| CVE | Title | Published | Score |
|---|---|---|---|
| CVE-2026-4321 | SQLi in Raera's Destekz | 03.07.2026 | 9.8 |
| CVE-2026-14544 | Hplip: incomplete fix for CVE-2026-8631 | 03.07.2026 | 9.8 |
| CVE-2026-9725 | Printcart Web to Print Product Designer for WooCommerce <= 2.5.2 - Unauthenticated Arbitrary File Deletion | 03.07.2026 | 9.1 |
| CVE-2026-13768 | Gardyn IoT Hub Use of Hard-coded Credentials | 02.07.2026 | 9.5 |
| CVE-2026-13368 | WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication | 02.07.2026 | 9.2 |
| CVE-2026-41106 | Microsoft 365 Copilot Elevation of Privilege Vulnerability | 02.07.2026 | 9.3 |
| CVE-2026-45499 | Azure OpenAI Elevation of Privilege Vulnerability | 02.07.2026 | 9.9 |
| CVE-2026-57100 | Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability | 02.07.2026 | 9.9 |
| CVE-2026-52830 | fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection | 02.07.2026 | 9.4 |
| CVE-2026-58466 | AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user() | 02.07.2026 | 9.3 |
| CVE-2026-59099 | Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure | 02.07.2026 | 9.3 |
| CVE-2022-50973 | Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet | 02.07.2026 | 9.3 |
| CVE-2024-14037 | Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob | 02.07.2026 | 9.3 |
| CVE-2026-44935 | Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer | 03.07.2026 | 9.9 |
| CVE-2026-58455 | Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php | 02.07.2026 | 9.2 |
| CVE-2026-50746 | | 02.07.2026 | 10 |
| CVE-2026-50747 | | 02.07.2026 | 9.9 |
| CVE-2026-50748 | | 02.07.2026 | 9.9 |
| CVE-2026-54400 | | 02.07.2026 | 9.1 |
| CVE-2026-54402 | | 02.07.2026 | 9.9 |
| CVE-2026-55115 | | 02.07.2026 | 9.9 |
| CVE-2026-55116 | | 02.07.2026 | 9 |
| CVE-2026-56004 | obs-service-tar_scm: command injection via mercurial handler | 02.07.2026 | 10 |
| CVE-2026-4767 | Improper Access Control in TR7's WAF-ASP | 02.07.2026 | 9.8 |
| CVE-2026-5524 | Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter | 02.07.2026 | 9.8 |
| CVE-2026-27419 | WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability | 02.07.2026 | 9.9 |
| CVE-2026-27436 | WordPress Five Star Business Profile and Schema plugin <= 2.3.19 - Arbitrary Code Execution vulnerability | 02.07.2026 | 9.1 |
| CVE-2026-57621 | WordPress Booktics plugin <= 1.0.21 - PHP Object Injection vulnerability | 02.07.2026 | 9.8 |
| CVE-2026-57623 | WordPress W3 Total Cache plugin <= 2.9.4 - Arbitrary Code Execution vulnerability | 02.07.2026 | 9 |
| CVE-2026-57624 | WordPress Blocksy Companion Pro plugin <= 2.1.46 - Remote Code Execution (RCE) vulnerability | 02.07.2026 | 10 |
| CVE-2026-57625 | WordPress Admin and Site Enhancements (ASE) Pro plugin <= 8.8.5 - Cross Site Scripting (XSS) vulnerability | 02.07.2026 | 9.6 |
| CVE-2026-57677 | WordPress Novalnet Payment Gateway for WooCommerce plugin <= 12.10.3 - PHP Object Injection vulnerability | 02.07.2026 | 9.8 |
| CVE-2026-57679 | WordPress GeekyBot plugin <= 1.2.5 - SQL Injection vulnerability | 02.07.2026 | 9.3 |
| CVE-2026-57683 | WordPress WP Fast Total Search plugin <= 1.80.280 - SQL Injection vulnerability | 02.07.2026 | 9.3 |
| CVE-2026-14439 | Path Traversal in Altium Git Service Allows Remote Code Execution | 02.07.2026 | 9.4 |
| CVE-2026-58457 | Shenzhen Aitemi M300 MT02 Unauthenticated OS Command Injection via protocol.csp | 01.07.2026 | 9.3 |
| CVE-2026-50160 | Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite | 02.07.2026 | 10 |
| CVE-2026-34108 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text.php | 02.07.2026 | 9.3 |
| CVE-2026-34109 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech.php | 01.07.2026 | 9.3 |
| CVE-2026-34110 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in complex_start.php | 01.07.2026 | 9.3 |
| CVE-2026-34111 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac_text.php | 01.07.2026 | 9.3 |
| CVE-2026-34112 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speechmac.php | 01.07.2026 | 9.3 |
| CVE-2026-34113 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech_text.php | 01.07.2026 | 9.3 |
| CVE-2026-34114 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translate_text.php | 02.07.2026 | 9.3 |
| CVE-2026-34115 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcribe_amazon.php | 01.07.2026 | 9.3 |
| CVE-2026-34116 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in transcribe.php | 01.07.2026 | 9.3 |
| CVE-2026-34117 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in text_to_subtitles.php | 01.07.2026 | 9.3 |
| CVE-2026-34099 | Guardian Language-System Unauthenticated SQL Injection via id Parameter in job_info.php | 02.07.2026 | 9.3 |
| CVE-2026-34100 | Guardian Language-System Unauthenticated SQL Injection via id Parameter in media.php | 01.07.2026 | 9.3 |
| CVE-2026-34101 | Guardian Language-System Unauthenticated SQL Injection via id Parameter in text_file.php | 01.07.2026 | 9.3 |
| CVE-2026-34102 | Guardian Language-System Unauthenticated SQL Injection via id Parameter in job_info_get.php | 01.07.2026 | 9.3 |
| CVE-2026-34103 | Guardian Language-System Unauthenticated SQL Injection via id Parameter in subtitles.php | 01.07.2026 | 9.3 |
| CVE-2026-34104 | Guardian Language-System Unauthenticated SQL Injection via name Parameter in designer.php | 01.07.2026 | 9.3 |
| CVE-2026-34105 | Guardian Language-System Unauthenticated SQL Injection via id Parameter in translate_text.php | 02.07.2026 | 9.3 |
| CVE-2026-34106 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in subtitles.php | 01.07.2026 | 9.3 |
| CVE-2026-34107 | Guardian Language-System Unauthenticated OS Command Injection via id Parameter in translate.php | 01.07.2026 | 9.3 |
| CVE-2026-58453 | JAIOTlink C492A-W6 4.8.30.57701411 Hard-coded Credentials via anyka_ipc | 01.07.2026 | 9.3 |
| CVE-2025-23350 | | 01.07.2026 | 9 |
| CVE-2025-23351 | | 01.07.2026 | 9 |
| CVE-2026-24270 | | 01.07.2026 | 9.8 |
| CVE-2026-57517 | Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter | 02.07.2026 | 9.3 |
| CVE-2026-58126 | PACSgear PACS Scan 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service | 01.07.2026 | 9.3 |
| CVE-2026-58127 | PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service | 01.07.2026 | 9.3 |
| CVE-2026-23537 | Feast: unauthenticated arbitrary file write | 02.07.2026 | 9.1 |
| CVE-2026-13603 | SSRF with API key leak in pretix-oppwa | 01.07.2026 | 9 |
| CVE-2026-57692 | WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability | 01.07.2026 | 9.8 |
| CVE-2026-14198 | @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values | 01.07.2026 | 9.1 |
| CVE-2026-10539 | Unauthenticated command injection in Control-M/Server communication command | 01.07.2026 | 9.5 |
| CVE-2026-11387 | SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset | 01.07.2026 | 9.8 |
| CVE-2026-6070 | WP-BusinessDirectory <= 4.0.1 - Unauthenticated Arbitrary File Deletion via Path Traversal via '_filename' Parameter | 01.07.2026 | 9.1 |
| CVE-2026-7839 | UltraVNC repeater ships hardcoded default admin password allowing unauthenticated admin access | 01.07.2026 | 9.1 |
| CVE-2026-7840 | UltraVNC repeater HTTP server global buffer overflow via long URI (pre-auth RCE) | 01.07.2026 | 9.3 |
| CVE-2026-53488 | containerd CRI plugin: image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull | 03.07.2026 | 9.4 |
| CVE-2026-50110 | Use of Hard-coded Credentials in StoneFly Storage Concentrator | 01.07.2026 | 9.3 |
| CVE-2026-55721 | SQL Injection in StoneFly Storage Concentrator | 01.07.2026 | 9.2 |
| CVE-2026-56413 | OS Command Injection in StoneFly Storage Concentrator | 01.07.2026 | 10 |
| CVE-2026-56415 | OS Command Injection in StoneFly Storage Concentrator | 01.07.2026 | 10 |
| CVE-2026-56264 | Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint | 01.07.2026 | 9.2 |
| CVE-2026-56278 | Flowise - Session Hijacking via Weak Default Express Session Secret | 01.07.2026 | 9.3 |
| CVE-2026-56700 | Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection | 01.07.2026 | 9.3 |
| CVE-2026-50003 | OFFIS DCMTK Toolkit Path Traversal | 01.07.2026 | 9.3 |
| CVE-2026-58449 | txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter | 01.07.2026 | 9.3 |
| CVE-2026-10109 | IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling | 01.07.2026 | 9.8 |
| CVE-2026-10134 | Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows | 01.07.2026 | 10 |
| CVE-2026-10140 | Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem | 02.07.2026 | 9.6 |
| CVE-2026-11708 | IBM WebSphere Application Server is affected by a cross-site scripting vulnerability | 01.07.2026 | 9.3 |
| CVE-2026-11712 | IBM WebSphere Application Server is affected by a cross-site scripting vulnerability | 01.07.2026 | 9.3 |
| CVE-2026-7663 | Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass | 01.07.2026 | 9.1 |
| CVE-2026-7803 | Flow Validation Bypass via Empty Component Type Field | 01.07.2026 | 9.8 |
| CVE-2026-7871 | Insecure Deserialization in Redis Cache Backend | 01.07.2026 | 9.8 |
| CVE-2026-7873 | Code Injection Vulnerability in Code Validation Endpoint | 01.07.2026 | 9.9 |
| CVE-2026-7874 | Weak Cryptographic Key Derivation Exposed All Stored Credentials | 02.07.2026 | 9.1 |
| CVE-2026-58138 | Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators | 01.07.2026 | 9.3 |
| CVE-2026-58172 | Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests | 02.07.2026 | 9.3 |
| CVE-2026-58370 | Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name | 02.07.2026 | 9.2 |
| CVE-2026-48276 | ColdFusion \| Unrestricted Upload of File with Dangerous Type (CWE-434) | 01.07.2026 | 10 |
| CVE-2026-48277 | ColdFusion \| Improper Input Validation (CWE-20) | 01.07.2026 | 10 |
| CVE-2026-48281 | ColdFusion \| Improper Input Validation (CWE-20) | 01.07.2026 | 10 |
| CVE-2026-48282 | ColdFusion \| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 01.07.2026 | 10 |
| CVE-2026-48283 | ColdFusion \| Unrestricted Upload of File with Dangerous Type (CWE-434) | 01.07.2026 | 10 |
| CVE-2026-48286 | Adobe Campaign Classic (ACC) \| Incorrect Authorization (CWE-863) | 01.07.2026 | 10 |
| CVE-2026-48313 | ColdFusion \| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 30.06.2026 | 9.3 |
| CVE-2026-48315 | ColdFusion \| Improper Input Validation (CWE-20) | 01.07.2026 | 9.3 |
| CVE-2026-58116 | LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path | 30.06.2026 | 9.3 |
| CVE-2026-6556 | @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins | 30.06.2026 | 9.1 |
| CVE-2026-44946 | SAML Authentication Replay in Rancher | 01.07.2026 | 9.5 |
| CVE-2026-14162 | Advantech \| Hospital Quering Management - Missing Authentication | 30.06.2026 | 9.3 |
| CVE-2026-53690 | SQL Injection in Redeight CMS | 30.06.2026 | 9.3 |
| CVE-2026-8402 | SQLi in Exagate's SYSGUARD 6001 | 30.06.2026 | 9.8 |
| CVE-2026-12076 | SQL Injection in Raytha CMS | 30.06.2026 | 9.3 |
| CVE-2026-9711 | EventON - WordPress Virtual Event Calendar Plugin <= 5.0.11 - Unauthenticated Blind SQL Injection via Search Parameter | 30.06.2026 | 9.8 |
| CVE-2026-12818 | DVP-12SE Exposure of Sensitive Information Vulnerability | 30.06.2026 | 9.3 |
| CVE-2026-12819 | DVP-12SE Missing Authentication and Unauthorized Write Access Vulnerability | 30.06.2026 | 9.3 |
| CVE-2026-12073 | ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite | 30.06.2026 | 9.8 |
| CVE-2026-57498 | Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid, Allowing Deploys to Other Teams' Servers | 30.06.2026 | 9.6 |
| CVE-2026-11720 | Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder | 29.06.2026 | 9.3 |
| CVE-2026-56782 | Gorse - Unauthenticated Database Dump and Restore via /api/dump and /api/restore Endpoints | 30.06.2026 | 9.3 |
| CVE-2026-41052 | Rancher Privilege Escalation from Project Owner to Host | 30.06.2026 | 9.4 |
| CVE-2026-56290 | Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0 | 01.07.2026 | 10 |
| CVE-2026-57331 | WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability | 29.06.2026 | 9.9 |
| CVE-2026-58053 | Gitea act_runner - Container Hardening Bypass via Workflow Container Options | 30.06.2026 | 9.4 |
| CVE-2026-12415 | Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter | 29.06.2026 | 9.8 |
| CVE-2026-31928 | Daktronics Controller Firmware Use of Hard-coded Credentials | 29.06.2026 | 9.3 |
| CVE-2026-28701 | Daktronics Controller Firmware Path Traversal | 29.06.2026 | 9.3 |
| CVE-2026-49869 | Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter` | 29.06.2026 | 10 |
| CVE-2026-53576 | Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass | 29.06.2026 | 10 |
| CVE-2026-54350 | Budibase: Anonymous NoSQL operator injection via published-app query templates | 30.06.2026 | 10 |
| CVE-2026-54352 | Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload | 27.06.2026 | 9.6 |
| CVE-2026-46386 | OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` | 29.06.2026 | 9.9 |
| CVE-2026-53309 | ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison | 28.06.2026 | 9.8 |
| CVE-2026-52780 | OpenProject: Cache store poisoning leads to Remote Code Execution (RCE) | 27.06.2026 | 9.6 |
| CVE-2026-52782 | OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources | 29.06.2026 | 9.9 |
| CVE-2026-52785 | OpenProject: SQL injection in timestamps functionality | 29.06.2026 | 9.9 |