Critical vulnerabilities 2026: CVEs affecting your stack
> TL;DR: Laravel, WordPress, Supabase, Node.js — critical vulnerabilities identified in 2026.
The 2026 threat landscape
35 CVEs attributed to AI code in March 2026. Applications built with Cursor, Lovable and Bolt are particularly affected.
WordPress
Plugins remain the weak link. ACF, WPForms, Elementor vulnerabilities exposed millions of sites.
Laravel
Ziggy route exposure, Debugbar in production, API endpoints without auth middleware.
Supabase
RLS errors remain vulnerability #1. Tables without policies, USING(true), unprotected RPC functions.
Node.js & n8n
n8n had 6 critical CVEs in 3 months early 2026.
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Dangerous CVEs by Ecosystem: the 2026 guide for Java, PHP, JavaScript, Python, Go, .NET, and more
A clustered view of the most important CVEs by software ecosystem, with links to each detailed analysis. A cornerstone page designed around broader search intent.
CVE-2026-32541: Next.js middleware bypass — analysis and fix
A critical vulnerability in Next.js middleware allowed authentication bypass. Technical analysis of the flaw and fix guide for HR SaaS vendors.
Cybersecurity review Q1 2026: the most exploited flaws in France
Data breach summary, most exploited CVEs, affected sectors, and vibe coding impact in Q1 2026.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.