| CVE-2025-45868 |
|
16.07.2026 |
|
| CVE-2026-12379 |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the Dashboard OAuth/OIDC implementation of Axivion |
16.07.2026 |
|
| CVE-2026-45695 |
Kopia: Unauthenticated RCE via SSH ProxyCommand Injection when --insecure --without-password is used |
16.07.2026 |
9.8 |
| CVE-2026-54568 |
Microsoft UFO: Missing Authorization in DEVICE_INFO_REQUEST Allows a DEVICE Client to Read Another Device's system_info |
16.07.2026 |
4.3 |
| CVE-2026-55440 |
Microsoft UFO: COMMAND_RESULTS handler creates unowned sessions, allowing authenticated session-squatting denial of service |
16.07.2026 |
6.5 |
| CVE-2026-63081 |
Perfect Support Ticketing System 1.7 Stored XSS via Ticket Notes Field |
16.07.2026 |
|
| CVE-2026-63082 |
Perfect Support Ticketing System 1.7 Broken Access Control via Agent Assignment |
16.07.2026 |
|
| CVE-2026-14890 |
CVE-2026-14890 |
16.07.2026 |
|
| CVE-2026-53597 |
Prompty: Arbitrary code execution via JavaScript frontmatter in TypeScript loader |
16.07.2026 |
|
| CVE-2026-53598 |
Prompty: Arbitrary File Read via ${file:path} Reference Expansion |
16.07.2026 |
7.5 |
| CVE-2026-54733 |
moodle-local_o365: Authentication bypass via unverified JWT signature in Teams SSO endpoint |
16.07.2026 |
|
| CVE-2026-57205 |
SimpleChat: Authenticated users can access other users' profile metadata through user IDOR endpoints |
16.07.2026 |
4.3 |
| CVE-2026-57206 |
SimpleChat plugin validation endpoints missing authentication and authorization |
16.07.2026 |
8.6 |
| CVE-2026-59864 |
Kiota: Path/URL injection into generated Copilot plugin manifest via x-ai-* extensions |
16.07.2026 |
|
| CVE-2026-59865 |
Kiota: Command injection via x-ms-kiota-info dependencyInstallCommand surfaced by `kiota info` |
16.07.2026 |
|
| CVE-2026-59866 |
Kiota: Arbitrary file write + code-injection via x-ms-kiota-info clientClassName and clientNamespaceName |
16.07.2026 |
|
| CVE-2026-59867 |
Kiota: Generation-time SSRF + remote/local file inclusion via unrestricted $ref |
16.07.2026 |
7.1 |
| CVE-2026-14254 |
Improper Restriction of Excessive Authentication Attempts in Delphix Continuous Data |
16.07.2026 |
|
| CVE-2026-59237 |
IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders |
16.07.2026 |
|
| CVE-2026-59859 |
Kiota: Code Generation Literal Injection in the PHP Generator |
16.07.2026 |
|
| CVE-2026-59860 |
Kiota: XML Doc-Comment Newline Breakout Code Injection |
16.07.2026 |
|
| CVE-2026-59861 |
Kiota: Code Generation Literal Injection in Kiota Ruby Generator |
16.07.2026 |
7.5 |
| CVE-2026-59862 |
Kiota: Code Generation Literal Injection in the Python Generator |
16.07.2026 |
7.5 |
| CVE-2026-59863 |
Kiota: Workspace-config poisoning: out-of-repo file write + generation-time SSRF |
16.07.2026 |
|
| CVE-2026-56456 |
HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. |
16.07.2026 |
5.3 |
| CVE-2026-5674 |
Pipewire: pipewire: sandbox escape and arbitrary code execution via malicious library loading |
16.07.2026 |
|
| CVE-2026-35140 |
HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability |
16.07.2026 |
3 |
| CVE-2026-35141 |
HCL DFXAnalytics is affected by a Login Replay Attack vulnerability |
16.07.2026 |
2.6 |
| CVE-2026-35142 |
HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. |
16.07.2026 |
2.6 |
| CVE-2026-35143 |
HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability. |
16.07.2026 |
3 |
| CVE-2026-35145 |
HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. |
16.07.2026 |
3.1 |
| CVE-2026-56453 |
HCL DFXAnalytics is affected by an Account Takeover via Response Manipulation vulnerability. |
16.07.2026 |
5.5 |
| CVE-2026-56454 |
HCL DFXAnalytics is affected by a Deprecated Protocol vulnerability due to the use of TLS 1.0 and TLS 1.1. |
16.07.2026 |
5.9 |
| CVE-2026-56455 |
HCL DFXAnalytics is affected by a Buffer Overflow vulnerability that can lead to a Denial of Service (DoS). |
16.07.2026 |
5.3 |
| CVE-2024-58360 |
stoatchat before 0.7.8 Unrestricted Account Creation |
16.07.2026 |
|
| CVE-2025-71377 |
stoatchat before 20250210-1 Unrestricted Message History Fetch |
16.07.2026 |
|
| CVE-2025-71388 |
stoatchat 20241213-1 Webhook Token Disclosure via Read Permissions |
16.07.2026 |
|
| CVE-2026-11386 |
ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution |
16.07.2026 |
9 |
| CVE-2026-12391 |
ubuntu-pro-client Local Privilege Escalation and Information Disclosure via Symlink Arbitrary File Read in collect-logs |
16.07.2026 |
5 |
| CVE-2026-63304 |
AVideo through 29.0 OS Command Injection via listFFmpegProcesses |
16.07.2026 |
|
| CVE-2026-63305 |
AVideo through 29.0 OS Command Injection via ffmpeg.json.php |
16.07.2026 |
|
| CVE-2026-63306 |
stoatchat before 0.13.5 Unauthenticated SSRF via proxy and embed endpoints |
16.07.2026 |
|
| CVE-2026-9494 |
ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process Command Line |
16.07.2026 |
5.5 |
| CVE-2026-59249 |
Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections |
16.07.2026 |
|
| CVE-2026-35146 |
HCL DFXServer is affected by an Unencrypted Communication vulnerability. |
16.07.2026 |
6.3 |
| CVE-2026-35147 |
HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. |
16.07.2026 |
8.2 |
| CVE-2026-35148 |
HCL DFXServer is affected by a Missing Access Control vulnerability |
16.07.2026 |
6.3 |
| CVE-2026-35149 |
HCL DFXServer is affected by an Authentication Bypass vulnerability via server response manipulation. |
16.07.2026 |
8.2 |
| CVE-2023-49899 |
Origin Validation Error in X-Rite MA-T6 |
16.07.2026 |
9.8 |
| CVE-2023-49900 |
Origin Validation Error in X-Rite MA-T6 |
16.07.2026 |
9.8 |
| CVE-2026-22752 |
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata |
16.07.2026 |
9.6 |
| CVE-2026-13741 |
Digits: WordPress Mobile Number Signup and Login <= 9.1.0.5 - Authenticated (Subscriber+) Privilege Escalation via 'digits_reg_userrole' Parameter |
16.07.2026 |
8.8 |
| CVE-2026-13754 |
Tickera <= 3.6.0.0 - Authenticated (Staff+) SQL Injection via 's' Parameter |
16.07.2026 |
6.5 |
| CVE-2026-13755 |
Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute |
16.07.2026 |
6.4 |
| CVE-2026-13767 |
Quiz and Survey Master (QSM) <= 11.2.0 - Authenticated (Custom+) SQL Injection via 'pages' Parameter |
16.07.2026 |
6.5 |
| CVE-2026-15005 |
Loco Translate <= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via 'template' Parameter |
16.07.2026 |
8.8 |
| CVE-2026-15008 |
Uncanny Automator <= 7.3.1.4 - Unauthenticated PHP Object Injection to Arbitrary File Deletion via Forminator Submitted-Field Token |
16.07.2026 |
8.1 |
| CVE-2026-15021 |
wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field |
16.07.2026 |
6.4 |
| CVE-2026-15022 |
Tutor LMS <= 4.0.0 - Authenticated (Subscriber+) SQL Injection via Stored Quiz Answer Array |
16.07.2026 |
6.5 |
| CVE-2026-15099 |
WP Delicious <= 1.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'steps' Block Attribute |
16.07.2026 |
6.4 |
| CVE-2026-15103 |
WPFunnels <= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via 'group_id' Path Parameter |
16.07.2026 |
8.8 |
| CVE-2026-15106 |
WPBot <= 8.5.6 - Missing Authorization to Unauthenticated Arbitrary Chat Session Deletion via 'userid' Parameter |
16.07.2026 |
5.3 |
| CVE-2026-15324 |
SysBasics Customize My Account for WooCommerce <= 4.4.14 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'row_type' Parameter |
16.07.2026 |
4.4 |
| CVE-2026-15350 |
The Cache Purger <= 2.3.20 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Log Deletion via 'the_log_purge' Parameter |
16.07.2026 |
4.3 |
| CVE-2026-15407 |
Themify Builder <= 7.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Stylesheet Write/Delete via tb_generate_on_fly AJAX Action |
16.07.2026 |
4.3 |
| CVE-2026-15610 |
WPBot <= 8.5.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary RAG Document Re-Sync via ajax_rag_manual_sync() Function |
16.07.2026 |
4.3 |
| CVE-2026-15651 |
WP TripAdvisor Review Slider <= 14.6 - Authenticated (Administrator+) SQL Injection via 'filtersource' Parameter |
16.07.2026 |
4.9 |
| CVE-2026-15727 |
WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter |
16.07.2026 |
4.9 |
| CVE-2026-58078 |
Joomla Extension - themexpert.com - Unauthenticated SQL injection in Quix Page Builder Pro < 6.2.1 |
16.07.2026 |
|
| CVE-2026-6423 |
Local privilege escalation via unauthenticated ALPC in ESET Inspect Connector |
16.07.2026 |
|
| CVE-2026-6424 |
Use-after-free vulnerability in ESET security products for Linux |
16.07.2026 |
|
| CVE-2026-7543 |
Breakdance <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting via Webhook Action Details |
16.07.2026 |
7.2 |
| CVE-2026-11371 |
BetterDocs < 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection |
16.07.2026 |
|
| CVE-2026-11866 |
LatePoint < 5.6.3 - Multiple Privileged Actions via CSRF |
16.07.2026 |
|
| CVE-2026-12395 |
WP Job Portal < 2.5.5 - Subscriber+ SQL Injection via Applied Resumes 'ta' Parameter |
16.07.2026 |
|
| CVE-2026-12492 |
Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user |
16.07.2026 |
|
| CVE-2026-12510 |
AI Engine < 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR |
16.07.2026 |
|
| CVE-2026-12525 |
Redux Framework < 4.5.13 - Subscriber+ Privilege Escalation to Administrator |
16.07.2026 |
|
| CVE-2026-12585 |
Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token |
16.07.2026 |
|
| CVE-2026-12684 |
Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media |
16.07.2026 |
|
| CVE-2026-12869 |
Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import |
16.07.2026 |
|
| CVE-2026-12906 |
RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure |
16.07.2026 |
|
| CVE-2026-12907 |
RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation |
16.07.2026 |
|
| CVE-2026-12978 |
FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form |
16.07.2026 |
|
| CVE-2026-12979 |
FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer |
16.07.2026 |
|
| CVE-2026-15925 |
Improper TLS Hostname Verification in Snowflake Connector for Python |
16.07.2026 |
|
| CVE-2026-53366 |
ipv4: account for fraggap on the paged allocation path |
16.07.2026 |
|
| CVE-2026-13042 |
RPB Chessboard <= 8.1.2 - Unauthenticated Stored Cross-Site Scripting via Comment Content |
16.07.2026 |
7.2 |
| CVE-2026-15013 |
SAML Single Sign On <= 5.4.3 - Unauthenticated Authentication Bypass via 'SAMLResponse' Parameter Signature Algorithm Confusion |
16.07.2026 |
9.8 |
| CVE-2026-15306 |
Product Feed Manager For WooCommerce <= 7.6.1 - Reflected Cross-Site Scripting via 's' Search Parameter |
16.07.2026 |
6.1 |
| CVE-2026-15445 |
SEO Booster <= 7.3.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter |
16.07.2026 |
4.9 |
| CVE-2026-15458 |
SEO Booster <= 7.3.1 - Authenticated (Administrator+) SQL Injection via 'sort_field' Parameter |
16.07.2026 |
4.9 |
| CVE-2026-12409 |
Landing Page Builder <= 1.5.3.6 - Cross-Site Request Forgery to ulpb_admin_data AJAX Action |
16.07.2026 |
4.3 |
| CVE-2026-12434 |
List category posts <= 0.95.0 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via 'post_status' Shortcode Attribute |
16.07.2026 |
4.3 |
| CVE-2026-12753 |
Advance Product Search- Voice & Ajax Search for WooCommerce <= 1.4.4 - Unauthenticated SQL Injection via 's' and 'match' Parameter |
16.07.2026 |
7.5 |
| CVE-2026-12941 |
MultiVendorX <= 5.0.9 - Authenticated (Store Owner+) SQL Injection via 'order_by' Parameter |
16.07.2026 |
6.5 |
| CVE-2026-13005 |
MxChat <= 3.2.10 - Authenticated (Admin+) Stored Cross-Site Scripting via 'intro_message' Setting |
16.07.2026 |
4.4 |
| CVE-2026-14987 |
GiveWP <= 4.16.3 - Authenticated (Give Worker+) Stored Cross-Site Scripting via 'twitter_message' Sequoia Template Setting |
16.07.2026 |
6.4 |
| CVE-2026-15336 |
Catch Themes Demo Import <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Single Plugin Installation via 'activate_plugin' Parameter |
16.07.2026 |
4.3 |
| CVE-2026-15652 |
Easy Accordion <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Block Attribute |
16.07.2026 |
6.4 |
| CVE-2026-21729 |
Loki detected_fields query limits results in unbounded memory allocation |
16.07.2026 |
7.5 |
| CVE-2026-15909 |
RafyMrX TOKO-ONLINE-ROTI add.php authorization |
16.07.2026 |
|
| CVE-2026-1609 |
Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization grant with disabled users |
16.07.2026 |
|
| CVE-2026-23538 |
Feast: resource exhaustion via websocket endpoint |
16.07.2026 |
|
| CVE-2026-3842 |
Qemu-kvm: hyperv/syndbg: missing mapped-length guard after cpu_physical_memory_map causes host oob write |
16.07.2026 |
|
| CVE-2026-48863 |
Libsolv: stack-based buffer overflow in libsolv eddsa pgp signature verification allows denial of service |
16.07.2026 |
|
| CVE-2026-15907 |
H3C SecPath F1000-C8300 g=log_fw_nbc_mail_jsondata sql injection |
16.07.2026 |
|
| CVE-2026-26718 |
|
15.07.2026 |
|
| CVE-2026-26719 |
|
15.07.2026 |
|
| CVE-2026-36590 |
|
15.07.2026 |
|
| CVE-2026-38974 |
|
15.07.2026 |
|
| CVE-2025-65720 |
|
15.07.2026 |
|
| CVE-2026-30618 |
|
16.07.2026 |
|
| CVE-2026-30623 |
|
16.07.2026 |
|
| CVE-2026-45313 |
Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape |
16.07.2026 |
7.7 |
| CVE-2026-48795 |
Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser |
15.07.2026 |
8.6 |
| CVE-2026-54458 |
AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin |
16.07.2026 |
9.6 |
| CVE-2026-55445 |
Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication |
15.07.2026 |
|
| CVE-2026-63175 |
Cross-Capture Session Data Leakage Due to Shared Mutable State in Looklyloo - PlaywrightCapture |
16.07.2026 |
|
| CVE-2026-15921 |
nvm path traversal via a malicious mirror's LTS codename writes outside the alias directory |
16.07.2026 |
|
| CVE-2026-38752 |
|
16.07.2026 |
|
| CVE-2026-38754 |
|
16.07.2026 |
|
| CVE-2026-38755 |
|
16.07.2026 |
|
| CVE-2026-49279 |
WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass) |
15.07.2026 |
|
| CVE-2026-50182 |
AVideo Has Unauthenticated Reflected XSS via $_GET['search'] in YouTubeAPI Gallery Pagination |
15.07.2026 |
6.1 |
| CVE-2026-50183 |
WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section |
16.07.2026 |
4.7 |
| CVE-2026-52890 |
Wekan: Arbitrary file read and server DoS via attachment versions.original.path |
16.07.2026 |
7.1 |
| CVE-2026-52891 |
Wekan: Shell Injection via Avatar Upload |
15.07.2026 |
9.9 |
| CVE-2026-52892 |
Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops) |
16.07.2026 |
6.5 |
| CVE-2026-52893 |
Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook |
15.07.2026 |
|
| CVE-2026-53444 |
Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin |
15.07.2026 |
|
| CVE-2026-53445 |
Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards |
16.07.2026 |
|
| CVE-2026-53446 |
Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs |
16.07.2026 |
|
| CVE-2026-53447 |
Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) any private board by ID |
15.07.2026 |
6.5 |
| CVE-2026-55234 |
Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule) |
16.07.2026 |
8.5 |
| CVE-2026-55576 |
MaaAssistantArknights: PR-title expression injection in release-preparation.yml |
15.07.2026 |
|
| CVE-2026-55652 |
Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unauthenticated full account takeover (incl. admin) |
15.07.2026 |
9.8 |
| CVE-2026-62314 |
Anubis: Policy bypass via client controlled X-Original-URI header |
16.07.2026 |
5.8 |
| CVE-2026-33684 |
AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions |
16.07.2026 |
5.3 |
| CVE-2026-38753 |
|
16.07.2026 |
|
| CVE-2026-46339 |
9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes |
16.07.2026 |
10 |
| CVE-2026-49352 |
9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass |
15.07.2026 |
9.8 |
| CVE-2026-49353 |
9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING |
16.07.2026 |
7.5 |
| CVE-2026-51380 |
|
16.07.2026 |
|
| CVE-2026-54052 |
n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments |
15.07.2026 |
9.9 |
| CVE-2026-55608 |
n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode |
15.07.2026 |
4.2 |
| CVE-2026-56678 |
9Router: Kiro region injection allows authenticated SSRF with Authorization header forwarding |
16.07.2026 |
6.4 |
| CVE-2026-56679 |
9Router: Mass assignment in PATCH /api/settings allows authenticated authorization downgrade |
16.07.2026 |
|
| CVE-2026-62312 |
9Router: Authenticated RCE via Unvalidated MCP Plugin Arguments |
15.07.2026 |
8.8 |
| CVE-2026-62361 |
listmonk: SQL Injection in `/api/subscribers/export` bypasses table access control, leaking admin password hashes and SMTP credentials |
16.07.2026 |
5.5 |
| CVE-2026-33444 |
Memory management vulnerability in Secure Access servers |
16.07.2026 |
|
| CVE-2026-33445 |
Memory management vulnerability in Secure Access servers |
16.07.2026 |
|
| CVE-2026-52887 |
NocoBase: SQL injection in /api/myInAppChannels:list filter to PG-superuser RCE |
15.07.2026 |
10 |
| CVE-2026-52888 |
NocoBase: Sensitive Data Exposure via SQL Blacklist Bypass |
16.07.2026 |
6.8 |
| CVE-2026-55398 |
Memory management vulnerability in Secure Access clients |
16.07.2026 |
|
| CVE-2026-55399 |
Resource exhaustion vulnerability in the Secure Access publisher |
16.07.2026 |
|
| CVE-2026-55410 |
NocoBase backup restore schema name allows command injection |
15.07.2026 |
6.7 |
| CVE-2026-59950 |
MCP Python SDK: WebSocket server transport does not support Host/Origin validation |
15.07.2026 |
|
| CVE-2026-33443 |
Memory management error in Secure Access servers prior to 14.55 |
16.07.2026 |
|
| CVE-2026-40954 |
Integer underflow in Secure Access clients prior to 14.55 |
16.07.2026 |
|
| CVE-2026-40955 |
Integer underflow vulnerability in Secure Access clients |
16.07.2026 |
|
| CVE-2026-40956 |
Memory disclosure in Secure Access Clients |
16.07.2026 |
|
| CVE-2026-40957 |
Frameable content vulnerability in the Secure Access server login page |
16.07.2026 |
|
| CVE-2026-40958 |
Input validation error in Secure Access clients prior to 14.55 |
16.07.2026 |
|
| CVE-2026-45737 |
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations |
15.07.2026 |
6.3 |
| CVE-2026-45738 |
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation |
16.07.2026 |
7.3 |
| CVE-2026-49867 |
DataEase: Authenticated Stored XSS in DataEase Template Static Resources |
15.07.2026 |
|
| CVE-2026-50144 |
ncnn: Out-of-bounds heap write in ParamDict::load_param via unchecked negative parameter id |
15.07.2026 |
7.1 |
| CVE-2026-52869 |
MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal |
16.07.2026 |
7.1 |
| CVE-2026-52870 |
MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks |
16.07.2026 |
7.6 |
| CVE-2026-40952 |
Privilge misconfiguration in Secure Access installers |
16.07.2026 |
|
| CVE-2026-40953 |
Heap overflow in Secure Access clients |
16.07.2026 |
|
| CVE-2026-45320 |
DataEase Data Dashboard SqlVariable transFilter Unfiltered SQL Injection |
15.07.2026 |
|
| CVE-2026-45533 |
DataEase: Path Traversal Vulnerability |
15.07.2026 |
|
| CVE-2026-45535 |
DataEase: Stored SQL Injection Vulnerability |
16.07.2026 |
|
| CVE-2026-46684 |
DataEase: Unauthorized Command Execution Vulnerability |
15.07.2026 |
|
| CVE-2026-50124 |
DataEase: Remote Code Execution (RCE) via Zip Protocol & File Dropper |
15.07.2026 |
|