Fourteen CVEs disclosed May 26, 2026 span npm, PyPI, and AI/ML package ecosystems including SAP CAP framework libraries (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service), Hugging Face Diffusers, lmdeploy, and the qs query-string parser. The most severe issues include worm-capable credential harvesting in SAP CAP dependencies and unauthenticated remote code execution in AI model deployment tooling. CVE-to-package mappings are unconfirmed in NVD and OSV as of analysis time; all specific mappings are LOW confidence and must be verified against npmjs.com advisories, PyPI.org, and upstream GitHub repositories before emergency patching.