CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-60121 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php 13.07.2026 9.3
CVE-2026-61498 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php 13.07.2026 9.3
CVE-2026-6847 Unauthenticated Remote Code Execution in ThemisNETPanel 13.07.2026 9.3
CVE-2026-12257 Remote code execution in Mura Software’s CMS 13.07.2026 9.3
CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise 13.07.2026 9.4
CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application 13.07.2026 9.2
CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app 13.07.2026 9.5
CVE-2026-22095 Command injection in diagnosis web endpoint 13.07.2026 9.3
CVE-2026-22096 Missing authentication for webserver endpoints 13.07.2026 9.3
CVE-2026-22097 Missing firmware validation allows remote code execution 13.07.2026 9.3
CVE-2026-22098 Sensitive information is written to logs 13.07.2026 9.2
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality 13.07.2026 9.3
CVE-2026-22103 Command injection in NPC start web endpoint 13.07.2026 9.3
CVE-2026-57401 WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability 13.07.2026 9.9
CVE-2026-57702 WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57707 WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57710 WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability 13.07.2026 9.9
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57719 WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability 13.07.2026 10
CVE-2026-57724 WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57726 WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57738 WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57739 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57770 WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability 13.07.2026 10
CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability 13.07.2026 9.8
CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-14453 A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets 13.07.2026 9.6
CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface 13.07.2026 9.3
CVE-2026-15511 Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection 12.07.2026 9.3
CVE-2026-56271 Flowise - Weak Default JWT Secrets in Authentication Middleware 12.07.2026 9.3
CVE-2026-61876 LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting 12.07.2026 9.4
CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension 11.07.2026 9.3
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution 11.07.2026 9.4
CVE-2026-61447 PraisonAI before 1.6.78 Remote Code Execution via CodeAgent 13.07.2026 10
CVE-2026-57827 Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 11.07.2026 10
CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 11.07.2026 9
CVE-2026-20744 Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control 10.07.2026 9.3
CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server 10.07.2026 9.2
CVE-2026-55879 OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover 10.07.2026 9.3
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow 13.07.2026 9.8
CVE-2026-57807 WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability 13.07.2026 9.8
CVE-2026-61459 MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools 13.07.2026 9.3
CVE-2026-59151 Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover 10.07.2026 9.6
CVE-2026-5801 SQLi in Semtek Informatics' SEM-PMP 10.07.2026 9.8
CVE-2026-2397 SQLi in AdamPOS' MobilMen 20T 10.07.2026 9.8
CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation 10.07.2026 9.2
CVE-2026-15143 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 10.07.2026 9.3
CVE-2026-55500 9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover 10.07.2026 9.9
CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs 10.07.2026 9.2
CVE-2026-56765 Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR 10.07.2026 9.3
CVE-2026-59792 10.07.2026 9.6
CVE-2026-61444 PraisonAI before 4.6.78 Code Injection via f-string 10.07.2026 9.4
CVE-2026-56688 10.07.2026 9.1
CVE-2026-15378 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 10.07.2026 9.3
CVE-2026-41880 OS Command Injection in R-SOFT DMS 10.07.2026 9
CVE-2026-15282 Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload 10.07.2026 9.8
CVE-2026-15300 GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters 10.07.2026 9.1
CVE-2026-14894 Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value) 10.07.2026 9.8
CVE-2026-54760 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls 10.07.2026 9.3
CVE-2026-54769 Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent 10.07.2026 10
CVE-2026-55615 Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879 10.07.2026 9.2
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing 10.07.2026 9.3
CVE-2026-58123 Hermes WebUI < 0.51.788 Unauthenticated RCE via Terminal API 10.07.2026 9.3
CVE-2026-54003 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header 09.07.2026 9.1
CVE-2026-59726 Ruflo: Unauthenticated RCE in MCP bridge default docker-compose deployment 09.07.2026 10
CVE-2026-59826 Metabase: Arbitrary Code Execution via Database Connection Detail Bypass 10.07.2026 9.1
CVE-2026-59827 Metabase: Unsafe Deserialization of H2 Query Results 09.07.2026 9.9
CVE-2025-27462 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27463 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27464 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-58146 XAPI UTF-8 string handling 09.07.2026 9.4
CVE-2025-58151 varstored: TOCTOU issues with mapped guest memory 09.07.2026 9.4
CVE-2026-23556 oxenstored keeps quota related use counts across domain destruction 09.07.2026 9.4
CVE-2026-23559 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23560 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23561 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-23562 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-42486 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-56292 Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1 10.07.2026 9.2
CVE-2026-56291 Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1 11.07.2026 10
CVE-2026-15158 Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter 09.07.2026 9.8
CVE-2026-2342 XSS in Oceanicsoft's ValeApp 09.07.2026 9.3
CVE-2026-5955 SQLi in Inrove Software's BiEticaret 09.07.2026 9.8
CVE-2026-14245 miniOrange OTP Login, Verification and SMS Notifications <= 5.5.1 - Authentication Bypass to Administrator Account Takeover via 'username_b' Parameter 09.07.2026 9.8
CVE-2026-47646 Dynamics 365 Customer Voice Spoofing Vulnerability 09.07.2026 9.3
CVE-2026-54782 CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation 10.07.2026 10
CVE-2026-44024 Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder 10.07.2026 9.8
CVE-2026-54527 JupyterLab Git: Stored XSS leading to RCE 09.07.2026 9.3
CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request 09.07.2026 9.3
CVE-2026-59702 repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack 08.07.2026 9.2
CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input 08.07.2026 9.2
CVE-2026-9074 IBM API Connect SQL Injection 09.07.2026 9.1
CVE-2026-15062 SQL Injection in Snowflake Snowpark Python SDK 08.07.2026 9.6
CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import 08.07.2026 9.1
CVE-2026-58480 Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments 08.07.2026 9.2
CVE-2026-8307 SQLi in Webbeyaz's Mediküm Web 09.07.2026 9.8
CVE-2026-56000 xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() 08.07.2026 9
CVE-2026-9695 Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 08.07.2026 9.8
CVE-2026-12153 WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action 08.07.2026 9.8
CVE-2026-14487 Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter 08.07.2026 9.1
CVE-2026-9701 Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 08.07.2026 9.8
CVE-2026-56843 08.07.2026 9.9
CVE-2026-59705 mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints 08.07.2026 9.3
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft 08.07.2026 9.1
CVE-2026-59706 mem0 - Unauthenticated Config API Exposure and SSRF via ollama_base_url 09.07.2026 9.2
CVE-2026-58473 Cognee < 1.2.0 Unauthorized LLM Configuration Overwrite via /api/v1/settings 08.07.2026 9.3
CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply 09.07.2026 9.2
CVE-2026-59800 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint 07.07.2026 9.2
CVE-2026-13019 Missing Authentication 08.07.2026 9.8
CVE-2026-53481 08.07.2026 9.8
CVE-2026-53483 08.07.2026 9.8
CVE-2026-14345 WPFunnels <= 3.12.7 - Unauthenticated Remote Code Execution via 'postData' Parameter 08.07.2026 9.8
CVE-2026-34037 Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo() 07.07.2026 9.9
CVE-2026-34047 Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution 07.07.2026 9.9
CVE-2026-34048 Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers 07.07.2026 9.9

Latest Updates

CVE Title Updated Score
CVE-2026-58065 Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification 13.07.2026
CVE-2026-59245 Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision) 13.07.2026
CVE-2026-61692 13.07.2026
CVE-2026-60121 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php 13.07.2026
CVE-2026-61498 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php 13.07.2026
CVE-2026-6847 Unauthenticated Remote Code Execution in ThemisNETPanel 13.07.2026
CVE-2026-15559 CodeAstro Simple Online Leave Management System POST accept.php sql injection 13.07.2026
CVE-2026-15584 Redhatinsights/incluster-checks: incluster-checks: privileged host-chroot debug pods created in shared default namespace enable privilege escalation to node root 13.07.2026
CVE-2026-40467 Use after free in gawk 13.07.2026
CVE-2026-40468 Heap buffer overflow in gawk 13.07.2026
CVE-2026-40469 Heap buffer overflow in gawk 13.07.2026
CVE-2026-40553 Stack-based buffer overflow in gawk 13.07.2026
CVE-2026-12257 Remote code execution in Mura Software’s CMS 13.07.2026
CVE-2026-15558 CodeAstro Simple Online Leave Management System deletemp.php sql injection 13.07.2026
CVE-2026-62147 Tempo-operator: tempo operator: query rbac bypass 13.07.2026
CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise 13.07.2026
CVE-2026-4765 Stored Cross-Site Scripting (XSS) in Tallos Chat by RD Station Conversas 13.07.2026
CVE-2026-6541 Unscoped updates to other playbooks' metric configuration 13.07.2026 4.3
CVE-2026-9820 Mattermost schemes teams endpoint exposes private team invite IDs 13.07.2026 3.8
CVE-2026-9824 Remote cluster metadata enumeration via /share-channel autocomplete 13.07.2026 4.3
CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application 13.07.2026
CVE-2026-14846 Incorrect neutralisation in the PrestaShop firmware 13.07.2026
CVE-2026-15548 Shibby Tomato DNS List Rendering httpd sub_407220 stack-based overflow 13.07.2026
CVE-2026-15557 waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication 13.07.2026
CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app 13.07.2026
CVE-2026-22095 Command injection in diagnosis web endpoint 13.07.2026
CVE-2026-22096 Missing authentication for webserver endpoints 13.07.2026
CVE-2026-22097 Missing firmware validation allows remote code execution 13.07.2026
CVE-2026-22098 Sensitive information is written to logs 13.07.2026
CVE-2026-22099 Missing authentication for Bluetooth communication 13.07.2026
CVE-2026-22100 Comnand injection in OCPP ReserveLogin message 13.07.2026
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality 13.07.2026
CVE-2026-22103 Command injection in NPC start web endpoint 13.07.2026
CVE-2026-41041 Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints. 13.07.2026
CVE-2026-49876 Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs 13.07.2026
CVE-2026-57363 WordPress ChatBot plugin <= 8.3.7 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57364 WordPress Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More plugin <= 2.2.0 - Other Vulnerability Type vulnerability 13.07.2026 6.5
CVE-2026-57365 WordPress reCAPTCHA (v2 & v3) for Asgaros Forum plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57368 WordPress Jobmonster theme <= 4.8.5 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57369 WordPress Themify Builder plugin <= 7.7.4 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57371 WordPress WPJAM Basic plugin <= 7.0 - PHP Object Injection vulnerability 13.07.2026 8.8
CVE-2026-57372 WordPress WPJAM Basic plugin <= 7.0 - Server Side Request Forgery (SSRF) vulnerability 13.07.2026 7.2
CVE-2026-57375 WordPress MStore API plugin <= 4.18.4 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57376 WordPress ElementInvader Addons for Elementor plugin <= 1.4.3 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57377 WordPress WowAddons plugin <= 1.6.8 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57378 WordPress Advanced Forms plugin <= 1.9.3.7 - Broken Access Control vulnerability 13.07.2026 7.5
CVE-2026-57379 WordPress FormyChat plugin <= 2.15.3 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57380 WordPress Extensions for Leaflet Map plugin <= 5.1 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57381 WordPress PropertyHive plugin <= 2.2.3 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57382 WordPress Simple File List plugin <= 6.3.8 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57383 WordPress JobSearch plugin <= 3.2.9 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57385 WordPress Vitepos plugin <= 3.4.2 - SQL Injection vulnerability 13.07.2026 8.5
CVE-2026-57386 WordPress aBlocks plugin < 2.9.1 - Privilege Escalation vulnerability 13.07.2026 8.8
CVE-2026-57387 WordPress picu plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57388 WordPress Hydra Booking plugin <= 1.1.44 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57389 WordPress Groundhogg plugin <= 4.4.1 - Arbitrary File Deletion vulnerability 13.07.2026 8.6
CVE-2026-57390 WordPress Extra Product Options Builder for WooCommerce plugin <= 1.2.167 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57391 WordPress Loops & Logic plugin <= 4.2.3 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57392 WordPress Tourfic plugin <= 2.22.5 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57393 WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Sensitive Data Exposure vulnerability 13.07.2026 6.5
CVE-2026-57394 WordPress Newsletters plugin <= 4.14 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57395 WordPress Tourfic plugin <= 2.22.5 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57396 WordPress Free Gifts for WooCommerce plugin <= 13.1.0 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57398 WordPress Real Estate Manager Pro plugin <= 12.8.3 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57399 WordPress Proxy & VPN Blocker plugin <= 3.5.8 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57400 WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.5 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57401 WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability 13.07.2026 9.9
CVE-2026-57402 WordPress Flexible Refund and Return Order for WooCommerce plugin <= 1.0.51 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57403 WordPress GD Security Headers plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57404 WordPress Booking and Rental Manager plugin <= 2.6.9 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57405 WordPress Open Shop theme <= 1.7.1 - Broken Access Control vulnerability 13.07.2026 7.1
CVE-2026-57406 WordPress FundEngine plugin <= 1.7.6 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57407 WordPress PDF Generator for WordPress plugin <= 1.6.2 - Server Side Request Forgery (SSRF) vulnerability 13.07.2026 7.2
CVE-2026-57408 WordPress Peach Payments Gateway plugin <= 4.0.2 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57409 WordPress Active Products Tables for WooCommerce plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57410 WordPress MailerPress plugin <= 2.0.2 - Privilege Escalation vulnerability 13.07.2026 8.8
CVE-2026-57411 WordPress CF7 Views – Complete Entry Management for Contact Form 7 plugin <= 3.2.2 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57412 WordPress Gift Vouchers plugin <= 4.6.9 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57413 WordPress Instant Image Generator plugin <= 2.1.4 - Server Side Request Forgery (SSRF) vulnerability 13.07.2026 6.4
CVE-2026-57414 WordPress ChatBot for eCommerce – WoowBot plugin <= 4.6.1 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57415 WordPress Gift Vouchers plugin <= 4.7.0 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57416 WordPress SiteGround Email Marketing plugin <= 1.7.5 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57417 WordPress Cart Lift plugin <= 3.1.57 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57418 WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.13 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57419 WordPress Stock Locations for WooCommerce plugin <= 3.1.8 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57420 WordPress Author Box WP Lens plugin <= 2.1.5 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57421 WordPress CRM Perks Forms plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57422 WordPress Bopo – WooCommerce Product Bundle Builder plugin <= 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57423 WordPress Message Filter for Contact Form 7 plugin <= 1.6.3.8 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57424 WordPress Razorpay Payment Links for WooCommerce plugin <= 2.1.4 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57668 WordPress NEX-Forms plugin <= 9.2.2 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57691 WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.23.89 - Cross Site Scripting (XSS) vulnerability 13.07.2026 5.8
CVE-2026-57693 WordPress Ad Inserter plugin <= 2.8.11 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57694 WordPress Tutor LMS plugin <= 3.9.13 - Insecure Direct Object References (IDOR) vulnerability 13.07.2026 6.5
CVE-2026-57695 WordPress Document Gallery plugin <= 5.1.0 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57697 WordPress ProfileGrid plugin <= 5.9.9.6 - Broken Authentication vulnerability 13.07.2026 7.5
CVE-2026-57698 WordPress Abandoned Cart Recovery for WooCommerce plugin <= 1.1.12 - Broken Authentication vulnerability 13.07.2026 6.5
CVE-2026-57702 WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57705 WordPress Event Tickets plugin <= 5.28.5 - Broken Access Control vulnerability 13.07.2026 7.5
CVE-2026-57706 WordPress Dokan plugin <= 5.0.6 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57707 WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57708 WordPress Contact Form Entries plugin <= 1.5.2 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57709 WordPress Membership For WooCommerce plugin <= 3.1.0 - Arbitrary File Deletion vulnerability 13.07.2026 8.6
CVE-2026-57710 WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability 13.07.2026 9.9
CVE-2026-57711 WordPress SupportCandy plugin <= 3.4.8 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57712 WordPress WPZOOM Portfolio plugin <= 1.4.29 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57713 WordPress Events Manager plugin <= 7.3.6 - PHP Object Injection vulnerability 13.07.2026 8.8
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57715 WordPress Fluent CRM plugin <= 3.1.7 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57718 WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin <= 2.0.12 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57719 WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability 13.07.2026 10
CVE-2026-57724 WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57725 WordPress Kirki plugin <= 6.0.11 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57726 WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57727 WordPress Kirki plugin <= 6.0.13 - Broken Access Control vulnerability 13.07.2026 7.5
CVE-2026-57728 WordPress Flatsome theme <= 3.20.5 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57729 WordPress Flatsome theme <= 3.20.5 - Broken Access Control vulnerability 13.07.2026 7.5
CVE-2026-57732 WordPress tagDiv Opt-In Builder plugin <= 1.7.4 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57733 WordPress tagDiv Cloud Library plugin <= 3.9.4 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57734 WordPress tagDiv Composer plugin <= 5.4.3 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57738 WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57739 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57740 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.1 - Broken Access Control vulnerability 13.07.2026 7.1
CVE-2026-57741 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57743 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Local File Inclusion vulnerability 13.07.2026 8.1
CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57745 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Reflected Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57768 WordPress Houzez Login Register plugin <= 3.3.3 - Privilege Escalation vulnerability 13.07.2026 8.2
CVE-2026-57770 WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57771 WordPress GD Rating System plugin <= 3.7 - SQL Injection vulnerability 13.07.2026 8.5
CVE-2026-57772 WordPress WP Inventory Manager plugin <= 2.4.0 - SQL Injection vulnerability 13.07.2026 8.5
CVE-2026-57773 WordPress Advanced Shipment Tracking for WooCommerce plugin <= 4.0 - SQL Injection vulnerability 13.07.2026 7.6
CVE-2026-57774 WordPress VW Food Corner theme <= 1.1.0 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-57776 WordPress VW Wedding theme <= 1.3.7 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-57778 WordPress Booking calendar, Appointment Booking System plugin <= 3.2.36 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-57779 WordPress Fascinate theme <= 1.1.5 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-57780 WordPress Envision Page Builder plugin <= 0.22 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57781 WordPress MeetingHub plugin <= 1.25.10 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-57782 WordPress Universal Clocks plugin <= 1.2.0 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-57783 WordPress Speaker plugin <= 4.1.13 - Cross Site Scripting (XSS) vulnerability 13.07.2026 6.5
CVE-2026-57786 WordPress WorkScout-Core plugin <= 1.7.08 - Cross Site Request Forgery (CSRF) to Broken Authentication vulnerability 13.07.2026 8.8
CVE-2026-57787 WordPress CWS SVGicons plugin <= 1.5.5 - SQL Injection vulnerability 13.07.2026 8.5
CVE-2026-57788 WordPress Aalto theme <= 1.8 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57789 WordPress Aqua theme <= 5.1.2 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57790 WordPress Billey theme <= 2.1.8 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57791 WordPress Brook theme <= 2.9.0 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57792 WordPress Dør theme <= 2.4.1 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57793 WordPress Flow theme <= 1.8 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57794 WordPress Golo Framework plugin <= 1.7.3 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57795 WordPress Kitchor theme <= 1.4.3 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57796 WordPress Leedo theme <= 3.0.0 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57797 WordPress EduMall theme <= 4.5.1 - Broken Access Control vulnerability 13.07.2026 4.3
CVE-2026-57798 WordPress NewsPlus Shortcodes plugin <= 4.2.0 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57799 WordPress Nuss theme <= 1.3.6 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57800 WordPress Overworld theme <= 1.5 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57801 WordPress SetSail theme <= 2.1 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57802 WordPress Struktur theme <= 2.5.1 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57803 WordPress Struktur Core plugin <= 2.5.1 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57804 WordPress TheGem theme Elements (for Elementor) plugin <= 5.11.1 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57805 WordPress Tonda theme <= 2.5 - Local File Inclusion vulnerability 13.07.2026 7.5
CVE-2026-57810 WordPress APIExperts Square for WooCommerce plugin <= 4.7.4 - SQL Injection vulnerability 13.07.2026 8.5
CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability 13.07.2026 10
CVE-2026-57812 WordPress Simply Schedule Appointments plugin <= 1.6.12.4 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability 13.07.2026 9.8
CVE-2026-57814 WordPress Forminator plugin <= 1.55.0.1 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-57815 WordPress Forminator plugin <= 1.55.0.2 - Arbitrary File Download vulnerability 13.07.2026 7.5
CVE-2026-57816 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.8 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-59516 WordPress ICS Calendar plugin <= 12.1.1 - Cross Site Scripting (XSS) vulnerability 13.07.2026 7.1
CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-59521 WordPress Real Testimonials plugin <= 3.1.15 - PHP Object Injection vulnerability 13.07.2026 7.2
CVE-2026-59523 WordPress Simply Schedule Appointments plugin <= 1.6.11.11 - Broken Access Control vulnerability 13.07.2026 6.5
CVE-2026-61952 WordPress WooCommerce Bulk Edit Products – WP Sheet Editor plugin <= 1.8.21 - Broken Access Control vulnerability 13.07.2026 4.9
CVE-2026-61955 WordPress گرویتی فرم فارسی plugin <= 3.0.2 - SQL Injection vulnerability 13.07.2026 7.6
CVE-2026-61956 WordPress ووسلام – همگام سازی ووکامرس و باسلام plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability 13.07.2026 7.1
CVE-2026-61958 WordPress License Manager for WooCommerce plugin <= 3.0.17 - Arbitrary Content Deletion vulnerability 13.07.2026 5.4
CVE-2026-61968 WordPress myCred plugin <= 3.1.2 - Broken Access Control vulnerability 13.07.2026 5.4
CVE-2026-61970 WordPress Auto Featured Image (Auto Post Thumbnail) plugin <= 5.0.4 - Server Side Request Forgery (SSRF) vulnerability 13.07.2026 4.9
CVE-2026-61971 WordPress User Profile Picture plugin <= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability 13.07.2026 2.7
CVE-2026-61975 WordPress JetReviews plugin <= 3.0.1 - Sensitive Data Exposure vulnerability 13.07.2026 5.3
CVE-2026-61976 WordPress JetBlocks For Elementor plugin <= 1.5.0 - Sensitive Data Exposure vulnerability 13.07.2026 5.3
CVE-2026-61977 WordPress JetSearch plugin <= 3.6.1.2 - Sensitive Data Exposure vulnerability 13.07.2026 5.3
CVE-2026-61983 WordPress Church Admin plugin <= 5.0.30 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-61985 WordPress Car Rental Manager plugin <= 1.3.7 - Broken Access Control vulnerability 13.07.2026 5.3
CVE-2026-10085 Ordinary group/direct message member can enable group_constrained and remove all channel participants 13.07.2026 5.4
CVE-2026-10103 Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels 13.07.2026 4.3
CVE-2026-10106 Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost 13.07.2026 6.5
CVE-2026-14453 A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets 13.07.2026 9.6
CVE-2026-15545 Shibby Tomato apcupsd tomatodata.cgi main out-of-bounds write 13.07.2026
CVE-2026-15546 Shibby Tomato start_jffs2 sub_2D568 os command injection 13.07.2026
CVE-2026-15547 Shibby Tomato CIFS Mount sub_2D048 os command injection 13.07.2026
CVE-2026-15574 Vllm-orchestrator-gateway: vllm-orchestrator-gateway: authorization header and full chat payloads logged at hard-coded debug default 13.07.2026
CVE-2026-62143 Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses 13.07.2026
CVE-2026-6850 Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost 13.07.2026 6.5
CVE-2026-9571 Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost 13.07.2026 5.9
CVE-2026-9597 Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint 13.07.2026 5.4
CVE-2026-9708 Incoming webhook user attribution via unvalidated webhook owner 13.07.2026 4.9
CVE-2026-14165 Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 13.07.2026 7.5
CVE-2026-15540 SourceCodester Online Book Store System Administrative index.php php file inclusion 13.07.2026
CVE-2026-15541 will-moss Isaiah Master Websocket server.go Server.Handle authorization 13.07.2026
CVE-2026-15542 will-moss Isaiah Websocket Connection Authentication main.go improper authentication 13.07.2026
CVE-2026-15543 Tenda CH22 CertListInfo formCertListInfo buffer overflow 13.07.2026
CVE-2026-15544 Shibby Tomato apcupsd tomatodata.cgi getupsvar stack-based overflow 13.07.2026
CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface 13.07.2026
CVE-2026-57829 Joomla Extension - joomshaper.com - Unauthenticated stored XSS in Helix Ultimate < 2.2.7 13.07.2026
CVE-2026-57830 Joomla Extension - joomshaper.com - Unauthenticated arbitrary file deletion < 2.2.7 13.07.2026
CVE-2026-10551 Breeze Cache < 2.5.6 - Unauthenticated Stored XSS via Minify Library 13.07.2026
CVE-2026-11963 User Registration & Membership < 5.2.2 - Subscriber+ Cross-User Role and Membership Tier Modification via IDOR 13.07.2026
CVE-2026-11964 User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation 13.07.2026
CVE-2026-12081 Database for Contact Form 7, WPforms, Elementor forms < 1.5.2 - Unauthenticated PHP Object Injection via Entry File Field 13.07.2026
CVE-2026-12271 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Quiz Attempt Modification via IDOR 13.07.2026
CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation 13.07.2026
CVE-2026-12274 Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR 13.07.2026
CVE-2026-12275 Tutor LMS < 3.9.13 - Subscriber+ Unauthorized Course Enrollment and Private Course Content Disclosure via Droip/Kirki Integration 13.07.2026
CVE-2026-12396 WP Job Portal < 2.5.5 - Subscriber+ Arbitrary Job Approval, Featuring and Rejection 13.07.2026
CVE-2026-12397 WP Job Portal < 2.5.5 - Subscriber+ Employer Email Disclosure via IDOR 13.07.2026
CVE-2026-12582 Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id 13.07.2026
CVE-2026-15536 itsourcecode Hospital Management System patviewprescription.php sql injection 13.07.2026
CVE-2026-15537 SourceCodester Online Book Store System login.php sql injection 13.07.2026
CVE-2026-15538 primefaces primereact API ObjectUtils.mutateFieldData prototype pollution 13.07.2026
CVE-2026-15539 SourceCodester Online Book Store System Book Image Upload Feature index.php books unrestricted upload 13.07.2026
CVE-2026-15530 WuzhiCMS Attachment API index.php listimage information disclosure 13.07.2026
CVE-2026-15531 yashbhalgat HashNeRF-pytorch Checkpoint File run_nerf.py torch.load deserialization 13.07.2026
CVE-2026-15532 SourceCodester Online Book Store System User Management cross site scripting 13.07.2026
CVE-2026-15533 DedeCMS Column Management search.php code injection 13.07.2026
CVE-2026-15535 AkariAsai self-rag retrieval_lm index.py Indexer.deserialize_from deserialization 13.07.2026
CVE-2026-15526 augmnt augments-mcp-server scan_project_deps scan-project-deps.ts scanProjectDeps path traversal 13.07.2026
CVE-2026-15527 better-auth better-icons scan_project_icons/sync_icon path traversal 13.07.2026
CVE-2026-15528 lamaalrajih kicad-mcp path_validator.py protection mechanism 13.07.2026
CVE-2026-15529 yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization 13.07.2026
CVE-2026-15552 Ragic|Enterprise Cloud Database - Stored Cross-Site Scripting 13.07.2026
CVE-2026-15553 Ragic|Enterprise Cloud Database - Arbitrary File Upload 13.07.2026
CVE-2026-7162 13.07.2026 7.8
CVE-2026-9492 GIGABYTE|Gigabyte Control Center - Improper Access Control 13.07.2026
CVE-2026-15522 tugcantopaloglu godot-mcp run_project index.js validatePath path traversal 13.07.2026
CVE-2026-15523 CodeAstro Simple Online Leave Management System dashboard.php sql injection 13.07.2026
CVE-2026-15524 alioshr memory-bank-mcp list-project-files-validation-factory.ts path traversal 13.07.2026
CVE-2026-15525 kLOsk adloop write.py _validate_urls server-side request forgery 13.07.2026
CVE-2026-15519 usestrix PyPI system_prompt.jinja inclusion of functionality from untrusted control sphere 13.07.2026
CVE-2026-15520 GNU LibreDWG R2004 Section Decompression decode.c decompress_R2004_section heap-based overflow 13.07.2026
CVE-2026-15521 makafeli n8n-workflow-builder update_node_from_file server.cjs path traversal 13.07.2026
CVE-2026-15517 Jinher OA PlanGiveOut.aspx sql injection 13.07.2026
CVE-2026-15518 AREA 17 Twill CMS Media Library Insert FileLibraryController.php storeFile unrestricted upload 13.07.2026
CVE-2026-15515 Tencent PC Manager QMUDisk Driver qmudisk64.sys uncontrolled search path 13.07.2026
CVE-2026-15516 MacCMS Pro Installation Index.php step5 authorization 13.07.2026
CVE-2026-15551 Samsung rlottie: Numeric truncation in gray_hline() leads to heap-based buffer overflow when rendering a crafted Lottie animation at native canvas size 13.07.2026 5.5
CVE-2026-15514 Metasoft 美特软件 MetaCRM PHPRPC Remote Call rpc.jsp RPCService.query sql injection 12.07.2026
CVE-2026-15512 pig-mesh Pig pig-codegen GeneratorServiceImpl.java code injection 12.07.2026
CVE-2026-15513 Wavlink WL-NU516U1 adm.cgi wlink_uci_set_value os command injection 13.07.2026
CVE-2026-15511 Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection 12.07.2026
CVE-2026-15510 Leantime API saveSetting improper authorization 12.07.2026
CVE-2026-15509 Leantime JSON-RPC Endpoint addUser improper authorization 12.07.2026