## Critical Zero-Day Alert: 3 New CVEs with CVSS 9.8+ Scores Target Webkul Krayin, Jellyfin, and Talend
A critical daily CVE report for April 15, 2026, reveals three new vulnerabilities with critical-severity CVSS scores of 9.8 and 9.9, despite zero total new CVEs being published in the last 24 hours. This indicates the active circulation of high-risk, unpatched exploits in the wild. The highest threat is a CVSS 9.9 flaw in Webkul Krayin CRM v2.2.x, where an authenticated arbitrary file upload via the `/admin/tinymce/upload` endpoint allows attackers to execute arbitrary code by uploading a crafted PHP file.

The second critical vulnerability, also scoring 9.9, affects the open-source media server Jellyfin in versions prior to 10.11.7. The flaw is a vulnerability chain within the subtitle upload endpoint (`POST /Videos/{itemId}/Subtitles`), specifically involving the `Format` field, which could lead to remote code execution. A third critical CVE, CVE-2026-6264 with a CVSS score of 9.8, impacts Talend JobServer and Talend Runtime, allowing unauthenticated attackers to compromise systems.

These vulnerabilities present immediate and severe risks to organizations using these specific software versions. The Webkul Krayin flaw enables authenticated attackers to gain full server control, while the Jellyfin chain threatens any publicly accessible media server instance. The incomplete description for the Talend vulnerability suggests a widespread attack surface for enterprise data integration platforms. Security teams must treat these as active exploitation risks, prioritizing patch application, endpoint monitoring, and network segmentation for affected systems.
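
For the endpoint monitoring mentioned above, the following added example (not code from the report or from any of the affected projects) scans web access logs for POST requests to the two upload endpoints the report names. It assumes Combined Log Format logs from a reverse proxy and applications served without a base-path prefix; the function names and sample lines are constructed for illustration. Access logs do not record the uploaded file name or the `Format` field, so each hit is a candidate for review, not a confirmed exploit.

```python
import re
from collections import defaultdict

# Endpoints named in the report; a POST to either deserves review on affected versions.
WATCHED = {
    "krayin-tinymce-upload": re.compile(r"^/admin/tinymce/upload/?$"),
    "jellyfin-subtitle-upload": re.compile(r"^/Videos/[^/]+/Subtitles/?$", re.IGNORECASE),
}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_hits(lines):
    """Return one dict per POST to a watched endpoint, in input order."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]  # ignore the query string
        for rule, pattern in WATCHED.items():
            if pattern.match(path):
                hits.append({"rule": rule, "ip": m["ip"], "ts": m["ts"],
                             "path": path, "status": int(m["status"])})
    return hits

def summarize(hits):
    """Count accepted (2xx) uploads per (rule, client IP) to prioritize review."""
    counts = defaultdict(int)
    for h in hits:
        if 200 <= h["status"] < 300:
            counts[(h["rule"], h["ip"])] += 1
    return dict(counts)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [15/Apr/2026:01:02:03 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [15/Apr/2026:01:02:09 +0000] "GET /admin/tinymce/upload HTTP/1.1" 405 0 "-" "-"',
    '203.0.113.9 - - [15/Apr/2026:01:05:00 +0000] "POST /Videos/0123abcd/Subtitles?x=1 HTTP/1.1" 204 0 "-" "-"',
    '203.0.113.9 - - [15/Apr/2026:01:05:04 +0000] "POST /Videos/0123abcd/Subtitles HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.4 - - [15/Apr/2026:01:06:00 +0000] "POST /Videos/0123abcd/PlaybackInfo HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_upload_hits(SAMPLE):
        print(hit)
    print(summarize(find_upload_hits(SAMPLE)))
```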
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Zero-Day, Critical Vulnerability, Remote Code Execution, Cybersecurity
- **Credibility**: unverified
- **Published**: 2026-04-15 02:22:28
- **ID**: 64689
- **URL**: https://whisperx.ai/en/intel/64689