CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension 11.07.2026 9.3
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution 11.07.2026 9.4
CVE-2026-61447 PraisonAI before 1.6.78 Remote Code Execution via CodeAgent 11.07.2026 10
CVE-2026-57827 Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 11.07.2026 10
CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 11.07.2026 9
CVE-2026-20744 Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control 10.07.2026 9.3
CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server 10.07.2026 9.2
CVE-2026-55879 OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover 10.07.2026 9.3
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow 10.07.2026 9.8
CVE-2026-57807 WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability 10.07.2026 9.8
CVE-2026-61459 MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools 10.07.2026 9.3
CVE-2026-59151 Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover 10.07.2026 9.6
CVE-2026-5801 SQLi in Semtek Informatics' SEM-PMP 10.07.2026 9.8
CVE-2026-2397 SQLi in AdamPOS' MobilMen 20T 10.07.2026 9.8
CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation 10.07.2026 9.2
CVE-2026-15143 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 10.07.2026 9.3
CVE-2026-55500 9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover 10.07.2026 9.9
CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs 10.07.2026 9.2
CVE-2026-56765 Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR 10.07.2026 9.3
CVE-2026-59792 10.07.2026 9.6
CVE-2026-61444 PraisonAI before 4.6.78 Code Injection via f-string 10.07.2026 9.4
CVE-2026-56688 10.07.2026 9.1
CVE-2026-15378 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 10.07.2026 9.3
CVE-2026-41880 OS Command Injection in R-SOFT DMS 10.07.2026 9
CVE-2026-15282 Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload 10.07.2026 9.8
CVE-2026-15300 GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters 10.07.2026 9.1
CVE-2026-14894 Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value) 10.07.2026 9.8
CVE-2026-54760 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls 10.07.2026 9.3
CVE-2026-54769 Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent 10.07.2026 10
CVE-2026-55615 Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879 10.07.2026 9.2
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing 10.07.2026 9.3
CVE-2026-58123 Hermes WebUI < 0.51.788 Unauthenticated RCE via Terminal API 10.07.2026 9.3
CVE-2026-54003 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header 09.07.2026 9.1
CVE-2026-59726 Ruflo: Unauthenticated RCE in MCP bridge default docker-compose deployment 09.07.2026 10
CVE-2026-59826 Metabase: Arbitrary Code Execution via Database Connection Detail Bypass 10.07.2026 9.1
CVE-2026-59827 Metabase: Unsafe Deserialization of H2 Query Results 09.07.2026 9.9
CVE-2025-27462 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27463 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27464 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-58146 XAPI UTF-8 string handling 09.07.2026 9.4
CVE-2025-58151 varstored: TOCTOU issues with mapped guest memory 09.07.2026 9.4
CVE-2026-23556 oxenstored keeps quota related use counts across domain destruction 09.07.2026 9.4
CVE-2026-23559 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23560 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23561 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-23562 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-42486 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-56292 Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1 10.07.2026 9.2
CVE-2026-56291 Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1 11.07.2026 10
CVE-2026-15158 Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter 09.07.2026 9.8
CVE-2026-2342 XSS in Oceanicsoft's ValeApp 09.07.2026 9.3
CVE-2026-5955 SQLi in Inrove Software's BiEticaret 09.07.2026 9.8
CVE-2026-14245 miniOrange OTP Login, Verification and SMS Notifications <= 5.5.1 - Authentication Bypass to Administrator Account Takeover via 'username_b' Parameter 09.07.2026 9.8
CVE-2026-47646 Dynamics 365 Customer Voice Spoofing Vulnerability 09.07.2026 9.3
CVE-2026-54782 CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation 10.07.2026 10
CVE-2026-44024 Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder 10.07.2026 9.8
CVE-2026-54527 JupyterLab Git: Stored XSS leading to RCE 09.07.2026 9.3
CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request 09.07.2026 9.3
CVE-2026-59702 repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack 08.07.2026 9.2
CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input 08.07.2026 9.2
CVE-2026-9074 IBM API Connect SQL Injection 09.07.2026 9.1
CVE-2026-15062 SQL Injection in Snowflake Snowpark Python SDK 08.07.2026 9.6
CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import 08.07.2026 9.1
CVE-2026-58480 Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments 08.07.2026 9.2
CVE-2026-8307 SQLi in Webbeyaz's Mediküm Web 09.07.2026 9.8
CVE-2026-56000 xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() 08.07.2026 9
CVE-2026-9695 Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 08.07.2026 9.8
CVE-2026-12153 WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action 08.07.2026 9.8
CVE-2026-14487 Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter 08.07.2026 9.1
CVE-2026-9701 Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 08.07.2026 9.8
CVE-2026-56843 08.07.2026 9.9
CVE-2026-59705 mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints 08.07.2026 9.3
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft 08.07.2026 9.1
CVE-2026-59706 mem0 - Unauthenticated Config API Exposure and SSRF via ollama_base_url 09.07.2026 9.2
CVE-2026-58473 Cognee < 1.2.0 Unauthorized LLM Configuration Overwrite via /api/v1/settings 08.07.2026 9.3
CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply 09.07.2026 9.2
CVE-2026-59800 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint 07.07.2026 9.2
CVE-2026-13019 Missing Authentication 08.07.2026 9.8
CVE-2026-53481 08.07.2026 9.8
CVE-2026-53483 08.07.2026 9.8
CVE-2026-14345 WPFunnels <= 3.12.7 - Unauthenticated Remote Code Execution via 'postData' Parameter 08.07.2026 9.8
CVE-2026-34037 Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo() 07.07.2026 9.9
CVE-2026-34047 Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution 07.07.2026 9.9
CVE-2026-34048 Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers 07.07.2026 9.9
CVE-2026-34038 Coolify authenticated remote command injection leading to RCE and secret exfiltration 07.07.2026 9.9
CVE-2026-42341 FOSSBilling has an unauthenticated payment bypass via IPN callback forgery 07.07.2026 9.2
CVE-2026-57571 Crawl4AI arbitrary file write via download filename path traversal 07.07.2026 9.6
CVE-2026-57572 Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args 08.07.2026 10
CVE-2026-9181 Directory Traversal in ArcGIS Server 08.07.2026 9.8
CVE-2026-9182 Unvalidated File Upload vulnerability in ArcGIS Server. 08.07.2026 9.8
CVE-2026-48614 06.07.2026 9.9
CVE-2026-40138 Critical Pre-Authentication Vulnerability in BeyondTrust Remote Support and Privileged Remote Access 07.07.2026 9.2
CVE-2026-40139 Critical Pre-Authentication Vulnerability in BeyondTrust Remote Support and Privileged Remote Access 07.07.2026 9.2
CVE-2026-48316 ColdFusion | Improper Input Validation (CWE-20) 07.07.2026 10
CVE-2025-53827 ownCloud Core: Updater has an exposed dangerous method or function 08.07.2026 9.1
CVE-2025-53830 Anti-Virus for ownCloud 10 is vulnerable to Server-Side Request Forgery (SSRF) 08.07.2026 9.1
CVE-2026-12686 Incorrect authorisation in Adiss’s Biloop 06.07.2026 9.3
CVE-2026-6900 Improper Certificate Validation 06.07.2026 9.1
CVE-2026-14807 PROG MIS|ERP App - Use of Hard-coded Credentials 06.07.2026 9.3
CVE-2026-14808 PROG MIS|Prog Management System - Exposure of Sensitive Information 06.07.2026 9.3
CVE-2026-59509 Unauthenticated arbitrary MongoDB collection read in cve-search 06.07.2026 9.2

Latest Updates

CVE Title Updated Score
CVE-2026-56240 Capgo - Billing Authorization Bypass via Exhausted Usage Credits 11.07.2026
CVE-2026-56296 Cap-go - App Existence Oracle via Unauthenticated transfer_app RPC 11.07.2026
CVE-2026-56303 Capgo - Unauthenticated API Key Metadata Disclosure via SECURITY DEFINER RPC Function 11.07.2026
CVE-2026-56372 ImageMagick - Heap Buffer Overflow Read via Unrecognized Magnify Method 11.07.2026
CVE-2026-56763 Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option 11.07.2026
CVE-2026-60088 PraisonAI before 4.6.78 Path Traversal via Custom Commands 11.07.2026
CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension 11.07.2026
CVE-2026-61426 PraisonAI before 1.7.3 Unauthenticated Agent Access via Insecure Defaults 11.07.2026
CVE-2026-61428 PraisonAI AgentMail before 4.6.78 Message Injection via Webhook 11.07.2026
CVE-2026-61429 PraisonAI before 1.6.78 SSRF via Crawl4AI Chromium backend 11.07.2026
CVE-2026-61439 PraisonAI before 4.6.78 Prompt Injection Defense Bypass 11.07.2026
CVE-2026-61442 PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH 11.07.2026
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution 11.07.2026
CVE-2026-61447 PraisonAI before 1.6.78 Remote Code Execution via CodeAgent 11.07.2026
CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type 11.07.2026
CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__ 11.07.2026
CVE-2026-61465 ImageMagick before 7.1.2-26 Memory Allocation Policy Bypass 11.07.2026
CVE-2026-61857 ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP 11.07.2026
CVE-2026-61858 ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder 11.07.2026
CVE-2026-61861 ImageMagick before 7.1.2-26 Use-After-Free in FormatMagickCaption 11.07.2026
CVE-2026-61870 ImageMagick before 7.1.2-26 Memory Leak via VIFF Encoder 11.07.2026
CVE-2026-57827 Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 11.07.2026
CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 11.07.2026
CVE-2026-1359 Genolve – AI image AI video generation <= 5.0.5 - Authenticated (Contributor+) Incorrect Authorization to Privilege Escalation via theopt 11.07.2026 8.8
CVE-2026-15010 bbp style pack <= 6.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Topic Form Additional Fields 11.07.2026 6.4
CVE-2026-9017 NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_send_nf_email AJAX Action 11.07.2026 5.3
CVE-2026-9282 W3 Total Cache <= 2.9.4 - Unauthenticated Arbitrary File Read via 'f_array[]' Parameter 11.07.2026 7.5
CVE-2025-5017 Catalyst Connect Zoho CRM Client Portal <= 2.2.0 - Authenticated (Administrator+) SQL Injection via uid Parameter 11.07.2026 4.9
CVE-2025-6784 Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution 11.07.2026 8.8
CVE-2026-10041 WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers 11.07.2026 4.3
CVE-2026-10865 Cost Calculator Builder <= 4.0.11 - Unauthenticated Sensitive Information Exposure of Payment Gateway Secret Keys 11.07.2026 5.3
CVE-2026-11591 Widgets for Google Reviews <= 13.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fomo-title' and 'fomo-text' Parameters 11.07.2026 4.4
CVE-2026-11898 White Label CMS <= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings 11.07.2026 4.4
CVE-2026-11901 WP Hotel Booking <= 2.3.1 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via PayPal IPN Handler 11.07.2026 5.3
CVE-2026-12103 Wallet for WooCommerce <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) User/Email Enumeration via terawallet_export_user_search AJAX Action 11.07.2026 4.3
CVE-2026-12126 WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment 'post_title' 11.07.2026 6.4
CVE-2026-12738 WP Easy Pay <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Status Modification via wpep_draft_confirm AJAX Action 11.07.2026 4.3
CVE-2026-12994 WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller 11.07.2026 5.3
CVE-2026-15155 Essential Addons for Elementor <= 6.6.10 - Authenticated (Contributor+) Account Takeover via Email Header Injection 11.07.2026 8.8
CVE-2026-1382 fresh Podcaster <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'freshpodcaster' Shortcode Attributes 11.07.2026 6.4
CVE-2026-4661 WP CTA <= 2.2.2 - Unauthenticated Time-Based Blind SQL Injection via 'fildname' Parameter 11.07.2026 7.5
CVE-2026-6801 Context Blog <= 1.3.5 - Unauthenticated Sensitive Information Exposure via 'postID' Parameter 11.07.2026 5.3
CVE-2026-6939 CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Unauthenticated Stored Cross-Site Scripting via 'approval_code' Parameter 11.07.2026 7.2
CVE-2026-13378 Form Vibes <= 1.5.2 - Unauthenticated Stored Cross-Site Scripting via Contact Form 7 Form Field 11.07.2026 7.2
CVE-2026-7655 SureCart <= 4.2.3 - Unauthenticated Linked WordPress Account Takeover via Forged customer.updated Webhook 11.07.2026 8.1
CVE-2025-13968 Starboard Suite Reservation Calendars <= 3.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 11.07.2026 6.4
CVE-2026-12141 Premium Addons for Elementor <= 4.11.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'premium_tooltip_text' Parameter 11.07.2026 4.9
CVE-2026-13116 PDF Invoices & Packing Slips for WooCommerce <= 5.14.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via 'order_id' Shortcode Attribute 11.07.2026 4.3
CVE-2026-13250 Solace Extra <= 1.5.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion via delete_previously_imported AJAX Action 11.07.2026 5.3
CVE-2026-14262 Simple JWT Login <= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via 'payload' Parameter 11.07.2026 8.8
CVE-2026-15096 Themify Builder <= 7.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Map Module 'b_width_map' Field 11.07.2026 6.4
CVE-2026-15097 Themify Builder <= 7.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height_slider' Slider Module Field 11.07.2026 6.4
CVE-2026-15335 Booking Package <= 1.7.20 - Unauthenticated SQL Injection via 'email' Form Parameter 11.07.2026 7.5
CVE-2026-1832 ThriveDesk <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Cache Deletion 11.07.2026 4.3
CVE-2026-2354 Swiss Toolkit For WP <= 1.4.6 - Authenticated (Author+) Arbitrary File Upload via upload_extension_files() 11.07.2026 8.8
CVE-2026-3552 SurfLink < 2.6.0 - Missing Authorization to Authenticated (Subscriber+) 410 Gone URL Import via 'surfl_import_410' AJAX Action 11.07.2026 4.3
CVE-2026-3576 Planyo online reservation system <= 3.0 - Unauthenticated Server-Side Request Forgery via 'ulap_url' Parameter 11.07.2026 7.2
CVE-2026-6803 AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via AJAX Actions 'removeGroup' and 'clear' 11.07.2026 5.3
CVE-2026-6804 AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthenticated Arbitrary Modification via 'publishTasks' and 'unpublishTasks' AJAX Actions 11.07.2026 5.3
CVE-2026-7559 Affilia <= 3.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Status Modification 11.07.2026 4.3
CVE-2026-7620 Notification for Telegram <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Cron Modification via nftb_cron_action_set AJAX Action 11.07.2026 4.3
CVE-2026-9738 Print, PDF, Email by PrintFriendly <= 5.5.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'content_position_css' Parameter 11.07.2026 4.4
CVE-2026-10628 Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via Multiple AJAX Actions 11.07.2026 4.3
CVE-2026-12426 Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel 11.07.2026 5.3
CVE-2026-13114 Motors <= 1.4.112 - Unauthenticated Stored Cross-Site Scripting via Comment Content and User Biographical Info 11.07.2026 7.2
CVE-2026-13262 Majestic Support <= 1.1.9 - Authenticated (Subscriber+) SQL Injection via 'val' Parameter 11.07.2026 6.5
CVE-2026-13353 WP Ultimate CSV Importer <= 8.0.1 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via 'MappedFields' Parameter 11.07.2026 8.8
CVE-2026-15072 KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in KCQueryBuilder 11.07.2026 6.5
CVE-2026-15073 KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in DoctorSessionController 11.07.2026 6.5
CVE-2026-15338 LA-Studio Element Kit for Elementor <= 1.6.1 - Authenticated (Contributor+) Local File Inclusion via 'progress_type' Widget Setting 11.07.2026 7.5
CVE-2026-3367 Lockme OAuth2 calendars integration <= 2.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'App ID' Setting 11.07.2026 4.4
CVE-2026-5743 Mixed Media Gallery Blocks <= 3.3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via sliderMaxHeight Block Attribute 11.07.2026 6.4
CVE-2026-7544 Mux Video Uploader <= 1.1.4 - Authenticated (Subscriber+) Information Exposure 11.07.2026 4.3
CVE-2026-8678 MyParcel <= 4.25.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Shipment Data Disclosure and Modification via wcmp_get_shipment_options and wcmp_save_shipment_options AJAX Actions 11.07.2026 4.3
CVE-2026-11426 UnderConstructionPage PRO <= 5.76 - Authenticated (Subscriber+) Arbitrary File Read via template_thumbnail Parameter 11.07.2026 6.5
CVE-2026-13756 WP Grid Builder <= 2.3.3 - Authenticated (Subscriber+) Privilege Escalation via 'key' Parameter 11.07.2026 8.8
CVE-2026-14286 10.07.2026
CVE-2026-14480 OpenPLC v3 External Control of File Name or Path 10.07.2026 9.9
CVE-2026-11913 Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045 10.07.2026
CVE-2026-11914 Composer - Critical - Unsupported - SA-CONTRIB-2026-046 10.07.2026
CVE-2026-11915 Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047 10.07.2026
CVE-2026-15086 Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077 10.07.2026
CVE-2026-15087 Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078 10.07.2026
CVE-2026-15089 Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079 10.07.2026
CVE-2026-20744 Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control 10.07.2026 9.8
CVE-2026-42952 Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts 10.07.2026 7.5
CVE-2026-44383 Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expiration 10.07.2026 7.5
CVE-2026-55175 Spinnaker: Improper yaml processing on kustomize bake operations 10.07.2026 7.5
CVE-2026-10768 LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039 10.07.2026
CVE-2026-10769 Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041 10.07.2026
CVE-2026-10770 Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042 10.07.2026
CVE-2026-11908 Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043 10.07.2026
CVE-2026-11909 Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044 10.07.2026
CVE-2026-12535 Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048 10.07.2026
CVE-2026-13231 Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051 10.07.2026
CVE-2026-13232 Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052 10.07.2026
CVE-2026-13233 OpenAI Provider - Moderately critical - Server-side Request Forgery - SA-CONTRIB-2026-053 10.07.2026
CVE-2026-13234 AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054 10.07.2026
CVE-2026-13235 AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055 10.07.2026
CVE-2026-13236 AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056 10.07.2026
CVE-2026-13237 AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057 10.07.2026
CVE-2026-13238 Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058 10.07.2026
CVE-2026-13239 WissKI - Critical - Access bypass - SA-CONTRIB-2026-059 10.07.2026
CVE-2026-13240 Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060 10.07.2026
CVE-2026-13241 Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061 10.07.2026
CVE-2026-13242 Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062 10.07.2026
CVE-2026-13243 Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063 10.07.2026
CVE-2026-13244 Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064 10.07.2026
CVE-2026-15079 Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070 10.07.2026
CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071 10.07.2026
CVE-2026-15081 Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072 10.07.2026
CVE-2026-15082 Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073 10.07.2026
CVE-2026-15083 ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074 10.07.2026
CVE-2026-15084 UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075 10.07.2026
CVE-2026-15085 AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076 10.07.2026
CVE-2026-44795 Spinnaker: Non-safe yaml deserialization allowing RCE when using specific types 10.07.2026 8.8
CVE-2026-49213 TypeBot: SSRF protection bypass via IPv6 unspecified address in Typebot HTTP request execution 10.07.2026 8.1
CVE-2026-52747 ModSecurity: Multipart form-data parser silently strips embedded line breaks from form-field values, enabling request-body inspection bypass 10.07.2026 8.6
CVE-2026-52761 ModSecurity: Transformation utf8toUnicode produces wrong output on i386 architecture 10.07.2026 5.8
CVE-2026-55187 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms (follow-up to CVE-2026-27808) 10.07.2026 5.8
CVE-2026-55803 Drupal core - Critical - PHP object injection - SA-CORE-2026-005 10.07.2026
CVE-2026-55804 Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006 10.07.2026
CVE-2026-55806 Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007 10.07.2026
CVE-2026-55807 Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008 10.07.2026
CVE-2026-55808 Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009 10.07.2026
CVE-2026-55809 Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049 10.07.2026
CVE-2026-55810 Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050 10.07.2026
CVE-2026-55882 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server 10.07.2026
CVE-2026-55883 Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream 10.07.2026
CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server 10.07.2026
CVE-2026-58587 Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065 10.07.2026
CVE-2026-58588 Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066 10.07.2026
CVE-2026-58589 FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067 10.07.2026
CVE-2026-58590 FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068 10.07.2026
CVE-2026-58591 Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069 10.07.2026
CVE-2026-59155 Nezha Monitoring: DDNS and Notification credential exposure via unredacted list API 10.07.2026
CVE-2026-41482 Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator 10.07.2026
CVE-2026-42219 Frappe: Path Traversal via /backups Route 10.07.2026
CVE-2026-47199 Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE 10.07.2026
CVE-2026-47422 Frappe: Unrestricted API access to save_report 10.07.2026
CVE-2026-48127 Frappe: Arbitrary Attachment Injection via add_attachments and upload_file 10.07.2026
CVE-2026-49394 Frappe: Auth. bypass via update_page 10.07.2026
CVE-2026-49844 Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson() 10.07.2026
CVE-2026-54736 Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel) 10.07.2026
CVE-2026-55852 Frappe: TarSlip RCE in Package Import 10.07.2026
CVE-2026-57584 Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS 10.07.2026
CVE-2026-58503 Frappe: Unauthenticated User Enumeration via reset_password 10.07.2026
CVE-2026-34196 GPU DDK - UAF read and/or write of arbitrary physical memory due to integer truncation in PMRDevPhysAddrOSMem 10.07.2026
CVE-2026-41154 GPU DDK - Incorrect Index Calculation in CMA Cleanup Path of AllocOSPages_Sparse 10.07.2026
CVE-2026-45196 GPU DDK - Arbitrary GPU register write in rgxfw_hwperf_hw due to unsanitized pointers from host kernel 10.07.2026
CVE-2026-45203 GPU DDK - rgxfw_hwperf_ufo() re-reads psCmdHeader->ui32CmdSize after initial check, TOCTOU 10.07.2026
CVE-2026-55213 h2o: musl libc stack overflow (QPACK) 10.07.2026 7.5
CVE-2026-55659 Grist: XSS through unsafe value interpolation in server-rendered pages 10.07.2026 7.7
CVE-2026-55664 Grist: Insufficient access control in the /forms endpoint exposes table metadata 10.07.2026 4.3
CVE-2026-55665 DOM-based XSS in Grist via unsanitized links, enabling privilege escalation 10.07.2026
CVE-2026-55879 OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover 10.07.2026 9.3
CVE-2026-55880 OpenReplay: Cross-user IDOR in notes and dashboard widgets 10.07.2026 7.1
CVE-2026-55881 OpenReplay: Cross-tenant session replay disclosure via missing session ownership check in first-mob endpoint 10.07.2026
CVE-2026-57230 OpenReplay: Authenticated ClickHouse SQL injection via session search 10.07.2026 5.4
CVE-2026-57574 Misskey: TOTP tokens can be reused 10.07.2026
CVE-2026-57575 Misskey: SSRF bypass in URL Preview 10.07.2026
CVE-2026-58499 Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id 10.07.2026 8.2
CVE-2026-7639 GPU DDK - Page UAF read in PMMETA_PROTECT heap memory 10.07.2026
CVE-2026-9726 Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038 10.07.2026
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow 10.07.2026 9.8
CVE-2026-13039 Eventin 4.0.26 - 4.1.15 - Missing Authorization to Unauthenticated Payment Bypass via REST API 10.07.2026 5.3
CVE-2026-55229 Gotenberg: SSRF via LibreOffice document processing 10.07.2026 7.5
CVE-2026-55233 OpenResty: Buffer overflow when writing PROXY protocol v2 header to upstream 10.07.2026 7.5
CVE-2026-55405 LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector 10.07.2026 7.6
CVE-2026-57211 RabbitMQ: UNC SSRF affecting the management UI on Windows 10.07.2026 6.5
CVE-2026-57212 RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size 10.07.2026
CVE-2026-57213 RabbitMQ: Stored XSS federation management plugin via unsanitized consumer_tag rendering 10.07.2026
CVE-2026-57214 RabbitMQ: Stored XSS in RabbitMQ management UI 10.07.2026
CVE-2026-57215 RabbitMQ: Direct-reply-to binding persistence can lead to unauthorized reply-channel injection and persistent phantom 10.07.2026
CVE-2026-57216 RabbitMQ: AMQP 1.0, AMQP 0-9-1, Stream Protocol loopback enforcement can lead to remote guest sessions due to listener-address loopback checks 10.07.2026 6.8
CVE-2026-57217 RabbitMQ: Topic authorization can lead to cross-tenant routing-key bypass 10.07.2026
CVE-2026-57218 RabbitMQ: AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure 10.07.2026
CVE-2026-57219 RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations 10.07.2026
CVE-2026-57220 RabbitMQ: Stream listener does not enforce configured frame-size limit during authentication, permitting unauth'd mem-exhaust DoS 10.07.2026 7.5
CVE-2026-57221 RabbitMQ: Passive queue/exchange declaration bypasses authorization checks, leaking queue metadata to unprivileged users 10.07.2026
CVE-2026-57807 WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability 10.07.2026 9.8
CVE-2026-15295 Ajax Load More <= 7.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting 10.07.2026 4.4
CVE-2026-54714 Logto: XSS via unescaped RelayState in SAML auto-submit form 10.07.2026 6.1
CVE-2026-55370 Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation) 10.07.2026 6.4
CVE-2026-55377 Logto: Account Center MFA management step-up bypass via WebAuthn registration verification 10.07.2026 8.1
CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export 10.07.2026
CVE-2026-55461 Snipe-IT: Open Redirect After User Edit 10.07.2026 6.1
CVE-2026-55462 Snipe-IT: Authorization bypass on print inventory page 10.07.2026 4.3
CVE-2026-55466 Snipe-IT: Stored XSS via inline-served attachment 10.07.2026
CVE-2026-55469 Snipe-IT: Path traversal vulnerability via CSV import `image` field 10.07.2026 6.5
CVE-2026-55475 Snipe-IT: Import created_by can be overwritten 10.07.2026 5.7
CVE-2026-55479 Snipe-IT: Incorrect permission for legacy license checkin API 10.07.2026
CVE-2026-55481 Snipe-IT: CSS Injection via `header_color` Setting 10.07.2026
CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint 10.07.2026 5
CVE-2026-55789 Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers 10.07.2026 8.5
CVE-2026-55827 FreeRDP: Heap out-of-bounds write in RemoteFX (RFX) Cache Bitmap V3 decode 10.07.2026 7.5
CVE-2026-57156 FreeRDP: Integer overflow leading to heap buffer overflow in Orders Delta Points parsing 10.07.2026
CVE-2026-57157 Out-of-bounds read in the camera device enumerator server (rdpecam) via unterminated DeviceName / VirtualChannelName 10.07.2026 6.5
CVE-2026-57158 FreeRDP planar_decompress_plane_rle_only: heap OOB read — incomplete fix for CVE-2026-23530 10.07.2026
CVE-2026-57850 RustDesk before 1.4.9 Missing Session Scope Enforcement Allows Out-of-Scope Control Message Injection 10.07.2026
CVE-2026-11321 GLPI DataInjection Plugin Authenticated SQL Injection via CSV Import 10.07.2026
CVE-2026-15146 CVE-2026-15146 10.07.2026
CVE-2026-54329 Snipe-IT: Cross-Tenant Accessory Injection in Snipe-IT API 10.07.2026 8.5
CVE-2026-55460 Snipe-IT: Authorization bypass on bulk editing users 10.07.2026 7.1
CVE-2026-55464 Snipe-IT: Stored XSS via Markdown custom field 10.07.2026
CVE-2026-55472 Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation 10.07.2026 4.3
CVE-2026-55474 Snipe-IT: Directory traversal in displaySig 10.07.2026
CVE-2026-55476 Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter 10.07.2026
CVE-2026-55478 Snipe-IT: Missing object-level authorization in Kits API 10.07.2026
CVE-2026-55516 Snipe-IT: Cross-company asset maintenance re-parenting via API update 10.07.2026 7.7
CVE-2026-55843 Snipe-IT: Improper Privilege Management 10.07.2026
CVE-2026-61459 MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools 10.07.2026
CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers 10.07.2026
CVE-2026-6212 IDOR in Teracity's TeraMIS 10.07.2026 8.8
CVE-2025-30007 HestiaCP < 1.9.5 Authenticated OS Command Injection via DNS Record Management 10.07.2026
CVE-2025-30008 HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface 10.07.2026
CVE-2026-53448 Coturn: SQL Injection in HTTPS Admin Panel Delete Operations 10.07.2026 7.2
CVE-2026-53449 Coturn: Arbitrary File Write via CLI psd Command 10.07.2026 6
CVE-2026-53450 Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection 10.07.2026 7.4
CVE-2026-59151 Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover 10.07.2026 9.6
CVE-2026-5801 SQLi in Semtek Informatics' SEM-PMP 10.07.2026 9.8
CVE-2026-61461 Dify < 1.16.0-rc1 SQL Injection via MyScale Vector Store search_by_full_text 10.07.2026
CVE-2026-6872 10.07.2026
CVE-2026-2397 SQLi in AdamPOS' MobilMen 20T 10.07.2026 9.8
CVE-2026-53780 10.07.2026
CVE-2026-55670 ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers 10.07.2026
CVE-2026-55671 ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components 10.07.2026
CVE-2026-55672 ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation) 10.07.2026 7.4
CVE-2026-56664 ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider 10.07.2026 4.2
CVE-2026-56665 ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider 10.07.2026 4.2
CVE-2026-56666 ZITADEL: Auto-linking by email: IdP-side email verification is not checked 10.07.2026 4.8
CVE-2026-56667 ZITADEL: Stored XSS via Default URI Redirect in Login V2 10.07.2026 7.3
CVE-2026-56668 ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange 10.07.2026 8.1
CVE-2026-57474 Deloitte AI Assist for Customer information disclosure 10.07.2026 5.3
CVE-2026-57475 Deloitte AI Assist for Customer unauthenticated configuration write 10.07.2026 5.3
CVE-2026-57476 Deloitte AI Assist for Customer unauthenticated RAG corpus read and write 10.07.2026 4.8
CVE-2025-70796 10.07.2026
CVE-2026-2398 IDOR in AdamPOS' MobilMen 20T 10.07.2026 8.8
CVE-2026-3251 XSS in Webremium's Mezunum Satiyorum 10.07.2026 6.4
CVE-2026-51119 10.07.2026
CVE-2026-55669 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider 10.07.2026 4.2
CVE-2026-55780 NanaZip: Uncaught exception / unbounded allocation in NanaZip .NET single-file Extract() via unvalidated entry Size 10.07.2026
CVE-2026-55781 NanaZip: Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated fs_bsize/fs_fsize superblock fields 10.07.2026
CVE-2026-55782 NanaZip: Unbounded memory allocation (DoS) in NanaZip WebAssembly parser via attacker-controlled section/name length fields 10.07.2026
CVE-2026-55783 NanaZip: NULL pointer dereference in Extract() of all seven NanaZip custom archive handlers when extracting/testing the whole archive 10.07.2026