| CVE-2026-56271 |
Flowise - Weak Default JWT Secrets in Authentication Middleware |
12.07.2026 |
9.3 |
| CVE-2026-61876 |
LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting |
12.07.2026 |
9.4 |
| CVE-2026-60090 |
PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension |
11.07.2026 |
9.3 |
| CVE-2026-61445 |
PraisonAI before 4.6.78 Arbitrary File Write and Command Execution |
11.07.2026 |
9.4 |
| CVE-2026-61447 |
PraisonAI before 1.6.78 Remote Code Execution via CodeAgent |
11.07.2026 |
10 |
| CVE-2026-57827 |
Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 |
11.07.2026 |
10 |
| CVE-2026-57828 |
Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 |
11.07.2026 |
9 |
| CVE-2026-20744 |
Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control |
10.07.2026 |
9.3 |
| CVE-2026-55884 |
Tilt: Missing authentication on the network-exposed Tilt HUD server |
10.07.2026 |
9.2 |
| CVE-2026-55879 |
OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover |
10.07.2026 |
9.3 |
| CVE-2026-12761 |
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow |
10.07.2026 |
9.8 |
| CVE-2026-57807 |
WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability |
10.07.2026 |
9.8 |
| CVE-2026-61459 |
MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools |
10.07.2026 |
9.3 |
| CVE-2026-59151 |
Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover |
10.07.2026 |
9.6 |
| CVE-2026-5801 |
SQLi in Semtek Informatics' SEM-PMP |
10.07.2026 |
9.8 |
| CVE-2026-2397 |
SQLi in AdamPOS' MobilMen 20T |
10.07.2026 |
9.8 |
| CVE-2026-58492 |
grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation |
10.07.2026 |
9.2 |
| CVE-2026-15143 |
Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) |
10.07.2026 |
9.3 |
| CVE-2026-55500 |
9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover |
10.07.2026 |
9.9 |
| CVE-2026-56261 |
Crawl4AI - Server-Side Request Forgery via Webhook URLs |
10.07.2026 |
9.2 |
| CVE-2026-56765 |
Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR |
10.07.2026 |
9.3 |
| CVE-2026-59792 |
|
10.07.2026 |
9.6 |
| CVE-2026-61444 |
PraisonAI before 4.6.78 Code Injection via f-string |
10.07.2026 |
9.4 |
| CVE-2026-56688 |
|
10.07.2026 |
9.1 |
| CVE-2026-15378 |
Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) |
10.07.2026 |
9.3 |
| CVE-2026-41880 |
OS Command Injection in R-SOFT DMS |
10.07.2026 |
9 |
| CVE-2026-15282 |
Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload |
10.07.2026 |
9.8 |
| CVE-2026-15300 |
GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters |
10.07.2026 |
9.1 |
| CVE-2026-14894 |
Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value) |
10.07.2026 |
9.8 |
| CVE-2026-54760 |
Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls |
10.07.2026 |
9.3 |
| CVE-2026-54769 |
Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent |
10.07.2026 |
10 |
| CVE-2026-55615 |
Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879 |
10.07.2026 |
9.2 |
| CVE-2026-58122 |
Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing |
10.07.2026 |
9.3 |
| CVE-2026-58123 |
Hermes WebUI < 0.51.788 Unauthenticated RCE via Terminal API |
10.07.2026 |
9.3 |
| CVE-2026-54003 |
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header |
09.07.2026 |
9.1 |
| CVE-2026-59726 |
Ruflo: Unauthenticated RCE in MCP bridge default docker-compose deployment |
09.07.2026 |
10 |
| CVE-2026-59826 |
Metabase: Arbitrary Code Execution via Database Connection Detail Bypass |
10.07.2026 |
9.1 |
| CVE-2026-59827 |
Metabase: Unsafe Deserialization of H2 Query Results |
09.07.2026 |
9.9 |
| CVE-2025-27462 |
WinPVDrivers: Excessive permissions on user-exposed devices |
09.07.2026 |
9.4 |
| CVE-2025-27463 |
WinPVDrivers: Excessive permissions on user-exposed devices |
09.07.2026 |
9.4 |
| CVE-2025-27464 |
WinPVDrivers: Excessive permissions on user-exposed devices |
09.07.2026 |
9.4 |
| CVE-2025-58146 |
XAPI UTF-8 string handling |
09.07.2026 |
9.4 |
| CVE-2025-58151 |
varstored: TOCTOU issues with mapped guest memory |
09.07.2026 |
9.4 |
| CVE-2026-23556 |
oxenstored keeps quota related use counts across domain destruction |
09.07.2026 |
9.4 |
| CVE-2026-23559 |
Multiple RBAC issues in XAPI |
09.07.2026 |
9.4 |
| CVE-2026-23560 |
Multiple RBAC issues in XAPI |
09.07.2026 |
9.4 |
| CVE-2026-23561 |
Multiple RBAC issues in XAPI |
10.07.2026 |
9.4 |
| CVE-2026-23562 |
Multiple RBAC issues in XAPI |
10.07.2026 |
9.4 |
| CVE-2026-42486 |
Multiple RBAC issues in XAPI |
10.07.2026 |
9.4 |
| CVE-2026-56292 |
Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1 |
10.07.2026 |
9.2 |
| CVE-2026-56291 |
Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1 |
11.07.2026 |
10 |
| CVE-2026-15158 |
Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter |
09.07.2026 |
9.8 |
| CVE-2026-2342 |
XSS in Oceanicsoft's ValeApp |
09.07.2026 |
9.3 |
| CVE-2026-5955 |
SQLi in Inrove Software's BiEticaret |
09.07.2026 |
9.8 |
| CVE-2026-14245 |
miniOrange OTP Login, Verification and SMS Notifications <= 5.5.1 - Authentication Bypass to Administrator Account Takeover via 'username_b' Parameter |
09.07.2026 |
9.8 |
| CVE-2026-47646 |
Dynamics 365 Customer Voice Spoofing Vulnerability |
09.07.2026 |
9.3 |
| CVE-2026-54782 |
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation |
10.07.2026 |
10 |
| CVE-2026-44024 |
Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder |
10.07.2026 |
9.8 |
| CVE-2026-54527 |
JupyterLab Git: Stored XSS leading to RCE |
09.07.2026 |
9.3 |
| CVE-2026-60104 |
Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request |
09.07.2026 |
9.3 |
| CVE-2026-59702 |
repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack |
08.07.2026 |
9.2 |
| CVE-2026-59873 |
node-tar: Decompression/parse DoS via unlimited input |
08.07.2026 |
9.2 |
| CVE-2026-9074 |
IBM API Connect SQL Injection |
09.07.2026 |
9.1 |
| CVE-2026-15062 |
SQL Injection in Snowflake Snowpark Python SDK |
08.07.2026 |
9.6 |
| CVE-2026-54061 |
Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import |
08.07.2026 |
9.1 |
| CVE-2026-58480 |
Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments |
08.07.2026 |
9.2 |
| CVE-2026-8307 |
SQLi in Webbeyaz's Mediküm Web |
09.07.2026 |
9.8 |
| CVE-2026-56000 |
xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() |
08.07.2026 |
9 |
| CVE-2026-9695 |
Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 |
08.07.2026 |
9.8 |
| CVE-2026-12153 |
WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action |
08.07.2026 |
9.8 |
| CVE-2026-14487 |
Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter |
08.07.2026 |
9.1 |
| CVE-2026-9701 |
Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation |
08.07.2026 |
9.8 |
| CVE-2026-56843 |
|
08.07.2026 |
9.9 |
| CVE-2026-59705 |
mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints |
08.07.2026 |
9.3 |
| CVE-2026-46354 |
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft |
08.07.2026 |
9.1 |
| CVE-2026-59706 |
mem0 - Unauthenticated Config API Exposure and SSRF via ollama_base_url |
09.07.2026 |
9.2 |
| CVE-2026-58473 |
Cognee < 1.2.0 Unauthorized LLM Configuration Overwrite via /api/v1/settings |
08.07.2026 |
9.3 |
| CVE-2026-59707 |
LocalAI - Server-Side Request Forgery via POST /models/apply |
09.07.2026 |
9.2 |
| CVE-2026-59800 |
9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint |
07.07.2026 |
9.2 |
| CVE-2026-13019 |
Missing Authentication |
08.07.2026 |
9.8 |
| CVE-2026-53481 |
|
08.07.2026 |
9.8 |
| CVE-2026-53483 |
|
08.07.2026 |
9.8 |
| CVE-2026-14345 |
WPFunnels <= 3.12.7 - Unauthenticated Remote Code Execution via 'postData' Parameter |
08.07.2026 |
9.8 |
| CVE-2026-34037 |
Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo() |
07.07.2026 |
9.9 |
| CVE-2026-34047 |
Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution |
07.07.2026 |
9.9 |
| CVE-2026-34048 |
Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers |
07.07.2026 |
9.9 |
| CVE-2026-34038 |
Coolify authenticated remote command injection leading to RCE and secret exfiltration |
07.07.2026 |
9.9 |
| CVE-2026-42341 |
FOSSBilling has an unauthenticated payment bypass via IPN callback forgery |
07.07.2026 |
9.2 |
| CVE-2026-57571 |
Crawl4AI arbitrary file write via download filename path traversal |
07.07.2026 |
9.6 |
| CVE-2026-57572 |
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args |
08.07.2026 |
10 |
| CVE-2026-9181 |
Directory Traversal in ArcGIS Server |
08.07.2026 |
9.8 |
| CVE-2026-9182 |
Unvalidated File Upload vulnerability in ArcGIS Server. |
08.07.2026 |
9.8 |
| CVE-2026-48614 |
|
06.07.2026 |
9.9 |
| CVE-2026-40138 |
Critical Pre-Authentication Vulnerability in BeyondTrust Remote Support and Privileged Remote Access |
07.07.2026 |
9.2 |
| CVE-2026-40139 |
Critical Pre-Authentication Vulnerability in BeyondTrust Remote Support and Privileged Remote Access |
07.07.2026 |
9.2 |
| CVE-2026-48316 |
ColdFusion | Improper Input Validation (CWE-20) |
07.07.2026 |
10 |
| CVE-2025-53827 |
ownCloud Core: Updater has an exposed dangerous method or function |
08.07.2026 |
9.1 |
| CVE-2025-53830 |
Anti-Virus for ownCloud 10 is vulnerable to Server-Side Request Forgery (SSRF) |
08.07.2026 |
9.1 |
| CVE-2026-12686 |
Incorrect authorisation in Adiss’s Biloop |
06.07.2026 |
9.3 |
| CVE-2026-6900 |
Improper Certificate Validation |
06.07.2026 |
9.1 |
| CVE-2026-14807 |
PROG MIS|ERP App - Use of Hard-coded Credentials |
06.07.2026 |
9.3 |
| CVE-2026-14808 |
PROG MIS|Prog Management System - Exposure of Sensitive Information |
06.07.2026 |
9.3 |