249) that chain into persistent code execution at login.
Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server immediately, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames including an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The MPM prefork worker is not affected. Researchers warn practical RCE requires an info leak and probabilistic heap spray, but in lab conditions execution lands in minutes.
Google patched a critical flaw, rated CVSS 10.0, in Gemini CLI, the command-line tool developers use to interact with Gemini models from CI pipelines and dev workstations. The bug let an attacker execute arbitrary code on the developer's machine by feeding crafted input to the CLI - specifically through the same pattern that compromised LiteLLM and several other AI tools recently. A separate but related set of flaws in Cursor, the AI-powered IDE, also enables code execution. The pattern across all these AI dev tools is the same: input validation gaps where attacker-controlled prompts or model output reach a shell or code execution path.
Update on the GitHub flaw covered yesterday: Wiz, who found the bug, published its full disclosure showing 88% of self-hosted GitHub Enterprise Servers were still unpatched at public disclosure on April 28. The bug let any user with push access to one repository run code on the GitHub server itself with a single 'git push'. On GitHub.com, the same bug exposed millions of public and private repositories belonging to other users sharing the same storage node. GitHub.com was patched within 75 minutes, but Enterprise Server installs need patching manually. Wiz found the bug using AI-augmented reverse engineering on closed-source GitHub binaries.
Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.