CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-59702 repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack 08.07.2026 9.2
CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input 08.07.2026 9.2
CVE-2026-9074 IBM API Connect SQL Injection 08.07.2026 9.1
CVE-2026-15062 SQL Injection in Snowflake Snowpark Python SDK 08.07.2026 9.6
CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import 08.07.2026 9.1
CVE-2026-58480 Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments 08.07.2026 9.2
CVE-2026-8307 SQLi in Webbeyaz's Mediküm Web 08.07.2026 9.8
CVE-2026-56000 xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() 08.07.2026 9
CVE-2026-9695 Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 08.07.2026 9.8
CVE-2026-12153 WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action 08.07.2026 9.8
CVE-2026-14487 Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter 08.07.2026 9.1
CVE-2026-9701 Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 08.07.2026 9.8
CVE-2026-56843 08.07.2026 9.9
CVE-2026-59705 mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints 08.07.2026 9.3
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft 08.07.2026 9.1
CVE-2026-59706 mem0 - Server-Side Request Forgery and Plaintext API Key Exposure via Unauthenticated Config Endpoints 08.07.2026 9.2
CVE-2026-58473 Cognee < 1.2.0 Unauthorized LLM Configuration Overwrite via /api/v1/settings 08.07.2026 9.3
CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply 07.07.2026 9.2
CVE-2026-59800 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint 07.07.2026 9.2
CVE-2026-13019 Missing Authentication 08.07.2026 9.8
CVE-2026-53481 08.07.2026 9.8
CVE-2026-53483 08.07.2026 9.8
CVE-2026-14345 WPFunnels <= 3.12.7 - Unauthenticated Remote Code Execution via 'postData' Parameter 07.07.2026 9.8
CVE-2026-34037 Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo() 07.07.2026 9.9
CVE-2026-34047 Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution 07.07.2026 9.9
CVE-2026-34048 Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers 07.07.2026 9.9
CVE-2026-34038 Coolify authenticated remote command injection leading to RCE and secret exfiltration 07.07.2026 9.9
CVE-2026-42341 FOSSBilling has an unauthenticated payment bypass via IPN callback forgery 07.07.2026 9.2
CVE-2026-57571 Crawl4AI arbitrary file write via download filename path traversal 07.07.2026 9.6
CVE-2026-57572 Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args 06.07.2026 10
CVE-2026-9181 Directory Traversal in ArcGIS Server 08.07.2026 9.8
CVE-2026-9182 Unvalidated File Upload vulnerability in ArcGIS Server. 08.07.2026 9.8
CVE-2026-48614 06.07.2026 9.9
CVE-2026-40138 Critical Pre-Authentication Vulnerability in BeyondTrust Remote Support and Privileged Remote Access 07.07.2026 9.2
CVE-2026-40139 Critical Pre-Authentication Vulnerability in BeyondTrust Remote Support and Privileged Remote Access 07.07.2026 9.2
CVE-2026-48316 ColdFusion | Improper Input Validation (CWE-20) 07.07.2026 10
CVE-2025-53827 ownCloud Core: Updater has an exposed dangerous method or function 08.07.2026 9.1
CVE-2025-53830 Anti-Virus for ownCloud 10 is vulnerable to Server-Side Request Forgery (SSRF) 08.07.2026 9.1
CVE-2026-12686 Incorrect authorisation in Adiss’s Biloop 06.07.2026 9.3
CVE-2026-6900 Improper Certificate Validation 06.07.2026 9.1
CVE-2026-14807 PROG MIS|ERP App - Use of Hard-coded Credentials 06.07.2026 9.3
CVE-2026-14808 PROG MIS|Prog Management System - Exposure of Sensitive Information 06.07.2026 9.3
CVE-2026-59509 Unauthenticated arbitrary MongoDB collection read in cve-search 06.07.2026 9.2
CVE-2026-58426 Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write 06.07.2026 9.6
CVE-2026-20896 Gitea Docker image trusts spoofable reverse-proxy headers by default 07.07.2026 9.8
CVE-2026-22874 Gitea webhook and migration allow-list filtering permits SSRF 07.07.2026 9.6
CVE-2026-58289 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability 07.07.2026 9
CVE-2026-4321 SQLi in Raera's Destekz 06.07.2026 9.8
CVE-2026-14544 Hplip: incomplete fix for cve-2026-8631 06.07.2026 9.8
CVE-2026-9725 Printcart Web to Print Product Designer for WooCommerce <= 2.5.2 - Unauthenticated Arbitrary File Deletion 07.07.2026 9.1
CVE-2026-13768 Gardyn IoT Hub Use of Hard-coded Credentials 06.07.2026 9.5
CVE-2026-13368 WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication 07.07.2026 9.2
CVE-2026-41106 Microsoft 365 Copilot Elevation of Privilege Vulnerability 07.07.2026 9.3
CVE-2026-45499 Azure OpenAI Elevation of Privilege Vulnerability 07.07.2026 9.9
CVE-2026-57100 Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability 07.07.2026 9.9
CVE-2026-52830 fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection 06.07.2026 9.4
CVE-2026-58466 AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user() 06.07.2026 9.3
CVE-2026-59099 Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure 06.07.2026 9.3
CVE-2022-50973 Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet 02.07.2026 9.3
CVE-2024-14037 Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob 02.07.2026 9.3
CVE-2026-44935 Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer 03.07.2026 9.9
CVE-2026-58455 Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php 06.07.2026 9.2
CVE-2026-50746 02.07.2026 10
CVE-2026-50747 02.07.2026 9.9
CVE-2026-50748 02.07.2026 9.9
CVE-2026-54400 02.07.2026 9.1
CVE-2026-54402 02.07.2026 9.9
CVE-2026-55115 02.07.2026 9.9
CVE-2026-55116 02.07.2026 9
CVE-2026-56004 obs-service-tar_scm: command injection via mercurial handler 02.07.2026 10
CVE-2026-4767 Improper Access Control in TR7's WAF-ASP 02.07.2026 9.8
CVE-2026-5524 Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter 02.07.2026 9.8
CVE-2026-27419 WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability 02.07.2026 9.9
CVE-2026-27436 WordPress Five Star Business Profile and Schema plugin <= 2.3.19 - Arbitrary Code Execution vulnerability 02.07.2026 9.1
CVE-2026-57621 WordPress Booktics plugin <= 1.0.21 - PHP Object Injection vulnerability 02.07.2026 9.8
CVE-2026-57623 WordPress W3 Total Cache plugin <= 2.9.4 - Arbitrary Code Execution vulnerability 02.07.2026 9
CVE-2026-57624 WordPress Blocksy Companion Pro plugin <= 2.1.46 - Remote Code Execution (RCE) vulnerability 02.07.2026 10
CVE-2026-57625 WordPress Admin and Site Enhancements (ASE) Pro plugin <= 8.8.5 - Cross Site Scripting (XSS) vulnerability 02.07.2026 9.6
CVE-2026-57677 WordPress Novalnet Payment Gateway for WooCommerce plugin <= 12.10.3 - PHP Object Injection vulnerability 02.07.2026 9.8
CVE-2026-57679 WordPress GeekyBot plugin <= 1.2.5 - SQL Injection vulnerability 02.07.2026 9.3
CVE-2026-57683 WordPress WP Fast Total Search plugin <= 1.80.280 - SQL Injection vulnerability 02.07.2026 9.3
CVE-2026-14439 Path Traversal in Altium Git Service Allows Remote Code Execution 02.07.2026 9.4
CVE-2026-58457 Shenzhen Aitemi M300 MT02 Unauthenticated OS Command Injection via protocol.csp 06.07.2026 9.3
CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite 02.07.2026 10

Latest Updates

CVE Title Updated Score
CVE-2026-14966 Symlink guard bypass in unarchive module allows planting symlinks during extraction 08.07.2026 3.1
CVE-2026-14967 Path traversal in github_workflows allows writing artifacts outside output directory 08.07.2026 3.1
CVE-2026-15063 Trustyai-service-operator: trustyai service operator: gorch port bypass when auth is enabled 08.07.2026
CVE-2026-3144 IBM API Connect Default Credentials 08.07.2026 8.1
CVE-2026-49944 08.07.2026
CVE-2026-49945 08.07.2026
CVE-2026-49946 08.07.2026
CVE-2026-53951 Copier: trust-prefix bypass via path traversal runs tasks unprompted 08.07.2026
CVE-2026-54344 ToolJet GitHub Actions comment body shell injection exposes deployment secrets 08.07.2026 4.7
CVE-2026-55761 Portainer: Unauthenticated Restore Endpoint Allows Admin Takeover on Uninitialised Portainer Instances 08.07.2026
CVE-2026-57439 CyberChef: Prototype pollution in Series Chart operation 08.07.2026 5
CVE-2026-59262 AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field 08.07.2026
CVE-2026-59702 repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack 08.07.2026
CVE-2026-59724 Socket.IO: Engine.IO WebTransport SID DoS 08.07.2026 7.5
CVE-2026-59725 Socket.IO: Engine.IO Polling Transport Connection Exhaustion 08.07.2026 7.5
CVE-2026-59868 js-yaml: YAML merge-key chains can force quadratic CPU consumption 08.07.2026 5.3
CVE-2026-59869 js-yaml: YAML merge-key chains can force quadratic CPU consumption 08.07.2026 7.5
CVE-2026-59870 js-yaml quadratic-complexity denial of service via YAML11_SCHEMA !!omap parsing 08.07.2026 5.3
CVE-2026-59871 node-tar: Process crash via PAX numeric path type confusion 08.07.2026 5.3
CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input 08.07.2026
CVE-2026-59874 node-tar: Negative tar entry size causes infinite loop in archive replace 08.07.2026
CVE-2026-59875 node-tar: Uncaught Exception DoS via NUL byte in PAX path/linkpath records 08.07.2026 5.3
CVE-2026-59876 protobufjs: Text Format string map parsing can mutate returned map object prototype 08.07.2026 4.8
CVE-2026-59877 protobufjs: Denial of Service via infinite loop in .proto option parsing 08.07.2026 5.3
CVE-2026-59880 Immutable.js: Hash-collision algorithmic complexity denial of service in Immutable.Map/Set 08.07.2026
CVE-2026-9074 IBM API Connect SQL Injection 08.07.2026 9.1
CVE-2026-10698 Table scope bypass vulnerability in custom reports 08.07.2026 7.2
CVE-2026-10699 Memory leak in SFTP service can result in a denial of service in MOVEit Transfer 08.07.2026 7.5
CVE-2026-10706 Exposure of Sensitive Information to an Unauthorized attacker 08.07.2026
CVE-2026-10708 Insufficiently Protected Credentials 08.07.2026
CVE-2026-11903 Stored XSS in MOVEit Transfer Ad Hoc module 08.07.2026 8
CVE-2026-15036 Harness gitspaces Endpoint list_all.go getAuthorizedSpaces authorization 08.07.2026
CVE-2026-15044 Trustyai-service-operator: trustyai service operator: unauthenticated access to ai guardrails and orchestrator apis 08.07.2026
CVE-2026-15062 SQL Injection in Snowflake Snowpark Python SDK 08.07.2026 9.6
CVE-2026-15067 Multiple Security Vulnerabilities in Terraform Provider for Snowflake Could Allow Privilege Escalation and Unauthorized Snowflake Account Takeover 08.07.2026 8.8
CVE-2026-24697 08.07.2026
CVE-2026-24698 08.07.2026
CVE-2026-24699 08.07.2026
CVE-2026-24700 08.07.2026
CVE-2026-49145 App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc 08.07.2026
CVE-2026-49146 App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc 08.07.2026
CVE-2026-49147 App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes 08.07.2026
CVE-2026-54652 Frigate viewer can read logs exposing admin and camera credentials 08.07.2026 8.1
CVE-2026-55668 File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope 08.07.2026 6.3
CVE-2026-55873 SeaweedFS: Improper authorization in the S3Tables / Iceberg REST management API lets a low-privileged S3 user enumerate administrator-owned table buckets 08.07.2026 4.3
CVE-2026-55874 SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read 08.07.2026 7.7
CVE-2026-59703 repomix - Local File Inclusion via file:// URL Scheme in Git Clone Endpoint 08.07.2026
CVE-2026-15034 flask-dashboard Flask-MonitoringDashboard cross-site request forgery 08.07.2026
CVE-2026-15035 bentoml OpenLLM Model Repository Directory Name common.py async_run_command command injection 08.07.2026
CVE-2026-15053 Tanium addressed a denial of service vulnerability in Tanium Server. 08.07.2026 7.5
CVE-2026-22927 08.07.2026 7.8
CVE-2026-41122 08.07.2026 7.1
CVE-2026-44840 Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query 08.07.2026 7.5
CVE-2026-53480 08.07.2026 2.7
CVE-2026-53482 08.07.2026 7.5
CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import 08.07.2026 9.1
CVE-2026-56086 08.07.2026 8.8
CVE-2026-56217 Capgo - Encrypted Bundle Policy Bypass via Direct PostgREST Update 08.07.2026
CVE-2026-56220 Capgo - Unauthorized Manifest Insertion via Read-Only Org Member 08.07.2026
CVE-2026-56226 Capgo - Unauthenticated Organization Data Disclosure via get_orgs_v6 RPC 08.07.2026
CVE-2026-56246 Capgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance 08.07.2026
CVE-2026-56250 Capgo - Arbitrary R2 Object Deletion via Mutable r2_path in app_versions 08.07.2026
CVE-2026-56273 Flowise - Path Traversal in Vector Store basePath Parameter 08.07.2026
CVE-2026-56283 Capgo - HTML Injection Leading to Open Redirection in Organization Settings 08.07.2026
CVE-2026-56284 Capgo - Unauthenticated Metrics Disclosure via get_total_metrics RPC 08.07.2026
CVE-2026-56293 Capgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in transfer_app() 08.07.2026
CVE-2026-56297 FreeRDP - Use-After-Free via Race Condition in DRDYNVC Channel Callback 08.07.2026
CVE-2026-56298 Capgo - EXIF Metadata Exposure in App Information Image Upload 08.07.2026
CVE-2026-56359 n8n - Cross-Site Scripting in Credential Management OAuth2 Authorization URL 08.07.2026
CVE-2026-56360 n8n - Webhook Forgery via Unsigned POST Requests in ZendeskTrigger 08.07.2026
CVE-2026-56362 ImageMagick - Heap-buffer-overflow Read in GetPixelIndex via OpenPixelCache Metadata Desynchronization 08.07.2026
CVE-2026-56374 ImageMagick - Heap Buffer Overflow in FTXT Encoder via format Parameter 08.07.2026
CVE-2026-56401 Wazuh - NULL Pointer Dereference in inventory_sync DataValue FlatBuffer Handling 08.07.2026
CVE-2026-56775 n8n - Incorrect OAuth Scope Validation in Evaluation Test Runs Endpoints 08.07.2026
CVE-2026-56776 n8n - Incorrect OAuth Scope Validation in Workflow Test Run Endpoint 08.07.2026
CVE-2026-56778 n8n - Authorization Bypass in Public API Execution Retry Endpoint 08.07.2026
CVE-2026-58654 Grav - Arbitrary File Upload via Avatar Endpoint 08.07.2026
CVE-2026-58656 Grav API Plugin - Cross-Origin Admin Account Takeover via CORS Wildcard and JWT Query Parameter 08.07.2026
CVE-2026-58657 Grav - Stored CSS Injection via Markdown Image resize() Action 08.07.2026
CVE-2026-59253 n8n - Improper Authorization in Workflow Assignment to Folders 08.07.2026
CVE-2026-59257 n8n - SQL Injection in MySQL v1 executeQuery Operation via Expression Interpolation 08.07.2026
CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel 08.07.2026
CVE-2026-60124 MISP importModule missing authorization allows read-only users to modify events via misp_standard imports 08.07.2026
CVE-2026-60125 importModule function in MISP ignores per-organisation import module restrictions 08.07.2026
CVE-2026-15033 christopherthielen check-peer-dependencies peerDependencies packageUtils.js shelljs.exec os command injection 08.07.2026
CVE-2026-58480 Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments 08.07.2026
CVE-2026-12002 Smash Balloon Social Photo Feed – Easy Social Feeds Plugin <= 6.11.1 - Cross-Site Request Forgery to oEmbed Access Token Overwrite via 'sbi_access_token' Parameter 08.07.2026 4.7
CVE-2026-14454 Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed 08.07.2026
CVE-2026-5356 LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass 08.07.2026 7.5
CVE-2026-5459 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Subscription Overwrite 08.07.2026 5.3
CVE-2026-6459 Essential Addons for Elementor <= 6.6.2 - Authenticated (Author+) Stored Cross-Site Scripting via Event Calendar Widget Popup 08.07.2026 6.4
CVE-2026-6740 Nexter Blocks <= 4.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'commentIcon' Block Attribute 08.07.2026 6.4
CVE-2026-6820 VikBooking Hotel Booking Engine & PMS <= 1.8.8 - Unauthenticated Stored Cross-Site Scripting via Booking Form Email Field 08.07.2026 7.2
CVE-2026-8307 SQLi in Webbeyaz's Mediküm Web 08.07.2026 9.8
CVE-2026-8310 Reflected XSS in Webbeyaz's Mediküm Web 08.07.2026 6.1
CVE-2026-8315 Stored XSS in Webbeyaz's Mediküm Web 08.07.2026 5.4
CVE-2025-14785 Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'seedprodnestedmenuwidget' Shortcode 08.07.2026 6.4
CVE-2026-12936 Recurio <= 1.1.3 - Authenticated (Shop Manager+) SQL Injection via 'data' Parameter 08.07.2026 4.9
CVE-2026-14250 Themehunk Login Registration <= 1.0.2 - Unauthenticated Privilege Escalation via 'role' Parameter 08.07.2026 6.3
CVE-2026-3688 WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite 08.07.2026 8.1
CVE-2026-41042 Apache Gravitino: Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter 08.07.2026
CVE-2026-6230 Tainacan <= 1.0.3 - Unauthenticated SQL Injection via 'geoquery' REST API Parameter 08.07.2026 7.5
CVE-2026-6371 Stored XSS in Limatek's LimRAD NAC 08.07.2026 4.8
CVE-2026-6742 Advanced iFrame <= 2026.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block 'additional' Attribute 08.07.2026 6.4
CVE-2026-6818 VikBooking Hotel Booking Engine & PMS <= 1.8.8 - Unauthenticated Stored Cross-Site Scripting via 'special_requests' Parameter 08.07.2026 7.2
CVE-2026-6854 My Calendar <= 3.7.8 - Unauthenticated SQL Injection via 'mc_auth' and 'mc_host' Parameters 08.07.2026 7.5
CVE-2026-15041 389-ds-base: 389-ds-base: non-constant-time comparison in pbkdf2-sha256 password verification 08.07.2026
CVE-2026-56002 libXfont2 PCF Font Parsing Heap Buffer Overflow 08.07.2026 8.5
CVE-2026-56003 libXfont2 computeProps Property Buffer Heap Buffer Overflow 08.07.2026 8.5
CVE-2026-56001 libXfont2 BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow 08.07.2026 8.5
CVE-2026-6280 Improper Access Control in Nomysoft Informatics' Nomysem 08.07.2026 6.5
CVE-2026-13126 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-13127 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-13128 Foxit PDF Editor/Reader Doc Object Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-13129 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-55999 xorg-server / xwayland glamor font atlas Heap Buffer Overflow 08.07.2026 8.5
CVE-2026-56000 xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() 08.07.2026
CVE-2026-57237 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-57238 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-57239 Foxit PDF Editor/Reader Local Privilege Escalation 08.07.2026 8.2
CVE-2026-57240 Foxit PDF Editor/Reader Form Field Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-57241 Foxit PDF Editor/Reader Page Out-of-bounds Read Vulnerability 08.07.2026 6.1
CVE-2026-57242 Foxit PDF Editor/Reader Page Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57243 Foxit PDF Editor/Reader Page Out-of-bounds Read Vulnerability 08.07.2026 6.1
CVE-2026-57244 Foxit PDF Editor/Reader Form Control Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57245 Foxit PDF Editor/Reader Signature Hyperlink Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57246 Foxit PDF Editor/Reader Signature Buffer Overflow Vulnerability 08.07.2026 7.8
CVE-2026-57247 Foxit PDF Editor/Reader Field Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57248 Foxit PDF Editor/Reader Annotation Improper Release Vulnerability 08.07.2026 7.8
CVE-2026-57249 Foxit PDF Editor/Reader Annotation Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57250 Foxit PDF Editor/Reader Form Field Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57251 Foxit PDF Editor/Reader Cloud Appearance Buffer Overflow Vulnerability 08.07.2026 7.8
CVE-2026-57252 Foxit PDF Editor/Reader AcroForm Use-After-Free Remote Code Execution Vulnerability 08.07.2026 7.8
CVE-2026-57253 Foxit PDF Editor/Reader PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability 08.07.2026 6.1
CVE-2026-57254 Foxit PDF Editor/Reader Annotation Type Confusion Vulnerability 08.07.2026 7.8
CVE-2026-57255 Security vulnerability in Foxit PDF Editor/Reader — OOB Read via NaN-Bypass Clamp 08.07.2026 6.1
CVE-2026-57256 Foxit Editor/Reader List Box Format Use-After-Free Vulnerability 08.07.2026 7.8
CVE-2026-57257 Security vulnerability in Foxit PDF Editor/Reader — PRC 3D BRep Renderer Heap OOB Read 08.07.2026 6.1
CVE-2026-57258 Foxit PDF Editor/Reader Crash via Malformed PRC 3D Stream 08.07.2026 6.1
CVE-2026-57259 Foxit PDF Editor/Reader XDP XFA XXE arbitrary local file read 08.07.2026 6.5
CVE-2026-57260 Security vulnerability in Foxit PDF Editor/Reader — U3D Adobe Mesh Decompression (Type Confusion / Invalid Pointer Dereference) 08.07.2026 7.8
CVE-2026-12378 BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection 08.07.2026
CVE-2026-9695 Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 08.07.2026 9.8
CVE-2026-10570 Sympl Repeater for ACF and Elementor <= 2.3 - Authenticated (Author+) Stored Cross-Site Scripting via ACF Repeater Field Values 08.07.2026 6.4
CVE-2026-11798 Social Share, Social Login and Social Comments Plugin <= 7.14.5 - Reflected Cross-Site Scripting via 'heateor_mastodon_share' Parameter 08.07.2026 6.1
CVE-2026-12041 Chatra Live Chat + ChatBot + Cart Saver <= 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'chatra-code' Setting 08.07.2026 4.4
CVE-2026-12097 User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification 08.07.2026 5.3
CVE-2026-12153 WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action 08.07.2026 9.8
CVE-2026-14489 WHMCS Bridge <= 6.9 - Unauthenticated Arbitrary File Upload via 'ccce' Parameter 08.07.2026 8.8
CVE-2026-14495 DoLogin Security <= 4.3 - Unauthenticated Authentication Bypass via Insufficient Randomness via 'dologin' Parameter Weak PRNG Token 08.07.2026 8.8
CVE-2026-14500 Bulk Order Update for WooCommerce <= 1.6 - Unauthenticated Arbitrary File Read via 'csv_url' Parameter 08.07.2026 5.3
CVE-2026-56437 08.07.2026
CVE-2026-57895 08.07.2026
CVE-2026-9700 Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter 08.07.2026 7.5
CVE-2026-9731 Wp Js Detect <= 1.0.9 - Cross-Site Request Forgery to Plugin Settings Update 08.07.2026 4.3
CVE-2026-14158 Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv[cod-tag]' Parameter 08.07.2026 8.8
CVE-2026-14244 Jssor Slider by jssor.com <= 3.1.24 - Unauthenticated Arbitrary File Read via 'url' Parameter 08.07.2026 7.5
CVE-2026-14482 多说社会化评论框 <= 1.2 - Unauthenticated Privilege Escalation via api.php 'option'/'value' Parameters 08.07.2026 8.8
CVE-2026-14487 Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter 08.07.2026 9.1
CVE-2026-9701 Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 08.07.2026 9.8
CVE-2026-9842 Backstage <= 1.4.2 - Unauthenticated Privilege Escalation via Permissive Demo Role Capabilities 08.07.2026 7.5
CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access 08.07.2026 5.8
CVE-2026-55431 Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps 08.07.2026 7.7
CVE-2026-55432 Coder's sub-agent app registration bypasses template port-sharing policy enforcement 08.07.2026 5.4
CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers 08.07.2026 5.4
CVE-2026-55436 Coder's AI Bridge Proxy skips TLS certificate verification in default configuration 08.07.2026 7.4
CVE-2026-55437 Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component 08.07.2026 5.4
CVE-2026-55438 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing 08.07.2026 5.8
CVE-2026-56843 08.07.2026 9.9
CVE-2026-59995 08.07.2026 4.2
CVE-2026-59996 08.07.2026 4.2
CVE-2026-59997 08.07.2026 4.2
CVE-2026-59998 08.07.2026 4.8
CVE-2026-59999 08.07.2026 5.9
CVE-2026-60000 08.07.2026 3.7
CVE-2026-60001 08.07.2026 6.5
CVE-2026-60002 08.07.2026 7.7
CVE-2026-55079 Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service 08.07.2026 4.9
CVE-2026-55427 Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` 08.07.2026 8.3
CVE-2026-55428 Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator 08.07.2026 8.2
CVE-2026-55429 Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID 08.07.2026 8.7
CVE-2026-37271 07.07.2026
CVE-2026-50810 07.07.2026
CVE-2026-50811 07.07.2026
CVE-2026-51937 08.07.2026
CVE-2026-55077 Coder: User-admin role can reset owner account password 07.07.2026 7.2
CVE-2026-55078 Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service 08.07.2026 6.5
CVE-2026-14380 DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile 08.07.2026
CVE-2026-14739 DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders 08.07.2026
CVE-2026-14740 DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment 08.07.2026
CVE-2026-14895 String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service 08.07.2026
CVE-2026-36162 08.07.2026
CVE-2026-36163 07.07.2026
CVE-2026-37270 07.07.2026
CVE-2026-55076 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking 08.07.2026 7.4
CVE-2026-59704 Cap - Missing Access Control in Video AI Metadata Endpoint 08.07.2026
CVE-2026-59705 mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints 08.07.2026
CVE-2026-42953 Out-of-bounds write in Labcenter Proteus 08.07.2026
CVE-2026-42958 Use After Free in Labcenter Proteus 08.07.2026
CVE-2026-49033 Stack-Based Buffer Overflow in Labcenter Proteus 08.07.2026
CVE-2026-55075 Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass 08.07.2026 7.4
CVE-2026-28378 Cross-Organization Public Dashboard Deletion via Missing Org Isolation 08.07.2026 3.1
CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint 08.07.2026 6.5
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft 08.07.2026 9.1
CVE-2026-49229 Actual: Disabled OpenID users keep access through existing session tokens 08.07.2026 8.3
CVE-2026-50179 Actual: CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields 07.07.2026 4.2
CVE-2026-54601 FastGPT: reTrainingCollection allows server-owned datasetId override causing cross-tenant authorization confusion 08.07.2026 6.3
CVE-2026-54602 FastGPT: Cross-team LLM request/response disclosure (IDOR) via /api/core/ai/record/getRecord 08.07.2026
CVE-2026-54607 FastGPT: SSRF in HTTP-tool OpenAPI schema importer via SwaggerParser $ref (bypasses the isInternalAddress guard) 08.07.2026 7.7
CVE-2026-54698 Hasura: Row-level authorization bypass on table computed fields 08.07.2026
CVE-2026-55408 Koodo Reader: Remote code execution via malicious epub file 08.07.2026
CVE-2026-55418 FastGPT: S3 presign/read handlers do not bind the object key to the caller's team (cross-team file disclosure) 07.07.2026 8.6
CVE-2026-55490 OpenWrt: EAD Integer Underflow → Pre-Auth Denial of Service 08.07.2026 6.5
CVE-2026-58266 Anki: User scripts in iframes have access to the internal Anki API 08.07.2026 6.5
CVE-2026-59153 Anki's local HTTP server does not sufficiently validate requests 08.07.2026
CVE-2026-59706 mem0 - Server-Side Request Forgery and Plaintext API Key Exposure via Unauthenticated Config Endpoints 08.07.2026
CVE-2026-46672 Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `escapeCsv` Helper 08.07.2026 4.6
CVE-2026-46700 Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets 08.07.2026 4.3
CVE-2026-49471 Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE 07.07.2026 8.3
CVE-2026-50007 Actual: Shared users can perform owner-only file management actions 08.07.2026
CVE-2026-50529 DataEase: Link Token Leakage Prior to Share Password/Ticket Validation 08.07.2026
CVE-2026-50530 DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets 08.07.2026
CVE-2026-53511 calibre: Arbitrary Code Execution in Template Formatter via Book Metadata 08.07.2026
CVE-2026-53729 DataEase ExportCenter IDOR allows cross-user export task access 08.07.2026
CVE-2026-53730 DataEase: Unauthorized Access to Engine Database via previewSql Endpoint 07.07.2026
CVE-2026-53751 DataEase: H2 JDBC URL Filter Bypass Leads to Remote Code Execution (RCE) 08.07.2026
CVE-2026-53935 CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation 08.07.2026 6.9
CVE-2026-55592 Dashy: XSS in workspace url parameter 08.07.2026 3.9
CVE-2026-55631 DataEase: Path Traversal Leading to Arbitrary File Deletion via Font Management 08.07.2026
CVE-2026-55633 DataEase H2 RCE via Zip Protocol & File Dropper Fix bypass 08.07.2026
CVE-2026-55635 DataEase: Authenticated SQL Injection in Chart Quota Filters 07.07.2026
CVE-2026-55647 DataEase: authenticated stored XSS in the dashboard text components 08.07.2026
CVE-2026-57172 DataEase: Hardcoded JWT Signing Secret in ShareLink 08.07.2026
CVE-2026-58473 Cognee < 1.2.0 Unauthorized LLM Configuration Overwrite via /api/v1/settings 08.07.2026
CVE-2026-58583 FluxInk Color Management Driver local privilege escalation 07.07.2026 7.1
CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply 07.07.2026
CVE-2026-44454 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent 08.07.2026 8.1
CVE-2026-55417 Chevereto private profile setting leaks username on /json endpoint 08.07.2026
CVE-2026-55434 Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints 08.07.2026 6.5
CVE-2026-58469 GNU Wget 1.25.0 Heap Buffer Underread via Metalink URL Parsing 08.07.2026
CVE-2026-58470 GNU Wget 1.25.0 Integer Overflow via Content-Range Header Parsing 08.07.2026
CVE-2026-58471 GNU Wget 1.25.0 Heap Buffer Overflow via convert_fname() in url.c 07.07.2026
CVE-2026-58472 GNU Wget 1.25.0 Heap Buffer Overflow via HTML Attribute Encoding 08.07.2026
CVE-2026-44877 Unauthenticated Remote Disclosure of Cryptographic Secrets 07.07.2026 6.5
CVE-2026-58468 NocoBase 2.1.20 Server-Side Request Forgery via serverRequest wrapper 07.07.2026
CVE-2026-59708 Ghostfolio - Unauthorized Portfolio Data Exposure via Public Endpoint 08.07.2026
CVE-2026-59800 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint 07.07.2026
CVE-2026-48947 Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints 08.07.2026
CVE-2026-48948 Joomla! Core - [20260702] - Incorrect Access Control in com_contact vcf download 08.07.2026
CVE-2026-48949 Joomla! Core - [20260703] - XSS in MFA method management 08.07.2026
CVE-2026-48950 Joomla! Core - [20260704] - XSS in com_templates 08.07.2026
CVE-2026-48951 Joomla! Core - [20260705] - XSS in various modalreturn layouts 08.07.2026
CVE-2026-48952 Joomla! Core - [20260706] - XSS in com_installer 08.07.2026
CVE-2026-48953 Joomla! Core - [20260707] - XSS in the generic image output layout 08.07.2026
CVE-2026-48954 Joomla! Core - [20260708] - XSS through language overrides 08.07.2026
CVE-2026-48955 Joomla! Core - [20260709] - Incorrect Access Control in com_workflow 08.07.2026
CVE-2026-48956 Joomla! Core - [20260710] - Incorrect Access Control in com_modules 08.07.2026
CVE-2026-48957 Joomla! Core - [20260711] - Incorrect Access Control in com_privacy webservice endpoints 08.07.2026
CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints 08.07.2026
CVE-2026-55435 Suspended Coder users retain access to AI Bridge LLM proxy endpoints 07.07.2026 5.4
CVE-2026-7017 HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets 07.07.2026