CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-23350 01.07.2026 9
CVE-2025-23351 01.07.2026 9
CVE-2026-24270 01.07.2026 9.8
CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter 01.07.2026 9.3
CVE-2026-58126 PACSgear PACS Scan 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service 01.07.2026 9.3
CVE-2026-58127 PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service 01.07.2026 9.3
CVE-2026-23537 Feast: unauthenticated arbitrary file write 01.07.2026 9.1
CVE-2026-13603 SSRF with API key leak in pretix-oppwa 01.07.2026 9
CVE-2026-57692 WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability 01.07.2026 9.8
CVE-2026-14198 @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values 01.07.2026 9.1
CVE-2026-10539 Unauthenticated command injection in Control-M/Server communication command 01.07.2026 9.5
CVE-2026-11387 SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset 01.07.2026 9.8
CVE-2026-6070 WP-BusinessDirectory <= 4.0.1 - Unauthenticated Arbitrary File Deletion via Path Traversal via '_filename' Parameter 01.07.2026 9.1
CVE-2026-7839 UltraVNC repeater ships hardcoded default admin password allowing unauthenticated admin access 01.07.2026 9.1
CVE-2026-7840 UltraVNC repeater HTTP server global buffer overflow via long URI (pre-auth RCE) 01.07.2026 9.3
CVE-2026-53488 containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull 01.07.2026 9.4
CVE-2026-50110 Use of Hard-coded Credentials in StoneFly Storage Concentrator 01.07.2026 9.3
CVE-2026-55721 SQL Injection in StoneFly Storage Concentrator 30.06.2026 9.2
CVE-2026-56413 OS Command Injection in StoneFly Storage Concentrator 01.07.2026 10
CVE-2026-56415 OS Command Injection in StoneFly Storage Concentrator 01.07.2026 10
CVE-2026-56264 Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint 01.07.2026 9.2
CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret 01.07.2026 9.3
CVE-2026-56700 Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection 01.07.2026 9.3
CVE-2026-50003 OFFIS DCMTK Toolkit Path Traversal 30.06.2026 9.3
CVE-2026-58449 txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter 01.07.2026 9.3
CVE-2026-10109 IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling 01.07.2026 9.8
CVE-2026-10134 Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows 01.07.2026 10
CVE-2026-10140 Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem 01.07.2026 9.6
CVE-2026-11708 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability 01.07.2026 9.3
CVE-2026-11712 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability 01.07.2026 9.3
CVE-2026-7663 Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass 01.07.2026 9.1
CVE-2026-7803 Flow Validation Bypass via Empty Component Type Field 01.07.2026 9.8
CVE-2026-7871 Insecure Deserialization in Redis Cache Backend 01.07.2026 9.8
CVE-2026-7873 Code Injection Vulnerability in Code Validation Endpoint 01.07.2026 9.9
CVE-2026-7874 Weak Cryptographic Key Derivation Exposed All Stored Credentials 30.06.2026 9.1
CVE-2026-58138 Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators 01.07.2026 9.3
CVE-2026-58172 Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests 01.07.2026 9.3
CVE-2026-58370 Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name 30.06.2026 9.2
CVE-2026-48276 ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434) 01.07.2026 10
CVE-2026-48277 ColdFusion | Improper Input Validation (CWE-20) 01.07.2026 10
CVE-2026-48281 ColdFusion | Improper Input Validation (CWE-20) 01.07.2026 10
CVE-2026-48282 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 01.07.2026 10
CVE-2026-48283 ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434) 01.07.2026 10
CVE-2026-48286 Adobe Campaign Classic (ACC) | Incorrect Authorization (CWE-863) 30.06.2026 10
CVE-2026-48313 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 30.06.2026 9.3
CVE-2026-48315 ColdFusion | Improper Input Validation (CWE-20) 01.07.2026 9.3
CVE-2026-58116 LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path 30.06.2026 9.3
CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins 30.06.2026 9.1
CVE-2026-44946 SAML Authentication Replay in Rancher 01.07.2026 9.5
CVE-2026-14162 Advantech|Hospital Quering Management - Missing Authentication 30.06.2026 9.3
CVE-2026-53690 SQL Injection in Redeight CMS 30.06.2026 9.3
CVE-2026-8402 SQLi in Exagate's SYSGUARD 6001 30.06.2026 9.8
CVE-2026-12076 SQL Injection in Raytha CMS 30.06.2026 9.3
CVE-2026-9711 EventON - WordPress Virtual Event Calendar Plugin <= 5.0.11 - Unauthenticated Blind SQL Injection via Search Parameter 30.06.2026 9.8
CVE-2026-12818 DVP-12SE Exposure of Sensitive Information Vulnerability 30.06.2026 9.3
CVE-2026-12819 DVP-12SE Missing Authentication and Unauthorized Write access Vulnerability 30.06.2026 9.3
CVE-2026-12073 ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite 30.06.2026 9.8
CVE-2026-57498 Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers 30.06.2026 9.6
CVE-2026-11720 Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder 29.06.2026 9.3
CVE-2026-56782 Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints 30.06.2026 9.3
CVE-2026-41052 Rancher Privilege Escalation from Project Owner to Host 30.06.2026 9.4
CVE-2026-56290 Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0 01.07.2026 10
CVE-2026-57331 WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability 29.06.2026 9.9
CVE-2026-58053 Gitea act_runner - Container Hardening Bypass via Workflow Container Options 30.06.2026 9.4
CVE-2026-12415 Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter 29.06.2026 9.8
CVE-2026-31928 Daktronics Controller Firmware Use of Hard-coded Credentials 29.06.2026 9.3
CVE-2026-28701 Daktronics Controller Firmware Path Traversal 29.06.2026 9.3
CVE-2026-49869 Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter` 29.06.2026 10
CVE-2026-53576 Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass 29.06.2026 10
CVE-2026-54350 Budibase: Anonymous NoSQL operator injection via published-app query templates 30.06.2026 10
CVE-2026-54352 Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload 27.06.2026 9.6
CVE-2026-46386 OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` 29.06.2026 9.9
CVE-2026-53309 ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison 28.06.2026 9.8
CVE-2026-52780 OpenProject: Cache store poisoning leads to Remote Code Execution (RCE) 27.06.2026 9.6
CVE-2026-52782 OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources 29.06.2026 9.9
CVE-2026-52785 OpenProject: SQL injection in timestamps functionality 29.06.2026 9.9
CVE-2026-33646 mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass) 29.06.2026 9.6
CVE-2026-45405 Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add 26.06.2026 9
CVE-2026-45406 Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval 26.06.2026 9
CVE-2026-45408 Dokku: OS Command Injection via App Name in Git Pre-Receive Hook 26.06.2026 9
CVE-2026-54636 Dokku: OS Command Injection via app.json managed Cron 29.06.2026 9
CVE-2026-54820 WordPress JetBooking plugin <= 4.0.4.1 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-54825 WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-54827 WordPress Real Estate 7 theme <= 3.5.9 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-54831 WordPress GeoDirectory plugin <= 2.8.162 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-56027 WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability 26.06.2026 9.9
CVE-2026-56028 WordPress Easy Elements for Elementor – Addons & Website Templates plugin <= 1.4.9 - Privilege Escalation vulnerability 29.06.2026 9.8
CVE-2026-56030 WordPress Paytium plugin <= 5.0.2 - Privilege Escalation vulnerability 26.06.2026 9.8
CVE-2026-56032 WordPress Buddyboss Platform plugin <= 3.0.4 - PHP Object Injection vulnerability 26.06.2026 9.8
CVE-2026-56033 WordPress Dokan Pro plugin <= 5.0.4 - Privilege Escalation vulnerability 26.06.2026 9.8
CVE-2026-56034 WordPress Library Management System plugin <= 3.5.7 - SQL Injection vulnerability 29.06.2026 9.3
CVE-2026-56036 WordPress 워드프레스 결제 심플페이 plugin <= 5.5.6 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-56057 WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability 26.06.2026 9.8
CVE-2026-56058 WordPress Quform plugin <= 2.23.0 - Arbitrary File Upload vulnerability 26.06.2026 9.9
CVE-2026-56059 WordPress Travel Booking theme <= 2.2.5 - Arbitrary File Upload vulnerability 26.06.2026 9.9
CVE-2026-56062 WordPress Quotes llama plugin <= 3.1.5 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-56067 WordPress JetSmartFilters plugin <= 3.8.3 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-56068 WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability 29.06.2026 9.3
CVE-2026-56070 WordPress Advance Product Search plugin <= 1.4.4 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-57658 WordPress TemplateSpare plugin <= 4.2.0 - Arbitrary File Upload vulnerability 26.06.2026 9.1
CVE-2026-57878 GV-LPC2011/LPC2211 - unauthorized buffer overflow vulnerability (thttpd) 26.06.2026 9.8
CVE-2026-57879 GV-LPC2011/LPC2211 - unauthorized buffer overflow via AuthMode/AuthValue path (ssvr) 26.06.2026 9.8
CVE-2026-57880 GV-LPC2011/LPC2211 - unauthorized buffer overflow via RTSP Digest username (ssvr) 26.06.2026 9.8
CVE-2026-57881 GV-LPC2011/LPC2211 - unauthorized stack-based buffer overflow vulnerability (vlsvr) 26.06.2026 9.8
CVE-2026-9222 Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication 26.06.2026 9.2
CVE-2025-71327 Flowise - Authentication Bypass via Unprotected Registration Endpoint 26.06.2026 9.3
CVE-2025-71333 Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint 27.06.2026 9.3
CVE-2025-71334 Flowise - Arbitrary File Access via Missing Chat Flow ID Validation 26.06.2026 9.3
CVE-2025-71336 Flowise - Unsandboxed Remote Code Execution via Custom MCP 30.06.2026 9.3
CVE-2025-71338 Flowise - Arbitrary File Write to Remote Code Execution via document-store API 26.06.2026 10
CVE-2026-40702 EVoke Systems EVoke CSMS Missing Authentication for Critical Function 26.06.2026 9.3
CVE-2026-50548 Cursor Desktop sandbox escape via agent-controlled working directory 25.06.2026 9.3
CVE-2026-50549 Cursor Desktop sandbox escape via symlink and failed path canonicalization 25.06.2026 9.3
CVE-2026-54088 File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) 25.06.2026 9.3
CVE-2026-54089 File Browser: Authentication Bypass via Proxy Auth Header Forgery 25.06.2026 9.1
CVE-2026-56786 RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message 25.06.2026 9.3
CVE-2026-57700 WordPress OMGF Pro plugin <= 5.2.6 - Arbitrary File Upload vulnerability 29.06.2026 10
CVE-2026-55413 ToolJet - Marketplace Plugin Poisoning Enables Instance-Wide Remote Code Execution 25.06.2026 9.4
CVE-2026-56123 socat 1.8.0.0 - 1.8.1.1 Heap Buffer Overflow via SOCKS5 Reply Parser 26.06.2026 9.2
CVE-2026-41120 26.06.2026 9.8
CVE-2026-54823 WordPress Widget Options plugin <= 4.2.3 - Remote Code Execution (RCE) vulnerability 25.06.2026 9.9
CVE-2026-54836 WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability 25.06.2026 9.3
CVE-2026-54843 WordPress MDTF plugin <= 1.3.7 - SQL Injection vulnerability 25.06.2026 9.3
CVE-2026-54849 WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.11 - SQL Injection vulnerability 25.06.2026 9.3
CVE-2026-41566 Apache Kvrocks: Improper permission for the APPLYBATCH command 25.06.2026 9.4
CVE-2026-46752 Apache Kvrocks: Stack buffer overflow in Lua bit.tohex() 25.06.2026 10
CVE-2026-53131 netfilter: require Ethernet MAC header before using eth_hdr() 29.06.2026 9.4
CVE-2026-53151 rxrpc: Fix the ACK parser to extract the SACK table for parsing 28.06.2026 9.8
CVE-2026-53175 inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush 30.06.2026 9.8
CVE-2026-53176 IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN 30.06.2026 9.8
CVE-2026-53186 RDMA/srp: bound SRP_RSP sense copy by the received length 28.06.2026 9.1
CVE-2026-53215 net: mvpp2: refill RX buffers before XDP or skb use 28.06.2026 9.8
CVE-2026-53216 net: mvpp2: limit XDP frame size to the RX buffer 28.06.2026 9.8
CVE-2026-53221 ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() 28.06.2026 9.8
CVE-2026-53224 sctp: validate embedded INIT chunk and address list lengths in cookie 28.06.2026 9.1
CVE-2026-53225 sctp: fix uninit-value in __sctp_rcv_asconf_lookup() 28.06.2026 9.1
CVE-2026-53228 ipv6: sit: reload inner IPv6 header after GSO offloads 28.06.2026 9.8
CVE-2026-53246 sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing 28.06.2026 9.8
CVE-2026-53247 net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown 28.06.2026 9.8
CVE-2026-53260 tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). 28.06.2026 9.8
CVE-2026-39948 Cacti has SQL Injection via rfilter parameter in RLIKE clauses 26.06.2026 9.3
CVE-2026-39955 Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php 26.06.2026 9.8
CVE-2026-39938 Cacti: Unauthenticated RCE on Graph Image 26.06.2026 9.8
CVE-2026-39893 Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php 26.06.2026 9.8
CVE-2026-50551 SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content 25.06.2026 9.9
CVE-2026-54067 SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() 25.06.2026 9.9
CVE-2026-54069 SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist 25.06.2026 9.2
CVE-2026-54158 SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() 25.06.2026 9.9
CVE-2026-55454 Appsmith: Caddy admin API exposed without authentication 25.06.2026 9.9
CVE-2026-55570 SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch) 25.06.2026 9
CVE-2026-55666 Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth 29.06.2026 9.3
CVE-2026-33543 FOSSBilling: Authentication bypass allows unauthenticated administrator creation 25.06.2026 9.3
CVE-2026-45688 Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack 26.06.2026 9.1
CVE-2026-45689 Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO 26.06.2026 9.1
CVE-2026-46423 Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty 26.06.2026 9.3
CVE-2026-52811 Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym 26.06.2026 9
CVE-2026-52813 Gogs: Path Traversal in organization name results in RCE through Git hooks 26.06.2026 10
CVE-2026-52806 Gogs: RCE via git rebase --exec argument injection in pull request merge 26.06.2026 9.9
CVE-2026-49980 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix 01.07.2026 9.8
CVE-2026-53943 Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header 24.06.2026 9.6

Latest Updates

CVE Title Updated Score
CVE-2025-15646 HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion 01.07.2026
CVE-2025-23350 01.07.2026 9
CVE-2025-23351 01.07.2026 9
CVE-2026-13706 UrlShortener extension url validation can be bypassed due to difference between php url parsing and WHATWG 01.07.2026
CVE-2026-13707 Session fixation attacks on improperly configured OAuth 1.0a tools 01.07.2026
CVE-2026-24240 01.07.2026 7.8
CVE-2026-24242 01.07.2026 7.8
CVE-2026-24243 01.07.2026 7.8
CVE-2026-24244 01.07.2026 7.8
CVE-2026-24245 01.07.2026 7.8
CVE-2026-24246 01.07.2026 7.8
CVE-2026-24247 01.07.2026 7.8
CVE-2026-24248 01.07.2026 7.8
CVE-2026-24249 01.07.2026 7.8
CVE-2026-24250 01.07.2026 7.8
CVE-2026-24251 01.07.2026 7.8
CVE-2026-24260 01.07.2026 8.5
CVE-2026-24264 01.07.2026 7.5
CVE-2026-24266 01.07.2026 5.9
CVE-2026-24270 01.07.2026 9.8
CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter 01.07.2026
CVE-2026-58024 API identification of users on private wikis 01.07.2026
CVE-2026-58025 Remote Code Execution via Unsafe Deserialization in LogItem Import 01.07.2026
CVE-2026-58026 $wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces 01.07.2026
CVE-2026-58027 QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden in the UI 01.07.2026
CVE-2026-58028 Pretty-printed API output combined with centralauthtoken allows XSS with certain gadgets 01.07.2026
CVE-2026-58029 Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata 01.07.2026
CVE-2026-58030 SyntaxHighlight stored XSS via unsanitized 'linelinks' attribute 01.07.2026
CVE-2026-58032 mw.Api.getErrorMessage() may return injected HTML if used without errorformat=html 01.07.2026
CVE-2026-58033 "Total number of distinct authors" statistic at action=info does not exclude revisions where the author name was deleted 01.07.2026
CVE-2026-58036 Users API leaks whether privileged users have their user groups disabled for lack of 2FA 01.07.2026
CVE-2026-58037 Core log entries for exceptions and XSS issues in log entry formatting code that may be caused by user-controlled input 01.07.2026
CVE-2026-58038 Stored XSS through javascript URLs in SVGs generated by EasyTimeline 01.07.2026
CVE-2026-58126 PACSgear PACS Scan 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service 01.07.2026
CVE-2026-58127 PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service 01.07.2026
CVE-2026-8480 Connection possible to the Administration portal with a revoked certificate 01.07.2026 4.3
CVE-2026-8857 Full RCE using EasyTimeline Extension 01.07.2026
CVE-2026-12374 Improper XPC caller certificate validation and TOCTOU race condition in macOS PrivilegedHelperTool 01.07.2026
CVE-2026-13602 Session takeover vulnerability 01.07.2026
CVE-2026-14324 Pipewire: raop rtsp null deref 01.07.2026
CVE-2026-14330 Pipewire: pulse server alloca stack overflow 01.07.2026
CVE-2026-23537 Feast: unauthenticated arbitrary file write 01.07.2026
CVE-2026-2891 Poly Voice Devices (CCX, Trio, Edge E) – Potential Denial of Service 01.07.2026
CVE-2026-58031 Stored i18n XSS in Special:ApiSandbox when a deprecated module is selected 01.07.2026
CVE-2026-58034 Stored XSS through a system message when blocking a temporary account that's related to other temporary accounts 01.07.2026
CVE-2026-58035 Stored XSS through a system message in the codex version of Special:Block 01.07.2026
CVE-2026-58399 @acastellon/auth has an authentication bypass via spoofable headers in validateToken() 01.07.2026
CVE-2026-5135 Foreman: foreman: unauthorized modification of host configurations via broken access control 01.07.2026
CVE-2026-5138 Foreman: foreman: information disclosure via improper validation of nested request parameters 01.07.2026
CVE-2026-5142 Foreman: foreman: cross-tenant private ssh key disclosure via taxonomy scoping bypass 01.07.2026
CVE-2026-5220 Stored XSS in DivvyDrive Information Technologies' DivvyDrive 01.07.2026 6.4
CVE-2026-6283 Stored XSS in DivvyDrive Information Technologies' DivvyDrive 01.07.2026 5.4
CVE-2026-6682 FatFs Integer Overflow in FAT32 Volume Mount 01.07.2026 7.6
CVE-2026-6683 FatFs Divide-by-Zero in exFAT Sync 01.07.2026 4.6
CVE-2026-6684 FatFs Infinite Loop in GPT Partition Scan 01.07.2026 4.6
CVE-2026-6685 FatFs Integer Underflow in Dirty-Sector Cache Flush 01.07.2026 6.1
CVE-2026-6686 FatFs Use of Uninitialized Clusters After Seek Past EOF 01.07.2026 4.6
CVE-2026-6687 FatFs Stack Buffer Overflow via Uncapped exFAT Label Length 01.07.2026 7.6
CVE-2026-6688 FatFs Buffer Overflow via Unbounded LFN Filename Copy 01.07.2026 7.6
CVE-2026-13603 SSRF with API key leak in pretix-oppwa 01.07.2026
CVE-2026-53326 debugobjects: Don't call fill_pool() in early boot hardirq context 01.07.2026
CVE-2026-53327 debugobjects: Do not fill_pool() if pi_blocked_on 01.07.2026
CVE-2026-53328 sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() 01.07.2026
CVE-2026-53329 drm/amd/display: Use krealloc_array() in dal_vector_reserve() 01.07.2026
CVE-2026-53330 drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval() 01.07.2026
CVE-2026-53331 slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock 01.07.2026
CVE-2026-53332 slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd 01.07.2026
CVE-2026-53333 mm/mincore: handle non-swap entries before !CONFIG_SWAP guard 01.07.2026
CVE-2026-53334 mm/damon/reclaim: handle ctx allocation failure 01.07.2026
CVE-2026-53335 mm/damon/lru_sort: handle ctx allocation failure 01.07.2026
CVE-2026-53336 nvmem: layouts: onie-tlv: fix hang on unknown types 01.07.2026
CVE-2026-53337 net: bonding: fix NULL pointer dereference in bond_do_ioctl() 01.07.2026
CVE-2026-53338 net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() 01.07.2026
CVE-2026-53339 i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() 01.07.2026
CVE-2026-53340 i2c: imx: fix clock and pinctrl state inconsistency in runtime PM 01.07.2026
CVE-2026-53341 fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() 01.07.2026
CVE-2026-53342 arm64: mm: call pagetable dtor when freeing hot-removed page tables 01.07.2026
CVE-2026-53343 ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow 01.07.2026
CVE-2026-53344 pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init 01.07.2026
CVE-2026-53345 KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying 01.07.2026
CVE-2026-53346 rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES 01.07.2026
CVE-2026-53347 drm/virtio: Fix driver removal with disabled KMS 01.07.2026
CVE-2026-53348 ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions 01.07.2026
CVE-2026-53349 netfilter: nf_conntrack: destroy stale expectfn expectations on unregister 01.07.2026
CVE-2026-53350 ASoC: wm_adsp: Fix NULL dereference when removing firmware controls 01.07.2026
CVE-2026-53351 riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI 01.07.2026
CVE-2026-53352 signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() 01.07.2026
CVE-2026-53353 hsr: Remove WARN_ONCE() in hsr_addr_is_self(). 01.07.2026
CVE-2026-53354 arm64: errata: Mitigate TLBI errata on various Arm CPUs 01.07.2026
CVE-2026-53355 net: rds: clear i_sends on setup unwind 01.07.2026
CVE-2026-53356 drm/i915/gem: Fix phys BO pread/pwrite with offset 01.07.2026
CVE-2026-57692 WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability 01.07.2026 9.8
CVE-2026-5136 Foreman: foreman: privilege escalation to administrator-level access via usergroup role assignment manipulation 01.07.2026
CVE-2026-53902 Privilege Escalation in MCO 01.07.2026
CVE-2026-53903 Insecure Direct Object Reference in MCO 01.07.2026
CVE-2026-53904 Account Denial of Service in MCO 01.07.2026
CVE-2026-53905 Unauthorized Access to Administrator ACL View in MCO 01.07.2026
CVE-2026-53906 Path Disclosure and Path Traversal in MCO 01.07.2026
CVE-2026-53907 Stored Cross‑Site Scripting in MCO 01.07.2026
CVE-2026-53908 User Enumeration in MCO 01.07.2026
CVE-2026-53909 Arbitrary File Upload in MCO 01.07.2026
CVE-2026-5120 Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 01.07.2026 8.1
CVE-2026-8387 Relative Path Traversal in allegroai/clearml 01.07.2026
CVE-2026-13323 01.07.2026 4.1
CVE-2026-14181 @fastify/middie standalone engine vulnerable to Denial of Service via malformed percent-encoded paths 01.07.2026 7.5
CVE-2026-14198 @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values 01.07.2026 9.1
CVE-2026-10095 WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'subtext' Shortcode Attribute 01.07.2026 6.4
CVE-2026-12142 NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Parameter 01.07.2026 7.2
CVE-2026-13228 LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter 01.07.2026 8.8
CVE-2026-14258 Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling 01.07.2026
CVE-2026-12754 VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'layoutstyle' Parameter 01.07.2026 6.1
CVE-2026-13454 MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Parameter 01.07.2026 6.5
CVE-2026-27435 WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability 01.07.2026 5.3
CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter 01.07.2026 4.3
CVE-2026-10538 Improper deserialization handling in Control-M Components 01.07.2026
CVE-2026-10539 Unauthenticated command injection in Control-M/Server communication command 01.07.2026
CVE-2026-10540 Weak password hash protection in Control-M/Enterprise Manager 01.07.2026
CVE-2026-11387 SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset 01.07.2026 9.8
CVE-2026-12158 RegistrationMagic <= 6.0.9.1 - Cross-Site Request Forgery to Privilege Escalation via 'rmc_assign_user_role_action' Parameter 01.07.2026 8.8
CVE-2026-12224 Dokan Pro <= 5.0.4 - Authenticated (Vendor+) Privilege Escalation via update_capabilities REST Endpoint 01.07.2026 8.8
CVE-2026-12408 Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure via 'object.ID' Parameter 01.07.2026 4.3
CVE-2026-12435 Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter 01.07.2026 4.3
CVE-2026-12575 DVP80ES3 Improper Resource Shutdown or Release Vulnerability 01.07.2026 7.5
CVE-2026-12576 DVP80ES3 Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability 01.07.2026 7.5
CVE-2026-12577 DVP80ES3 Improperly Implemented Security Check for Standard vulnerability 01.07.2026
CVE-2026-12732 LearnPress <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_wrapper_form' Shortcode Attribute 01.07.2026 6.4
CVE-2026-13733 Download Manager <= 3.3.60 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute 01.07.2026 6.4
CVE-2026-50043 01.07.2026
CVE-2026-56016 CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources 01.07.2026
CVE-2025-15666 Open Asset Import Library Assimp Model File SceneCombiner.cpp Copy heap-based overflow 01.07.2026
CVE-2026-10750 Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools 01.07.2026
CVE-2026-11562 WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update 01.07.2026
CVE-2026-11568 Product Configurator for WooCommerce < 1.7.3 - Unauthenticated Private/Draft Product Data Disclosure via pc_get_data 01.07.2026
CVE-2026-11570 User Submitted Posts < 20260608 - Unauthenticated Stored XSS via Author Name 01.07.2026
CVE-2026-11794 Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping 01.07.2026
CVE-2026-11823 BookingPress Appointment Booking Pro <= 5.7.1 - Unauthenticated SQL Injection via 'store_service_date' Parameter 01.07.2026 7.5
CVE-2026-11880 Fluent Forms < 6.2.1 - Subscriber+ Subscription Cancellation via IDOR 01.07.2026
CVE-2026-11883 WebAuthn Provider for Two Factor < 2.5.6 - 2FA Bypass 01.07.2026
CVE-2026-11887 Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass 01.07.2026
CVE-2026-12579 AS228T - Authentication Bypass Vulnerability 01.07.2026 7.4
CVE-2026-14193 DVP80ES300T - Improper Validation of Array Index Vulnerability 01.07.2026 7.5
CVE-2026-1239 Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint 01.07.2026 7.5
CVE-2026-11380 JetWidgets For Elementor <= 1.0.21 - Authenticated (Author+) Stored Cross-Site Scripting via Animated Box 'animation_effect' Setting 01.07.2026 6.4
CVE-2026-11981 GiveWP <= 4.15.3 - Cross-Site Request Forgery 01.07.2026 4.3
CVE-2026-11988 LearnPress <= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via 'userId' Parameter 01.07.2026 6.5
CVE-2026-12090 Taskbuilder <= 5.0.8 - Authenticated (Subscriber+) SQL Injection via 'wppm_proj_filter' Parameter 01.07.2026 6.5
CVE-2026-12110 Taskbuilder <= 5.0.8 - Authenticated (Subscriber+) SQL Injection via 'task_search' Parameter 01.07.2026 6.5
CVE-2026-12113 Appointment Booking Calendar <= 1.4.02 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure 01.07.2026 4.3
CVE-2026-12127 WPForms <= 1.10.2 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via Reply-To Display Name 01.07.2026 5.3
CVE-2026-12133 JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Deletion via season_groupdel AJAX action 01.07.2026 4.3
CVE-2026-12135 FV Flowplayer Video Player <= 7.5.51.7212 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'video_player' Shortcode 01.07.2026 6.4
CVE-2026-12902 Kadence Blocks <= 3.7.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Attachment Creation via kadence_import_process_pattern/kadence_import_process_data AJAX Actions 01.07.2026 4.3
CVE-2026-12904 Kadence Blocks <= 3.7.7 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Optimizer Data Deletion/Read/Modification via 'post_path' Parameter 01.07.2026 4.3
CVE-2026-12923 Video Gallery <= 4.0.3 - Authenticated (Subscriber+) Arbitrary Function Call via 'path' Parameter 01.07.2026 7.5
CVE-2026-13015 WP Google Review Slider <= 18.1 - Reflected Cross-Site Scripting via 'place' Parameter 01.07.2026 6.1
CVE-2026-13246 GiveWP <= 4.16.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'block_id' Shortcode Attribute 01.07.2026 6.4
CVE-2026-13443 Tutor LMS <= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title 01.07.2026 6.4
CVE-2026-13468 Visualizer <= 4.0.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via /visualizer/v1/action/{chart}/{type}/ REST Endpoint 01.07.2026 7.5
CVE-2026-13731 WPBot <= 8.4.9 - Unauthenticated Stored Cross-Site Scripting via 'conversation' Parameter 01.07.2026 7.2
CVE-2026-2387 Event Organiser <= 3.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via eo_events Shortcode 01.07.2026 6.4
CVE-2026-44040 UltraVNC vncauth.c uses time-seeded libc rand() to generate VNC authentication challenge bytes 01.07.2026 4.8
CVE-2026-44041 UltraVNC vncWc2Mb calls wcslen() before validating that the wide string is NUL-terminated 01.07.2026 4.3
CVE-2026-44042 UltraVNC repeater wi_uudecode off-by-one in base64 decode boundary check 01.07.2026 3.7
CVE-2026-58518 01.07.2026
CVE-2026-58519 Stored XSS through Cargo's map format 01.07.2026
CVE-2026-6070 WP-BusinessDirectory <= 4.0.1 - Unauthenticated Arbitrary File Deletion via Path Traversal via '_filename' Parameter 01.07.2026 9.1
CVE-2026-7517 Custom Payment Gateways for WooCommerce <= 2.1.0 - Unauthenticated Stored Cross-Site Scripting via 'alg_wc_cpg_input_fields' Parameter 01.07.2026 7.2
CVE-2026-7828 UltraVNC repeater integer overflow in win_log malloc leading to heap overflow 01.07.2026 5.3
CVE-2026-7829 UltraVNC repeater authenticated out-of-bounds write in rule parser via oversized token 01.07.2026 7.2
CVE-2026-7830 UltraVNC MS-Logon II uses 64-bit Diffie-Hellman and seeded libc rand() enabling credential interception 01.07.2026 7.4
CVE-2026-7831 UltraVNC viewer off-by-one stack overflow in ServerInit desktop name parsing 01.07.2026 7.5
CVE-2026-7838 UltraVNC viewer heap buffer overflow via integer overflow in RFB connection-failure reason length 01.07.2026 8.8
CVE-2026-7839 UltraVNC repeater ships hardcoded default admin password allowing unauthenticated admin access 01.07.2026 9.1
CVE-2026-7840 UltraVNC repeater HTTP server global buffer overflow via long URI (pre-auth RCE) 01.07.2026 9.8
CVE-2026-9107 Kali Forms <= 2.4.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'kaliforms_field_components' Parameter 01.07.2026 6.4
CVE-2026-14191 WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader 01.07.2026 7.8
CVE-2026-20457 01.07.2026
CVE-2026-20458 01.07.2026
CVE-2026-20459 01.07.2026
CVE-2026-20460 01.07.2026
CVE-2026-20461 01.07.2026
CVE-2026-20462 01.07.2026
CVE-2026-20463 01.07.2026
CVE-2026-41579 runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations 01.07.2026 3.3
CVE-2026-53488 containerd CRI plugin: image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull 01.07.2026
CVE-2026-57962 Denial-of-service via malicious LDAP address-book server 01.07.2026
CVE-2026-57963 Chat UI manipulation by injection 01.07.2026
CVE-2026-54901 Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking 01.07.2026
CVE-2026-54902 Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback 01.07.2026
CVE-2026-54903 Oj: Integer Overflow in Oj.load 2GB String Handling 01.07.2026
CVE-2026-54500 Oj: intern.c form_attr has an uninitialized stack read 01.07.2026 5.3
CVE-2026-54502 Oj: Stack Buffer Overflow in Oj.dump via Large Indent 30.06.2026
CVE-2026-54592 Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input 01.07.2026 7.5
CVE-2026-54896 Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent 01.07.2026
CVE-2026-54897 Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close 01.07.2026
CVE-2026-54898 Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation 01.07.2026
CVE-2026-54899 Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle 01.07.2026
CVE-2026-54900 Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling 30.06.2026
CVE-2026-13774 01.07.2026
CVE-2026-13775 30.06.2026
CVE-2026-13776 30.06.2026
CVE-2026-13777 30.06.2026
CVE-2026-13778 01.07.2026
CVE-2026-13779 01.07.2026
CVE-2026-13780 30.06.2026
CVE-2026-13781 30.06.2026
CVE-2026-13782 30.06.2026
CVE-2026-13783 30.06.2026
CVE-2026-13784 30.06.2026
CVE-2026-13785 30.06.2026
CVE-2026-13786 01.07.2026
CVE-2026-13787 01.07.2026
CVE-2026-13788 01.07.2026
CVE-2026-13789 30.06.2026
CVE-2026-13790 30.06.2026
CVE-2026-13791 01.07.2026
CVE-2026-13792 30.06.2026
CVE-2026-13793 30.06.2026
CVE-2026-13794 01.07.2026
CVE-2026-13795 30.06.2026
CVE-2026-13796 30.06.2026
CVE-2026-13797 30.06.2026
CVE-2026-13798 30.06.2026
CVE-2026-13799 30.06.2026
CVE-2026-13800 01.07.2026
CVE-2026-13801 30.06.2026
CVE-2026-13802 01.07.2026
CVE-2026-13803 01.07.2026
CVE-2026-13804 01.07.2026
CVE-2026-13805 01.07.2026
CVE-2026-13806 30.06.2026
CVE-2026-13807 01.07.2026
CVE-2026-13808 01.07.2026
CVE-2026-13809 30.06.2026
CVE-2026-13810 01.07.2026
CVE-2026-13811 01.07.2026
CVE-2026-13812 01.07.2026
CVE-2026-13813 01.07.2026
CVE-2026-13814 01.07.2026
CVE-2026-13815 01.07.2026
CVE-2026-13816 30.06.2026
CVE-2026-13817 01.07.2026
CVE-2026-13818 30.06.2026
CVE-2026-13819 01.07.2026
CVE-2026-13820 01.07.2026
CVE-2026-13821 01.07.2026
CVE-2026-13822 01.07.2026
CVE-2026-13823 01.07.2026
CVE-2026-13824 01.07.2026
CVE-2026-13825 01.07.2026
CVE-2026-13826 01.07.2026
CVE-2026-13827 01.07.2026
CVE-2026-13828 01.07.2026
CVE-2026-13829 01.07.2026
CVE-2026-13830 01.07.2026
CVE-2026-13831 01.07.2026
CVE-2026-13832 01.07.2026
CVE-2026-13833 01.07.2026
CVE-2026-13834 01.07.2026
CVE-2026-13835 01.07.2026
CVE-2026-13836 01.07.2026
CVE-2026-13837 01.07.2026
CVE-2026-13838 01.07.2026
CVE-2026-13839 01.07.2026
CVE-2026-13840 01.07.2026
CVE-2026-13841 01.07.2026
CVE-2026-13842 01.07.2026
CVE-2026-13843 01.07.2026
CVE-2026-13844 01.07.2026
CVE-2026-13845 01.07.2026
CVE-2026-13846 01.07.2026
CVE-2026-13847 01.07.2026
CVE-2026-13848 01.07.2026
CVE-2026-13849 01.07.2026
CVE-2026-13850 01.07.2026
CVE-2026-13851 01.07.2026
CVE-2026-13852 01.07.2026
CVE-2026-13853 01.07.2026
CVE-2026-13854 01.07.2026
CVE-2026-13855 01.07.2026
CVE-2026-13856 01.07.2026
CVE-2026-13857 01.07.2026
CVE-2026-13858 01.07.2026
CVE-2026-13859 01.07.2026
CVE-2026-13860 01.07.2026
CVE-2026-13861 01.07.2026
CVE-2026-13862 01.07.2026
CVE-2026-13863 01.07.2026
CVE-2026-13864 01.07.2026
CVE-2026-13865 01.07.2026
CVE-2026-13866 01.07.2026
CVE-2026-13867 01.07.2026
CVE-2026-13868 01.07.2026
CVE-2026-13869 01.07.2026
CVE-2026-13870 01.07.2026
CVE-2026-13871 01.07.2026
CVE-2026-13872 01.07.2026
CVE-2026-13873 01.07.2026
CVE-2026-13874 01.07.2026
CVE-2026-13875 01.07.2026
CVE-2026-13876 01.07.2026
CVE-2026-13877 01.07.2026
CVE-2026-13878 01.07.2026
CVE-2026-13879 01.07.2026
CVE-2026-13880 01.07.2026
CVE-2026-13881 01.07.2026
CVE-2026-13882 01.07.2026
CVE-2026-13883 01.07.2026
CVE-2026-13884 01.07.2026
CVE-2026-13885 01.07.2026
CVE-2026-13886 01.07.2026
CVE-2026-13887 01.07.2026
CVE-2026-13888 01.07.2026
CVE-2026-13889 01.07.2026
CVE-2026-13890 01.07.2026
CVE-2026-13891 01.07.2026
CVE-2026-13892 01.07.2026
CVE-2026-13893 01.07.2026
CVE-2026-13894 30.06.2026
CVE-2026-13895 01.07.2026
CVE-2026-13896 30.06.2026
CVE-2026-13897 01.07.2026
CVE-2026-13898 01.07.2026
CVE-2026-13899 01.07.2026
CVE-2026-13900 30.06.2026
CVE-2026-13901 01.07.2026
CVE-2026-13902 01.07.2026
CVE-2026-13903 01.07.2026
CVE-2026-13904 30.06.2026
CVE-2026-13905 01.07.2026
CVE-2026-13906 01.07.2026
CVE-2026-13907 01.07.2026
CVE-2026-13908 30.06.2026
CVE-2026-13909 01.07.2026
CVE-2026-13910 01.07.2026
CVE-2026-13911 01.07.2026
CVE-2026-13912 01.07.2026
CVE-2026-13913 01.07.2026
CVE-2026-13914 01.07.2026
CVE-2026-13915 01.07.2026
CVE-2026-13916 01.07.2026
CVE-2026-13917 30.06.2026
CVE-2026-13918 01.07.2026
CVE-2026-13919 30.06.2026
CVE-2026-13920 30.06.2026
CVE-2026-13921 30.06.2026
CVE-2026-13922 30.06.2026
CVE-2026-13923 01.07.2026
CVE-2026-13924 30.06.2026
CVE-2026-13925 01.07.2026
CVE-2026-13926 30.06.2026
CVE-2026-13927 01.07.2026
CVE-2026-13928 01.07.2026
CVE-2026-13929 30.06.2026
CVE-2026-13930 30.06.2026
CVE-2026-13931 01.07.2026
CVE-2026-13932 01.07.2026
CVE-2026-13933 01.07.2026
CVE-2026-13934 30.06.2026
CVE-2026-13935 30.06.2026
CVE-2026-13936 01.07.2026
CVE-2026-13937 30.06.2026
CVE-2026-13938 30.06.2026
CVE-2026-13939 30.06.2026
CVE-2026-13940 01.07.2026
CVE-2026-13941 30.06.2026
CVE-2026-13942 30.06.2026
CVE-2026-13943 01.07.2026
CVE-2026-13944 30.06.2026
CVE-2026-13945 30.06.2026
CVE-2026-13946 30.06.2026
CVE-2026-13947 01.07.2026
CVE-2026-13948 30.06.2026
CVE-2026-13949 01.07.2026
CVE-2026-13950 01.07.2026
CVE-2026-13951 30.06.2026
CVE-2026-13952 30.06.2026
CVE-2026-13953 30.06.2026
CVE-2026-13954 01.07.2026
CVE-2026-13955 30.06.2026
CVE-2026-13956 01.07.2026
CVE-2026-13957 30.06.2026
CVE-2026-13958 01.07.2026
CVE-2026-13959 30.06.2026
CVE-2026-13960 30.06.2026
CVE-2026-13961 01.07.2026
CVE-2026-13962 30.06.2026
CVE-2026-13963 30.06.2026
CVE-2026-13964 30.06.2026
CVE-2026-13965 01.07.2026
CVE-2026-13966 30.06.2026
CVE-2026-13967 01.07.2026
CVE-2026-13968 01.07.2026
CVE-2026-13969 01.07.2026
CVE-2026-13970 01.07.2026
CVE-2026-13971 01.07.2026
CVE-2026-13972 30.06.2026
CVE-2026-13973 01.07.2026
CVE-2026-13974 30.06.2026
CVE-2026-13975 01.07.2026
CVE-2026-13976 30.06.2026
CVE-2026-13977 30.06.2026
CVE-2026-13978 30.06.2026
CVE-2026-13979 30.06.2026
CVE-2026-13980 30.06.2026
CVE-2026-13981 30.06.2026
CVE-2026-13982 30.06.2026
CVE-2026-13983 01.07.2026
CVE-2026-13984 30.06.2026
CVE-2026-13985 30.06.2026
CVE-2026-13986 01.07.2026
CVE-2026-13987 30.06.2026
CVE-2026-13988 30.06.2026
CVE-2026-13989 30.06.2026
CVE-2026-13990 30.06.2026
CVE-2026-13991 30.06.2026
CVE-2026-13992 01.07.2026
CVE-2026-13993 01.07.2026
CVE-2026-13994 30.06.2026
CVE-2026-13995 30.06.2026
CVE-2026-13996 30.06.2026
CVE-2026-13997 01.07.2026
CVE-2026-13998 01.07.2026
CVE-2026-13999 01.07.2026
CVE-2026-14000 30.06.2026
CVE-2026-14001 30.06.2026
CVE-2026-14002 01.07.2026
CVE-2026-14003 30.06.2026
CVE-2026-14004 30.06.2026
CVE-2026-14005 30.06.2026
CVE-2026-14006 01.07.2026
CVE-2026-14007 30.06.2026
CVE-2026-14008 01.07.2026
CVE-2026-14009 01.07.2026
CVE-2026-14010 01.07.2026
CVE-2026-14011 01.07.2026
CVE-2026-14012 01.07.2026
CVE-2026-14013 01.07.2026
CVE-2026-14014 01.07.2026
CVE-2026-14015 01.07.2026
CVE-2026-14016 01.07.2026
CVE-2026-14017 30.06.2026
CVE-2026-14018 01.07.2026
CVE-2026-14019 01.07.2026
CVE-2026-14020 01.07.2026
CVE-2026-14021 01.07.2026
CVE-2026-14022 01.07.2026
CVE-2026-14023 01.07.2026
CVE-2026-14024 01.07.2026
CVE-2026-14025 01.07.2026
CVE-2026-14026 01.07.2026
CVE-2026-14027 01.07.2026
CVE-2026-14028 01.07.2026
CVE-2026-14030 01.07.2026
CVE-2026-14031 01.07.2026
CVE-2026-14032 01.07.2026
CVE-2026-14033 01.07.2026
CVE-2026-14034 01.07.2026
CVE-2026-14035 01.07.2026
CVE-2026-14036 01.07.2026
CVE-2026-14037 01.07.2026
CVE-2026-14038 01.07.2026
CVE-2026-14039 01.07.2026
CVE-2026-14040 01.07.2026
CVE-2026-14041 01.07.2026
CVE-2026-14042 01.07.2026
CVE-2026-14043 01.07.2026
CVE-2026-14044 01.07.2026
CVE-2026-14045 01.07.2026
CVE-2026-14046 01.07.2026
CVE-2026-14047 01.07.2026
CVE-2026-14048 01.07.2026
CVE-2026-14049 01.07.2026
CVE-2026-14050 01.07.2026
CVE-2026-14051 01.07.2026
CVE-2026-14052 01.07.2026
CVE-2026-14053 01.07.2026
CVE-2026-14054 01.07.2026
CVE-2026-14055 01.07.2026
CVE-2026-14056 01.07.2026
CVE-2026-14057 01.07.2026
CVE-2026-14058 01.07.2026
CVE-2026-14059 01.07.2026
CVE-2026-14060 01.07.2026
CVE-2026-14061 01.07.2026
CVE-2026-14062 01.07.2026
CVE-2026-14063 01.07.2026
CVE-2026-14064 01.07.2026
CVE-2026-14065 01.07.2026
CVE-2026-14066 01.07.2026
CVE-2026-14067 01.07.2026
CVE-2026-14068 01.07.2026
CVE-2026-14069 01.07.2026
CVE-2026-14070 01.07.2026
CVE-2026-14071 01.07.2026
CVE-2026-14072 01.07.2026
CVE-2026-14073 01.07.2026
CVE-2026-14074 01.07.2026
CVE-2026-14075 01.07.2026
CVE-2026-14076 01.07.2026
CVE-2026-14077 01.07.2026
CVE-2026-14078 01.07.2026
CVE-2026-14079 30.06.2026
CVE-2026-14080 30.06.2026
CVE-2026-14081 01.07.2026
CVE-2026-14082 30.06.2026
CVE-2026-14083 30.06.2026
CVE-2026-14084 30.06.2026
CVE-2026-14085 30.06.2026
CVE-2026-14086 01.07.2026
CVE-2026-14087 30.06.2026
CVE-2026-14088 01.07.2026
CVE-2026-14089 01.07.2026
CVE-2026-14090 30.06.2026
CVE-2026-14091 01.07.2026
CVE-2026-14092 30.06.2026
CVE-2026-14093 30.06.2026
CVE-2026-14094 01.07.2026
CVE-2026-14095 30.06.2026
CVE-2026-14096 30.06.2026
CVE-2026-14097 30.06.2026
CVE-2026-14098 30.06.2026
CVE-2026-14099 30.06.2026
CVE-2026-14100 30.06.2026
CVE-2026-14101 30.06.2026
CVE-2026-14102 30.06.2026
CVE-2026-14103 01.07.2026
CVE-2026-14104 01.07.2026
CVE-2026-14105 30.06.2026
CVE-2026-14106 30.06.2026
CVE-2026-14107 01.07.2026
CVE-2026-14108 01.07.2026
CVE-2026-14109 01.07.2026
CVE-2026-14110 01.07.2026
CVE-2026-14111 01.07.2026
CVE-2026-14112 01.07.2026
CVE-2026-14113 01.07.2026
CVE-2026-14114 01.07.2026
CVE-2026-14115 01.07.2026
CVE-2026-14116 01.07.2026
CVE-2026-14117 01.07.2026
CVE-2026-14118 01.07.2026
CVE-2026-14119 01.07.2026
CVE-2026-14120 01.07.2026
CVE-2026-14121 01.07.2026
CVE-2026-14122 01.07.2026
CVE-2026-14123 01.07.2026
CVE-2026-14124 01.07.2026
CVE-2026-14125 01.07.2026
CVE-2026-14126 01.07.2026
CVE-2026-14127 01.07.2026
CVE-2026-14128 01.07.2026
CVE-2026-14129 01.07.2026
CVE-2026-14130 01.07.2026
CVE-2026-14131 01.07.2026
CVE-2026-14132 01.07.2026
CVE-2026-14133 01.07.2026
CVE-2026-14134 01.07.2026
CVE-2026-14135 01.07.2026
CVE-2026-14136 01.07.2026
CVE-2026-14137 01.07.2026
CVE-2026-14138 01.07.2026
CVE-2026-14139 01.07.2026
CVE-2026-14140 01.07.2026
CVE-2026-14141 01.07.2026
CVE-2026-14142 01.07.2026
CVE-2026-14143 01.07.2026
CVE-2026-14144 01.07.2026
CVE-2026-14145 01.07.2026
CVE-2026-14146 01.07.2026
CVE-2026-14147 01.07.2026
CVE-2026-14148 01.07.2026
CVE-2026-14149 01.07.2026
CVE-2026-14150 01.07.2026
CVE-2026-14151 01.07.2026
CVE-2026-14152 01.07.2026
CVE-2026-14153 01.07.2026
CVE-2026-14154 01.07.2026
CVE-2026-14155 01.07.2026
CVE-2026-14156 01.07.2026
CVE-2026-50110 Use of Hard-coded Credentials in StoneFly Storage Concentrator 01.07.2026
CVE-2026-52193 30.06.2026
CVE-2026-52198 30.06.2026
CVE-2026-55223 c3p0 exposes a deserialization "sink" via JDBC DataSource bean properties 01.07.2026
CVE-2026-55721 SQL Injection in StoneFly Storage Concentrator 30.06.2026
CVE-2026-56413 OS Command Injection in StoneFly Storage Concentrator 01.07.2026
CVE-2026-56415 OS Command Injection in StoneFly Storage Concentrator 01.07.2026
CVE-2025-71349 picklescan - Arbitrary Code Execution via Undetected trace.Trace.run in Pickle Files 01.07.2026
CVE-2025-71350 picklescan - Undetected Remote Code Execution via torch.utils.collect_env.run 01.07.2026
CVE-2025-71352 picklescan - Remote Code Execution via Undetected trace.Trace.runctx in Pickle Files 01.07.2026
CVE-2025-71355 picklescan - Arbitrary Code Execution via Unsafe Numpy Function Detection Bypass 01.07.2026
CVE-2025-71363 picklescan - Arbitrary Code Execution via Undetected cProfile.run in Pickle Deserialization 01.07.2026
CVE-2025-71368 picklescan - Arbitrary Code Execution via Undetected doctest.debug_script 01.07.2026
CVE-2025-71371 picklescan - Remote Code Execution via code.InteractiveInterpreter Detection Bypass 01.07.2026
CVE-2025-71374 picklescan - Arbitrary Code Execution via Undetected profile.Profile.run 01.07.2026
CVE-2025-71381 Hono - Vary Header Injection in CORS Middleware 01.07.2026
CVE-2026-28322 SolarWinds Database Performance Analyzer Stored Cross-Site Scripting Vulnerability 30.06.2026 5.6
CVE-2026-50040 Cross-site Scripting in StoneFly Storage Concentrator 30.06.2026
CVE-2026-52195 01.07.2026
CVE-2026-52197 01.07.2026
CVE-2026-54672 electron-updater: Uncontrolled search path elements within `AppImage` built by `app-builder-lib` 01.07.2026 7.8
CVE-2026-54673 electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime` 01.07.2026
CVE-2026-54696 Ruby JSON: JSON generator heap buffer overflow when streaming to an IO 01.07.2026 3.7
CVE-2026-56219 Capgo - Unauthenticated RBAC Bindings and Email Disclosure via get_org_user_access_rbac NULL-auth Bypass 01.07.2026
CVE-2026-56224 Capgo - Login CSRF and Session Fixation via URL Query Parameters 01.07.2026
CVE-2026-56230 Capgo - Broken Object Level Authorization via x-limited-key-id Header 01.07.2026
CVE-2026-56233 Capgo - SSRF and Privilege Escalation via Path Traversal in Builder Upload Proxy 01.07.2026
CVE-2026-56247 Capgo - Privilege Escalation via Cross-Scope RBAC Role Assignment 01.07.2026
CVE-2026-56249 Capgo - Unauthorized Channel Overwrite and Ownership Takeover via POST /channel Name Collision 01.07.2026
CVE-2026-56264 Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint 01.07.2026
CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint 01.07.2026
CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret 01.07.2026
CVE-2026-56286 Capgo - Account Deletion Without Password Confirmation 01.07.2026
CVE-2026-56300 Capgo - Unauthenticated API Key Validity and Permission Oracle via RPC Functions 01.07.2026
CVE-2026-56318 Capgo - Information Disclosure via /private/validate_password_compliance Endpoint 01.07.2026
CVE-2026-56320 Capgo - Org/App Scope Mismatch in Device Creation Endpoint 01.07.2026
CVE-2026-56327 Capgo - Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC 01.07.2026
CVE-2026-56328 Capgo - Integrity Issue in Release Routing via Multiple Public Channels 01.07.2026
CVE-2026-56331 Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String 01.07.2026
CVE-2026-56333 Capgo - Server-Side Validation Bypass via Direct Browser-Side Organization Security Settings Updates 01.07.2026
CVE-2026-56334 Capgo - Missing UPDATE RLS Policy for Build Status Persistence 01.07.2026
CVE-2026-56350 n8n - SSO Enforcement Bypass via API 01.07.2026
CVE-2026-56356 n8n - Stored Cross-Site Scripting in Chat Trigger Node Custom CSS Field 01.07.2026
CVE-2026-56361 ImageMagick - Heap Buffer Overflow via Off-by-One in Morphology Processing 01.07.2026
CVE-2026-56363 ImageMagick - Division by Zero in Binomial Kernel Processing 01.07.2026
CVE-2026-56364 ImageMagick - Memory Leak in LoadOpenCLDeviceBenchmark() via Malformed XML 01.07.2026
CVE-2026-56365 ImageMagick - Memory Leak in PNG Encoder via MNG Image Writing 01.07.2026
CVE-2026-56369 ImageMagick - Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage 01.07.2026
CVE-2026-56377 ImageMagick - Policy Bypass via Incorrect Path Validation 01.07.2026
CVE-2026-56399 Open WebUI - Server-Side Request Forgery via Location Redirect in /api/v1/retrieval/process/web 01.07.2026
CVE-2026-56700 Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection 01.07.2026
CVE-2026-56777 n8n - AST Validator Bypass in Python Code Node 01.07.2026
CVE-2026-57995 phpMyFAQ - Privilege Escalation via Missing Self-Rights Constraint in GroupController::updatePermissions 01.07.2026
CVE-2026-10585 Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q&A category 01.07.2026
CVE-2026-37106 01.07.2026
CVE-2026-52196 01.07.2026
CVE-2026-57204 pypdf: Missing stream length values ignore defined limits 01.07.2026
CVE-2026-57585 MessagePack: Out-of-bounds read/crash on Unpacker reuse after caught error 01.07.2026 7.5
CVE-2026-11541 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by HTTP request smuggling 01.07.2026 7.4
CVE-2026-35505 OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime 30.06.2026
CVE-2026-50003 OFFIS DCMTK Toolkit Path Traversal 30.06.2026
CVE-2026-50254 OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime 30.06.2026
CVE-2026-52868 OFFIS DCMTK Toolkit Path Traversal 30.06.2026
CVE-2026-58446 Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint 01.07.2026 6.5
CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check 01.07.2026 6.5
CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API 01.07.2026 6.5
CVE-2026-58449 txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter 01.07.2026 9.8
CVE-2026-58450 Invoice Ninja 5.13.26 - Open Redirect in Client Portal Login via intended Parameter 01.07.2026 4.3
CVE-2025-12530 Vulnerabilities found in Watson Data Intelligence 01.07.2026 5.9
CVE-2025-36319 Vulnerabilities found in Watson Data Intelligence 30.06.2026 4.3
CVE-2025-36320 Vulnerabilities found in Watson Data Intelligence 01.07.2026 6.4
CVE-2025-36321 Vulnerabilities found in Watson Data Intelligence 01.07.2026 5.7
CVE-2025-36323 Vulnerabilities found in Watson Data Intelligence 01.07.2026 5.4
CVE-2025-36324 Vulnerabilities found in Watson Data Intelligence 01.07.2026 4.3
CVE-2025-36327 Vulnerabilities found in Watson Data Intelligence 01.07.2026 6.5
CVE-2025-36328 Error Message Containing Sensitive Information found in Watson Data Intelligence 30.06.2026 4.3
CVE-2025-36333 Vulnerabilities found in Watson Data Intelligence 01.07.2026 4.3
CVE-2025-36336 Transmission of Sensitive Information found in Watson Data Intelligence 01.07.2026 5.9
CVE-2025-36359 IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability. 01.07.2026 8.1
CVE-2026-10562 Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface 30.06.2026
CVE-2026-11594 IBM WebSphere Application Server is affected by multiple cross-site scripting vulnerabilities 01.07.2026 8.5
CVE-2026-13207 Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing 30.06.2026
CVE-2026-44628 OFFIS DCMTK Toolkit Type Confusion 30.06.2026
CVE-2026-9106 UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen 01.07.2026
CVE-2026-9132 Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint 30.06.2026
CVE-2025-36372 IBM® Db2® could disclose sensitive information to an authenticated user from the monitoring and event tables 01.07.2026 5.5
CVE-2026-10109 IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling 01.07.2026 9.8
CVE-2026-10129 SSRF via HTTP Redirect Following in Langflow API Request Component 30.06.2026 8.5
CVE-2026-10134 Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows 01.07.2026 10
CVE-2026-10140 Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem 01.07.2026 9.6
CVE-2026-10546 DNS Rebinding TOCTOU Bypass of SSRF Protection in Langflow OSS URL Component 01.07.2026 7.1
CVE-2026-10560 Unauthenticated Access to Private Flow Build Events and Cancellation in Langflow OSS 01.07.2026 8.2
CVE-2026-10564 SSRF Vulnerability in Langflow OSS Legacy Components Bypasses Protection 01.07.2026 8.2
CVE-2026-11546 IBM WebSphere Application Server Liberty is affected by a server-side request forgery vulnerability 30.06.2026 7.1
CVE-2026-11595 IBM WebSphere Application Server is affected by a Path Traversal vulnerability 01.07.2026 4.3
CVE-2026-11708 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability 01.07.2026 9.3
CVE-2026-11712 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability 01.07.2026 9.3
CVE-2026-11714 IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability 01.07.2026 8.5
CVE-2026-11806 IBM WebSphere Application Server Liberty is affected by an arbitrary file read vulnerability 01.07.2026 7.2
CVE-2026-11906 IBM® Db2® federated server is vulnerable to a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns by an authenticated user 30.06.2026 6.5
CVE-2026-12084 IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains 01.07.2026 5.4
CVE-2026-12085 IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability 01.07.2026 6.5
CVE-2026-12086 IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insertion of Sensitive Information into Log File Vulnerability 01.07.2026 6.2
CVE-2026-13449 XXE attack in IBM Business Automation Manager Open Editions 01.07.2026 7.6
CVE-2026-13759 IBM WebSphere eXtreme Scale is affected by Insecure Deserialization 01.07.2026 7.5
CVE-2026-13772 IBM WebSphere eXtreme Scale's OQL is affected by remote code execution 30.06.2026 7.5
CVE-2026-13773 IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol 30.06.2026 6
CVE-2026-3602 IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an SQL injection 30.06.2026 4.7
CVE-2026-7663 Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass 01.07.2026 9.1
CVE-2026-7803 Flow Validation Bypass via Empty Component Type Field 01.07.2026 9.8
CVE-2026-7871 Insecure Deserialization in Redis Cache Backend 01.07.2026 9.8
CVE-2026-7873 Code Injection Vulnerability in Code Validation Endpoint 01.07.2026 9.9
CVE-2026-7874 Weak Cryptographic Key Derivation Exposed All Stored Credentials 30.06.2026 9.1
CVE-2026-9002 IBM WebSphere eXtreme Scale is affected by uncontrolled resource consumption when XDF is enabled 30.06.2026 6.5
CVE-2026-9836 IBM DataStage Flow Designer application is affected by an information disclosure vulnerability 30.06.2026 3.5
CVE-2026-10513 Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' Author Properties 01.07.2026 7.2
CVE-2026-58138 Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators 01.07.2026