CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-11698 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover 14.07.2026 9.1
CVE-2025-12011 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2025-12012 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-15265 Tenable Agent Path Traversal Leading to Remote Code Execution 14.07.2026 9.3
CVE-2026-58479 Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection 14.07.2026 9.2
CVE-2026-10577 Rockwell Automation 1715 Redundant IO – Access Control Vulnerability 14.07.2026 10
CVE-2026-62422 14.07.2026 10
CVE-2026-56451 14.07.2026 10
CVE-2026-15183 Input Validation Vulnerabilities in Snowflake Spark Connector 14.07.2026 9.2
CVE-2026-57898 14.07.2026 9
CVE-2026-27690 HTTP Request Smuggling in SAP Approuter 14.07.2026 9.1
CVE-2026-44747 Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP 14.07.2026 9.9
CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud 14.07.2026 9.1
CVE-2026-59801 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers 14.07.2026 9.3
CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats 14.07.2026 9.3
CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload 14.07.2026 9.1
CVE-2026-6875 Sandbox Escape in ServiceNow AI Platform 14.07.2026 9.5
CVE-2026-61462 mcp-gitlab Path Traversal via job_id Parameter 13.07.2026 9.2
CVE-2026-61500 Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key 14.07.2026 9.3
CVE-2026-60121 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php 13.07.2026 9.3
CVE-2026-61498 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php 14.07.2026 9.3
CVE-2026-6847 Unauthenticated Remote Code Execution in ThemisNETPanel 14.07.2026 9.3
CVE-2026-12257 Remote code execution in Mura Software’s CMS 13.07.2026 9.3
CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise 13.07.2026 9.4
CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application 13.07.2026 9.2
CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app 13.07.2026 9.5
CVE-2026-22095 Command injection in diagnosis web endpoint 13.07.2026 9.3
CVE-2026-22096 Missing authentication for webserver endpoints 13.07.2026 9.3
CVE-2026-22097 Missing firmware validation allows remote code execution 13.07.2026 9.3
CVE-2026-22098 Sensitive information is written to logs 13.07.2026 9.2
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality 13.07.2026 9.3
CVE-2026-22103 Command injection in NPC start web endpoint 13.07.2026 9.3
CVE-2026-57401 WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability 13.07.2026 9.9
CVE-2026-57702 WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57707 WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57710 WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability 13.07.2026 9.9
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57719 WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability 13.07.2026 10
CVE-2026-57724 WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57726 WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57738 WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57739 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57770 WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability 13.07.2026 10
CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability 13.07.2026 9.8
CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-14453 A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets 13.07.2026 9.6
CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface 13.07.2026 9.3
CVE-2026-15511 Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection 14.07.2026 9.3
CVE-2026-56271 Flowise - Weak Default JWT Secrets in Authentication Middleware 13.07.2026 9.3
CVE-2026-61876 LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting 14.07.2026 9.4
CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension 14.07.2026 9.3
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution 14.07.2026 9.4
CVE-2026-61447 PraisonAI before 1.6.78 Remote Code Execution via CodeAgent 13.07.2026 10
CVE-2026-57827 Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 13.07.2026 10
CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 13.07.2026 9
CVE-2026-20744 Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control 14.07.2026 9.3
CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server 13.07.2026 9.2
CVE-2026-55879 OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover 13.07.2026 9.3
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow 13.07.2026 9.8
CVE-2026-57807 WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability 13.07.2026 9.8
CVE-2026-61459 MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools 13.07.2026 9.3
CVE-2026-59151 Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover 13.07.2026 9.6
CVE-2026-5801 SQLi in Semtek Informatics' SEM-PMP 10.07.2026 9.8
CVE-2026-2397 SQLi in AdamPOS' MobilMen 20T 10.07.2026 9.8
CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation 10.07.2026 9.2
CVE-2026-15143 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 10.07.2026 9.3
CVE-2026-55500 9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover 10.07.2026 9.9
CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs 10.07.2026 9.2
CVE-2026-56765 Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR 10.07.2026 9.3
CVE-2026-59792 14.07.2026 9.6
CVE-2026-61444 PraisonAI before 4.6.78 Code Injection via f-string 10.07.2026 9.4
CVE-2026-56688 10.07.2026 9.1
CVE-2026-15378 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 14.07.2026 9.3
CVE-2026-41880 OS Command Injection in R-SOFT DMS 10.07.2026 9
CVE-2026-15282 Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload 14.07.2026 9.8
CVE-2026-15300 GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters 10.07.2026 9.1
CVE-2026-14894 Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value) 10.07.2026 9.8
CVE-2026-54760 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls 10.07.2026 9.3
CVE-2026-54769 Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent 10.07.2026 10
CVE-2026-55615 Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879 10.07.2026 9.2
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing 10.07.2026 9.3
CVE-2026-58123 Hermes WebUI < 0.51.788 Unauthenticated RCE via Terminal API 10.07.2026 9.3
CVE-2026-54003 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header 09.07.2026 9.1
CVE-2026-59726 Ruflo: Unauthenticated RCE in MCP bridge default docker-compose deployment 09.07.2026 10
CVE-2026-59826 Metabase: Arbitrary Code Execution via Database Connection Detail Bypass 10.07.2026 9.1
CVE-2026-59827 Metabase: Unsafe Deserialization of H2 Query Results 09.07.2026 9.9
CVE-2025-27462 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27463 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27464 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-58146 XAPI UTF-8 string handling 09.07.2026 9.4
CVE-2025-58151 varstored: TOCTOU issues with mapped guest memory 09.07.2026 9.4
CVE-2026-23556 oxenstored keeps quota related use counts across domain destruction 09.07.2026 9.4
CVE-2026-23559 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23560 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23561 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-23562 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-42486 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-56292 Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1 10.07.2026 9.2
CVE-2026-56291 Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1 11.07.2026 10
CVE-2026-15158 Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter 09.07.2026 9.8
CVE-2026-2342 XSS in Oceanicsoft's ValeApp 09.07.2026 9.3
CVE-2026-5955 SQLi in Inrove Software's BiEticaret 09.07.2026 9.8
CVE-2026-14245 miniOrange OTP Login, Verification and SMS Notifications <= 5.5.1 - Authentication Bypass to Administrator Account Takeover via 'username_b' Parameter 09.07.2026 9.8
CVE-2026-47646 Dynamics 365 Customer Voice Spoofing Vulnerability 09.07.2026 9.3
CVE-2026-54782 CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation 10.07.2026 10
CVE-2026-44024 Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder 10.07.2026 9.8
CVE-2026-54527 JupyterLab Git: Stored XSS leading to RCE 09.07.2026 9.3
CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request 09.07.2026 9.3
CVE-2026-59702 repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack 08.07.2026 9.2
CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input 08.07.2026 9.2
CVE-2026-9074 IBM API Connect SQL Injection 09.07.2026 9.1
CVE-2026-15062 SQL Injection in Snowflake Snowpark Python SDK 08.07.2026 9.6
CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import 08.07.2026 9.1
CVE-2026-58480 Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments 08.07.2026 9.2
CVE-2026-8307 SQLi in Webbeyaz's Mediküm Web 09.07.2026 9.8
CVE-2026-56000 xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() 08.07.2026 9
CVE-2026-9695 Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 08.07.2026 9.8
CVE-2026-12153 WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action 08.07.2026 9.8
CVE-2026-14487 Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter 08.07.2026 9.1
CVE-2026-9701 Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 08.07.2026 9.8
CVE-2026-56843 08.07.2026 9.9
CVE-2026-59705 mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints 08.07.2026 9.3
CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft 08.07.2026 9.1
CVE-2026-59706 mem0 - Unauthenticated Config API Exposure and SSRF via ollama_base_url 09.07.2026 9.2
CVE-2026-58473 Cognee < 1.2.0 Unauthorized LLM Configuration Overwrite via /api/v1/settings 08.07.2026 9.3
CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply 09.07.2026 9.2

Latest Updates

CVE Title Updated Score
CVE-2025-11698 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026
CVE-2025-43892 14.07.2026 4.1
CVE-2025-53379 14.07.2026 7
CVE-2025-62675 14.07.2026 3.4
CVE-2025-62826 14.07.2026 3.1
CVE-2026-11403 Nexus Repository Manager - Insufficient Entropy in Format-Specific API Key Generation 14.07.2026
CVE-2026-11917 ThinManager® - Path Traversal via API 14.07.2026
CVE-2026-11944 openSIS Classic 9.3 - Authenticated path traversal in SentMail attachment download 14.07.2026
CVE-2026-12659 Rockwell Automation Flex 5000® Adapter - Denial of Service 14.07.2026
CVE-2026-12707 Unbounded path event queue growth in quiche via peer-driven source connection ID rotation 14.07.2026 7.5
CVE-2026-15392 DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location 14.07.2026
CVE-2026-15697 svgdotjs svg.js npm Package API EventTarget.on prototype pollution 14.07.2026
CVE-2026-15698 kofrasa mingo Update API updateMany prototype pollution 14.07.2026
CVE-2026-23573 14.07.2026 6.1
CVE-2026-52838 Easy!Appointments disable_booking_message rendered as raw HTML on public booking page — Stored XSS 14.07.2026 2.6
CVE-2026-52839 Easy!Appointments appointments/store and appointments/update allow cross-provider appointment injection — Authorization Bypass 14.07.2026 3.3
CVE-2026-52840 Easy!Appointments has server-side request forgery in CalDAV connection test that exposes the deployment's internal network 14.07.2026 2.7
CVE-2026-52841 Easy!Appointments: Authorization bypass in Google OAuth provider binding lets any backend user rebind a peer provider's Google sync 14.07.2026 3.1
CVE-2026-55651 Easy!Appointments Vulnerable to Appointments Takeover via Excessive Data Exposure 14.07.2026 7.1
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover 14.07.2026
CVE-2026-59204 Pillow JPEG2000 tiled decode retains a growing scratch buffer and can be used for denial of service 14.07.2026
CVE-2026-59835 14.07.2026 7.7
CVE-2026-59836 14.07.2026 6.7
CVE-2026-59837 14.07.2026 5.9
CVE-2026-59839 14.07.2026 5
CVE-2026-59840 14.07.2026 4.1
CVE-2026-59841 14.07.2026 6.9
CVE-2026-60081 DBI::ProfileData versions before 1.651 for Perl do not limit the path index 14.07.2026
CVE-2026-60082 DBI versions before 1.651 for Perl do not enforce statement handle consistency with the row 14.07.2026
CVE-2026-9108 Studio 5000 Logix Designer® – Multiple Vulnerabilities 14.07.2026
CVE-2026-9127 Studio 5000 Logix Designer® – Multiple Vulnerabilities 14.07.2026
CVE-2026-9128 Studio 5000 Logix Designer® – Multiple Vulnerabilities 14.07.2026
CVE-2026-9292 Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud - Stored Cross-Site Scripting 14.07.2026
CVE-2026-9636 Rockwell Automation CompactLogix® 5380 ControlLogix® 5580 / 1756-EN4 Communications Module – Certificate Revocation List Vulnerability 14.07.2026
CVE-2025-12011 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026
CVE-2025-12012 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026
CVE-2026-10573 1734 POINT I/OTM - Denial of Service via Malformed Inputs on CIP Object 14.07.2026
CVE-2026-10669 Xtensa MPU `arch_buffer_validate()` integer-overflow lets a user thread bypass syscall pointer validation 14.07.2026 7.8
CVE-2026-10670 User-triggerable kernel NULL-pointer dereference (DoS) in `k_thread_name_copy()` syscall verifier 14.07.2026 5.5
CVE-2026-10671 User thread can re-initialize an in-use `k_pipe`, corrupting kernel wait queues (`CONFIG_USERSPACE`) 14.07.2026 7.1
CVE-2026-10672 Unterminated URI buffer causes out-of-bounds read in LwM2M firmware pull (Package URI) 14.07.2026 8.2
CVE-2026-10714 Rockwell Automation FactoryTalk® Services Platform FTSP - Weak Authentication via JWT Validation Bypass 14.07.2026
CVE-2026-15265 Tenable Agent Path Traversal Leading to Remote Code Execution 14.07.2026 9.1
CVE-2026-15695 Tenda BE12 Pro DhcpListClient fromDhcpListClient stack-based overflow 14.07.2026
CVE-2026-15696 Tenda BE12 Pro VirtualSer fromVirtualSer stack-based overflow 14.07.2026
CVE-2026-52837 Easy!Appointments has unauthenticated customer PII disclosure on booking reschedule page 14.07.2026
CVE-2026-58477 Sustainable Irrigation Platform 5.2.16 Mass Assignment via HTTP Parameters 14.07.2026
CVE-2026-58478 Sustainable Irrigation Platform 5.2.16 SSRF via Node-RED Callback URL 14.07.2026
CVE-2026-58479 Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection 14.07.2026
CVE-2026-60114 Sustainable Irrigation Platform 5.2.16 Path Traversal via JSON Backup Restore 14.07.2026
CVE-2026-9140 1718-AENTR/1719-AENTR - Denial of Service 14.07.2026
CVE-2026-9653 1756-EN2, 1756-EN3, and 1756-ENBT - Denial of Service via CIP Connection ID 14.07.2026
CVE-2026-14902 14.07.2026 4
CVE-2026-14903 14.07.2026 7.7
CVE-2026-15694 Tenda BE12 Pro SetIpBind fromSetIpBind stack-based overflow 14.07.2026
CVE-2026-15736 Multiple SQL/DDL Injection and Arbitrary File Read Vulnerabilities in snowflake-sqlalchemy 14.07.2026 8.3
CVE-2026-51105 14.07.2026
CVE-2026-58475 Sustainable Irrigation Platform 5.2.16 Stored XSS via Program Name 14.07.2026
CVE-2026-58476 Sustainable Irrigation Platform 5.2.16 CSRF via Administrative GET Requests 14.07.2026
CVE-2026-8590 Spotfire OAuth2 PKCE Bypass for public clients 14.07.2026
CVE-2026-15693 Tenda BE12 Pro SafeMacFilter fromSafeMacFilter stack-based overflow 14.07.2026
CVE-2026-53566 Out-of-bounds memory read 14.07.2026
CVE-2026-10577 Rockwell Automation 1715 Redundant IO – Access Control Vulnerability 14.07.2026
CVE-2026-12588 14.07.2026
CVE-2026-15305 TYPO3 CMS - Unrestricted File Upload in Form Framework 14.07.2026
CVE-2026-53565 Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges 14.07.2026
CVE-2026-8085 Rockwell Automation Arena® - Memory Corruption Vulnerability 14.07.2026
CVE-2026-8312 Rockwell Automation Arena® - Memory Corruption Vulnerability 14.07.2026
CVE-2026-8313 Rockwell Automation Arena® - Memory Corruption Vulnerability 14.07.2026
CVE-2026-8314 Rockwell Automation Arena® - Memory Corruption Vulnerability 14.07.2026
CVE-2026-15691 Tenda BE12 Pro SafeClientFilter fromSafeClientFilter stack-based overflow 14.07.2026
CVE-2026-15692 Tenda BE12 Pro SafeUrlFilter fromSafeUrlFilter stack-based overflow 14.07.2026
CVE-2026-15718 Invalid pointer in the JavaScript: WebAssembly component 14.07.2026
CVE-2026-15719 Site isolation in the DOM: Navigation component 14.07.2026
CVE-2026-49488 Apache OpenMeetings: Arbitrary File Read 14.07.2026
CVE-2026-62390 Apache Kylin: SQL Injection Vulnerability in Catalog Cache Refresh API 14.07.2026
CVE-2026-62392 Apache Kylin: OS Command Injection via Async Query API 14.07.2026
CVE-2026-62393 Apache Kylin: Improper authorization in job information retrieval 14.07.2026
CVE-2026-15690 open62541 Shared Client ua_client_connect.c responseReadNamespacesArray null pointer dereference 14.07.2026
CVE-2026-9341 Academy LMS <= 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'user_id' Parameter 14.07.2026 4.3
CVE-2026-15389 Inadequate access control in Sesame Time session management 14.07.2026
CVE-2026-62422 14.07.2026 10
CVE-2025-40945 14.07.2026 6.7
CVE-2026-12478 Libsoup: incomplete fix for cve-2026-0716: out-of-bounds read in libsoup websocket frame processing (unmasked path) 14.07.2026
CVE-2026-14852 mk_sap_hana: Privilege escalation via crafted sapstartsrv process name 14.07.2026
CVE-2026-15043 DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text 14.07.2026
CVE-2026-3014 Remote Code Execution by administrative user on the Management Server 14.07.2026
CVE-2026-54429 14.07.2026 7.4
CVE-2026-56451 14.07.2026 10
CVE-2026-58319 Apache Doris: Improper Authentication in Frontend HTTP API 14.07.2026
CVE-2024-7708 14.07.2026 7.5
CVE-2026-10051 14.07.2026
CVE-2026-12606 14.07.2026
CVE-2026-15183 Input Validation Vulnerabilities in Snowflake Spark Connector 14.07.2026
CVE-2026-15416 Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint 14.07.2026
CVE-2026-58229 Unbounded HTTP/1 response-header and chunked-trailer accumulation in Mint causes memory-exhaustion DoS 14.07.2026
CVE-2026-59084 Apache Tomcat: EncryptInterceptor requirements not clearly documented 14.07.2026
CVE-2026-59246 Zero-length HTTP/2 CONTINUATION frames bypass Mint's header-block byte-size cap and exhaust client memory 14.07.2026
CVE-2026-6790 14.07.2026 5.3
CVE-2026-8384 14.07.2026 5.3
CVE-2025-8412 VMDP: Potential buffer overflow in the RtlQueryRegistryValues function 14.07.2026
CVE-2026-13699 Databroker 0.6.1 PublishValue missing data_point panic 14.07.2026 4.3
CVE-2026-15075 14.07.2026
CVE-2026-15076 14.07.2026
CVE-2026-57898 14.07.2026 9
CVE-2026-59083 Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass 14.07.2026
CVE-2026-9561 14.07.2026
CVE-2026-59674 LPE from suricata user to root due to chown in %post in suricata packaging 14.07.2026
CVE-2026-6851 Improper link resolution before file access in Bitdefender Total Security via Link Following (VA-13681) 14.07.2026
CVE-2026-15677 code-projects Online Job Portal JobSeekerInsert.php unrestricted upload 14.07.2026
CVE-2026-15678 code-projects Online Job Portal DetailJob.php cross site scripting 14.07.2026
CVE-2025-15665 BEAF < 4.7.1 - Admin+ Stored XSS via Widget Shortcode Field 14.07.2026
CVE-2026-11563 Word Count and Social Shares <= 1.0 - Subscriber+ Arbitrary File Deletion via Path Traversal 14.07.2026
CVE-2026-11567 SureForms < 2.11.1 - Unauthenticated Payment Amount Bypass 14.07.2026
CVE-2026-12511 AI Engine < 3.5.5 - Editor+ Arbitrary File Write via Path Traversal 14.07.2026
CVE-2026-12583 Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field 14.07.2026
CVE-2026-12988 WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding 14.07.2026
CVE-2026-15672 itsourcecode Electronic Judging System add_judges.php sql injection 14.07.2026
CVE-2026-15675 code-projects Online Job Portal EditUser.php sql injection 14.07.2026
CVE-2026-15676 code-projects Online Job Portal DeleteUser.php sql injection 14.07.2026
CVE-2026-12482 Path Traversal via Symlink Name Validation Bypass in keras-team/keras 14.07.2026
CVE-2026-15669 louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection 14.07.2026
CVE-2026-15629 louisho5 picobot Workspace filesystem.go GetSkill link following 14.07.2026
CVE-2026-15668 louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery 14.07.2026
CVE-2026-15626 nextlevelbuilder GoClaw ACP ToolBridge Workspace tool_bridge.go writeFile path traversal 14.07.2026
CVE-2026-15627 nextlevelbuilder GoClaw tool.go handleNavigate information disclosure 14.07.2026
CVE-2026-15628 zhayujie chatgpt-on-wechat CowAgent Vision Tool vision.py Vision._download_to_data_url server-side request forgery 14.07.2026
CVE-2026-11390 News Kit Addons For Elementor <= 1.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets 14.07.2026 6.4
CVE-2026-11802 FoodBook Lite <= 1.5.6 - Missing Authorization to Unauthenticated User Registration via 'registration_action' AJAX Action 14.07.2026 5.3
CVE-2026-15624 nextlevelbuilder GoClaw invoke Endpoint create_video_byteplus.go bytePlusDownloadVideo server-side request forgery 14.07.2026
CVE-2026-15625 nextlevelbuilder GoClaw exec_approval.go ExecApprovalManager.CheckCommand incomplete blacklist 14.07.2026
CVE-2026-7640 WP Customer Area <= 8.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'type' Shortcode Attribute 14.07.2026 6.4
CVE-2026-15622 poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization 14.07.2026
CVE-2026-0487 DLL Hijacking vulnerability in SAProuter on Microsoft Windows 14.07.2026 8.4
CVE-2026-15620 mosaxiv clawlet tool_web_fetch.go tools.webFetch server-side request forgery 14.07.2026
CVE-2026-15621 mosaxiv clawlet File Tools fs_ops.go edit_file link following 14.07.2026
CVE-2026-27690 HTTP Request Smuggling in SAP Approuter 14.07.2026 9.1
CVE-2026-44745 Open Redirect vulnerability in SAP Approuter 14.07.2026 8.1
CVE-2026-44747 Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP 14.07.2026 9.9
CVE-2026-44752 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard) 14.07.2026 8.2
CVE-2026-44753 Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service) 14.07.2026 3.7
CVE-2026-44759 Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal 14.07.2026 6.1
CVE-2026-44760 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) 14.07.2026 4.7
CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud 14.07.2026 9.1
CVE-2026-44767 Allowlist Bypass in setThemeRoot() Enables Cross-Origin CSS Injection 14.07.2026 6.1
CVE-2026-44768 Security misconfiguration in SAP CRM (WebClient UI) 14.07.2026 4.1
CVE-2026-44769 SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) 14.07.2026 5.5
CVE-2026-44770 Missing Authorization check in SAP S/4 HANA (Create Single Payment) 14.07.2026 4.3
CVE-2026-44771 Missing Authorization check in SAP S/4HANA (Draft operation) 14.07.2026 4.3
CVE-2026-58233 Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach) 14.07.2026 7.6
CVE-2026-15619 mosaxiv clawlet IPv4 tool_web_fetch.go web_fetch server-side request forgery 14.07.2026
CVE-2026-15618 mosaxiv clawlet exec Safety Guard tool_exec.go guardExecCommand protection mechanism 14.07.2026
CVE-2026-15607 tanstack db Alias Path select.ts select prototype pollution 13.07.2026
CVE-2026-15605 wandb Artifact Integrity Validation hashutil.py ArtifactManifestEntry.download weak hash 14.07.2026
CVE-2026-57855 Cockpit CMS Missing Authorization in Bucket File Storage API 14.07.2026
CVE-2026-57856 Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API 14.07.2026
CVE-2026-58489 HedgeDoc: CSRF in GitHub Gist export callback 14.07.2026
CVE-2026-58101 Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference 14.07.2026
CVE-2026-58102 Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts 14.07.2026
CVE-2026-58486 HedgeDoc: Denial-of-service via YAML alias expansion in note frontmatter 14.07.2026
CVE-2026-15597 SourceCodester Class and Exam Timetabling System edit_exam2.php sql injection 14.07.2026
CVE-2026-15598 antv layout object.js setNestedValue prototype pollution 14.07.2026
CVE-2026-39042 13.07.2026
CVE-2026-51540 13.07.2026
CVE-2026-56877 14.07.2026 6.3
CVE-2026-58487 HedgeDoc: Stored HTML injection via email local-part 13.07.2026
CVE-2026-58488 HedgeDoc: Rate-limit bypass via CF-Connecting-IP header spoofing 14.07.2026
CVE-2026-15596 SourceCodester Class and Exam Timetabling System subject.php cross site scripting 13.07.2026
CVE-2026-15680 Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability 14.07.2026
CVE-2026-15681 AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability 14.07.2026
CVE-2026-15682 AnyDesk Support Information Link Following Denial-of-Service Vulnerability 14.07.2026
CVE-2026-15683 Lorex 2K Indoor Wi-Fi Security Camera Device Management Server Improper Certificate Validation Vulnerability 14.07.2026
CVE-2026-15684 Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability 14.07.2026
CVE-2026-15685 Ollama downloadBlob Improper Validation of Array Index Denial-of-Service Vulnerability 14.07.2026
CVE-2026-51536 14.07.2026
CVE-2026-51537 14.07.2026
CVE-2026-51538 14.07.2026
CVE-2026-51539 14.07.2026
CVE-2026-51541 14.07.2026
CVE-2026-51821 13.07.2026
CVE-2026-59801 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers 14.07.2026
CVE-2026-61458 PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint 14.07.2026
CVE-2026-62184 luci-app-banip Log Monitor IP Extraction Bypass 14.07.2026
CVE-2026-62185 Argo CD Helm Chart < 10.0.0 Missing Network Policy RCE 14.07.2026
CVE-2026-62186 OpenClaw < 2026.6.8 Authorization Bypass via HTTP Model Override 14.07.2026
CVE-2026-62187 OpenClaw < 2026.6.9 Feishu tools Authorization Bypass 13.07.2026
CVE-2026-62188 OpenClaw < 2026.6.9 Feishu Authorization Bypass 14.07.2026
CVE-2026-62189 OpenClaw < 2026.6.9 Symlink Following via Mirror Sync 14.07.2026
CVE-2026-62190 OpenClaw < 2026.6.9 Authorization Bypass via flock wrapper 13.07.2026
CVE-2026-62191 OpenClaw 2026.6.6 < 2026.6.9 Authorization Bypass via Message Mutations 14.07.2026
CVE-2026-62192 OpenClaw 2026.6.6 < 2026.6.9 Authorization Bypass 14.07.2026
CVE-2026-62193 OpenClaw 2026.6.5 < 2026.6.9 Authentication Bypass via Plugin Install 13.07.2026
CVE-2026-62194 OpenClaw 2026.5.20 < 2026.6.9 Privilege Escalation via Plugin Install 14.07.2026
CVE-2026-62195 OpenClaw 2026.5.20 < 2026.6.6 Authorization Bypass via MCP loopback 14.07.2026
CVE-2026-62196 OpenClaw 2026.3.22 < 2026.6.6 Authorization Bypass via WhatsApp Group IDs 13.07.2026
CVE-2026-62197 OpenClaw < 2026.6.6 Policy Bypass via CDP Discovery 14.07.2026
CVE-2026-62198 OpenClaw 2026.5.28 < 2026.6.6 Authorization Bypass via Web Search 14.07.2026
CVE-2026-62199 OpenClaw < 2026.6.6 Authentication Bypass via Environment Filtering 13.07.2026
CVE-2026-62200 OpenClaw < 2026.6.6 Authentication Bypass via Git ext transport 14.07.2026
CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats 14.07.2026
CVE-2026-62328 9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints 13.07.2026
CVE-2026-52533 14.07.2026
CVE-2026-58411 ChurchCRM has Reflected Cross-Site Scripting (XSS) via unsanitized request parameter names and values 13.07.2026
CVE-2026-58500 MCP Appium: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI) 14.07.2026 8.2
CVE-2026-62239 FlashAttention Symlink Attack via tarfile.extractall in hopper/setup.py 14.07.2026
CVE-2026-62240 CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools 14.07.2026
CVE-2026-62242 Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration 14.07.2026
CVE-2026-15594 waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization 13.07.2026
CVE-2026-15595 SourceCodester Class and Exam Timetabling System forsubject.php cross site scripting 14.07.2026
CVE-2026-48363 ColdFusion | Uncontrolled Search Path Element (CWE-427) 14.07.2026 8.2
CVE-2026-48364 ColdFusion | Uncontrolled Search Path Element (CWE-427) 14.07.2026 8.2
CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload 14.07.2026 9.1
CVE-2026-58410 ChurchCRM: Improper object-level authorization allows low-privileged users to read and modify other families’ records 14.07.2026 7.1
CVE-2026-58407 13.07.2026
CVE-2026-58408 ChurchCRM : Broken Access Control in `CSVCreateFile.php` Allows Low-Privileged Users to Export All Members' PII 14.07.2026 6.5