Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

Most Critical CVE List from the Last 3 Days

Below are the critical vulnerabilities published in recent days by the National Vulnerability Database (NVD). Exercise maximum caution to prevent potential exploitation.
Single vulnerability search

10/07/2026

Unknown

HIGH (8.5)
CVE-2026-55789
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP...
Vendor/s:

Full Description

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0.

CVSS Metrics v3.1

  • Impact: Confid.: LOW, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
  • Exploitability/Impact Score: 3.1 / 4.7
CRITICAL (9.8)
CVE-2026-5801
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd....
Vendor/s:

Full Description

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line Execution through SQL Injection. This issue affects SEM-PMP: through 23042026.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 10/07/2026 19:17:27
Last Modified: 10/07/2026 20:16:48

Sources and References

HIGH (8.8)
CVE-2026-61460
Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows...
Vendor/s:

Full Description

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-61461
Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary...
Vendor/s:

Full Description

Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the search_by_full_text method without escaping or parameterization. Attackers can inject malicious SQL through the search parameters to read, modify, or delete data in the underlying ClickHouse database.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-6212
Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14...
Vendor/s:

Full Description

Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 10/07/2026 19:17:27
Last Modified: 10/07/2026 20:16:49

Sources and References

CRITICAL (9.6)
CVE-2026-59151
Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a...
Vendor/s:

Full Description

Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/backend/api/v1/views.py recalculated the tenant from user.email instead of binding token issuance to the validated SAML configuration. An authenticated attacker with a controlled SAML IdP could complete a valid SAML flow for an attacker-controlled domain while asserting an email address from another configured domain, causing a SAMLToken and tenant-scoped JWT to be issued for the wrong tenant and enabling cross-tenant account takeover. This issue is fixed in version 5.30.3.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.1 / 5.8
HIGH (8.8)
CVE-2025-30007
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as...
Vendor/s:

Full Description

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is_dns_record_format_valid() combined with unsafe eval-based parsing in update_domain_zone() to prematurely close a variable assignment string and achieve full root code execution on the underlying host in a single DNS record creation step.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.8)
CVE-2026-2397
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Adam Retail Automation Ltd. MobilMen 20T...
Vendor/s:

Full Description

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows SQL Injection. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 10/07/2026 18:16:20
Last Modified: 10/07/2026 19:17:22

Sources and References

HIGH (8.6)
CVE-2026-55638
9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js...
Vendor/s:

Full Description

9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2.

CVSS Metrics v3.1

  • Impact: Confid.: LOW, Integ.: LOW, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  • Exploitability/Impact Score: 3.9 / 4.7
CRITICAL (9.1)
CVE-2026-51119
An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components
Vendor/s:

Full Description

An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2

Additional Information

Published on: 10/07/2026 17:16:57
Last Modified: 10/07/2026 19:17:23

Sources and References

HIGH (8.8)
CVE-2026-2398
Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation. This issue affects MobilMen 20T:...
Vendor/s:

Full Description

Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 10/07/2026 17:16:56
Last Modified: 10/07/2026 18:16:20

Sources and References

CRITICAL (9.9)
CVE-2026-55500
9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all...
Vendor/s:

Full Description

9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6
HIGH (8.8)
CVE-2026-54149
MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing...
Vendor/s:

Full Description

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not consistently validate MCP transport type, allowing an authenticated user to import a .tool file containing stdio transport with malicious commands and trigger the configuration through an AI Chat node so MultiServerMCPClient executes arbitrary system commands. This issue is fixed in version 2.10.0-lts.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.3)
CVE-2026-15143
A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an...
Vendor/s:

Full Description

A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file reads, potentially resulting in sensitive information disclosure, such as cloud provider credentials or access to internal network services.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: LOW, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • Exploitability/Impact Score: 3.9 / 4.7

Additional Information

Published on: 10/07/2026 16:16:25
Last Modified: 10/07/2026 17:49:57

Sources and References

HIGH (8.8)
CVE-2026-61434
PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that allows attackers to execute restricted commands...
Vendor/s:

Full Description

PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that allows attackers to execute restricted commands via find's built-in -exec, -execdir, and -delete actions. Attackers can craft find commands with these built-in actions to read blocked files, delete files, or execute non-allowlisted binaries without triggering shell metacharacter filters.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.1)
CVE-2026-61444
PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an...
Vendor/s:

Full Description

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / HIGH
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.3 / 6

Additional Information

Published on: 10/07/2026 15:16:50
Last Modified: 10/07/2026 17:41:47

Sources and References

CRITICAL (9.8)
CVE-2026-56765
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling...
Vendor/s:

Full Description

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (10.0)
CVE-2026-54769
Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading...
Vendor/s:

Full Description

Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` capabilities. When these agents evaluate LLM-generated tool messages with `full_eval=True`, they attempt to sandbox the execution by explicitly setting `locals` to an empty dictionary `{}` inside Python's `eval()` function. However, this relies on an incomplete understanding of Python's execution model. Because `__builtins__` is not explicitly scrubbed from the `globals` dictionary mapping, Python implicitly injects all built-ins during execution, granting full access to functions like `__import__('os').system()`. Since `TableChatAgent.pandas_eval()` executes external LLM outputs natively, this bypass permits any attacker providing prompt payload to achieve unauthenticated RCE on the host system. Version 0.65.2 patches the issue.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

Additional Information

Published on: 10/07/2026 00:16:33
Last Modified: 10/07/2026 15:49:19

Sources and References

WordPress

CRITICAL (9.1)
CVE-2026-15300
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in...
Vendor/s: WordPress

Full Description

The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw_locations_query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc_sql() only escapes string delimiters and these positions are numeric, payloads such as `1 OR SLEEP(3)` survived sanitization. Fixed in 4.5.5 by adding an upstream is_numeric() guard that short-circuits the WHERE clause to `AND 1 = 0` when either coordinate is non-numeric, and by replacing the three esc_sql() calls with (float) casts.

CRITICAL (9.8)
CVE-2026-15282
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the...
Vendor/s: WordPress

Full Description

The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.8)
CVE-2026-14894
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all...
Vendor/s: WordPress

Full Description

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.8)
CVE-2026-15070
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up...
Vendor/s: WordPress, php

Full Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file within the plugin directory, enabling remote code execution on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. sanitize_text_field() is applied to the POST 'value' parameter but does not neutralize the characters — single quotes, parentheses, semicolons, $, and [] — required to break out of the PHP string literal into which the value is interpolated before being written to disk via file_put_contents().

php

HIGH (8.8)
CVE-2026-15070
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up...
Vendor/s: WordPress, php

Full Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file within the plugin directory, enabling remote code execution on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. sanitize_text_field() is applied to the POST 'value' parameter but does not neutralize the characters — single quotes, parentheses, semicolons, $, and [] — required to break out of the PHP string literal into which the value is interpolated before being written to disk via file_put_contents().

Apache

CRITICAL (9.1)
CVE-2026-40005
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. An attacker can write arbitrary files...
Vendor/s: Apache

Full Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. An attacker can write arbitrary files anywhere the IoTDB process has write permissions with unsafe API. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2

Additional Information

Published on: 10/07/2026 08:16:22
Last Modified: 10/07/2026 16:16:29

Sources and References

CRITICAL (9.8)
CVE-2026-40008
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified...
Vendor/s: Apache

Full Description

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 10/07/2026 08:16:22
Last Modified: 10/07/2026 16:16:30

Sources and References

CRITICAL (9.8)
CVE-2026-28564
Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache...
Vendor/s: Apache

Full Description

Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 10/07/2026 08:16:21
Last Modified: 10/07/2026 16:16:28

Sources and References

Kubernetes

CRITICAL (9.8)
CVE-2026-61459
MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to...
Vendor/s: Kubernetes

Full Description

MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.3)
CVE-2026-15378
A flaw was found in the `guardrails-detectors` component. This vulnerability allows a remote attacker to perform a blind Server-Side Request...
Vendor/s: Kubernetes

Full Description

A flaw was found in the `guardrails-detectors` component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery (SSRF) by submitting a specially crafted XML Schema Definition (XSD) string. This can lead to unauthorized access to sensitive information, including credentials from cloud metadata services, Kubernetes API, internal MinIO, and other internal network endpoints. Additionally, it enables local file reads of critical data such as service account tokens and pod secrets.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: LOW, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • Exploitability/Impact Score: 3.9 / 4.7

Additional Information

Published on: 10/07/2026 10:16:23
Last Modified: 10/07/2026 17:49:57

Sources and References

Dell

HIGH (8.8)
CVE-2026-54469
Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with...
Vendor/s: Dell

Full Description

Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.1)
CVE-2026-56688
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS...
Vendor/s: Dell

Full Description

Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / HIGH
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.3 / 6

Additional Information

Published on: 10/07/2026 12:17:23
Last Modified: 10/07/2026 17:17:01

Sources and References

HIGH (8.5)
CVE-2026-56690
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL...
Vendor/s: Dell

Full Description

Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: LOW, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
  • Exploitability/Impact Score: 3.1 / 4.7

Additional Information

Published on: 10/07/2026 12:17:23
Last Modified: 10/07/2026 15:45:33

Sources and References

Docker

HIGH (8.6)
CVE-2026-56261
Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which...
Vendor/s: Docker

Full Description

Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: NONE, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Exploitability/Impact Score: 3.9 / 4

Jetbrains

CRITICAL (9.6)
CVE-2026-59792
In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible
Vendor/s: Jetbrains

Full Description

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: LOW
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 10/07/2026 15:16:48
Last Modified: 10/07/2026 18:51:28

Sources and References

HIGH (8.8)
CVE-2026-59793
In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration
Vendor/s: Jetbrains

Full Description

In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 10/07/2026 15:16:48
Last Modified: 10/07/2026 18:49:40

Sources and References

Snipeitapp

HIGH (8.5)
CVE-2026-54329
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the...
Vendor/s: Snipeitapp

Full Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2.

CVSS Metrics v3.1

  • Impact: Confid.: NONE, Integ.: HIGH, Avail.: LOW
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
  • Exploitability/Impact Score: 3.1 / 4.7

09/07/2026

Microsoft

CRITICAL (9.3)
CVE-2026-47646
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to...
Vendor/s: Microsoft

Full Description

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.8 / 5.8

Additional Information

Published on: 09/07/2026 00:17:23
Last Modified: 09/07/2026 19:17:05

Sources and References

WordPress

HIGH (8.8)
CVE-2026-13492
The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is...
Vendor/s: WordPress

Full Description

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function (which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.

HIGH (8.8)
CVE-2026-4275
The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request...
Vendor/s: WordPress

Full Description

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, which bypasses WordPress's built-in REST API nonce verification. Although the endpoint callbacks contain internal current_user_can() checks, the absence of nonce verification means that a forged cross-site request from a logged-in administrator's browser will pass the capability check via the admin's session cookies. This makes it possible for unauthenticated attackers to install arbitrary plugins from WordPress.

CRITICAL (9.8)
CVE-2026-15158
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46...
Vendor/s: WordPress

Full Description

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or .ttf as a substring via strpos() rather than validating that those strings appear as the final extension via PATHINFO_EXTENSION — allowing double-extension filenames such as shell.woff2.php to pass MIME validation and be handled as permitted font files. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. This vulnerability is only exploitable when the premium version of the plugin (blocksy-companion-pro) is installed with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active; the free blocksy-companion plugin does not contain the vulnerable code paths.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.8)
CVE-2026-14245
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account...
Vendor/s: WordPress

Full Description

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side verification that the OTP validation step was completed, and relying solely on a public `form_nonce` nonce that the plugin itself emits to unauthenticated visitors via the `moumprvar` JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled `username_b` parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. This makes it possible for unauthenticated attackers to obtain a freshly generated password-reset URL for an arbitrary Administrator account — returned in a 302 `Location` header — and use it to take full control of that account. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the plugin to not be configured for phone-only reset.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.8)
CVE-2026-5523
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This...
Vendor/s: WordPress

Full Description

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 09/07/2026 06:16:21
Last Modified: 09/07/2026 16:20:12

Sources and References

Unknown

CRITICAL (9.1)
CVE-2026-58122
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on...
Vendor/s:

Full Description

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2
CRITICAL (9.8)
CVE-2026-58123
Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands...
Vendor/s:

Full Description

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.6)
CVE-2026-55604
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the...
Vendor/s:

Full Description

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via `deepseek_sessions`, then reuse a victim-controlled `session_id` in `deepseek_chat` to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: LOW, Avail.: LOW
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
  • Exploitability/Impact Score: 3.9 / 4.7
HIGH (8.8)
CVE-2026-55207
Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows...
Vendor/s:

Full Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-59148
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on...
Vendor/s:

Full Description

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: * with write methods allowed, and has no authentication. Any unauthenticated caller who can reach the mock server port can read MOCKOON_* environment variables, write arbitrary process environment variables through /mockoon-admin/env-vars, rewrite mock route bodies, statuses, and headers through PUT /mockoon-admin/environment, read transaction logs and SSE streams, and purge state. This issue is fixed in version 9.7.0.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-59734
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_check_path parameters into shell commands without proper sanitization, allowing authenticated users to execute arbitrary commands inside deployment containers. This issue is fixed in version 4.0.0-beta.469.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.1)
CVE-2026-59826
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did...
Vendor/s:

Full Description

Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / HIGH
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.3 / 6
CRITICAL (9.9)
CVE-2026-59827
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with...
Vendor/s:

Full Description

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6
HIGH (8.8)
CVE-2026-58378
Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for...
Vendor/s:

Full Description

Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 09/07/2026 18:16:54
Last Modified: 09/07/2026 19:19:56

Sources and References

CRITICAL (9.1)
CVE-2026-51597
MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network...
Vendor/s:

Full Description

MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2
CRITICAL (9.8)
CVE-2026-51599
An insufficient input validation vulnerability in the RTSP service of MERCURY MIPC252W v1.0.5 Build 230306 Rel.79931n allows an unauthenticated remote...
Vendor/s:

Full Description

An insufficient input validation vulnerability in the RTSP service of MERCURY MIPC252W v1.0.5 Build 230306 Rel.79931n allows an unauthenticated remote attacker to render an individual TCP connection temporarily unusable via sending an RTSP request with a Content-Length header but no corresponding message body. The affected RTSP parser enters a body-waiting state instead of rejecting the malformed request, causing all subsequent data on the connection to be silently consumed as body content until a server-side timeout closes the connection.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.1)
CVE-2026-14261
A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/...
Vendor/s:

Full Description

A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2
CRITICAL (9.8)
CVE-2026-5955
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret...
Vendor/s:

Full Description

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection. This issue affects BiEticaret: before v3.3.57.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 09/07/2026 10:16:27
Last Modified: 09/07/2026 16:21:30

Sources and References

CRITICAL (9.3)
CVE-2026-2342
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This...
Vendor/s:

Full Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.8 / 5.8

Additional Information

Published on: 09/07/2026 10:16:25
Last Modified: 09/07/2026 16:21:30

Sources and References

HIGH (8.8)
CVE-2026-47830
Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT...
Vendor/s:

Full Description

Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

CVSS Metrics v3.0

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2 / 6

Additional Information

Published on: 09/07/2026 07:16:24
Last Modified: 09/07/2026 16:39:17

Sources and References

HIGH (8.8)
CVE-2026-47826
The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate...
Vendor/s:

Full Description

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4.

CVSS Metrics v3.0

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 09/07/2026 07:16:23
Last Modified: 09/07/2026 16:39:17

Sources and References

Balbooa

CRITICAL (9.8)
CVE-2026-56291
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads...
Vendor/s: Balbooa

Full Description

The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

php

HIGH (8.8)
CVE-2026-58143
Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by...
Vendor/s: php

Full Description

Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler, which never invokes the application's CSRF validation function. Attackers can disable the PFS module's file extension whitelist by setting pfsfilecheck to 0, enabling any user with PFS access to upload and execute arbitrary PHP files on the server.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 09/07/2026 22:17:09
Last Modified: 10/07/2026 17:56:00

Sources and References

CRITICAL (9.8)
CVE-2026-12116
A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings,...
Vendor/s: php

Full Description

A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Docker

CRITICAL (10.0)
CVE-2026-59726
Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP...
Vendor/s: Docker

Full Description

Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminal_execute, obtain a shell in the bridge container, read provider API keys, and poison AgentDB learning-store patterns. This issue is fixed in version 3.16.3.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

08/07/2026

Coder

HIGH (8.7)
CVE-2026-55429
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites...
Vendor/s: Coder

Full Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert. Exploitation requires elevated access as a template author or external provisioner operator. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment. No known workarounds are available.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / HIGH
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.3 / 5.8

Unknown

CRITICAL (10.0)
CVE-2026-54782
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and...
Vendor/s:

Full Description

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed tokens when IdentityConfiguration is used with federated bindings, allowing an unauthenticated remote attacker to impersonate any principal the trusted STS could issue. This issue is fixed in versions 1.8.1 and 1.9.1.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.8
HIGH (8.8)
CVE-2026-59723
Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub...
Vendor/s:

Full Description

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOM_SECRET is unset for local 127.0.0.1 binds, isAuthorizedBrowserRequest() allows attacker-controlled websites to send desktopCommand frames that read workspace state, mutate MCP and provider settings, and trigger command execution when a provider or model is configured. This issue is fixed in version 3.0.30.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.1 / 6
CRITICAL (9.8)
CVE-2026-52200
An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the...
Vendor/s:

Full Description

An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 08/07/2026 22:17:15
Last Modified: 09/07/2026 17:02:37

Sources and References

CRITICAL (9.8)
CVE-2026-44024
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on....
Vendor/s:

Full Description

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.6)
CVE-2026-60105
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist...
Vendor/s:

Full Description

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: NONE, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Exploitability/Impact Score: 3.9 / 4

Additional Information

Published on: 08/07/2026 21:16:54
Last Modified: 10/07/2026 18:46:32

Sources and References

HIGH (8.6)
CVE-2026-58192
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior...
Vendor/s:

Full Description

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.

CVSS Metrics v3.1

  • Impact: Confid.: NONE, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 4
HIGH (8.7)
CVE-2026-55596
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider...
Vendor/s:

Full Description

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.3 / 5.8
HIGH (8.7)
CVE-2026-60104
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller,...
Vendor/s:

Full Description

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.3 / 5.8
HIGH (8.8)
CVE-2026-58253
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and...
Vendor/s:

Full Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.

CVSS Metrics v3.1

  • Impact: Confid.: LOW, Integ.: HIGH, Avail.: LOW
  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
  • Exploitability/Impact Score: 2.8 / 5.3
HIGH (8.8)
CVE-2026-60102
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the...
Vendor/s:

Full Description

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.3)
CVE-2026-59702
repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound...
Vendor/s:

Full Description

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to access private network addresses, GCP metadata services, or local filesystem paths.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: LOW, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • Exploitability/Impact Score: 3.9 / 4.7
CRITICAL (9.6)
CVE-2026-15062
SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to...
Vendor/s:

Full Description

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API by supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query, or by including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv(). Successful exploitation may result in source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.1 / 5.8

Additional Information

Published on: 08/07/2026 15:16:26
Last Modified: 09/07/2026 16:39:17

Sources and References

HIGH (8.8)
CVE-2026-15067
Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input...
Vendor/s:

Full Description

Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltration and minting of long-lived access credentials. Exploitation requires the ability for an attacker to influence a workspace variable in a pipeline where this data source was enabled. Improper neutralization of identifier content in user resource inputs could allow DDL injection into user management statements, potentially causing accounts to be created with attacker-controlled credentials and without the security controls configured by the operator. The fix is available in Snowflake Terraform Provider version 2.18.0. Users must manually upgrade.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 15:16:26
Last Modified: 09/07/2026 16:39:17

Sources and References

CRITICAL (9.1)
CVE-2026-54061
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external...
Vendor/s:

Full Description

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and send Badger stream data to the target group’s store. In addition, the receiver calls `Prepare()` before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.

CVSS Metrics v3.1

  • Impact: Confid.: NONE, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.2
CRITICAL (9.8)
CVE-2026-8307
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows...
Vendor/s:

Full Description

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 08/07/2026 13:16:57
Last Modified: 09/07/2026 10:16:27

Sources and References

HIGH (8.5)
CVE-2026-56002
A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8  allows attackers authenticated as X client...
Vendor/s:

Full Description

A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8  allows attackers authenticated as X client to execute code within the X server.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 1.8 / 6

Additional Information

Published on: 08/07/2026 10:16:23
Last Modified: 09/07/2026 16:39:17

Sources and References

CRITICAL (9.8)
CVE-2026-9695
An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged...
Vendor/s:

Full Description

An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 08/07/2026 07:16:46
Last Modified: 08/07/2026 15:30:04

Sources and References

CRITICAL (9.9)
CVE-2026-56843
Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains...
Vendor/s:

Full Description

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6

Additional Information

Published on: 08/07/2026 01:16:28
Last Modified: 10/07/2026 18:57:22

Sources and References

WordPress

CRITICAL (9.8)
CVE-2026-58480
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload...
Vendor/s: WordPress

Full Description

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.8)
CVE-2026-12153
The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8....
Vendor/s: WordPress

Full Description

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.8)
CVE-2026-14489
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the...
Vendor/s: WordPress

Full Description

The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-14495
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and...
Vendor/s: WordPress

Full Description

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=.` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.8)
CVE-2026-9701
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including,...
Vendor/s: WordPress, php

Full Description

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.8)
CVE-2026-14158
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including,...
Vendor/s: WordPress

Full Description

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-14482
The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability...
Vendor/s: WordPress

Full Description

The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly web-accessible API endpoint, combined with a trivially forgeable HMAC-SHA1 signature keyed on an always-empty WordPress option, which allows the endpoint's `update_option` handler to pass attacker-controlled `option` and `value` parameters directly to WordPress's `update_option` function without any allowlist or sanitization. This makes it possible for unauthenticated attackers to update arbitrary WordPress options — such as setting `default_role` to `administrator` and enabling open registration — and subsequently register an account with full administrator privileges.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.1)
CVE-2026-14487
The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in...
Vendor/s: WordPress

Full Description

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source, meaning neither control presents a real authorization boundary.

php

CRITICAL (9.8)
CVE-2026-9701
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including,...
Vendor/s: WordPress, php

Full Description

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

X.org

HIGH (8.5)
CVE-2026-55999
Local attackers with a X connection able to provide PCX fonts to the X server xorg-server before 21.2.24 and xwayland...
Vendor/s: X.org

Full Description

Local attackers with a X connection able to provide PCX fonts to the X server xorg-server before 21.2.24 and xwayland before 24.1.13 could cause a heap buffer overflow via SetFont due to missing glyph boundary checks.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 1.8 / 6

Additional Information

Published on: 08/07/2026 09:16:29
Last Modified: 09/07/2026 19:49:51

Sources and References

X

HIGH (8.5)
CVE-2026-56003
A heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in libXfont2 ComputeScaledProperties()...
Vendor/s: X

Full Description

A heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in libXfont2 ComputeScaledProperties() before libXfont2 before 2.0.8 could be used by attackers using authenticated X clients to execute code within the X server.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 1.8 / 6

Additional Information

Published on: 08/07/2026 10:16:23
Last Modified: 09/07/2026 19:50:11

Sources and References

HIGH (8.5)
CVE-2026-56001
A heap buffer overflow in BitmapScaleBitmaps in libXfont2 before 2.0.8 due to an overflowing 32bit size could be used by...
Vendor/s: X

Full Description

A heap buffer overflow in BitmapScaleBitmaps in libXfont2 before 2.0.8 due to an overflowing 32bit size could be used by attackers able to access the X Server to execute code within the X server cont

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 1.8 / 6

Additional Information

Published on: 08/07/2026 09:16:30
Last Modified: 09/07/2026 19:46:32

Sources and References

Apache

CRITICAL (9.1)
CVE-2026-41042
Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the...
Vendor/s: Apache

Full Description

Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter. Vulnerability in Apache Gravitino. This issue affects Apache Gravitino: before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue. This issue only happens when using H2, and H2 is mainly used for testing and local development. Also, Gravitino is typically deployed in the internal environment, so the severity is low.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2

Additional Information

Published on: 08/07/2026 12:17:20
Last Modified: 08/07/2026 20:16:49

Sources and References

Tonycoz

CRITICAL (9.8)
CVE-2026-14454
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count...
Vendor/s: Tonycoz

Full Description

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Dell

HIGH (8.8)
CVE-2026-56086
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30,...
Vendor/s: Dell

Full Description

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

N8n

HIGH (8.8)
CVE-2026-59257
n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1...
Vendor/s: N8n, Mysql

Full Description

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Mysql

HIGH (8.8)
CVE-2026-59257
n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1...
Vendor/s: N8n, Mysql

Full Description

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Ibm

CRITICAL (9.1)
CVE-2026-9074
IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.
Vendor/s: Ibm

Full Description

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2

Additional Information

Published on: 08/07/2026 16:16:35
Last Modified: 10/07/2026 16:59:16

Sources and References

Docker

HIGH (8.7)
CVE-2026-14891
HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a...
Vendor/s: Docker, Hashicorp

Full Description

HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / HIGH
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.3 / 5.8

Additional Information

Published on: 08/07/2026 20:16:48
Last Modified: 09/07/2026 16:29:14

Sources and References

Hashicorp

HIGH (8.7)
CVE-2026-14891
HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a...
Vendor/s: Docker, Hashicorp

Full Description

HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / HIGH
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.3 / 5.8

Additional Information

Published on: 08/07/2026 20:16:48
Last Modified: 09/07/2026 16:29:14

Sources and References

Gitlab

HIGH (8.7)
CVE-2026-6896
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1...
Vendor/s: Gitlab

Full Description

GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 2.3 / 5.8

Ubuntu

HIGH (8.8)
CVE-2026-10037
A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages...
Vendor/s: Ubuntu

Full Description

A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-desktop-portal-gtk can write a malicious .jar file to the host file system, set its executable bit, and trigger the handler to execute arbitrary code outside of the sandbox environment.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2 / 6

Additional Information

Published on: 08/07/2026 22:17:12
Last Modified: 10/07/2026 05:16:27

Sources and References

Google

HIGH (8.8)
CVE-2026-15129
Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption...
Vendor/s: Google, Chrome

Full Description

Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:54
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15132
Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a...
Vendor/s: Google, Chrome

Full Description

Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:54
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15133
Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:54
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15121
Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:29

Sources and References

HIGH (8.8)
CVE-2026-15123
Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via...
Vendor/s: Google, Chrome

Full Description

Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:29

Sources and References

HIGH (8.8)
CVE-2026-15125
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a...
Vendor/s: Google, Chrome

Full Description

Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15126
Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15110
Use after free in Extensions in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install...
Vendor/s: Google, Chrome

Full Description

Use after free in Extensions in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 09/07/2026 17:15:35

Sources and References

HIGH (8.8)
CVE-2026-15112
Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption...
Vendor/s: Google, Chrome

Full Description

Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

CRITICAL (9.6)
CVE-2026-15113
Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform...
Vendor/s: Google, Android, Chrome

Full Description

Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

HIGH (8.8)
CVE-2026-15114
Out of bounds read and write in Codecs in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially...
Vendor/s: Google, Chrome

Full Description

Out of bounds read and write in Codecs in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

HIGH (8.8)
CVE-2026-15116
Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

HIGH (8.8)
CVE-2026-15118
Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:29

Sources and References

HIGH (8.8)
CVE-2026-15107
Use after free in IndexedDB in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in IndexedDB in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:51
Last Modified: 10/07/2026 05:16:28

Sources and References

Chrome

HIGH (8.8)
CVE-2026-15129
Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption...
Vendor/s: Google, Chrome

Full Description

Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:54
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15132
Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a...
Vendor/s: Google, Chrome

Full Description

Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:54
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15133
Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:54
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15121
Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:29

Sources and References

HIGH (8.8)
CVE-2026-15123
Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via...
Vendor/s: Google, Chrome

Full Description

Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:29

Sources and References

HIGH (8.8)
CVE-2026-15125
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a...
Vendor/s: Google, Chrome

Full Description

Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15126
Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:53
Last Modified: 10/07/2026 05:16:30

Sources and References

HIGH (8.8)
CVE-2026-15110
Use after free in Extensions in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install...
Vendor/s: Google, Chrome

Full Description

Use after free in Extensions in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 09/07/2026 17:15:35

Sources and References

HIGH (8.8)
CVE-2026-15112
Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption...
Vendor/s: Google, Chrome

Full Description

Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

CRITICAL (9.6)
CVE-2026-15113
Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform...
Vendor/s: Google, Android, Chrome

Full Description

Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

HIGH (8.8)
CVE-2026-15114
Out of bounds read and write in Codecs in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially...
Vendor/s: Google, Chrome

Full Description

Out of bounds read and write in Codecs in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

HIGH (8.8)
CVE-2026-15116
Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

HIGH (8.8)
CVE-2026-15118
Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:29

Sources and References

HIGH (8.8)
CVE-2026-15107
Use after free in IndexedDB in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside...
Vendor/s: Google, Chrome

Full Description

Use after free in IndexedDB in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 08/07/2026 23:16:51
Last Modified: 10/07/2026 05:16:28

Sources and References

Android

CRITICAL (9.6)
CVE-2026-15113
Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform...
Vendor/s: Google, Android, Chrome

Full Description

Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 08/07/2026 23:16:52
Last Modified: 10/07/2026 05:16:28

Sources and References

07/07/2026

Unknown

CRITICAL (9.8)
CVE-2026-59705
mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories...
Vendor/s:

Full Description

mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.8)
CVE-2026-37270
Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of...
Vendor/s:

Full Description

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 23:16:54
Last Modified: 10/07/2026 18:48:55

Sources and References

CRITICAL (9.8)
CVE-2026-37271
Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient...
Vendor/s:

Full Description

Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 23:16:54
Last Modified: 10/07/2026 18:48:55

Sources and References

CRITICAL (9.3)
CVE-2026-59706
mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled...
Vendor/s:

Full Description

mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can retrieve stored secrets like OpenAI API keys via GET /api/v1/config/ or trigger SSRF attacks by setting ollama_base_url to internal addresses like cloud IMDS via PUT /api/v1/config/mem0/llm endpoint.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: LOW, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • Exploitability/Impact Score: 3.9 / 4.7
HIGH (8.6)
CVE-2026-55418
FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource...
Vendor/s:

Full Description

FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object keys are global within the bucket and carry the tenant id only as a path segment, an attacker can supply another team's key and obtain its file contents through the chat-file presign endpoint or dataset preview endpoint. This issue is fixed in version v4.15.0-beta5.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: NONE, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Exploitability/Impact Score: 3.9 / 4
CRITICAL (9.1)
CVE-2026-58473
Cognee before 1.2.0 contains an improper access control vulnerability that allows unauthenticated attackers to overwrite the global LLM provider configuration...
Vendor/s:

Full Description

Cognee before 1.2.0 contains an improper access control vulnerability that allows unauthenticated attackers to overwrite the global LLM provider configuration by self-registering an account and calling the settings endpoint, which performs no admin or superuser check. Attackers can redirect all LLM operations instance-wide to an attacker-controlled endpoint by exploiting the process-wide singleton configuration cache, enabling exfiltration of prompts, uploaded documents, extracted entities, and knowledge graph content from all users.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2
HIGH (8.6)
CVE-2026-59707
LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal...
Vendor/s:

Full Description

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper validation, enabling attackers to force the server to issue HTTP GET requests to private and loopback ranges with partial response content leaked through error messages.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: NONE, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Exploitability/Impact Score: 3.9 / 4
CRITICAL (9.8)
CVE-2026-59800
9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered...
Vendor/s:

Full Description

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.8)
CVE-2026-44938
A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or...
Vendor/s:

Full Description

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace. An attacker with git push access to a Fleet-monitored repository could overwrite Pod Security Standards (PSS) enforcement labels on a target namespace. This allows the attacker to weaken admission controls and deploy workloads that PSS policies would otherwise block.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 14:16:30
Last Modified: 08/07/2026 05:16:27

Sources and References

HIGH (8.8)
CVE-2026-13696
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP...
Vendor/s:

Full Description

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection. This issue affects Liman MYS: before release.Master.1107.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 12:16:32
Last Modified: 07/07/2026 14:16:28

Sources and References

CRITICAL (9.8)
CVE-2011-10043
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could...
Vendor/s:

Full Description

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary code.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
HIGH (8.8)
CVE-2026-11610
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL...
Vendor/s:

Full Description

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

HIGH (8.8)
CVE-2026-14474
A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the...
Vendor/s:

Full Description

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 10:16:39
Last Modified: 07/07/2026 14:16:28

Sources and References

HIGH (8.8)
CVE-2026-42143
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-34152
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-34058
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser without any sanitization or escaping. This parameter is interpolated directly into shell commands executed via SSH on managed servers, enabling any authenticated team member to execute arbitrary OS commands on remote servers. This issue is fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.9)
CVE-2026-34037
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authenticated user to clone resources into destinations owned by other teams and access cross-tenant resources. This issue is fixed in version 4.0.0-beta.464.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: LOW
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Exploitability/Impact Score: 3.1 / 6
CRITICAL (9.9)
CVE-2026-34047
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. This issue is fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6
CRITICAL (9.9)
CVE-2026-34048
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes and execute commands on team servers. This issue is fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6
HIGH (8.8)
CVE-2026-34057
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without locking or validation, allowing an authenticated user to inject commands through a database import container name. This issue is fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-34034
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell syntax and execute commands on the host when Sentinel is restarted. This issue is fixed in version 4.0.0-beta.466.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
HIGH (8.8)
CVE-2026-34035
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and...
Vendor/s:

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the host. This issue is fixed in version 4.0.0-beta.466.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Docker

HIGH (8.8)
CVE-2026-34158
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps...
Vendor/s: Docker

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 05:16:50
Last Modified: 07/07/2026 14:16:30

Sources and References

HIGH (8.8)
CVE-2026-34168
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is...
Vendor/s: Docker

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storage name containing shell metacharacters and execute commands on managed servers when the resource is deleted. This issue is fixed in version 4.0.0-beta.471.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Postgresql

HIGH (8.8)
CVE-2026-42200
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts()...
Vendor/s: Postgresql

Full Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

WordPress

CRITICAL (9.8)
CVE-2026-12375
The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution...
Vendor/s: WordPress

Full Description

The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 06:16:22
Last Modified: 07/07/2026 14:16:28

Sources and References

CRITICAL (9.8)
CVE-2026-14345
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote...
Vendor/s: WordPress

Full Description

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values into a PHP-includeable .log file combined with the use of include_once to render that file in wpfnl_show_log. This makes it possible for unauthenticated attackers to execute code on the server. Exploitation requires that the Log Settings "Enable Logs" toggle is on and that an administrator subsequently opens the polluted log file via the plugin's Log Settings View UI; however, the nonce required to reach the optin endpoint is publicly emitted on every funnel step page, so the injection step itself is fully unauthenticated.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.0)
CVE-2026-4375
The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve...
Vendor/s: WordPress

Full Description

The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve RCE, once they are added adding to a blog, for example using a vulnerability where unclosed extensions from wordpress.org can be installed by unauthorized users.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.2 / 6

Additional Information

Published on: 07/07/2026 06:16:22
Last Modified: 07/07/2026 14:16:32

Sources and References

HIGH (8.7)
CVE-2026-12277
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before...
Vendor/s: WordPress

Full Description

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

CVSS Metrics v3.1

  • Impact: Confid.: NONE, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
  • Exploitability/Impact Score: 2.2 / 5.8

Additional Information

Published on: 07/07/2026 06:16:21
Last Modified: 07/07/2026 16:16:37

Sources and References

Apache

HIGH (8.8)
CVE-2026-23697
Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by...
Vendor/s: Apache, php

Full Description

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9
CRITICAL (9.8)
CVE-2026-33264
A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized...
Vendor/s: Apache

Full Description

A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the `[core] allowed_deserialization_classes` config to a narrow allowlist.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Dell

CRITICAL (9.8)
CVE-2026-53481
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30,...
Vendor/s: Dell

Full Description

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to the system. This is a critical severity vulnerability as it allows an attacker to take complete control of system; so Dell recommends customers to upgrade at the earliest opportunity.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 13:16:31
Last Modified: 08/07/2026 19:57:35

Sources and References

CRITICAL (9.8)
CVE-2026-53483
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30,...
Vendor/s: Dell

Full Description

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 an improper authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. This is a critical severity vulnerability as it allows an attacker to take complete control of system; so Dell recommends customers to upgrade at the earliest opportunity.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 13:16:31
Last Modified: 08/07/2026 19:57:04

Sources and References

Esri

CRITICAL (9.8)
CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function...
Vendor/s: Esri, Kubernetes, Linux, Microsoft

Full Description

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 17:16:35
Last Modified: 09/07/2026 14:40:59

Sources and References

Kubernetes

CRITICAL (9.8)
CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function...
Vendor/s: Esri, Kubernetes, Linux, Microsoft

Full Description

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 17:16:35
Last Modified: 09/07/2026 14:40:59

Sources and References

Linux

CRITICAL (9.8)
CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function...
Vendor/s: Esri, Kubernetes, Linux, Microsoft

Full Description

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 17:16:35
Last Modified: 09/07/2026 14:40:59

Sources and References

Microsoft

CRITICAL (9.8)
CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function...
Vendor/s: Esri, Kubernetes, Linux, Microsoft

Full Description

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 07/07/2026 17:16:35
Last Modified: 09/07/2026 14:40:59

Sources and References

php

HIGH (8.8)
CVE-2026-23697
Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by...
Vendor/s: Apache, php

Full Description

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. The uploaded file is stored with its original .phar extension under the web-accessible storage directory, and a misconfigured .htaccess using Apache 2.2 syntax is silently ignored on Apache 2.4 deployments, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Joomla

HIGH (8.8)
CVE-2026-48957
An improper access check allows unauthorized users to access com_privacy datasets.
Vendor/s: Joomla

Full Description

An improper access check allows unauthorized users to access com_privacy datasets.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 19:16:54
Last Modified: 09/07/2026 16:57:34

Sources and References

HIGH (8.8)
CVE-2026-48958
An improper access check allows unauthorized users to create custom fields via webservices endpoints.
Vendor/s: Joomla

Full Description

An improper access check allows unauthorized users to create custom fields via webservices endpoints.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 19:16:54
Last Modified: 09/07/2026 16:55:31

Sources and References

HIGH (8.8)
CVE-2026-48948
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
Vendor/s: Joomla

Full Description

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9

Additional Information

Published on: 07/07/2026 19:16:52
Last Modified: 09/07/2026 14:20:16

Sources and References

Coder

CRITICAL (9.1)
CVE-2026-46354
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and...
Vendor/s: Coder, Azure

Full Description

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":""}` and the forged `vmId` will be accepted returning the victim workspace agent's session token. No authentication is required. The attacker only needs to know a target VM's `vmId` which is a `UUIDv4`. That's a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2

Azure

CRITICAL (9.1)
CVE-2026-46354
Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and...
Vendor/s: Coder, Azure

Full Description

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":""}` and the forged `vmId` will be accepted returning the victim workspace agent's session token. No authentication is required. The attacker only needs to know a target VM's `vmId` which is a `UUIDv4`. That's a practical limitation which would typically require prior access to be exploited. Versions 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 patch the issue. As a workaround, reconfigure any Azure templates to use token authentication rather than `azure-instance-identity`.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.9 / 5.2

Perl

CRITICAL (9.8)
CVE-2026-14739
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The...
Vendor/s: Perl

Full Description

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9
CRITICAL (9.1)
CVE-2026-14740
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method...
Vendor/s: Perl

Full Description

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: NONE, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • Exploitability/Impact Score: 3.9 / 5.2
HIGH (8.8)
CVE-2026-14380
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a...
Vendor/s: Perl

Full Description

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 5.9