CVE Field Guide

Critical CVEs

CVE Title Updated (DD.MM.YYYY) Score
CVE-2026-4321 SQLi in Raera's Destekz 03.07.2026 9.8
CVE-2026-14544 HPLIP: incomplete fix for CVE-2026-8631 03.07.2026 9.8
CVE-2026-9725 Printcart Web to Print Product Designer for WooCommerce <= 2.5.2 - Unauthenticated Arbitrary File Deletion 03.07.2026 9.1
CVE-2026-13768 Gardyn IoT Hub Use of Hard-coded Credentials 02.07.2026 9.5
CVE-2026-13368 WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication 02.07.2026 9.2
CVE-2026-41106 Microsoft 365 Copilot Elevation of Privilege Vulnerability 02.07.2026 9.3
CVE-2026-45499 Azure OpenAI Elevation of Privilege Vulnerability 02.07.2026 9.9
CVE-2026-57100 Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability 02.07.2026 9.9
CVE-2026-52830 fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection 02.07.2026 9.4
CVE-2026-58466 AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user() 02.07.2026 9.3
CVE-2026-59099 Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure 02.07.2026 9.3
CVE-2022-50973 Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet 02.07.2026 9.3
CVE-2024-14037 Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob 02.07.2026 9.3
CVE-2026-44935 Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer 03.07.2026 9.9
CVE-2026-58455 Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php 02.07.2026 9.2
CVE-2026-50746 02.07.2026 10
CVE-2026-50747 02.07.2026 9.9
CVE-2026-50748 02.07.2026 9.9
CVE-2026-54400 02.07.2026 9.1
CVE-2026-54402 02.07.2026 9.9
CVE-2026-55115 02.07.2026 9.9
CVE-2026-55116 02.07.2026 9
CVE-2026-56004 obs-service-tar_scm: command injection via mercurial handler 02.07.2026 10
CVE-2026-4767 Improper Access Control in TR7's WAF-ASP 02.07.2026 9.8
CVE-2026-5524 Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter 02.07.2026 9.8
CVE-2026-27419 WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability 02.07.2026 9.9
CVE-2026-27436 WordPress Five Star Business Profile and Schema plugin <= 2.3.19 - Arbitrary Code Execution vulnerability 02.07.2026 9.1
CVE-2026-57621 WordPress Booktics plugin <= 1.0.21 - PHP Object Injection vulnerability 02.07.2026 9.8
CVE-2026-57623 WordPress W3 Total Cache plugin <= 2.9.4 - Arbitrary Code Execution vulnerability 02.07.2026 9
CVE-2026-57624 WordPress Blocksy Companion Pro plugin <= 2.1.46 - Remote Code Execution (RCE) vulnerability 02.07.2026 10
CVE-2026-57625 WordPress Admin and Site Enhancements (ASE) Pro plugin <= 8.8.5 - Cross Site Scripting (XSS) vulnerability 02.07.2026 9.6
CVE-2026-57677 WordPress Novalnet Payment Gateway for WooCommerce plugin <= 12.10.3 - PHP Object Injection vulnerability 02.07.2026 9.8
CVE-2026-57679 WordPress GeekyBot plugin <= 1.2.5 - SQL Injection vulnerability 02.07.2026 9.3
CVE-2026-57683 WordPress WP Fast Total Search plugin <= 1.80.280 - SQL Injection vulnerability 02.07.2026 9.3
CVE-2026-14439 Path Traversal in Altium Git Service Allows Remote Code Execution 02.07.2026 9.4
CVE-2026-58457 Shenzhen Aitemi M300 MT02 Unauthenticated OS Command Injection via protocol.csp 01.07.2026 9.3
CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite 02.07.2026 10
CVE-2026-34108 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text.php 02.07.2026 9.3
CVE-2026-34109 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech.php 01.07.2026 9.3
CVE-2026-34110 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in complex_start.php 01.07.2026 9.3
CVE-2026-34111 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac_text.php 01.07.2026 9.3
CVE-2026-34112 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac.php 01.07.2026 9.3
CVE-2026-34113 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech_text.php 01.07.2026 9.3
CVE-2026-34114 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translate_text.php 02.07.2026 9.3
CVE-2026-34115 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcribe_amazon.php 01.07.2026 9.3
CVE-2026-34116 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcribe.php 01.07.2026 9.3
CVE-2026-34117 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_subtitles.php 01.07.2026 9.3
CVE-2026-34099 Guardian Language-System Unauthenticated SQL Injection via id Parameter in job_info.php 02.07.2026 9.3
CVE-2026-34100 Guardian Language-System Unauthenticated SQL Injection via id Parameter in media.php 01.07.2026 9.3
CVE-2026-34101 Guardian Language-System Unauthenticated SQL Injection via id Parameter in text_file.php 01.07.2026 9.3
CVE-2026-34102 Guardian Language-System Unauthenticated SQL Injection via id Parameter in job_info_get.php 01.07.2026 9.3
CVE-2026-34103 Guardian Language-System Unauthenticated SQL Injection via id Parameter in subtitles.php 01.07.2026 9.3
CVE-2026-34104 Guardian Language-System Unauthenticated SQL Injection via name Parameter in designer.php 01.07.2026 9.3
CVE-2026-34105 Guardian Language-System Unauthenticated SQL Injection via id Parameter in translate_text.php 02.07.2026 9.3
CVE-2026-34106 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in subtitles.php 01.07.2026 9.3
CVE-2026-34107 Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translate.php 01.07.2026 9.3
CVE-2026-58453 JAIOTlink C492A-W6 4.8.30.57701411 Hard-coded Credentials via anyka_ipc 01.07.2026 9.3
CVE-2025-23350 01.07.2026 9
CVE-2025-23351 01.07.2026 9
CVE-2026-24270 01.07.2026 9.8
CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter 02.07.2026 9.3
CVE-2026-58126 PACSgear PACS Scan 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service 01.07.2026 9.3
CVE-2026-58127 PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service 01.07.2026 9.3
CVE-2026-23537 Feast: unauthenticated arbitrary file write 02.07.2026 9.1
CVE-2026-13603 SSRF with API key leak in pretix-oppwa 01.07.2026 9
CVE-2026-57692 WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability 01.07.2026 9.8
CVE-2026-14198 @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values 01.07.2026 9.1
CVE-2026-10539 Unauthenticated command injection in Control-M/Server communication command 01.07.2026 9.5
CVE-2026-11387 SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset 01.07.2026 9.8
CVE-2026-6070 WP-BusinessDirectory <= 4.0.1 - Unauthenticated Arbitrary File Deletion via Path Traversal via '_filename' Parameter 01.07.2026 9.1
CVE-2026-7839 UltraVNC repeater ships hardcoded default admin password allowing unauthenticated admin access 01.07.2026 9.1
CVE-2026-7840 UltraVNC repeater HTTP server global buffer overflow via long URI (pre-auth RCE) 01.07.2026 9.3
CVE-2026-53488 containerd CRI plugin: image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull 03.07.2026 9.4
CVE-2026-50110 Use of Hard-coded Credentials in StoneFly Storage Concentrator 01.07.2026 9.3
CVE-2026-55721 SQL Injection in StoneFly Storage Concentrator 01.07.2026 9.2
CVE-2026-56413 OS Command Injection in StoneFly Storage Concentrator 01.07.2026 10
CVE-2026-56415 OS Command Injection in StoneFly Storage Concentrator 01.07.2026 10
CVE-2026-56264 Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint 01.07.2026 9.2
CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret 01.07.2026 9.3
CVE-2026-56700 Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection 01.07.2026 9.3
CVE-2026-50003 OFFIS DCMTK Toolkit Path Traversal 01.07.2026 9.3
CVE-2026-58449 txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter 01.07.2026 9.3
CVE-2026-10109 IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling 01.07.2026 9.8
CVE-2026-10134 Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows 01.07.2026 10
CVE-2026-10140 Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem 02.07.2026 9.6
CVE-2026-11708 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability 01.07.2026 9.3
CVE-2026-11712 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability 01.07.2026 9.3
CVE-2026-7663 Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass 01.07.2026 9.1
CVE-2026-7803 Flow Validation Bypass via Empty Component Type Field 01.07.2026 9.8
CVE-2026-7871 Insecure Deserialization in Redis Cache Backend 01.07.2026 9.8
CVE-2026-7873 Code Injection Vulnerability in Code Validation Endpoint 01.07.2026 9.9
CVE-2026-7874 Weak Cryptographic Key Derivation Exposed All Stored Credentials 02.07.2026 9.1
CVE-2026-58138 Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators 01.07.2026 9.3
CVE-2026-58172 Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests 02.07.2026 9.3
CVE-2026-58370 Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name 02.07.2026 9.2
CVE-2026-48276 ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434) 01.07.2026 10
CVE-2026-48277 ColdFusion | Improper Input Validation (CWE-20) 01.07.2026 10
CVE-2026-48281 ColdFusion | Improper Input Validation (CWE-20) 01.07.2026 10
CVE-2026-48282 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 01.07.2026 10
CVE-2026-48283 ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434) 01.07.2026 10
CVE-2026-48286 Adobe Campaign Classic (ACC) | Incorrect Authorization (CWE-863) 01.07.2026 10
CVE-2026-48313 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 30.06.2026 9.3
CVE-2026-48315 ColdFusion | Improper Input Validation (CWE-20) 01.07.2026 9.3
CVE-2026-58116 LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path 30.06.2026 9.3
CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins 30.06.2026 9.1
CVE-2026-44946 SAML Authentication Replay in Rancher 01.07.2026 9.5
CVE-2026-14162 Advantech|Hospital Quering Management - Missing Authentication 30.06.2026 9.3
CVE-2026-53690 SQL Injection in Redeight CMS 30.06.2026 9.3
CVE-2026-8402 SQLi in Exagate's SYSGUARD 6001 30.06.2026 9.8
CVE-2026-12076 SQL Injection in Raytha CMS 30.06.2026 9.3
CVE-2026-9711 EventON - WordPress Virtual Event Calendar Plugin <= 5.0.11 - Unauthenticated Blind SQL Injection via Search Parameter 30.06.2026 9.8
CVE-2026-12818 DVP-12SE Exposure of Sensitive Information Vulnerability 30.06.2026 9.3
CVE-2026-12819 DVP-12SE Missing Authentication and Unauthorized Write access Vulnerability 30.06.2026 9.3
CVE-2026-12073 ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite 30.06.2026 9.8
CVE-2026-57498 Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers 30.06.2026 9.6
CVE-2026-11720 Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder 29.06.2026 9.3
CVE-2026-56782 Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints 30.06.2026 9.3
CVE-2026-41052 Rancher Privilege Escalation from Project Owner to Host 30.06.2026 9.4
CVE-2026-56290 Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0 01.07.2026 10
CVE-2026-57331 WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability 29.06.2026 9.9
CVE-2026-58053 Gitea act_runner - Container Hardening Bypass via Workflow Container Options 30.06.2026 9.4
CVE-2026-12415 Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter 29.06.2026 9.8
CVE-2026-31928 Daktronics Controller Firmware Use of Hard-coded Credentials 29.06.2026 9.3
CVE-2026-28701 Daktronics Controller Firmware Path Traversal 29.06.2026 9.3
CVE-2026-49869 Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter` 29.06.2026 10
CVE-2026-53576 Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass 29.06.2026 10
CVE-2026-54350 Budibase: Anonymous NoSQL operator injection via published-app query templates 30.06.2026 10
CVE-2026-54352 Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload 27.06.2026 9.6
CVE-2026-46386 OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` 29.06.2026 9.9
CVE-2026-53309 ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison 28.06.2026 9.8
CVE-2026-52780 OpenProject: Cache store poisoning leads to Remote Code Execution (RCE) 27.06.2026 9.6
CVE-2026-52782 OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources 29.06.2026 9.9
CVE-2026-52785 OpenProject: SQL injection in timestamps functionality 29.06.2026 9.9

Latest Updates

CVE Title Updated (DD.MM.YYYY) Score
CVE-2026-14612 FreeIPA: off-by-one buffer overflows in ipa-otpd oauth2.c during OAuth2 device authorization 03.07.2026
CVE-2026-14613 Keycloak (keycloak-services): FGAP v2 role groups endpoint discloses hidden group metadata without group view permission 03.07.2026
CVE-2026-14459 Argument Injection in TUBITAK BILGEM's pardus-software 03.07.2026 8.8
CVE-2026-14460 Missing Authorization in TUBITAK BILGEM's pardus-software 03.07.2026 8.8
CVE-2026-49813 03.07.2026 6.7
CVE-2026-49814 03.07.2026 7.2
CVE-2026-49815 03.07.2026 7.2
CVE-2026-53478 03.07.2026 7.2
CVE-2026-46463 03.07.2026 6.5
CVE-2026-46464 03.07.2026 4.9
CVE-2026-46465 03.07.2026 5.5
CVE-2026-46466 03.07.2026 2.7
CVE-2026-26355 03.07.2026 6.5
CVE-2026-41123 03.07.2026 4.3
CVE-2026-46467 03.07.2026 5.8
CVE-2026-46468 03.07.2026 4.4
CVE-2026-46730 03.07.2026 4.2
CVE-2026-54483 03.07.2026 6.7
CVE-2026-56015 Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length 03.07.2026
CVE-2026-56085 03.07.2026 3.3
CVE-2026-59234 Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion 03.07.2026
CVE-2026-41124 03.07.2026 2.3
CVE-2026-44268 03.07.2026 4.4
CVE-2026-44269 03.07.2026 4.4
CVE-2026-10054 03.07.2026 8.8
CVE-2026-10055 03.07.2026 8.5
CVE-2026-13341 Prompt Injection and Credential Exposure via Untrusted Analytics Data in Kong Konnect MCP 03.07.2026 7.4
CVE-2026-50238 03.07.2026
CVE-2026-4321 SQLi in Raera's Destekz 03.07.2026 9.8
CVE-2026-4322 XSS in Raera's Destekz 03.07.2026 6.1
CVE-2026-5137 RTMKit <= 2.0.7 - Authenticated (Contributor+) Limited Local File Inclusion via 'template' Parameter 03.07.2026 4.3
CVE-2026-11398 LatePoint <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step 03.07.2026 5.3
CVE-2026-11778 CURCY <= 2.2.14 - Unauthenticated Arbitrary Shortcode Execution via 'exchange' Parameter 03.07.2026 5.4
CVE-2026-11900 Ad Inserter <= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure via 'data' Shortcode Attribute 03.07.2026 4.3
CVE-2026-35159 03.07.2026 5.3
CVE-2026-47896 Apache Lucene.Net: Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server 03.07.2026
CVE-2026-4804 Zakra <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta REST API 03.07.2026 6.4
CVE-2026-9756 GenerateBlocks <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute 03.07.2026 6.4
CVE-2026-14544 HPLIP: incomplete fix for CVE-2026-8631 03.07.2026
CVE-2026-47897 Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client 03.07.2026
CVE-2026-47898 Apache Lucene.Net: XXE vulnerability in Lucene.Net.Analysis.Common PatternParser 03.07.2026
CVE-2026-8351 RTMKit <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget 'Background Text' Parameter 03.07.2026 6.4
CVE-2026-8804 Cleartext Storage of Sensitive Information for Puppet Resource API 03.07.2026
CVE-2026-9148 Comments <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting via 'Website' Field 03.07.2026 7.2
CVE-2026-9230 Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Quiz Modification and Email Reroute via Leaked Nonce from /quiz/structure 03.07.2026 4.3
CVE-2026-10536 HTTP/2 stream-dependency tree UAF 03.07.2026
CVE-2026-11352 QUIC zero-length UDP datagrams busy-loop 03.07.2026
CVE-2026-11564 Native CA trust persist 03.07.2026
CVE-2026-11586 WS Auto-PONG memory exhaustion 03.07.2026
CVE-2026-11856 cross-origin Digest auth state leak 03.07.2026
CVE-2026-12064 proto-default skips SSH verification 03.07.2026
CVE-2026-4967 03.07.2026 7.5
CVE-2026-8286 wrong STARTTLS connection reuse 03.07.2026
CVE-2026-8458 wrong reuse for different services 03.07.2026
CVE-2026-8924 trailing dot domain super cookie 03.07.2026
CVE-2026-8925 SASL double-free 03.07.2026
CVE-2026-8926 password leak with netrc and user in URL 03.07.2026
CVE-2026-8927 env-set cross-proxy Digest auth state leak 03.07.2026
CVE-2026-8932 incomplete mTLS config matching in conn reuse 03.07.2026
CVE-2026-9079 stale proxy password leak 03.07.2026
CVE-2026-9080 UAF after pause in socket callback 03.07.2026
CVE-2026-9545 exposing HTTP/3 early data 03.07.2026
CVE-2026-9546 sending old referer 03.07.2026
CVE-2026-9547 SSH improper host validation 03.07.2026
CVE-2026-11397 WP Import Export Lite <= 3.9.30 - Authenticated (Administrator+) Server-Side Request Forgery via 'file_url' Parameter 03.07.2026 5.5
CVE-2026-12557 Ninja Forms - File Uploads <= 3.3.29 - Missing Authorization to Unauthenticated Log Disclosure and Deletion via debug-log/delete-all and debug-log/get-all REST Endpoints 03.07.2026 5.3
CVE-2026-13040 NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via 'real_val__' Parameter 03.07.2026 7.2
CVE-2026-14352 AR for WooCommerce <= 8.40 - Unauthenticated Path Traversal to Arbitrary File Read via 'file' Parameter 03.07.2026 7.5
CVE-2026-8489 Ultimate Member <= 2.11.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Non-HTML Custom Textarea Profile Field 03.07.2026 6.4
CVE-2026-8892 CM Business Directory <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Business Address Meta Fields 03.07.2026 6.4
CVE-2026-9180 MotoPress Appointment Booking <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter 03.07.2026 5.3
CVE-2026-9626 JSON API User <= 4.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'content' Parameter 03.07.2026 6.4
CVE-2026-9725 Printcart Web to Print Product Designer for WooCommerce <= 2.5.2 - Unauthenticated Arbitrary File Deletion 03.07.2026 9.1
CVE-2022-4989 03.07.2026
CVE-2022-4990 03.07.2026
CVE-2026-12960 03.07.2026
CVE-2026-8921 03.07.2026
CVE-2026-12729 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Data Migration via wedocs_migrate_betterdocs_to_wedocs AJAX Action 03.07.2026 4.3
CVE-2026-12731 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes 03.07.2026 6.4
CVE-2026-12734 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'connectorWidth' Block Attribute 03.07.2026 6.4
CVE-2026-12920 Cookie Banner for GDPR / CCPA <= 4.3.5 - Authenticated (Administrator+) SQL Injection via 's' Parameter 03.07.2026 4.9
CVE-2026-14327 AR for WordPress <= 8.40 - Unauthenticated Arbitrary File Read via 'file' Parameter 03.07.2026 7.5
CVE-2026-54477 Gardyn IoT Hub Improper Neutralization of HTTP Headers for Scripting Syntax 02.07.2026 5.4
CVE-2026-55726 Gardyn IoT Hub Exposure of Sensitive System Information to an Unauthorized Control Sphere 02.07.2026 5.3
CVE-2026-13768 Gardyn IoT Hub Use of Hard-coded Credentials 02.07.2026 10
CVE-2026-13050 WatchGuard Firebox networkd Out of Bounds Write Vulnerability 02.07.2026
CVE-2026-13053 WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI Command Handler 02.07.2026
CVE-2026-13054 WatchGuard Firebox Arbitrary File Write via Path Traversal in Management Web UI 02.07.2026
CVE-2026-13079 WatchGuard Mobile VPN with SSL Windows Client Local Privilege Escalation 02.07.2026
CVE-2026-13084 Null Pointer Dereference in WatchGuard Fireware OS iked Process 02.07.2026
CVE-2026-13368 WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication 02.07.2026
CVE-2026-13371 WatchGuard Firebox Management Web UI Denial of Service via Unsafe Deserialization 02.07.2026
CVE-2026-13373 WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Tigerpaw Technology Integration Configuration 02.07.2026
CVE-2026-13374 WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration 03.07.2026
CVE-2026-13375 WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Autotask Technology Integration Configuration 02.07.2026
CVE-2026-13376 WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in spamBlocker Module 02.07.2026
CVE-2026-13377 WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in SIP Proxy Configuration 02.07.2026
CVE-2026-13383 WatchGuard Firebox ikestubd Out of Bounds Write Vulnerability 02.07.2026
CVE-2026-13384 WatchGuard Firebox wgagent Out of Bounds Write Vulnerability 02.07.2026
CVE-2026-13722 WatchGuard Firebox Firmware Image Validation Bypass in WatchGuard Fireware OS 02.07.2026
CVE-2026-13728 WatchGuard Firebox Hardcoded Fallback Encryption Key in Access Portal Resource Credential Database 02.07.2026
CVE-2026-8247 WatchGuard Firebox admd Out of Bounds Write Vulnerability 02.07.2026
CVE-2026-26145 Microsoft Azure Synapse Elevation of Privilege Vulnerability 02.07.2026 4.8
CVE-2026-41106 Microsoft 365 Copilot Elevation of Privilege Vulnerability 02.07.2026 9.3
CVE-2026-45499 Azure OpenAI Elevation of Privilege Vulnerability 02.07.2026 9.9
CVE-2026-54998 Microsoft Exchange Online Elevation of Privilege Vulnerability 02.07.2026 8.8
CVE-2026-57100 Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability 02.07.2026 9.9
CVE-2026-50721 IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload 02.07.2026 7.5
CVE-2026-50722 IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload 02.07.2026 7.5
CVE-2026-12413 IKEv2 Denial of Service via malformed fragmentation 02.07.2026 7.5
CVE-2026-38969 02.07.2026
CVE-2026-38970 02.07.2026
CVE-2026-38972 02.07.2026
CVE-2026-52830 fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection 02.07.2026 9.4
CVE-2026-38968 02.07.2026
CVE-2026-38971 02.07.2026
CVE-2026-52188 02.07.2026
CVE-2026-52189 02.07.2026
CVE-2026-52191 02.07.2026
CVE-2026-52192 02.07.2026
CVE-2026-58460 react-native-receive-sharing-intent Path Traversal via _display_name 02.07.2026
CVE-2025-71385 Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint 02.07.2026 6.1
CVE-2026-52187 02.07.2026
CVE-2026-58381 GIMP: double-free in read_layer_block() 02.07.2026
CVE-2026-58466 AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user() 02.07.2026 9.8
CVE-2026-58467 Cockpit CMS < 364 - Path Traversal Local File Inclusion via index.php 02.07.2026
CVE-2026-58578 LobeChat < 2.2.10-canary.15 - Regular Expression Denial of Service in GitHub Skill Import 02.07.2026 6.5
CVE-2026-58579 RAGFlow < 0.26.3 - Stored Cross-Site Scripting via Agent Pipeline Node Name 02.07.2026 5.4
CVE-2026-58580 LobeChat 2.2.9 - Broken Object-Level Authorization in Message Sub-Resource Writes 02.07.2026 5.9
CVE-2026-59092 JuiceFS - Authentication Bypass via pprof and metrics Endpoints 02.07.2026 7.7
CVE-2026-59093 Weaviate < 1.38.0 - Privilege Escalation via Unchecked Permissions in RBAC Role Assignment 02.07.2026 8.8
CVE-2026-59094 Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store 02.07.2026 7.5
CVE-2026-59095 LobeChat < 2.2.10-canary.18 - SSRF via importFromUrl and fetchImageFromUrl 02.07.2026 7.7
CVE-2026-59096 Dapr - OIDC Discovery Issuer and JWKS URI Injection via Unvalidated X-Forwarded-Host 02.07.2026 7.5
CVE-2026-59097 Taiga < 6.10.2 - Unauthorized Due-Date Creation via API Viewsets 02.07.2026 5.3
CVE-2026-59098 LobeChat 2.2.9 - Cross-User Document Disclosure via Unscoped RAG Semantic Search 02.07.2026 6.5
CVE-2026-59099 Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure 02.07.2026 9.1
CVE-2026-59100 LobeChat 2.2.9 - Broken Object Level Authorization via Chat-Group Agent Operations 02.07.2026 5
CVE-2026-59101 AutoBangumi < 3.2.8 - SSRF via /api/v1/setup/test-downloader 02.07.2026 5.8
CVE-2026-59102 Forgejo < 15.0.3 - Stored XSS via Actions Run Full Name Rendering 02.07.2026 5.4
CVE-2026-13743 Improper verification of cryptographic signature in CubeSpace CW0057 Reaction Wheel 02.07.2026
CVE-2026-7311 TinyPNG <= 3.6.13 - Authenticated (Author+) Arbitrary File Deletion via 'convert.path' in 'tiny_compress_images' Post Meta 02.07.2026 8.1
CVE-2026-58465 Eclipse Wakaama CoAP Block1 Handler Unbounded Memory Allocation DoS 02.07.2026
CVE-2022-50973 Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet 02.07.2026
CVE-2024-14037 Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob 02.07.2026
CVE-2024-58352 Landray OA Unauthenticated HQL Injection via wechatLoginHelper.do 02.07.2026
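As an added example, not part of this page or of any product it lists: a Python script that parses rows in the format of the two tables above, merges them into one record per CVE, and flags the cases a practitioner has to resolve by hand before triaging, namely CVEs the page lists with two different scores (which is the case for CVE-2026-13768, CVE-2026-58466 and CVE-2026-59099 above) and rows with no score at all. The sample rows are copied from this page; the row format, and the choice to rank a conflicting CVE by the higher of its two scores, are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: rows copied from the two tables on this page, including
# three CVEs that appear in both with different scores, two rows with no score
# and one row with no title. Heading lines are included to show they are skipped.
SAMPLE = """Critical CVEs

CVE Title Updated Score
CVE-2026-13768 Gardyn IoT Hub Use of Hard-coded Credentials 02.07.2026 9.5
CVE-2026-58466 AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user() 02.07.2026 9.3
CVE-2026-59099 Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure 02.07.2026 9.3
CVE-2026-50746 02.07.2026 10
CVE-2026-56004 obs-service-tar_scm: command injection via mercurial handler 02.07.2026 10

Latest Updates

CVE Title Updated Score
CVE-2026-13768 Gardyn IoT Hub Use of Hard-coded Credentials 02.07.2026 10
CVE-2026-58466 AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user() 02.07.2026 9.8
CVE-2026-59099 Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure 02.07.2026 9.1
CVE-2026-47896 Apache Lucene.Net: Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server 03.07.2026
CVE-2026-56015 Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length 03.07.2026
CVE-2026-4967 03.07.2026 7.5
"""

# One table row (assumed format): CVE id, optional title, DD.MM.YYYY date, optional score.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?:\s+(?P<title>\S.*?))?"
    r"\s+(?P<updated>\d{2}\.\d{2}\.\d{4})"
    r"(?:\s+(?P<score>\d{1,2}(?:\.\d)?))?\s*$"
)


def parse_rows(text):
    """Parse the flattened listing into dicts; headings and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "cve": m["cve"],
            "title": (m["title"] or "").strip(),
            "updated": datetime.strptime(m["updated"], "%d.%m.%Y").date(),
            "score": float(m["score"]) if m["score"] else None,
        })
    return rows


def merge_rows(rows):
    """Collapse duplicate rows (a CVE listed in both tables) into one record per CVE.
    Every distinct score seen is kept so that disagreements are not silently lost."""
    merged = {}
    for r in rows:
        rec = merged.setdefault(r["cve"], {"title": "", "updated": r["updated"], "scores": set()})
        rec["title"] = rec["title"] or r["title"]
        rec["updated"] = max(rec["updated"], r["updated"])
        if r["score"] is not None:
            rec["scores"].add(r["score"])
    return merged


def find_score_conflicts(merged):
    """CVEs whose listings disagree on the score; check the source advisory before trusting either."""
    return {cve: sorted(rec["scores"]) for cve, rec in merged.items() if len(rec["scores"]) > 1}


def unscored(merged):
    """CVEs with no score on the page; they cannot be ranked and need a manual look."""
    return sorted(cve for cve, rec in merged.items() if not rec["scores"])


def triage(merged, min_score=9.0):
    """Worklist of CVEs scoring at or above min_score, worst first, then by id.
    A conflicting CVE is ranked by its higher score so a possibly stale lower value
    cannot push it down the list; the conflict flag is carried along."""
    out = []
    for cve, rec in merged.items():
        if not rec["scores"]:
            continue
        score = max(rec["scores"])
        if score >= min_score:
            out.append((cve, score, rec["title"], len(rec["scores"]) > 1))
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


if __name__ == "__main__":
    merged = merge_rows(parse_rows(SAMPLE))
    for cve, scores in find_score_conflicts(merged).items():
        print(f"score conflict: {cve} listed as {scores}")
    print("unscored, review manually:", unscored(merged))
    for cve, score, title, conflict in triage(merged):
        print(f"{score:4.1f} {cve} {'[conflict] ' if conflict else ''}{title}")
```

Run against the full text of this page rather than the sample, the conflict report is the first thing to reconcile: a score that differs between the two tables usually means one table was captured before a rescoring, and the worklist should be built from the advisory's current value, not from whichever copy happened to be read.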