Happy Friday, y'all!
This week, our team published two original vulnerability breakdowns on the VulnCheck blog: FOSSBilling Auth Bypass and Twig SSTI to Unauthenticated RCE and NVIDIA GEN3C: Unauthenticated RCE via Pickle Deserialization in the Inference API. Additionally, two Initial Access Intelligence deliverables saw their first known exploitation in our canary network: CVE-2026-42589 (Gotenberg) and CVE-2026-0769 (Langflow).
Otherwise, here's what the team accomplished this week:
The team developed an exploit for CVE-2026-28496, a pre-authentication remote code execution chain in FOSSBilling, the open-source self-hosted billing and client-management platform. Though perhaps not widely known, the software integrates with Stripe, PayPal, Mollie, and more. The team wrote a detailed breakdown of this vulnerability, and it has already surfaced in VulnCheck KEV.
Our exploit comes with a Docker target, encrypted and unencrypted PCAPs, Suricata and Snort rules, and a YARA rule.
This week the team developed an exploit for CVE-2026-44825, affecting Apache Solr 9.4.0-9.10.1 and 10.0.0. This vulnerability allows administrative access to affected targets using known default credentials. While this vulnerability is not currently a KEV entry, Apache Solr is a popular search platform that has been targeted in the past.
Our coverage includes the exploit, version scanner, encrypted and unencrypted PCAPs, network rules, and ASM queries. Our Shodan query suggests at least 1,900 exposed instances on the Internet.
The team developed an exploit for CVE-2026-0769, an unauthenticated remote code execution vulnerability in Langflow, an open-source web portal for building AI-powered applications and workflows. The vulnerability is only publicly disclosed as affecting Langflow 1.7.3, but our research has confirmed additional impacted versions ranging from 1.0.0 to 1.8.0rc2, which our exploit's version scanner covers. There are approximately 33,000 Langflow instances on the public Internet according to our Shodan query. Additionally, we observed exploitation of CVE-2026-0769 in VulnCheck Canaries on June 24, 2026, and it was subsequently added to the VulnCheck KEV list. It has not yet appeared on the CISA KEV.
The exploit comes with a target Docker container, PCAPs, ASM queries, and Snort and Suricata detection rules.
The team developed an exploit for CVE-2025-62515, an unauthenticated remote code execution vulnerability affecting versions 0.3.1 and below of pyquokka, an open-source Python framework for big-data analytics. pyquokka bundles an Apache Arrow Flight server that deserializes attacker-supplied data with Python's pickle module without any authentication, allowing an attacker who can reach the service to run arbitrary commands as the service account. No threat actors have been observed exploiting this vulnerability in the wild, and it does not currently appear on any KEV catalog. The Arrow Flight gRPC service is not currently fingerprinted by Shodan or Censys, so no ASM queries ship with this release.
Our exploit comes with a target Docker container, a PCAP, and Suricata and Snort detection rules.
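The pyquokka issue above is the classic pickle-on-the-wire pattern: `pickle.loads` will resolve any `module.name` global a client names, so a deserializer that must accept pickle from the network needs an allow-list. The example below is added here for illustration, is not pyquokka's or VulnCheck's code, and assumes a hypothetical service that only needs plain containers plus `collections.OrderedDict`; the sample pickles are constructed inline, and the "unsafe" one references the harmless builtin `len` to show how a global reference is caught.

```python
import io
import pickle
from collections import OrderedDict

# Globals the hypothetical service legitimately needs to resolve while
# unpickling. Anything else (builtins.eval, os.system, subprocess.Popen,
# or even the harmless builtins.len used in the sample below) is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allow-list of globals."""

    def find_class(self, module, name):
        # find_class is the single choke point through which every GLOBAL /
        # STACK_GLOBAL opcode (and thus every __reduce__ callable) is resolved.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_load(data: bytes):
    """Return (True, object) on success or (False, reason) when refused."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def unrestricted_loads(data: bytes):
    """What a service that calls pickle.loads directly does: no checks at all."""
    return pickle.loads(data)


# Constructed sample messages, as a client of the hypothetical service might send:
# plain containers, an allow-listed class, and a bare reference to a global.
BENIGN_PICKLE = pickle.dumps({"rows": [1, 2, 3], "name": "table"})
ORDERED_PICKLE = pickle.dumps(OrderedDict(a=1))
GLOBAL_REF_PICKLE = pickle.dumps(len)  # pickled by reference as builtins.len

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("ordered", ORDERED_PICKLE),
                        ("global-ref", GLOBAL_REF_PICKLE)]:
        print(label, safe_load(blob))
```

The default unpickler happily hands back `len` for the third message; in a real incident the referenced global is not a builtin you would want resolved, which is why the allow-list, not a deny-list, is the right shape.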
The team developed an exploit for CVE-2026-6279, an unauthenticated remote code execution vulnerability in the Avada Builder (Fusion Builder) WordPress plugin, which reportedly has more than one million active installations. Our FOFA query identified approximately 75,000 internet-exposed instances.
While this vulnerability is not yet known to be exploited in the wild, another Avada Builder vulnerability, CVE-2026-8713, was recently added to VulnCheck KEV, suggesting attackers are actively targeting this software. As a result, we believe exploitation of CVE-2026-6279 is highly likely.
The team delivered an exploit, version scanner, PCAPs, and Snort and Suricata detection rules.
The team also added coverage for CVE-2026-41679, a series of insufficient authorization checks that grant unauthenticated remote code execution in default installations of the AI agent orchestration platform PaperclipAI. No evidence of in-the-wild exploitation has been observed to date, though that may change given how easy this vulnerability is to exploit. Our Censys query returns just over 3,300 instances on the public Internet.
Coverage includes an exploit, Docker target, ASM queries, PCAPs, and a YARA rule.
The team developed an exploit for CVE-2025-26866, an unauthenticated deserialization vulnerability in Apache HugeGraph's Placement Driver (PD) server affecting versions 1.0.0 through 1.5.0. PD exposes its Raft RPC service over SOFABolt on TCP port 8610 with no authentication and deserializes incoming RPC bodies, enabling arbitrary code execution. Though the team has not yet observed exploitation of CVE-2025-26866 in the wild, multiple threat actors have been observed targeting Apache HugeGraph via CVE-2024-27348, which appears on both the VulnCheck KEV and CISA KEV lists and was first observed in VulnCheck Canaries data on October 17, 2025.
Our exploit ships with an unencrypted PCAP, a Docker target, and Suricata and Snort rules.