| CVE-2026-56240 |
Capgo - Billing Authorization Bypass via Exhausted Usage Credits |
11.07.2026 |
|
| CVE-2026-56296 |
Cap-go - App Existence Oracle via Unauthenticated transfer_app RPC |
11.07.2026 |
|
| CVE-2026-56303 |
Capgo - Unauthenticated API Key Metadata Disclosure via SECURITY DEFINER RPC Function |
11.07.2026 |
|
| CVE-2026-56372 |
ImageMagick - Heap Buffer Overflow Read via Unrecognized Magnify Method |
11.07.2026 |
|
| CVE-2026-56763 |
Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option |
11.07.2026 |
|
| CVE-2026-60088 |
PraisonAI before 4.6.78 Path Traversal via Custom Commands |
11.07.2026 |
|
| CVE-2026-60090 |
PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension |
11.07.2026 |
|
| CVE-2026-61426 |
PraisonAI before 1.7.3 Unauthenticated Agent Access via Insecure Defaults |
11.07.2026 |
|
| CVE-2026-61428 |
PraisonAI AgentMail before 4.6.78 Message Injection via Webhook |
11.07.2026 |
|
| CVE-2026-61429 |
PraisonAI before 1.6.78 SSRF via Crawl4AI Chromium backend |
11.07.2026 |
|
| CVE-2026-61439 |
PraisonAI before 4.6.78 Prompt Injection Defense Bypass |
11.07.2026 |
|
| CVE-2026-61442 |
PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH |
11.07.2026 |
|
| CVE-2026-61445 |
PraisonAI before 4.6.78 Arbitrary File Write and Command Execution |
11.07.2026 |
|
| CVE-2026-61447 |
PraisonAI before 1.6.78 Remote Code Execution via CodeAgent |
11.07.2026 |
|
| CVE-2026-61448 |
Parse Server 9.0.0 Stored XSS via malformed Content-Type |
11.07.2026 |
|
| CVE-2026-61454 |
Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__ |
11.07.2026 |
|
| CVE-2026-61465 |
ImageMagick before 7.1.2-26 Memory Allocation Policy Bypass |
11.07.2026 |
|
| CVE-2026-61857 |
ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP |
11.07.2026 |
|
| CVE-2026-61858 |
ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder |
11.07.2026 |
|
| CVE-2026-61861 |
ImageMagick before 7.1.2-26 Use-After-Free in FormatMagickCaption |
11.07.2026 |
|
| CVE-2026-61870 |
ImageMagick before 7.1.2-26 Memory Leak via VIFF Encoder |
11.07.2026 |
|
| CVE-2026-57827 |
Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 |
11.07.2026 |
|
| CVE-2026-57828 |
Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 |
11.07.2026 |
|
| CVE-2026-1359 |
Genolve – AI image AI video generation <= 5.0.5 - Authenticated (Contributor+) Incorrect Authorization to Privilege Escalation via theopt |
11.07.2026 |
8.8 |
| CVE-2026-15010 |
bbp style pack <= 6.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Topic Form Additional Fields |
11.07.2026 |
6.4 |
| CVE-2026-9017 |
NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_send_nf_email AJAX Action |
11.07.2026 |
5.3 |
| CVE-2026-9282 |
W3 Total Cache <= 2.9.4 - Unauthenticated Arbitrary File Read via 'f_array[]' Parameter |
11.07.2026 |
7.5 |
| CVE-2025-5017 |
Catalyst Connect Zoho CRM Client Portal <= 2.2.0 - Authenticated (Administrator+) SQL Injection via uid Parameter |
11.07.2026 |
4.9 |
| CVE-2025-6784 |
Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution |
11.07.2026 |
8.8 |
| CVE-2026-10041 |
WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers |
11.07.2026 |
4.3 |
| CVE-2026-10865 |
Cost Calculator Builder <= 4.0.11 - Unauthenticated Sensitive Information Exposure of Payment Gateway Secret Keys |
11.07.2026 |
5.3 |
| CVE-2026-11591 |
Widgets for Google Reviews <= 13.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fomo-title' and 'fomo-text' Parameters |
11.07.2026 |
4.4 |
| CVE-2026-11898 |
White Label CMS <= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings |
11.07.2026 |
4.4 |
| CVE-2026-11901 |
WP Hotel Booking <= 2.3.1 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via PayPal IPN Handler |
11.07.2026 |
5.3 |
| CVE-2026-12103 |
Wallet for WooCommerce <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) User/Email Enumeration via terawallet_export_user_search AJAX Action |
11.07.2026 |
4.3 |
| CVE-2026-12126 |
WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment 'post_title' |
11.07.2026 |
6.4 |
| CVE-2026-12738 |
WP Easy Pay <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Status Modification via wpep_draft_confirm AJAX Action |
11.07.2026 |
4.3 |
| CVE-2026-12994 |
WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller |
11.07.2026 |
5.3 |
| CVE-2026-15155 |
Essential Addons for Elementor <= 6.6.10 - Authenticated (Contributor+) Account Takeover via Email Header Injection |
11.07.2026 |
8.8 |
| CVE-2026-1382 |
fresh Podcaster <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'freshpodcaster' Shortcode Attributes |
11.07.2026 |
6.4 |
| CVE-2026-4661 |
WP CTA <= 2.2.2 - Unauthenticated Time-Based Blind SQL Injection via 'fildname' Parameter |
11.07.2026 |
7.5 |
| CVE-2026-6801 |
Context Blog <= 1.3.5 - Unauthenticated Sensitive Information Exposure via 'postID' Parameter |
11.07.2026 |
5.3 |
| CVE-2026-6939 |
CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Unauthenticated Stored Cross-Site Scripting via 'approval_code' Parameter |
11.07.2026 |
7.2 |
| CVE-2026-13378 |
Form Vibes <= 1.5.2 - Unauthenticated Stored Cross-Site Scripting via Contact Form 7 Form Field |
11.07.2026 |
7.2 |
| CVE-2026-7655 |
SureCart <= 4.2.3 - Unauthenticated Linked WordPress Account Takeover via Forged customer.updated Webhook |
11.07.2026 |
8.1 |
| CVE-2025-13968 |
Starboard Suite Reservation Calendars <= 3.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
11.07.2026 |
6.4 |
| CVE-2026-12141 |
Premium Addons for Elementor <= 4.11.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'premium_tooltip_text' Parameter |
11.07.2026 |
4.9 |
| CVE-2026-13116 |
PDF Invoices & Packing Slips for WooCommerce <= 5.14.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via 'order_id' Shortcode Attribute |
11.07.2026 |
4.3 |
| CVE-2026-13250 |
Solace Extra <= 1.5.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion via delete_previously_imported AJAX Action |
11.07.2026 |
5.3 |
| CVE-2026-14262 |
Simple JWT Login <= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via 'payload' Parameter |
11.07.2026 |
8.8 |
| CVE-2026-15096 |
Themify Builder <= 7.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Map Module 'b_width_map' Field |
11.07.2026 |
6.4 |
| CVE-2026-15097 |
Themify Builder <= 7.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height_slider' Slider Module Field |
11.07.2026 |
6.4 |
| CVE-2026-15335 |
Booking Package <= 1.7.20 - Unauthenticated SQL Injection via 'email' Form Parameter |
11.07.2026 |
7.5 |
| CVE-2026-1832 |
ThriveDesk <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Cache Deletion |
11.07.2026 |
4.3 |
| CVE-2026-2354 |
Swiss Toolkit For WP <= 1.4.6 - Authenticated (Author+) Arbitrary File Upload via upload_extension_files() |
11.07.2026 |
8.8 |
| CVE-2026-3552 |
SurfLink < 2.6.0 - Missing Authorization to Authenticated (Subscriber+) 410 Gone URL Import via 'surfl_import_410' AJAX Action |
11.07.2026 |
4.3 |
| CVE-2026-3576 |
Planyo online reservation system <= 3.0 - Unauthenticated Server-Side Request Forgery via 'ulap_url' Parameter |
11.07.2026 |
7.2 |
| CVE-2026-6803 |
AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via AJAX Actions 'removeGroup' and 'clear' |
11.07.2026 |
5.3 |
| CVE-2026-6804 |
AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthenticated Arbitrary Modification via 'publishTasks' and 'unpublishTasks' AJAX Actions |
11.07.2026 |
5.3 |
| CVE-2026-7559 |
Affilia <= 3.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Status Modification |
11.07.2026 |
4.3 |
| CVE-2026-7620 |
Notification for Telegram <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Cron Modification via nftb_cron_action_set AJAX Action |
11.07.2026 |
4.3 |
| CVE-2026-9738 |
Print, PDF, Email by PrintFriendly <= 5.5.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'content_position_css' Parameter |
11.07.2026 |
4.4 |
| CVE-2026-10628 |
Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via Multiple AJAX Actions |
11.07.2026 |
4.3 |
| CVE-2026-12426 |
Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel |
11.07.2026 |
5.3 |
| CVE-2026-13114 |
Motors <= 1.4.112 - Unauthenticated Stored Cross-Site Scripting via Comment Content and User Biographical Info |
11.07.2026 |
7.2 |
| CVE-2026-13262 |
Majestic Support <= 1.1.9 - Authenticated (Subscriber+) SQL Injection via 'val' Parameter |
11.07.2026 |
6.5 |
| CVE-2026-13353 |
WP Ultimate CSV Importer <= 8.0.1 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via 'MappedFields' Parameter |
11.07.2026 |
8.8 |
| CVE-2026-15072 |
KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in KCQueryBuilder |
11.07.2026 |
6.5 |
| CVE-2026-15073 |
KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in DoctorSessionController |
11.07.2026 |
6.5 |
| CVE-2026-15338 |
LA-Studio Element Kit for Elementor <= 1.6.1 - Authenticated (Contributor+) Local File Inclusion via 'progress_type' Widget Setting |
11.07.2026 |
7.5 |
| CVE-2026-3367 |
Lockme OAuth2 calendars integration <= 2.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'App ID' Setting |
11.07.2026 |
4.4 |
| CVE-2026-5743 |
Mixed Media Gallery Blocks <= 3.3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via sliderMaxHeight Block Attribute |
11.07.2026 |
6.4 |
| CVE-2026-7544 |
Mux Video Uploader <= 1.1.4 - Authenticated (Subscriber+) Information Exposure |
11.07.2026 |
4.3 |
| CVE-2026-8678 |
MyParcel <= 4.25.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Shipment Data Disclosure and Modification via wcmp_get_shipment_options and wcmp_save_shipment_options AJAX Actions |
11.07.2026 |
4.3 |
| CVE-2026-11426 |
UnderConstructionPage PRO <= 5.76 - Authenticated (Subscriber+) Arbitrary File Read via template_thumbnail Parameter |
11.07.2026 |
6.5 |
| CVE-2026-13756 |
WP Grid Builder <= 2.3.3 - Authenticated (Subscriber+) Privilege Escalation via 'key' Parameter |
11.07.2026 |
8.8 |
| CVE-2026-14286 |
|
10.07.2026 |
|
| CVE-2026-14480 |
OpenPLC v3 External Control of File Name or Path |
10.07.2026 |
9.9 |
| CVE-2026-11913 |
Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045 |
10.07.2026 |
|
| CVE-2026-11914 |
Composer - Critical - Unsupported - SA-CONTRIB-2026-046 |
10.07.2026 |
|
| CVE-2026-11915 |
Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047 |
10.07.2026 |
|
| CVE-2026-15086 |
Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077 |
10.07.2026 |
|
| CVE-2026-15087 |
Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078 |
10.07.2026 |
|
| CVE-2026-15089 |
Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079 |
10.07.2026 |
|
| CVE-2026-20744 |
Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control |
10.07.2026 |
9.8 |
| CVE-2026-42952 |
Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Excessive Authentication Attempts |
10.07.2026 |
7.5 |
| CVE-2026-44383 |
Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expiration |
10.07.2026 |
7.5 |
| CVE-2026-55175 |
Spinnaker: Improper yaml processing on kustomize bake operations |
10.07.2026 |
7.5 |
| CVE-2026-10768 |
LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039 |
10.07.2026 |
|
| CVE-2026-10769 |
Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041 |
10.07.2026 |
|
| CVE-2026-10770 |
Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042 |
10.07.2026 |
|
| CVE-2026-11908 |
Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043 |
10.07.2026 |
|
| CVE-2026-11909 |
Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044 |
10.07.2026 |
|
| CVE-2026-12535 |
Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048 |
10.07.2026 |
|
| CVE-2026-13231 |
Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051 |
10.07.2026 |
|
| CVE-2026-13232 |
Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052 |
10.07.2026 |
|
| CVE-2026-13233 |
OpenAI Provider - Moderately critical - Server-side Request Forgery - SA-CONTRIB-2026-053 |
10.07.2026 |
|
| CVE-2026-13234 |
AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054 |
10.07.2026 |
|
| CVE-2026-13235 |
AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055 |
10.07.2026 |
|
| CVE-2026-13236 |
AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056 |
10.07.2026 |
|
| CVE-2026-13237 |
AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057 |
10.07.2026 |
|
| CVE-2026-13238 |
Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058 |
10.07.2026 |
|
| CVE-2026-13239 |
WissKI - Critical - Access bypass - SA-CONTRIB-2026-059 |
10.07.2026 |
|
| CVE-2026-13240 |
Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060 |
10.07.2026 |
|
| CVE-2026-13241 |
Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061 |
10.07.2026 |
|
| CVE-2026-13242 |
Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062 |
10.07.2026 |
|
| CVE-2026-13243 |
Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063 |
10.07.2026 |
|
| CVE-2026-13244 |
Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064 |
10.07.2026 |
|
| CVE-2026-15079 |
Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070 |
10.07.2026 |
|
| CVE-2026-15080 |
Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071 |
10.07.2026 |
|
| CVE-2026-15081 |
Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072 |
10.07.2026 |
|
| CVE-2026-15082 |
Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073 |
10.07.2026 |
|
| CVE-2026-15083 |
ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074 |
10.07.2026 |
|
| CVE-2026-15084 |
UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075 |
10.07.2026 |
|
| CVE-2026-15085 |
AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076 |
10.07.2026 |
|
| CVE-2026-44795 |
Spinnaker: Non-safe yaml deserialization allowing RCE when using specific types |
10.07.2026 |
8.8 |
| CVE-2026-49213 |
TypeBot: SSRF protection bypass via IPv6 unspecified address in Typebot HTTP request execution |
10.07.2026 |
8.1 |
| CVE-2026-52747 |
ModSecurity: Multipart form-data parser silently strips embedded line breaks from form-field values, enabling request-body inspection bypass |
10.07.2026 |
8.6 |
| CVE-2026-52761 |
ModSecurity: Transformation utf8toUnicode produces wrong output on i386 architecture |
10.07.2026 |
5.8 |
| CVE-2026-55187 |
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms (follow-up to CVE-2026-27808) |
10.07.2026 |
5.8 |
| CVE-2026-55803 |
Drupal core - Critical - PHP object injection - SA-CORE-2026-005 |
10.07.2026 |
|
| CVE-2026-55804 |
Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006 |
10.07.2026 |
|
| CVE-2026-55806 |
Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007 |
10.07.2026 |
|
| CVE-2026-55807 |
Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008 |
10.07.2026 |
|
| CVE-2026-55808 |
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009 |
10.07.2026 |
|
| CVE-2026-55809 |
Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049 |
10.07.2026 |
|
| CVE-2026-55810 |
Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050 |
10.07.2026 |
|
| CVE-2026-55882 |
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server |
10.07.2026 |
|
| CVE-2026-55883 |
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream |
10.07.2026 |
|
| CVE-2026-55884 |
Tilt: Missing authentication on the network-exposed Tilt HUD server |
10.07.2026 |
|
| CVE-2026-58587 |
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065 |
10.07.2026 |
|
| CVE-2026-58588 |
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066 |
10.07.2026 |
|
| CVE-2026-58589 |
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067 |
10.07.2026 |
|
| CVE-2026-58590 |
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068 |
10.07.2026 |
|
| CVE-2026-58591 |
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069 |
10.07.2026 |
|
| CVE-2026-59155 |
Nezha Monitoring: DDNS and Notification credential exposure via unredacted list API |
10.07.2026 |
|
| CVE-2026-41482 |
Frappe: Possible Path Traversal and Local File Inclusion via Chrome PDF Generator |
10.07.2026 |
|
| CVE-2026-42219 |
Frappe: Path Traversal via /backups Route |
10.07.2026 |
|
| CVE-2026-47199 |
Frappe: check_safe_sql_query Permits SELECT INTO OUTFILE |
10.07.2026 |
|
| CVE-2026-47422 |
Frappe: Unrestricted API access to save_report |
10.07.2026 |
|
| CVE-2026-48127 |
Frappe: Arbitrary Attachment Injection via add_attachments and upload_file |
10.07.2026 |
|
| CVE-2026-49394 |
Frappe: Auth. bypass via update_page |
10.07.2026 |
|
| CVE-2026-49844 |
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson() |
10.07.2026 |
|
| CVE-2026-54736 |
Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel) |
10.07.2026 |
|
| CVE-2026-55852 |
Frappe: TarSlip RCE in Package Import |
10.07.2026 |
|
| CVE-2026-57584 |
Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS |
10.07.2026 |
|
| CVE-2026-58503 |
Frappe: Unauthenticated User Enumeration via reset_password |
10.07.2026 |
|
| CVE-2026-34196 |
GPU DDK - UAF read and/or write of arbitrary physical memory due to integer truncation in PMRDevPhysAddrOSMem |
10.07.2026 |
|
| CVE-2026-41154 |
GPU DDK - Incorrect Index Calculation in CMA Cleanup Path of AllocOSPages_Sparse |
10.07.2026 |
|
| CVE-2026-45196 |
GPU DDK - Arbitrary GPU register write in rgxfw_hwperf_hw due to unsanitized pointers from host kernel |
10.07.2026 |
|
| CVE-2026-45203 |
GPU DDK - rgxfw_hwperf_ufo() re-reads psCmdHeader->ui32CmdSize after initial check, TOCTOU |
10.07.2026 |
|
| CVE-2026-55213 |
h2o: musl libc stack overflow (QPACK) |
10.07.2026 |
7.5 |
| CVE-2026-55659 |
Grist: XSS through unsafe value interpolation in server-rendered pages |
10.07.2026 |
7.7 |
| CVE-2026-55664 |
Grist: Insufficient access control in the /forms endpoint exposes table metadata |
10.07.2026 |
4.3 |
| CVE-2026-55665 |
DOM-based XSS in Grist via unsanitized links, enabling privilege escalation |
10.07.2026 |
|
| CVE-2026-55879 |
OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover |
10.07.2026 |
9.3 |
| CVE-2026-55880 |
OpenReplay: Cross-user IDOR in notes and dashboard widgets |
10.07.2026 |
7.1 |
| CVE-2026-55881 |
OpenReplay: Cross-tenant session replay disclosure via missing session ownership check in first-mob endpoint |
10.07.2026 |
|
| CVE-2026-57230 |
OpenReplay: Authenticated ClickHouse SQL injection via session search |
10.07.2026 |
5.4 |
| CVE-2026-57574 |
Misskey: TOTP tokens can be reused |
10.07.2026 |
|
| CVE-2026-57575 |
Misskey: SSRF bypass in URL Preview |
10.07.2026 |
|
| CVE-2026-58499 |
Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id |
10.07.2026 |
8.2 |
| CVE-2026-7639 |
GPU DDK - Page UAF read in PMMETA_PROTECT heap memory |
10.07.2026 |
|
| CVE-2026-9726 |
Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038 |
10.07.2026 |
|
| CVE-2026-12761 |
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow |
10.07.2026 |
9.8 |
| CVE-2026-13039 |
Eventin 4.0.26 - 4.1.15 - Missing Authorization to Unauthenticated Payment Bypass via REST API |
10.07.2026 |
5.3 |
| CVE-2026-55229 |
Gotenberg: SSRF via LibreOffice document processing |
10.07.2026 |
7.5 |
| CVE-2026-55233 |
OpenResty: Buffer overflow when writing PROXY protocol v2 header to upstream |
10.07.2026 |
7.5 |
| CVE-2026-55405 |
LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector |
10.07.2026 |
7.6 |
| CVE-2026-57211 |
RabbitMQ: UNC SSRF affecting the management UI on Windows |
10.07.2026 |
6.5 |
| CVE-2026-57212 |
RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size |
10.07.2026 |
|
| CVE-2026-57213 |
RabbitMQ: Stored XSS federation management plugin via unsanitized consumer_tag rendering |
10.07.2026 |
|
| CVE-2026-57214 |
RabbitMQ: Stored XSS in RabbitMQ management UI |
10.07.2026 |
|
| CVE-2026-57215 |
RabbitMQ: Direct-reply-to binding persistence can lead to unauthorized reply-channel injection and persistent phantom |
10.07.2026 |
|
| CVE-2026-57216 |
RabbitMQ: AMQP 1.0, AMQP 0-9-1, Stream Protocol loopback enforcement can lead to remote guest sessions due to listener-address loopback checks |
10.07.2026 |
6.8 |
| CVE-2026-57217 |
RabbitMQ: Topic authorization can lead to cross-tenant routing-key bypass |
10.07.2026 |
|
| CVE-2026-57218 |
RabbitMQ: AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure |
10.07.2026 |
|
| CVE-2026-57219 |
RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations |
10.07.2026 |
|
| CVE-2026-57220 |
RabbitMQ: Stream listener does not enforce configured frame-size limit during authentication, permitting unauth'd mem-exhaust DoS |
10.07.2026 |
7.5 |
| CVE-2026-57221 |
RabbitMQ: Passive queue/exchange declaration bypasses authorization checks, leaking queue metadata to unprivileged users |
10.07.2026 |
|
| CVE-2026-57807 |
WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability |
10.07.2026 |
9.8 |
| CVE-2026-15295 |
Ajax Load More <= 7.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting |
10.07.2026 |
4.4 |
| CVE-2026-54714 |
Logto: XSS via unescaped RelayState in SAML auto-submit form |
10.07.2026 |
6.1 |
| CVE-2026-55370 |
Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation) |
10.07.2026 |
6.4 |
| CVE-2026-55377 |
Logto: Account Center MFA management step-up bypass via WebAuthn registration verification |
10.07.2026 |
8.1 |
| CVE-2026-55452 |
Snipe-IT: CSV formula injection in Activity Report export |
10.07.2026 |
|
| CVE-2026-55461 |
Snipe-IT: Open Redirect After User Edit |
10.07.2026 |
6.1 |
| CVE-2026-55462 |
Snipe-IT: Authorization bypass on print inventory page |
10.07.2026 |
4.3 |
| CVE-2026-55466 |
Snipe-IT: Stored XSS via inline-served attachment |
10.07.2026 |
|
| CVE-2026-55469 |
Snipe-IT: Path traversal vulnerability via CSV import `image` field |
10.07.2026 |
6.5 |
| CVE-2026-55475 |
Snipe-IT: Import created_by can be overwritten |
10.07.2026 |
5.7 |
| CVE-2026-55479 |
Snipe-IT: Incorrect permission for legacy license checkin API |
10.07.2026 |
|
| CVE-2026-55481 |
Snipe-IT: CSS Injection via `header_color` Setting |
10.07.2026 |
|
| CVE-2026-55515 |
Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint |
10.07.2026 |
5 |
| CVE-2026-55789 |
Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers |
10.07.2026 |
8.5 |
| CVE-2026-55827 |
FreeRDP: Heap out-of-bounds write in RemoteFX (RFX) Cache Bitmap V3 decode |
10.07.2026 |
7.5 |
| CVE-2026-57156 |
FreeRDP: Integer overflow leading to heap buffer overflow in Orders Delta Points parsing |
10.07.2026 |
|
| CVE-2026-57157 |
Out-of-bounds read in the camera device enumerator server (rdpecam) via unterminated DeviceName / VirtualChannelName |
10.07.2026 |
6.5 |
| CVE-2026-57158 |
FreeRDP planar_decompress_plane_rle_only: heap OOB read — incomplete fix for CVE-2026-23530 |
10.07.2026 |
|
| CVE-2026-57850 |
RustDesk before 1.4.9 Missing Session Scope Enforcement Allows Out-of-Scope Control Message Injection |
10.07.2026 |
|
| CVE-2026-11321 |
GLPI DataInjection Plugin Authenticated SQL Injection via CSV Import |
10.07.2026 |
|
| CVE-2026-15146 |
CVE-2026-15146 |
10.07.2026 |
|
| CVE-2026-54329 |
Snipe-IT: Cross-Tenant Accessory Injection in Snipe-IT API |
10.07.2026 |
8.5 |
| CVE-2026-55460 |
Snipe-IT: Authorization bypass on bulk editing users |
10.07.2026 |
7.1 |
| CVE-2026-55464 |
Snipe-IT: Stored XSS via Markdown custom field |
10.07.2026 |
|
| CVE-2026-55472 |
Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation |
10.07.2026 |
4.3 |
| CVE-2026-55474 |
Snipe-IT: Directory traversal in displaySig |
10.07.2026 |
|
| CVE-2026-55476 |
Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter |
10.07.2026 |
|
| CVE-2026-55478 |
Snipe-IT: Missing object-level authorization in Kits API |
10.07.2026 |
|
| CVE-2026-55516 |
Snipe-IT: Cross-company asset maintenance re-parenting via API update |
10.07.2026 |
7.7 |
| CVE-2026-55843 |
Snipe-IT: Improper Privilege Management |
10.07.2026 |
|
| CVE-2026-61459 |
MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools |
10.07.2026 |
|
| CVE-2026-61460 |
Krayin CRM Insecure Direct Object Reference via Controllers |
10.07.2026 |
|
| CVE-2026-6212 |
IDOR in Teracity's TeraMIS |
10.07.2026 |
8.8 |
| CVE-2025-30007 |
HestiaCP < 1.9.5 Authenticated OS Command Injection via DNS Record Management |
10.07.2026 |
|
| CVE-2025-30008 |
HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface |
10.07.2026 |
|
| CVE-2026-53448 |
Coturn: SQL Injection in HTTPS Admin Panel Delete Operations |
10.07.2026 |
7.2 |
| CVE-2026-53449 |
Coturn: Arbitrary File Write via CLI psd Command |
10.07.2026 |
6 |
| CVE-2026-53450 |
Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection |
10.07.2026 |
7.4 |
| CVE-2026-59151 |
Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover |
10.07.2026 |
9.6 |
| CVE-2026-5801 |
SQLi in Semtek Informatics' SEM-PMP |
10.07.2026 |
9.8 |
| CVE-2026-61461 |
Dify < 1.16.0-rc1 SQL Injection via MyScale Vector Store search_by_full_text |
10.07.2026 |
|
| CVE-2026-6872 |
|
10.07.2026 |
|
| CVE-2026-2397 |
SQLi in AdamPOS' MobilMen 20T |
10.07.2026 |
9.8 |
| CVE-2026-53780 |
|
10.07.2026 |
|
| CVE-2026-55670 |
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers |
10.07.2026 |
|
| CVE-2026-55671 |
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components |
10.07.2026 |
|
| CVE-2026-55672 |
ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation) |
10.07.2026 |
7.4 |
| CVE-2026-56664 |
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider |
10.07.2026 |
4.2 |
| CVE-2026-56665 |
ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider |
10.07.2026 |
4.2 |
| CVE-2026-56666 |
ZITADEL: Auto-linking by email: IdP-side email verification is not checked |
10.07.2026 |
4.8 |
| CVE-2026-56667 |
ZITADEL: Stored XSS via Default URI Redirect in Login V2 |
10.07.2026 |
7.3 |
| CVE-2026-56668 |
ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange |
10.07.2026 |
8.1 |
| CVE-2026-57474 |
Deloitte AI Assist for Customer information disclosure |
10.07.2026 |
5.3 |
| CVE-2026-57475 |
Deloitte AI Assist for Customer unauthenticated configuration write |
10.07.2026 |
5.3 |
| CVE-2026-57476 |
Deloitte AI Assist for Customer unauthenticated RAG corpus read and write |
10.07.2026 |
4.8 |
| CVE-2025-70796 |
|
10.07.2026 |
|
| CVE-2026-2398 |
IDOR in AdamPOS' MobilMen 20T |
10.07.2026 |
8.8 |
| CVE-2026-3251 |
XSS in Webremium's Mezunum Satiyorum |
10.07.2026 |
6.4 |
| CVE-2026-51119 |
|
10.07.2026 |
|
| CVE-2026-55669 |
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider |
10.07.2026 |
4.2 |
| CVE-2026-55780 |
NanaZip: Uncaught exception / unbounded allocation in NanaZip .NET single-file Extract() via unvalidated entry Size |
10.07.2026 |
|
| CVE-2026-55781 |
NanaZip: Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated fs_bsize/fs_fsize superblock fields |
10.07.2026 |
|
| CVE-2026-55782 |
NanaZip: Unbounded memory allocation (DoS) in NanaZip WebAssembly parser via attacker-controlled section/name length fields |
10.07.2026 |
|
| CVE-2026-55783 |
NanaZip: NULL pointer dereference in Extract() of all seven NanaZip custom archive handlers when extracting/testing the whole archive |
10.07.2026 |
|