Vulnerability Management

Critical Redis vulnerability CVE-2026-23479 allows remote code execution

June 4, 2026
By SC Staff

A critical remote code execution vulnerability, tracked as CVE-2026-23479, has been discovered in Redis, a popular in-memory data structure store. This flaw, present since Redis version 7.2.0, remained undetected for over two years before being publicly disclosed, according to a recent report by The Hacker News.

The vulnerability, rated 8.8 by CVSS 3.1 and 7.7 by CVSS 4.0, resides in the unblockClientOnKey() function within src/blocked.c. It is a use-after-free flaw that occurs when a client pointer is used after it has been freed as a side effect of processing a command. The issue was introduced through two commits in early 2023 and made its way into stable releases.

The exploit chain, demonstrated by Team Xint Code, begins with a Lua script to leak a heap pointer, followed by manipulating client memory to achieve a use-after-free. Subsequently, it overwrites a function pointer in the Global Offset Table to redirect execution to system(), enabling remote code execution.

The vulnerability requires an authenticated session with specific ACL privileges, which are often granted to default users in many cloud deployments. Wiz's analysis highlights that Redis is prevalent in cloud environments, with many instances running without passwords, increasing the attack surface.

Redis has released patches, including versions 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3, and urges users to upgrade immediately. Mitigation strategies include restricting public internet access, tightening ACLs, and denying scripting if Lua is not in use.
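The following is an added defender-side example, not code from the article, Redis, or the researchers it cites. It turns the advisory's facts into an offline audit: it classifies a server's reported version against the fixed releases named above (7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3; affected since 7.2.0), and it inspects ACL rule lines for the two weaknesses the article calls out, passwordless users and scripting left enabled. The ACL evaluator is a simplified model (assumption: only +/-@category and +/-command selectors, processed left to right, as in ACL SETUSER); treat branches the advisory does not list as needing manual review. The sample INFO output and ACL lines are constructed for the demonstration.

```python
"""Offline audit helpers for CVE-2026-23479 (added example, not Redis's own code)."""
import re

# Fixed releases named in the advisory, keyed by major.minor branch.
FIXED_RELEASES = {
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}
FIRST_AFFECTED = (7, 2, 0)

# Commands in Redis's @scripting ACL category (Lua EVAL family, SCRIPT, FUNCTION, FCALL).
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                      "script", "function", "fcall", "fcall_ro"}


def parse_version(text):
    """'7.2.13' -> (7, 2, 13); raises on anything that is not X.Y.Z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version):
    """Classify a version string against the advisory's fixed releases."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"          # flaw introduced in 7.2.0
    fix = FIXED_RELEASES.get(v[:2])
    if fix is None:
        return "unknown_branch"        # assumption: not listed in the advisory, review manually
    return "patched" if v >= fix else "vulnerable"


def version_from_info(info_text):
    """Extract redis_version from the text returned by the INFO server command."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def acl_findings(rule):
    """Simplified ACL rule evaluation. Returns (passwordless, scripting_allowed).

    Accepts either an ACL LIST line ('user NAME ...') or a bare rule string.
    Assumption: only on/off, nopass, >pass, #hash, +/-@all, +/-@scripting and
    +/-<command> selectors are modelled; other tokens (key/channel patterns) are ignored.
    """
    tokens = rule.split()
    if tokens and tokens[0].lower() == "user":
        tokens = tokens[2:]            # drop 'user' and the username
    passwordless = False
    allowed = set()                    # scripting commands this user may run
    for tok in tokens:
        low = tok.lower()
        if low == "nopass":
            passwordless = True
        elif low.startswith(">") or low.startswith("#"):
            passwordless = False       # plaintext or hashed password configured
        elif low in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif low in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif low.startswith("+") and low[1:] in SCRIPTING_COMMANDS:
            allowed.add(low[1:])
        elif low.startswith("-") and low[1:] in SCRIPTING_COMMANDS:
            allowed.discard(low[1:])
    return passwordless, bool(allowed)


def audit(info_text, acl_lines):
    """Return a list of human-readable findings for one server."""
    findings = []
    version = version_from_info(info_text)
    findings.append(f"version {version}: {version_status(version)}")
    for line in acl_lines:
        name = line.split()[1] if line.lower().startswith("user ") else "<rule>"
        passwordless, scripting = acl_findings(line)
        if passwordless:
            findings.append(f"user {name}: no password set")
        if scripting:
            findings.append(f"user {name}: scripting (@scripting) allowed; add -@scripting if Lua is unused")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not captured from a real deployment.
    SAMPLE_INFO = "# Server\r\nredis_version:7.2.13\r\nredis_mode:standalone\r\n"
    SAMPLE_ACL = [
        "user default on nopass ~* &* +@all",                         # weak: Redis-style open default
        "user app on >REPLACE_WITH_SECRET ~app:* &* +@all -@scripting",  # hardened: password, no Lua
    ]
    for f in audit(SAMPLE_INFO, SAMPLE_ACL):
        print(f)
```

Run it against the output of `INFO server` and `ACL LIST` collected from your own instances; a user that needs Lua should keep `+@scripting` but still have a password and a key pattern narrower than `~*`.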
Source: The Hacker News