CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2024-23564 17.07.2026 9.1
CVE-2026-15982 Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function' 17.07.2026 9.8
CVE-2026-14956 Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter 17.07.2026 9.8
CVE-2026-62232 Grav < 2.0.4 2FA Bypass via Secret Regeneration 17.07.2026 9.1
CVE-2026-62241 clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery 17.07.2026 9.3
CVE-2026-44181 Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection results in Remote Code Execution 17.07.2026 10
CVE-2026-44182 Jupyter Enterprise Gateway Has Kubernetes Manifest Injection via Jinja2 Template Rendering 17.07.2026 10
CVE-2026-44180 Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids can be Bypassed 17.07.2026 9.8
CVE-2026-53412 Zoom Workplace VDI Plugin for Windows - Improper Input Validation 17.07.2026 9.8
CVE-2026-15422 SCTP needs to better-check INIT ACK chunk parameters 17.07.2026 9.1
CVE-2026-63089 WireGuard Easy Weak Token Generation Information Disclosure via OTL Route 16.07.2026 9
CVE-2026-46512 Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping 16.07.2026 9.9
CVE-2026-46515 Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution 16.07.2026 9.3
CVE-2026-45336 HireFlow: Use of Hard-coded Credentials 16.07.2026 10
CVE-2026-45568 zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths 17.07.2026 9.9
CVE-2026-44632 Yamcs: Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory` 16.07.2026 9.1
CVE-2026-46562 Yamcs: Remote Code Execution via Mission Database algorithm override 16.07.2026 9.8
CVE-2026-46621 Yamcs: Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection 16.07.2026 9.1
CVE-2026-63087 Grafana OnCall 1.16.11 Unauthenticated Token Hijack via Plugin Install Endpoint 17.07.2026 9.3
CVE-2026-45695 Kopia: Unauthenticated RCE via SSH ProxyCommand Injection when --insecure --without-password is used 16.07.2026 9.8
CVE-2026-54733 moodle-local_o365: Authentication bypass via unverified JWT signature in Teams SSO endpoint 16.07.2026 9.3
CVE-2026-59864 Kiota: Path/URL injection into generated Copilot plugin manifest via x-ai-* extensions 17.07.2026 9.3
CVE-2026-59865 Kiota: Command injection via x-ms-kiota-info dependencyInstallCommand surfaced by `kiota info` 17.07.2026 9.3
CVE-2026-59866 Kiota: Arbitrary file write + code-injection via x-ms-kiota-info clientClassName and clientNamespaceName 17.07.2026 9.3
CVE-2026-11386 ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution 16.07.2026 9
CVE-2026-63304 AVideo through 29.0 OS Command Injection via listFFmpegProcesses 16.07.2026 9.2
CVE-2026-63305 AVideo through 29.0 OS Command Injection via ffmpeg.json.php 17.07.2026 9.2
CVE-2026-63306 stoatchat before 0.13.5 Unauthenticated SSRF via proxy and embed endpoints 16.07.2026 9.2
CVE-2023-49899 Origin Validation Error in X-Rite MA-T6 16.07.2026 9.8
CVE-2023-49900 Origin Validation Error in X-Rite MA-T6 16.07.2026 9.8
CVE-2026-22752 Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata 16.07.2026 9.6
CVE-2026-15925 Improper TLS Hostname Verification in Snowflake Connector for Python 16.07.2026 9.2
CVE-2026-15013 SAML Single Sign On <= 5.4.3 - Unauthenticated Authentication Bypass via 'SAMLResponse' Parameter Signature Algorithm Confusion 16.07.2026 9.8
CVE-2026-54458 AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin 16.07.2026 9.6
CVE-2026-55445 Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication 15.07.2026 9.3
CVE-2026-52891 Wekan: Shell Injection via Avatar Upload 15.07.2026 9.9
CVE-2026-52893 Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook 15.07.2026 9.2
CVE-2026-55652 Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unauthenticated full account takeover (incl. admin) 17.07.2026 9.8
CVE-2026-46339 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes 16.07.2026 10
CVE-2026-49352 9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass 16.07.2026 9.8
CVE-2026-54052 n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments 15.07.2026 9.9
CVE-2026-52887 NocoBase: SQL injection in /api/myInAppChannels:list filter to PG-superuser RCE 15.07.2026 10
CVE-2026-45534 DataEase: RCE Vulnerability 16.07.2026 9
CVE-2026-46684 DataEase: Unauthorized Command Execution Vulnerability 15.07.2026 9.5
CVE-2026-49445 Cilium: Sensitive information disclosure and cluster disruption via local Envoy admin socket access 16.07.2026 9.2
CVE-2026-46421 Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) 15.07.2026 9.3
CVE-2026-62948 OpenWrt odhcpd/LuCI: unauthenticated DHCPv6 client can inject lease-file lines via FQDN hostname → stored XSS in the LuCI admin UI 15.07.2026 9.6
CVE-2026-50562 FastGPT: Untrusted PR artifacts are pushed and deployed by privileged preview workflows 15.07.2026 9.3
CVE-2026-53512 Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins 15.07.2026 9.1
CVE-2026-53513 Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration 15.07.2026 9.6
CVE-2026-62378 RustFS Console: Critical Stored XSS in Preview Modal leading to Administrative Account Takeover 16.07.2026 9
CVE-2026-52842 Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-Origin Policy bypass 15.07.2026 9.3
CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode 15.07.2026 9.3
CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile 15.07.2026 9.9
CVE-2026-50148 Metabase: Remote Code Execution via Snowflake JDBC Driver Arbitrary File Write 15.07.2026 10
CVE-2026-42533 NGINX Map directive and Regex matching vulnerability 16.07.2026 9.2
CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests 15.07.2026 9.3
CVE-2026-61740 LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection 15.07.2026 9.3
CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation 15.07.2026 9
CVE-2026-56699 Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index 15.07.2026 10
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url 15.07.2026 9.4
CVE-2026-13385 16.07.2026 9.5
CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass 15.07.2026 9.1
CVE-2026-48334 Illustrator | Improper Input Validation (CWE-20) 15.07.2026 9.3
CVE-2026-48284 ColdFusion | Improper Input Validation (CWE-20) 15.07.2026 9.6
CVE-2026-48318 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.9
CVE-2026-48319 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.1
CVE-2026-48321 ColdFusion | Incorrect Authorization (CWE-863) 16.07.2026 9.3
CVE-2026-48322 ColdFusion | Improper Control of Generation of Code ('Code Injection') (CWE-94) 15.07.2026 9.6
CVE-2026-48324 ColdFusion | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) 15.07.2026 9.1
CVE-2026-48325 ColdFusion | Missing Authentication for Critical Function (CWE-306) 15.07.2026 9.3
CVE-2026-48327 ColdFusion | Incorrect Authorization (CWE-863) 15.07.2026 9
CVE-2026-15643 AWS HealthLake MCP Server SSRF via Pagination URL 15.07.2026 9.2
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory 15.07.2026 9.1
CVE-2026-13001 Podlove Podcast Publisher <= 4.5.1 - Unauthenticated Arbitrary File Upload via podlove_image_cache_url Parameter 14.07.2026 9.8
CVE-2026-47428 Vitest browser mode serves unsanitized otelCarrier query parameter as inline script 15.07.2026 9.6
CVE-2026-48356 Adobe Commerce | Unrestricted Upload of File with Dangerous Type (CWE-434) 15.07.2026 9.6
CVE-2026-48358 Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116) 15.07.2026 9.1
CVE-2026-53633 Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE 16.07.2026 9.8
CVE-2026-47429 Vitest: Arbitrary file can be read and executed when Vitest UI server is listening 14.07.2026 9.8
CVE-2026-48259 Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918) 15.07.2026 9.6
CVE-2026-48359 Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) 15.07.2026 9.6
CVE-2026-45063 Symfony: Identity Spoofing via Unanchored DN Regex in X509Authenticator 14.07.2026 9.1
CVE-2026-50380 Windows GDI+ Remote Code Execution Vulnerability 16.07.2026 9.6
CVE-2026-50447 Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-50518 Windows DHCP Server Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-55010 Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-55040 Microsoft SharePoint Server Security Feature Bypass Vulnerability 16.07.2026 9.1
CVE-2026-55944 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-56159 DHCP Server Service Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-56188 Windows Server Network driver Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-56190 Remote Desktop Protocol Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-57092 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability 16.07.2026 9.9
CVE-2026-42990 SQL Server ODBC driver Elevation of Privilege Vulnerability 16.07.2026 9.8
CVE-2026-48561 Microsoft Copilot Remote Code Execution Vulnerability 16.07.2026 9.6
CVE-2026-49172 Windows FTP Service Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-49798 Windows Kernel Elevation of Privilege Vulnerability 16.07.2026 9.3
CVE-2026-50522 Microsoft SharePoint Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-54990 Remote Desktop Client Remote Code Execution Vulnerability 16.07.2026 9.8
CVE-2026-55008 Microsoft Exchange Server Spoofing Vulnerability 16.07.2026 9.6
CVE-2026-58644 Microsoft SharePoint Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-59891 Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry 14.07.2026 9.6
CVE-2026-15701 Totolink NR1800X lighttpd formLogout.htm Form_Logout stack-based overflow 15.07.2026 9.3
CVE-2025-11698 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover 15.07.2026 9.1
CVE-2025-12011 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2025-12012 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-15265 Tenable Agent Path Traversal Leading to Remote Code Execution 14.07.2026 9.3
CVE-2026-58479 Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection 14.07.2026 9.2
CVE-2026-10577 Rockwell Automation 1715 Redundant IO – Access Control Vulnerability 14.07.2026 10
CVE-2026-62422 15.07.2026 10
CVE-2026-56451 14.07.2026 10
CVE-2026-15183 Input Validation Vulnerabilities in Snowflake Spark Connector 14.07.2026 9.2
CVE-2026-57898 14.07.2026 9
CVE-2026-27690 HTTP Request Smuggling in SAP Approuter 14.07.2026 9.1
CVE-2026-44747 Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP 15.07.2026 9.9
CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud 15.07.2026 9.1
CVE-2026-59801 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers 14.07.2026 9.3
CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats 14.07.2026 9.3
CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload 14.07.2026 9.1
CVE-2026-6875 Sandbox Escape in ServiceNow AI Platform 14.07.2026 9.5
CVE-2026-61462 mcp-gitlab Path Traversal via job_id Parameter 13.07.2026 9.2
CVE-2026-61500 Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key 15.07.2026 9.3
CVE-2026-60121 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php 13.07.2026 9.3
CVE-2026-61498 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php 14.07.2026 9.3
CVE-2026-6847 Unauthenticated Remote Code Execution in ThemisNETPanel 14.07.2026 9.3
CVE-2026-12257 Remote code execution in Mura Software’s CMS 13.07.2026 9.3
CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise 13.07.2026 9.4
CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application 13.07.2026 9.2
CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app 16.07.2026 9.5
CVE-2026-22095 Command injection in diagnosis web endpoint 16.07.2026 9.3
CVE-2026-22096 Missing authentication for webserver endpoints 16.07.2026 9.3
CVE-2026-22097 Missing firmware validation allows remote code execution 16.07.2026 9.3
CVE-2026-22098 Sensitive information is written to logs 16.07.2026 9.2
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality 16.07.2026 9.3
CVE-2026-22103 Command injection in NPC start web endpoint 16.07.2026 9.3
CVE-2026-57401 WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability 13.07.2026 9.9
CVE-2026-57702 WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57707 WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57710 WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability 13.07.2026 9.9
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57719 WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability 13.07.2026 10
CVE-2026-57724 WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57726 WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57738 WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57739 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57770 WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability 13.07.2026 10
CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability 13.07.2026 9.8
CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-14453 A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets 13.07.2026 9.6
CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface 13.07.2026 9.3
CVE-2026-15511 Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection 14.07.2026 9.3
CVE-2026-56271 Flowise - Weak Default JWT Secrets in Authentication Middleware 13.07.2026 9.3
CVE-2026-61876 LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting 14.07.2026 9.4
CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension 14.07.2026 9.3
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution 14.07.2026 9.4
CVE-2026-61447 PraisonAI before 1.6.78 Remote Code Execution via CodeAgent 13.07.2026 10
CVE-2026-57827 Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 15.07.2026 10
CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 15.07.2026 9
CVE-2026-20744 Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control 14.07.2026 9.3
CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server 15.07.2026 9.2
CVE-2026-55879 OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover 13.07.2026 9.3
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow 13.07.2026 9.8
CVE-2026-57807 WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability 13.07.2026 9.8

Latest Updates

CVE Title Updated Score
CVE-2026-14741 HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse_date 17.07.2026
CVE-2026-15007 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via deeply nested YAML in release notes configuration 17.07.2026
CVE-2026-15343 Path traversal vulnerability in GitHub Enterprise Server allowed writing files to arbitrary repository paths, including GitHub Actions workflow files, via unchecked Dependabot dependency-file paths 17.07.2026
CVE-2026-15783 Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed reading private repository metadata via delegated bypass rule suites 17.07.2026
CVE-2026-58148 Joomla Extension - chronoengine.com - Stored XSS in ChronoForms extension for Joomla < 8.0.53 17.07.2026
CVE-2026-58149 Joomla Extension - joomdonation.com - User enumeration in Events Booking < 5.8.0 17.07.2026
CVE-2026-60024 Joomla Extension - joomdonation.com - Insecure default configuration Events Booking < 5.8.0 17.07.2026
CVE-2026-60025 Joomla Extension - joomdonation.com - User enumeration in Events Booking < 5.8.0 17.07.2026
CVE-2026-63095 Dendrite 0.13.8 Improper Authorization via POST account/3pid/delete Endpoint 17.07.2026
CVE-2026-63096 Dendrite 0.13.8 SSRF via Unauthenticated Legacy Media Download Endpoint 17.07.2026
CVE-2026-63097 Dendrite 0.13.8 syncapi /context Endpoint Post-Leave State Exposure 17.07.2026
CVE-2026-63098 TheHive 4.1.24 Unauthenticated Information Disclosure via /api/status Endpoint 17.07.2026
CVE-2026-63099 TheHive 4.1.24 Broken Object Level Authorization via Attachment Download Endpoints 17.07.2026
CVE-2026-63100 Maybe 0.6.0 Missing Authorization via HostingsController show/update 17.07.2026
CVE-2026-9537 Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison 17.07.2026
CVE-2026-12715 Missing Authorization in Firebase Studio allows Cross-Tenant Source Code Theft 17.07.2026
CVE-2026-14871 osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure 17.07.2026
CVE-2026-12705 Integrity mechanism of KNX-device FW-files can be bypassed in ABB Update Tool 17.07.2026 6.4
CVE-2026-16017 mosaxiv clawlet cron Chat Tool tool_cron.go remove authorization 17.07.2026
CVE-2026-16089 Keycloak-services: keycloak-services: authorization codes can be retargeted to another client session 17.07.2026
CVE-2026-51081 17.07.2026
CVE-2026-51082 17.07.2026
CVE-2026-51083 17.07.2026
CVE-2026-63093 Cursor for Windows 3.2.16 RCE via Malicious git.exe in Workspace 17.07.2026
CVE-2026-63094 SigNoz 0.133.0 SSO OAuth State Manipulation Session Token Theft 17.07.2026
CVE-2024-23565 17.07.2026 5.3
CVE-2024-23566 17.07.2026 6.5
CVE-2024-23568 17.07.2026 5.3
CVE-2024-23569 17.07.2026 4.3
CVE-2024-23570 17.07.2026 4.3
CVE-2024-23571 17.07.2026 4.3
CVE-2024-23572 17.07.2026 4.2
CVE-2024-23573 17.07.2026 3.7
CVE-2024-23574 17.07.2026 5.3
CVE-2024-23575 17.07.2026 5.3
CVE-2024-23577 17.07.2026 4.3
CVE-2024-23578 17.07.2026 4.2
CVE-2024-42214 17.07.2026 5.3
CVE-2025-60357 17.07.2026
CVE-2026-16016 poco-ai poco-claw task.py run_task server-side request forgery 17.07.2026
CVE-2026-16072 Keycloak-services: keycloak-services: organization invitation link exposure allows unauthorized member creation 17.07.2026
CVE-2026-51080 17.07.2026
CVE-2026-9592 Sensitive Information Disclosure in HTTP header 17.07.2026
CVE-2024-23564 17.07.2026 9.1
CVE-2024-23567 17.07.2026 4.3
CVE-2026-16015 poco-ai poco-claw executor_manager API tasks.py create_task missing authentication 17.07.2026
CVE-2026-7488 Sensitive Data Exposure in IKAS Technologies' E-Commerce 17.07.2026 7.5
CVE-2026-13082 GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets 17.07.2026
CVE-2026-13410 Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled 17.07.2026
CVE-2026-16014 code-projects Hospital Bed Management System Login Form sql injection 17.07.2026
CVE-2026-7189 Sensitive Data Exposure in Proliz's OBS 17.07.2026 7.5
CVE-2026-8396 XXE in Netcad's NetGIS 17.07.2026 7.5
CVE-2026-15943 Keycloak-services: keycloak-services: oidc idp update reuses masked client secret after token url change 17.07.2026
CVE-2026-16013 liftoff-sr CIPster cipepath.cc deserialize_symbolic out-of-bounds 17.07.2026
CVE-2026-16009 itsourcecode Hospital Management System prescriptionorderdetail.php sql injection 17.07.2026
CVE-2026-16008 sagold json-schema-library propertyDependencies.ts parsePropertyDependencies prototype pollution 17.07.2026
CVE-2026-59252 Missing gas_limit validation in mpp Tempo fee-payer enables wallet drain 17.07.2026
CVE-2026-59694 Unbounded access list in mpp Tempo fee-payer inflates gas cost per payment 17.07.2026
CVE-2026-59695 Unbounded max_fee_per_gas in mpp Tempo fee-payer enables single-request wallet drain 17.07.2026
CVE-2026-8075 Posting a malicious markdown image crashes the Mattermost Desktop App 17.07.2026 6.5
CVE-2026-9602 Mattermost Desktop App crashes when malformed arguments are provided to some exposed IPC methods 17.07.2026 5.7
CVE-2026-22104 Improper access control in Hashtopolis server chunk activity component 17.07.2026
CVE-2026-62764 Apache Accumulo: A user can trigger a graceful shutdown of services without the relevant system permissions 17.07.2026
CVE-2026-15379 Arbitrary File Read as SYSTEM in Symantec ITMS 17.07.2026
CVE-2026-15380 Local privilege escalation in Symantec ITMS 17.07.2026
CVE-2026-9656 HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script 17.07.2026 4.3
CVE-2019-25764 17.07.2026
CVE-2026-10525 NEX-Forms < 9.2.3 - Unauthenticated Stored XSS via Form Submission 17.07.2026
CVE-2026-11575 PhonePe Payment Solutions < 3.1.0 - Unauthenticated Payment Bypass via Forged Callback 17.07.2026
CVE-2026-11961 User Registration & Membership < 5.2.3 - Unauthenticated Privilege Escalation via Unbound members_data Membership ID 17.07.2026
CVE-2026-11966 User Registration & Membership < 5.2.3 - Unauthenticated Limited User Deletion via Stripe Subscription Handler 17.07.2026
CVE-2026-12393 WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR 17.07.2026
CVE-2026-13402 Royal Elementor Addons < 1.7.1063 - Unauthenticated Private Mega Menu Template Disclosure 17.07.2026
CVE-2026-9810 AI Chatbot & Workflow Automation by AIWU < 1.5.4 - Unauthenticated Privilege Escalation via MCP OAuth 17.07.2026
CVE-2026-15094 WP Hotel Booking <= 2.3.2 - Reflected Cross-Site Scripting via 'check_in_date' Parameter 17.07.2026 6.1
CVE-2026-15982 Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function' 17.07.2026 9.8
CVE-2026-13352 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content <= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion 17.07.2026 8.8
CVE-2026-13765 LearnPress <= 4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via /lp/v1/users/check-answer and /start-quiz REST Endpoints 17.07.2026 7.5
CVE-2026-14503 pCloud WP Backup <= 2.0.3 - Missing Authorization on the 'start_backup' AJAX Method to Authenticated (Subscriber+) Arbitrary File Read 17.07.2026 6.5
CVE-2026-15161 Ninja Forms - Excel Export <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'filter' Parameter 17.07.2026 6.4
CVE-2026-15349 ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce <= 1.17.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Company Location Creation via wp_ajax_erp-company-location AJAX Handler 17.07.2026 4.3
CVE-2026-15457 Kirki <= 6.0.13 - Authenticated (Editor+) Path Traversal to Arbitrary Directory Deletion via 'family' Parameter 17.07.2026 4.9
CVE-2026-15759 ChatHelp <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes 17.07.2026 6.4
CVE-2026-21770 HCL Traveler for Microsoft Outlook (HTMO) is susceptible to DLL hijacking 17.07.2026 6.5
CVE-2026-41993 17.07.2026 4.4
CVE-2026-58317 17.07.2026
CVE-2026-60060 17.07.2026
CVE-2026-11324 WooCommerce Placetopay Gateway <= 3.2.2 - Reflected Cross-Site Scripting via 'redirect-url' 17.07.2026 6.1
CVE-2026-15159 Ninja Forms - Excel Export <= 3.3.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Data Disclosure via 'spreadsheet_export_form_id' Parameter 17.07.2026 4.3
CVE-2026-15160 Ninja Forms - Excel Export <= 3.3.6 - Missing Authorization to Authenticated (Subscriber+) XLS Write via Path Traversal 17.07.2026 4.3
CVE-2026-15395 Kali Forms <= 2.4.18 - Unauthenticated Stored Cross-Site Scripting via 'digitalSignature' Field Value 17.07.2026 7.2
CVE-2026-8616 Fense Proxy & VPN Blocker <= 3.0.1 - Missing Authorization to Unauthenticated Plugin Option/Transient Deletion via fense_bpvt_save_settings AJAX Action 17.07.2026 5.3
CVE-2026-14956 Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter 17.07.2026 9.8
CVE-2026-2594 Smart Custom Fields <= 5.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title 17.07.2026 6.4
CVE-2026-40106 Wazuh: Heap-based Buffer Overflow in syscheck Registry Wildcard Expansion (LPE / DoS) 17.07.2026 4.7
CVE-2026-44251 Wazuh : size_t underflow in msgs.c ReadSecMSG causes wazuh-remoted DoS and potential heap overflow via crafted agent message 17.07.2026 6.5
CVE-2026-62201 OpenClaw < 2026.6.6 Network Policy Bypass via exec-server 17.07.2026
CVE-2026-62202 OpenClaw 2026.6.1 < 2026.6.9 Privilege Escalation via Cron 17.07.2026
CVE-2026-62203 OpenClaw < 2026.6.6 Environment Variable Injection via rustup 17.07.2026
CVE-2026-62205 OpenClaw 2026.4.12-beta.1 < 2026.6.6 Authorization Bypass via message actions 17.07.2026
CVE-2026-62206 OpenClaw < 2026.6.9 Authentication Bypass via Moderation Actions 17.07.2026
CVE-2026-62207 OpenClaw < 2026.6.5 Authentication Bypass via Admin Tools 17.07.2026
CVE-2026-62208 OpenClaw < 2026.6.5 Authorization Header Forwarding via SSE 17.07.2026
CVE-2026-62209 OpenClaw 2026.5.10-beta.1 < 2026.6.5 Authorization Bypass via agent-mode dispatch 17.07.2026
CVE-2026-62210 OpenClaw < 2026.6.1 Denial of Service via Remote Media URLs 17.07.2026
CVE-2026-62211 OpenClaw < 2026.6.1 Credential Redaction Bypass via Trajectory Export 17.07.2026
CVE-2026-62212 OpenClaw < 2026.5.28 Authentication Bypass via safeFetch 17.07.2026
CVE-2026-62213 OpenClaw < 2026.5.27 Token Leakage via MS Teams Outbound Requests 17.07.2026
CVE-2026-62214 OpenClaw < 2026.5.28 Bot Framework SSRF via serviceUrl Parameter Validation 17.07.2026
CVE-2026-62215 OpenClaw < 2026.6.5 Authentication Bypass via HTTP Canvas 17.07.2026
CVE-2026-62216 OpenClaw 2026.4.20 < 2026.5.28 Policy Bypass via Media Upload 17.07.2026
CVE-2026-62217 OpenClaw 2026.5.14-beta.1 < 2026.5.27 Authentication Bypass via exec approvals 17.07.2026
CVE-2026-62218 OpenClaw 2026.1.20 < 2026.5.27 Authorization Bypass via device.pair.approve 17.07.2026
CVE-2026-62219 OpenClaw 2026.2.12 < 2026.5.26 Authorization Bypass via Blank Agent IDs 17.07.2026
CVE-2026-62220 OpenClaw 2026.2.25 < 2026.5.26 WebSocket Rate Limit Bypass 17.07.2026
CVE-2026-62221 OpenClaw 2026.5.12 < 2026.5.26 Authorization Bypass via allowFrom 17.07.2026
CVE-2026-62222 OpenClaw < 2026.5.22 Untrusted Plugin Loading via Setup-mode 17.07.2026
CVE-2026-62223 OpenClaw < 2026.5.18 Authorization Bypass via Device-pair 17.07.2026
CVE-2026-62224 OpenClaw MS Teams < 2026.5.12 Authorization Bypass 17.07.2026
CVE-2026-62225 OpenClaw < 2026.5.18 Authorization Bypass via Skill Command Dispatch 17.07.2026
CVE-2026-62226 OpenClaw 2026.3.28 < 2026.5.19 Authorization Bypass via Browser Act Route 17.07.2026
CVE-2026-62227 OpenClaw 2026.4.14 < 2026.5.26 SSRF via Browser Snapshot 17.07.2026
CVE-2026-62228 OpenClaw < 2026.6.5 Authorization Bypass via Node Exec Approvals 17.07.2026
CVE-2026-62229 OpenClaw < 2026.5.18 Authorization Bypass via Glob Matching 17.07.2026
CVE-2026-62230 Grav < 2.0.4 File Access Bypass via Case Variation 17.07.2026
CVE-2026-62231 Grav < 1.0.6 API Key Scope Bypass via ApiKeyAuthenticator 17.07.2026
CVE-2026-62232 Grav < 2.0.4 2FA Bypass via Secret Regeneration 17.07.2026
CVE-2026-62233 grav-plugin-api < 1.0.6 Privilege Escalation via createApiKey 17.07.2026
CVE-2026-62234 Grav < 2.0.4 SSRF via Unrestricted cURL Protocols 17.07.2026
CVE-2026-62235 Grav Flex-Objects < 1.4.3 Authorization Bypass via API 17.07.2026
CVE-2026-62236 grav-plugin-login < 3.8.11 CSRF via regenerate2FASecret 17.07.2026
CVE-2026-62237 Grav < 2.0.4 ReDoS via regex_replace in Sandbox 17.07.2026
CVE-2026-62238 OpenRemote < 1.26.0 SQL Injection via Crosstab Export 17.07.2026
CVE-2026-62241 clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery 17.07.2026
CVE-2026-62386 Grav < 1.0.0-rc.16 Authentication Bypass via token URL Parameter 17.07.2026
CVE-2026-62387 Grav < 1.0.0-rc.16 CORS Misconfiguration via API Plugin 17.07.2026
CVE-2026-33434 Wazuh: Rate Limit Bypass via /events Endpoint 16.07.2026 4.3
CVE-2026-33754 Wazuh: Unauthenticated cluster packet length leads to uncontrolled memory allocation (remote DoS) 17.07.2026 6.5
CVE-2026-34150 Wazuh: Heap buffer overflow in wazuh-analysisd via rootcheck event parsing 17.07.2026 7.5
CVE-2026-39359 Wazuh: Unauthenticated Path Traversal in authd via Agent Group Name 17.07.2026 7.5
CVE-2026-54340 h2o has HTTP/2 state amplification 16.07.2026 7.5
CVE-2026-44452 h2o is vulnerable to heap overrun 17.07.2026 5.9
CVE-2026-44453 h2o is vulnerable to musl libc stack overflow 17.07.2026 7.5
CVE-2026-44434 Quicly is vulnerable to stateless reset injection 16.07.2026 5.3
CVE-2026-44435 Quicly: Remote Denial of Service via assertion failure when CRYPTO stream handshake data exceeds 32KB 17.07.2026 7.5
CVE-2026-44436 Quicly is vulnerable to connection state corruption 17.07.2026 7.5
CVE-2026-11740 16.07.2026
CVE-2026-14253 16.07.2026
CVE-2026-15997 Native ARM SHA3 / SHAKE `restoreFullState` fails to detect size_t underflow in a crafted encoded state 17.07.2026
CVE-2026-43977 wger IDOR: Authenticated Users Can Read Others' Private Workout Session Data via Template Routine API 17.07.2026 7.5
CVE-2026-43978 wger: Privilege escalation via trainer-login session chaining allows gym trainers to impersonate gym managers 17.07.2026 8.1
CVE-2026-44181 Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection results in Remote Code Execution 17.07.2026
CVE-2026-44182 Jupyter Enterprise Gateway Has Kubernetes Manifest Injection via Jinja2 Template Rendering 17.07.2026
CVE-2026-44433 Quicly is vulnerable to memory exhaustion 16.07.2026 5.3
CVE-2026-44180 Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids can be Bypassed 17.07.2026 9.8
CVE-2026-45334 Kirby: Content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions 16.07.2026
CVE-2026-45368 Kirby: Cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend 16.07.2026
CVE-2026-57075 YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec 17.07.2026
CVE-2026-57076 YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor 17.07.2026
CVE-2026-57077 YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len 17.07.2026
CVE-2026-58598 Windows Backup Service Elevation of Privilege Vulnerability 16.07.2026 7
CVE-2026-58643 Windows Admin Center Spoofing Vulnerability 16.07.2026 6.1
CVE-2026-59117 Windows Terminal Remote Code Execution Vulnerability 17.07.2026 7.5
CVE-2026-62826 Microsoft SharePoint Server Spoofing Vulnerability 17.07.2026 4.6
CVE-2026-13713 YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack 17.07.2026
CVE-2026-14782 Booking for Appointments and Events Calendar – Amelia <= 2.4.3 - Authenticated (Custom+) SQL Injection via Customer Import 17.07.2026 4.9
CVE-2026-44174 Kirby: Arbitrary Method Call via REST API search and collection query endpoints 16.07.2026
CVE-2026-44175 Kirby: Cross-site scripting (XSS) from list field content in the site frontend 17.07.2026
CVE-2026-44176 Kirby: `pages.access` permission is not checked during rendering of page drafts 17.07.2026
CVE-2026-44177 Kirby: Pre-authentication path traversal and PHP file inclusion during user lookup 17.07.2026
CVE-2026-53411 Zoom Workplace VDI Plugin for Windows - Improper Input Validation 17.07.2026 7.8
CVE-2026-53412 Zoom Workplace VDI Plugin for Windows - Improper Input Validation 17.07.2026 9.8
CVE-2024-32385 17.07.2026 4.3
CVE-2024-32386 17.07.2026 7.3
CVE-2024-32387 17.07.2026 5.7
CVE-2024-32389 17.07.2026 3.5
CVE-2024-34268 17.07.2026 7.1
CVE-2026-38158 17.07.2026
CVE-2026-44019 Docling Core has insufficient validation of image reference URIs 16.07.2026 8.1
CVE-2026-44023 Docling Core has unsafe remote filename resolution 16.07.2026 8.6
CVE-2026-53409 17.07.2026 7.8
CVE-2026-53410 Zoom Clients for Windows - Race Condition 17.07.2026 7
CVE-2026-11889 SALTO ProAccess Space Authorization Bypass Through User-Controlled Key 17.07.2026 6.5
CVE-2026-33692 AVideo Has Unauthenticated .env File Exposure via Official Docker Compose Configuration 17.07.2026 7.5
CVE-2026-33731 AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data 17.07.2026 6.5
CVE-2026-36425 17.07.2026
CVE-2026-55173 AVideo incomplete fix for CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink 17.07.2026 8.1
CVE-2026-61378 AutomationDirect Productivity Suite Divide By Zero 17.07.2026 5.5
CVE-2026-57896 AutomationDirect Productivity Suite Out-of-bounds Read 17.07.2026 6.1
CVE-2026-60073 AutomationDirect Productivity Suite Out-of-bounds Read 17.07.2026 5.9
CVE-2026-60063 AutomationDirect Productivity Suite Out-of-bounds Write 17.07.2026 7
CVE-2026-60140 AutomationDirect Productivity Suite Out-of-bounds Read 17.07.2026 6.1
CVE-2026-61389 AutomationDirect Productivity Suite Out-of-bounds Write 17.07.2026 7