CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile 15.07.2026 9.9
CVE-2026-50148 Metabase: Remote Code Execution via Snowflake JDBC Driver Arbitrary File Write 15.07.2026 10
CVE-2026-42533 NGINX Map directive and Regex matching vulnerability 15.07.2026 9.2
CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests 15.07.2026 9.3
CVE-2026-61740 LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection 15.07.2026 9.3
CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation 15.07.2026 9
CVE-2026-56699 Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index 15.07.2026 10
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url 15.07.2026 9.4
CVE-2026-13385 15.07.2026 9.5
CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass 15.07.2026 9.1
CVE-2026-48334 Illustrator | Improper Input Validation (CWE-20) 15.07.2026 9.3
CVE-2026-48284 ColdFusion | Improper Input Validation (CWE-20) 15.07.2026 9.6
CVE-2026-48318 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.9
CVE-2026-48319 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.1
CVE-2026-48321 ColdFusion | Incorrect Authorization (CWE-863) 15.07.2026 9.3
CVE-2026-48322 ColdFusion | Improper Control of Generation of Code ('Code Injection') (CWE-94) 15.07.2026 9.6
CVE-2026-48324 ColdFusion | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) 15.07.2026 9.1
CVE-2026-48325 ColdFusion | Missing Authentication for Critical Function (CWE-306) 15.07.2026 9.3
CVE-2026-48327 ColdFusion | Incorrect Authorization (CWE-863) 15.07.2026 9
CVE-2026-15643 AWS HealthLake MCP Server SSRF via Pagination URL 15.07.2026 9.2
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory 15.07.2026 9.1
CVE-2026-13001 Podlove Podcast Publisher <= 4.5.1 - Unauthenticated Arbitrary File Upload via podlove_image_cache_url Parameter 14.07.2026 9.8
CVE-2026-47428 Vitest browser mode serves unsanitized otelCarrier query parameter as inline script 15.07.2026 9.6
CVE-2026-48356 Adobe Commerce | Unrestricted Upload of File with Dangerous Type (CWE-434) 15.07.2026 9.6
CVE-2026-48358 Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116) 15.07.2026 9.1
CVE-2026-53633 Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE 14.07.2026 9.8
CVE-2026-47429 Vitest: Arbitrary file can be read and executed when Vitest UI server is listening 14.07.2026 9.8
CVE-2026-48259 Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918) 15.07.2026 9.6
CVE-2026-48359 Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) 15.07.2026 9.6
CVE-2026-45063 Symfony: Identity Spoofing via Unanchored DN Regex in X509Authenticator 14.07.2026 9.1
CVE-2026-50380 Windows GDI+ Remote Code Execution Vulnerability 15.07.2026 9.6
CVE-2026-50447 Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability 15.07.2026 9.8
CVE-2026-50518 Windows DHCP Server Remote Code Execution Vulnerability 15.07.2026 9.8
CVE-2026-55010 Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability 14.07.2026 9.8
CVE-2026-55040 Microsoft SharePoint Server Security Feature Bypass Vulnerability 15.07.2026 9.1
CVE-2026-55944 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability 14.07.2026 9.8
CVE-2026-56159 DHCP Server Service Remote Code Execution Vulnerability 15.07.2026 9.8
CVE-2026-56188 Windows Server Network driver Remote Code Execution Vulnerability 14.07.2026 9.8
CVE-2026-56190 Remote Desktop Protocol Remote Code Execution Vulnerability 15.07.2026 9.8
CVE-2026-57092 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability 14.07.2026 9.9
CVE-2026-42990 SQL Server ODBC driver Elevation of Privilege Vulnerability 14.07.2026 9.8
CVE-2026-48561 Microsoft Copilot Remote Code Execution Vulnerability 15.07.2026 9.6
CVE-2026-49172 Windows FTP Service Remote Code Execution Vulnerability 14.07.2026 9.8
CVE-2026-49798 Windows Kernel Elevation of Privilege Vulnerability 15.07.2026 9.3
CVE-2026-50522 Microsoft SharePoint Remote Code Execution Vulnerability 15.07.2026 9.8
CVE-2026-54990 Remote Desktop Client Remote Code Execution Vulnerability 15.07.2026 9.8
CVE-2026-55008 Microsoft Exchange Server Spoofing Vulnerability 15.07.2026 9.6
CVE-2026-58644 Microsoft SharePoint Remote Code Execution Vulnerability 14.07.2026 9.8
CVE-2026-59891 Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry 14.07.2026 9.6
CVE-2026-15701 Totolink NR1800X lighttpd formLogout.htm Form_Logout stack-based overflow 15.07.2026 9.3
CVE-2025-11698 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover 15.07.2026 9.1
CVE-2025-12011 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2025-12012 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-15265 Tenable Agent Path Traversal Leading to Remote Code Execution 14.07.2026 9.3
CVE-2026-58479 Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection 14.07.2026 9.2
CVE-2026-10577 Rockwell Automation 1715 Redundant IO – Access Control Vulnerability 14.07.2026 10
CVE-2026-62422 15.07.2026 10
CVE-2026-56451 14.07.2026 10
CVE-2026-15183 Input Validation Vulnerabilities in Snowflake Spark Connector 14.07.2026 9.2
CVE-2026-57898 14.07.2026 9
CVE-2026-27690 HTTP Request Smuggling in SAP Approuter 14.07.2026 9.1
CVE-2026-44747 Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP 15.07.2026 9.9
CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud 15.07.2026 9.1
CVE-2026-59801 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers 14.07.2026 9.3
CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats 14.07.2026 9.3
CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload 14.07.2026 9.1
CVE-2026-6875 Sandbox Escape in ServiceNow AI Platform 14.07.2026 9.5
CVE-2026-61462 mcp-gitlab Path Traversal via job_id Parameter 13.07.2026 9.2
CVE-2026-61500 Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key 15.07.2026 9.3
CVE-2026-60121 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php 13.07.2026 9.3
CVE-2026-61498 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php 14.07.2026 9.3
CVE-2026-6847 Unauthenticated Remote Code Execution in ThemisNETPanel 14.07.2026 9.3
CVE-2026-12257 Remote code execution in Mura Software’s CMS 13.07.2026 9.3
CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise 13.07.2026 9.4
CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application 13.07.2026 9.2
CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app 13.07.2026 9.5
CVE-2026-22095 Command injection in diagnosis web endpoint 13.07.2026 9.3
CVE-2026-22096 Missing authentication for webserver endpoints 13.07.2026 9.3
CVE-2026-22097 Missing firmware validation allows remote code execution 13.07.2026 9.3
CVE-2026-22098 Sensitive information is written to logs 13.07.2026 9.2
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality 13.07.2026 9.3
CVE-2026-22103 Command injection in NPC start web endpoint 13.07.2026 9.3
CVE-2026-57401 WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability 13.07.2026 9.9
CVE-2026-57702 WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57707 WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57710 WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability 13.07.2026 9.9
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57719 WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability 13.07.2026 10
CVE-2026-57724 WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57726 WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57738 WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57739 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57770 WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability 13.07.2026 10
CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability 13.07.2026 9.8
CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-14453 A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets 13.07.2026 9.6
CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface 13.07.2026 9.3
CVE-2026-15511 Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection 14.07.2026 9.3
CVE-2026-56271 Flowise - Weak Default JWT Secrets in Authentication Middleware 13.07.2026 9.3
CVE-2026-61876 LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting 14.07.2026 9.4
CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension 14.07.2026 9.3
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution 14.07.2026 9.4
CVE-2026-61447 PraisonAI before 1.6.78 Remote Code Execution via CodeAgent 13.07.2026 10
CVE-2026-57827 Joomla Extension - rsjoomla.com - Unauthenticated file upload in RSFiles component < 1.17.12 15.07.2026 10
CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3 15.07.2026 9
CVE-2026-20744 Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control 14.07.2026 9.3
CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server 15.07.2026 9.2
CVE-2026-55879 OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover 13.07.2026 9.3
CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow 13.07.2026 9.8
CVE-2026-57807 WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authentication vulnerability 13.07.2026 9.8
CVE-2026-61459 MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools 14.07.2026 9.3
CVE-2026-59151 Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover 13.07.2026 9.6
CVE-2026-5801 SQLi in Semtek Informatics' SEM-PMP 10.07.2026 9.8
CVE-2026-2397 SQLi in AdamPOS' MobilMen 20T 10.07.2026 9.8
CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation 10.07.2026 9.2
CVE-2026-15143 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 10.07.2026 9.3
CVE-2026-55500 9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover 10.07.2026 9.9
CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs 14.07.2026 9.2
CVE-2026-56765 Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR 10.07.2026 9.3
CVE-2026-59792 14.07.2026 9.6
CVE-2026-61444 PraisonAI before 4.6.78 Code Injection via f-string 10.07.2026 9.4
CVE-2026-56688 10.07.2026 9.1
CVE-2026-15378 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:) 14.07.2026 9.3
CVE-2026-41880 OS Command Injection in R-SOFT DMS 10.07.2026 9
CVE-2026-15282 Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload 14.07.2026 9.8
CVE-2026-15300 GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters 10.07.2026 9.1
CVE-2026-14894 Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value) 10.07.2026 9.8
CVE-2026-54760 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls 10.07.2026 9.3
CVE-2026-54769 Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent 10.07.2026 10
CVE-2026-55615 Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879 10.07.2026 9.2
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing 14.07.2026 9.3
CVE-2026-58123 Hermes WebUI < 0.51.788 Unauthenticated RCE via Terminal API 14.07.2026 9.3
CVE-2026-54003 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header 09.07.2026 9.1
CVE-2026-59726 Ruflo: Unauthenticated RCE in MCP bridge default docker-compose deployment 09.07.2026 10
CVE-2026-59826 Metabase: Arbitrary Code Execution via Database Connection Detail Bypass 10.07.2026 9.1
CVE-2026-59827 Metabase: Unsafe Deserialization of H2 Query Results 09.07.2026 9.9
CVE-2025-27462 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27463 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-27464 WinPVDrivers: Excessive permissions on user-exposed devices 09.07.2026 9.4
CVE-2025-58146 XAPI UTF-8 string handling 09.07.2026 9.4
CVE-2025-58151 varstored: TOCTOU issues with mapped guest memory 09.07.2026 9.4
CVE-2026-23556 oxenstored keeps quota related use counts across domain destruction 09.07.2026 9.4
CVE-2026-23559 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23560 Multiple RBAC issues in XAPI 09.07.2026 9.4
CVE-2026-23561 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-23562 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-42486 Multiple RBAC issues in XAPI 10.07.2026 9.4
CVE-2026-56292 Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1 10.07.2026 9.2
CVE-2026-56291 Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1 11.07.2026 10
CVE-2026-15158 Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter 09.07.2026 9.8
CVE-2026-2342 XSS in Oceanicsoft's ValeApp 09.07.2026 9.3
CVE-2026-5955 SQLi in Inrove Software's BiEticaret 09.07.2026 9.8
CVE-2026-14245 miniOrange OTP Login, Verification and SMS Notifications <= 5.5.1 - Authentication Bypass to Administrator Account Takeover via 'username_b' Parameter 09.07.2026 9.8
CVE-2026-47646 Dynamics 365 Customer Voice Spoofing Vulnerability 09.07.2026 9.3
CVE-2026-54782 CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation 10.07.2026 10
CVE-2026-44024 Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder 10.07.2026 9.8
CVE-2026-54527 JupyterLab Git: Stored XSS leading to RCE 09.07.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2026-45150 Zen Browser - Missing Fullscreen Security Notification Allows Origin Spoofing 15.07.2026
CVE-2026-50147 Metabase: Arbitrary File Read via MySQL Connection Property Injection 15.07.2026 7.6
CVE-2026-55242 ERPNext: Server-Side Template Injection (SSTI) in Batch autonaming via Stock Settings.naming_series_prefix 15.07.2026 8.8
CVE-2026-61371 15.07.2026
CVE-2026-61605 15.07.2026
CVE-2026-62683 File Browser: Trailing-slash delete leaves a stale public share behind 15.07.2026 3.1
CVE-2026-62685 File Browser: Colliding username normalization gives two users the same home directory 15.07.2026 8.1
CVE-2026-62843 File Browser: Archive builder turns backslash filenames into path traversal (zip-slip) 15.07.2026 6.8
CVE-2026-9007 Reflected XSS in HCL Notes 15.07.2026
CVE-2026-41580 Stirling-PDF: Reflected XSS through crafted PDF metadata fields (Title and Author) 15.07.2026 6.1
CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile 15.07.2026 9.9
CVE-2026-45805 Penpot: MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE 15.07.2026 8.8
CVE-2026-45806 Penpot: Authenticated SSRF in remote image import via create-file-media-object-from-url 15.07.2026 7.7
CVE-2026-46709 Tabby: Drag-and-drop path injection still allows RCE via shell command substitution (incomplete fix for CVE-2026-45038) 15.07.2026 7.8
CVE-2026-47158 Vaultwarden: CSRF in SSO Authorization Flow 15.07.2026 8.3
CVE-2026-47159 Vaultwarden: Authentication Flow Information Disclosure in SSO Discovery Allows Organization Enumeration and Pre-Validation Token Exposure 15.07.2026
CVE-2026-47160 Vaultwarden: Server-side request forgery (SSRF) via Icon Endpoint Decimal/Hex/Octal IP Bypass 15.07.2026 5.8
CVE-2026-47164 Vaultwarden: SSO Email Auto-Link Can Bind an Existing Local Account to an Attacker-Controlled IdP Identity 15.07.2026 7.7
CVE-2026-50148 Metabase: Remote Code Execution via Snowflake JDBC Driver Arbitrary File Write 15.07.2026 10
CVE-2026-60005 NGINX ngx_http_slice_module vulnerability 15.07.2026 8.2
CVE-2026-61828 nixos/mysql : `services.mysql` is configured with insecure authentication by default when used with `mysql` or `percona-server` 15.07.2026
CVE-2026-33213 Redash: Open redirect vulnerability in post-login redirect handling 15.07.2026 6.1
CVE-2026-42533 NGINX Map directive and Regex matching vulnerability 15.07.2026 8.1
CVE-2026-52865 NGINX Ingress Controller vulnerability 15.07.2026 6.5
CVE-2026-54560 Cloudreve: OAuth access tokens bypass scope enforcement due to missing client_id claim 15.07.2026 7.6
CVE-2026-54562 Cloudreve: Non-admin remote download users can SSRF loopback/internal services and read imported responses 15.07.2026 6.5
CVE-2026-54563 Cloudreve: Path Traversal / Broken Access Control in Cloudreve WebDAV (`/dav`) — scoped DAV credential escapes its configured account root 15.07.2026 7.1
CVE-2026-55723 NGINX Ingress Controller vulnerability 15.07.2026 8.3
CVE-2026-56434 NGINX ngx_http_ssi_module vulnerability 15.07.2026 6.5
CVE-2026-59762 BIG-IP HTTP/2 vulnerability 15.07.2026 7.5
CVE-2026-60062 NGINX Agent Vulnerability 15.07.2026 6.4
CVE-2026-60065 NGINX Plus ngx_stream_mqtt_filter_module vulnerability 15.07.2026 3.7
CVE-2026-61613 Cursor: Cloud Agent Browser Sandbox Escape 15.07.2026
CVE-2026-61644 FastGPT: /api/core/chat/record/getCollectionQuote can disclose cross-tenant dataset text due to an unbound initialId lookup 15.07.2026 7.7
CVE-2026-61646 FastGPT: Shared axios SSRF guard validates only the initial URL before following redirects 15.07.2026
CVE-2026-61684 FastGPT: Unauthenticated cross-tenant data access via forgeable plugin-invoke JWT (default INVOKE_TOKEN_SECRET='token') 15.07.2026
CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests 15.07.2026 9.3
CVE-2026-61740 LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection 15.07.2026
CVE-2026-61835 Directus: SSRF Protection Bypass via 0.0.0.0 in File Import 15.07.2026 7.7
CVE-2026-61836 Directus: Authorization-dependent response served from unsegmented cache key 15.07.2026 8.6
CVE-2026-62294 Flameshot: OCTOU symlink attack via predictable /tmp path in Flameshot "Open With" 15.07.2026
CVE-2026-43637 Cornac < 2.6.0 Path Traversal via _extract_archive() in download.py 15.07.2026
CVE-2026-59838 15.07.2026 5.3
CVE-2026-62175 15.07.2026
CVE-2026-15779 Samba-winbind: samba: pam_winbind mkhomedir chowns critical system paths without validation 15.07.2026
CVE-2026-15809 Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env 15.07.2026
CVE-2026-46458 Credential exposure in ICU Scandinavia Boomerang 15.07.2026
CVE-2026-46459 Missing Authorization in ICU Scandinavia Boomerang 15.07.2026
CVE-2026-58554 15.07.2026 6.6
CVE-2026-58556 15.07.2026 5.1
CVE-2026-58557 15.07.2026 4.8
CVE-2026-58558 15.07.2026 7.8
CVE-2026-58559 15.07.2026 6.5
CVE-2026-58549 15.07.2026 4
CVE-2026-58550 15.07.2026 4
CVE-2026-58551 15.07.2026 5.1
CVE-2026-58552 15.07.2026 5.1
CVE-2026-58553 15.07.2026 4
CVE-2026-58555 15.07.2026 6.6
CVE-2026-56339 Capgo - Unauthenticated Organization Existence Enumeration via rescind_invitation RPC 15.07.2026
CVE-2026-56349 n8n - Guardrail Node Bypass via Crafted Input 15.07.2026
CVE-2026-56352 n8n - Arbitrary File Read and Execution via ExecuteWorkflow localFile Parameter 15.07.2026
CVE-2026-56353 n8n - Authentication Bypass in Chat Trigger Node 15.07.2026
CVE-2026-56375 ImageMagick - Memory Leak in ASHLAR Coder Action Failure 15.07.2026
CVE-2026-56398 Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI 15.07.2026
CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation 15.07.2026
CVE-2026-56699 Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index 15.07.2026
CVE-2026-56764 Hono - Timing Attack in basicAuth and bearerAuth Middleware 15.07.2026
CVE-2026-57996 phpMyFAQ - Privilege Escalation via Missing SuperAdmin Guard in user/add Endpoint 15.07.2026
CVE-2026-58655 Grav Flex Objects - Server-Side Template Injection via Dynamic Titles 15.07.2026
CVE-2026-59254 n8n - External Secrets Disclosure via Workflow Node Expressions 15.07.2026
CVE-2026-59259 n8n - Permission Bypass via Expression Parser Mismatch in External Secrets 15.07.2026
CVE-2026-60085 PraisonAI before 4.6.78 Unenforced Security Policy in Subprocess Sandbox 15.07.2026
CVE-2026-60087 PraisonAI before 1.6.78 Tool Approval Cache Bypass 15.07.2026
CVE-2026-61427 PraisonAI before 4.6.78 Authentication Bypass via HTTP-stream 15.07.2026
CVE-2026-61430 PraisonAI before 1.6.78 DNS Rebinding SSRF via web_crawl 15.07.2026
CVE-2026-61433 PraisonAI before 4.6.78 Code Injection via API deployment generator 15.07.2026
CVE-2026-61435 PraisonAI before 4.6.78 Authentication Bypass via Host Header Spoofing 15.07.2026
CVE-2026-61436 PraisonAI before 4.6.78 Missing Webhook Signature Verification 15.07.2026
CVE-2026-61438 PraisonAI before 4.6.78 Remote Code Execution via Broken AST Sandbox 15.07.2026
CVE-2026-61440 PraisonAI Platform before 0.1.9 Authorization Bypass via Label Endpoints 15.07.2026
CVE-2026-61443 PraisonAI before 1.6.78 Remote Code Execution via SkillTools 15.07.2026
CVE-2026-61446 PraisonAI before 1.6.78 Remote Code Execution via Plugin Auto-Discovery 15.07.2026
CVE-2026-61449 Grav before 2.0.2 Decompression Bomb via Forged ZIP Size 15.07.2026
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url 15.07.2026
CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens 15.07.2026
CVE-2026-61453 Grav before 2.0.1 XSS via Twig String Concatenation 15.07.2026
CVE-2026-61457 Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass 15.07.2026
CVE-2026-61464 ImageMagick before 7.1.2-26 Heap Buffer Over-Write via X11 15.07.2026
CVE-2026-61859 ImageMagick before 7.1.2-26 Policy Bypass via script operation 15.07.2026
CVE-2026-61860 ImageMagick before 7.1.2-26 Use-After-Free via freetype 15.07.2026
CVE-2026-61862 ImageMagick before 7.1.2-26 Information Disclosure via identify 15.07.2026
CVE-2026-61863 ImageMagick before 7.1.2-26 Memory Leak in TIFF Encoder 15.07.2026
CVE-2026-61864 ImageMagick before 7.1.2-26 Memory Leak in Log Colorspace 15.07.2026
CVE-2026-61865 ImageMagick before 7.1.2-26 Memory Leak in Hough Lines 15.07.2026
CVE-2026-61866 ImageMagick before 7.1.2-26 Memory Leak in JNG encoder 15.07.2026
CVE-2026-61867 ImageMagick before 7.1.2-26 Memory Leak in TIFF Encoder 15.07.2026
CVE-2026-61868 ImageMagick before 7.1.2-26 Memory Leak in YUV Decoder 15.07.2026
CVE-2026-61869 ImageMagick before 7.1.2-26 Memory Leak in MIFF Encoder 15.07.2026
CVE-2026-61871 ImageMagick before 7.1.2-26 Memory Leak in ICON decoder 15.07.2026
CVE-2026-61872 ImageMagick before 7.1.2-26 Memory Leak via TIFF Encoder 15.07.2026
CVE-2026-61873 Grav before 9.1.8 Arbitrary File Write via Twig-Processed Filename 15.07.2026
CVE-2026-59236 Authorization bypass in Prospero Flow CRM Excel import allows cross-tenant record injection 15.07.2026
CVE-2026-40633 15.07.2026 7.8
CVE-2026-59235 Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts 15.07.2026
CVE-2026-35152 Apache Fineract: SQL injection in runreports endpoint 15.07.2026
CVE-2026-49501 15.07.2026 6.7
CVE-2026-56287 Apache Fineract: Boolean SQL Injection in Client Search API (orderBy parameter) leading to Local File Disclosure 15.07.2026
CVE-2026-57821 Apache Fineract: Office list: SQL Injection via Subquery in orderBy 15.07.2026
CVE-2026-8281 15.07.2026
CVE-2026-57833 Joomla Extension - weeblr.com - Unauthenticated stored XSS in 4Analytics < 5.0.2 15.07.2026
CVE-2026-58077 Joomla Extension - weeblr.com - Unauthenticated stored XSS in 4Analytics < 5.0.2 15.07.2026
CVE-2026-57831 Joomla Extension - digital-peak.com - Unauthenticated blind SQL injection in DP Calendar 8.18.0 - 10.11.2 15.07.2026
CVE-2026-57832 Joomla Extension - joomdonation.com - Unauthenticated blind SQL injection in EDocman < 3.9 15.07.2026
CVE-2026-14251 Gitops-operator: gitops-operator: missing allowednamespace check in reconcilerhook for clusterrole/role cases enables potential privilege escalation and dos 15.07.2026
CVE-2026-15583 SSRF (confused deputy) in Grafana MCP Server via X-Grafana-URL header 15.07.2026 8.6
CVE-2026-15804 MetaGuru|HCM - SQL Injection 15.07.2026
CVE-2026-11579 Kali Forms < 2.4.17 - Unauthenticated Media Upload 15.07.2026
CVE-2026-11580 Kali Forms < 2.4.17 - Contributor+ Arbitrary Post Metadata Disclosure via IDOR 15.07.2026
CVE-2026-12281 Shibboleth < 2.5.4 - Unauthenticated Administrator Account Creation via Identity Header Spoofing 15.07.2026
CVE-2026-12512 Quotes Llama < 3.1.6 - Unauthenticated SQL Injection via sc Parameter 15.07.2026
CVE-2026-42936 15.07.2026
CVE-2026-11851 15.07.2026
CVE-2026-13385 15.07.2026
CVE-2026-13585 15.07.2026
CVE-2026-15029 15.07.2026
CVE-2026-15030 15.07.2026
CVE-2026-8919 15.07.2026
CVE-2026-8920 15.07.2026
CVE-2026-13230 Information Disclosure Vulnerability in Local Discovery Response in TP-Link Kasa EC70 and EC71 15.07.2026
CVE-2026-9770 Hardcoded Cryptographic Key Information Disclosure Vulnerability on TP-Link Kasa EC70 and EC71 15.07.2026
CVE-2026-15753 zhinianboke xianyu-auto-reply review approve trusting http permission methods on the server side 14.07.2026
CVE-2026-36035 15.07.2026
CVE-2026-51807 15.07.2026
CVE-2026-51808 15.07.2026
CVE-2026-5269 Navigator NCS and MCP System Accounts with Default Passwords 15.07.2026
CVE-2026-5270 Authentication Bypass in Navigator and Blue Planet Products 15.07.2026
CVE-2025-56362 15.07.2026
CVE-2025-56363 15.07.2026
CVE-2025-56364 15.07.2026
CVE-2025-56365 15.07.2026
CVE-2026-15751 mastergo-design mastergo-magic-mcp mcp__getComponentGenerator component-workflow.md execute path traversal 15.07.2026
CVE-2026-15752 zhinianboke xianyu-auto-reply Backend User Endpoint users authorization 15.07.2026
CVE-2026-21840 HCL BigFix Platform is affected by a user enumeration vulnerability 15.07.2026 3.1
CVE-2026-42049 jadx: RCE Via Groovy Code Injection in Gradle Export 15.07.2026
CVE-2026-42447 jadx: HTML Injection in Summary panel 14.07.2026 3.6
CVE-2026-50130 Pi-hole: Local privilege escalation from `pihole` user to root via `/etc/pihole/logrotate` 15.07.2026 8.8
CVE-2026-54572 rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untrusted remote 15.07.2026 7.5
CVE-2026-54684 jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run 15.07.2026 7
CVE-2026-59732 rclone archive extract allows S3 destination prefix escape via crafted archive paths 14.07.2026 5
CVE-2026-59733 rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an authenticated user read, overwrite and delete other users' repositories 15.07.2026 8.8
CVE-2025-56361 15.07.2026
CVE-2026-15750 mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string server-side request forgery 15.07.2026
CVE-2026-38450 15.07.2026
CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass 15.07.2026 9.1
CVE-2026-46627 Twig: Sandbox resource exhaustion via unbounded `for` / `range()` 14.07.2026
CVE-2026-46628 Twig: The `spaceless` filter implicitly marks its output as safe 15.07.2026
CVE-2026-46629 Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments 15.07.2026
CVE-2026-46633 Twig: PHP code injection via `{% use %}` template name 15.07.2026
CVE-2026-46634 Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name 14.07.2026
CVE-2026-46635 Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) 15.07.2026
CVE-2026-46637 Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` 14.07.2026
CVE-2026-46638 Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) 15.07.2026
CVE-2026-46639 Twig: Sandbox property and method bypass via object-destructuring assignment 15.07.2026
CVE-2026-46640 Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation 15.07.2026
CVE-2026-47730 Twig: XSS in profiler HtmlDumper via unescaped template and profile names 14.07.2026
CVE-2026-47732 Twig Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points 15.07.2026
CVE-2026-48275 Illustrator | Untrusted Search Path (CWE-426) 15.07.2026 8.6
CVE-2026-48287 CAI Content Credentials | Untrusted Search Path (CWE-426) 14.07.2026 7.4
CVE-2026-48290 CAI Content Credentials | Server-Side Request Forgery (SSRF) (CWE-918) 14.07.2026 8.2
CVE-2026-48295 CAI Content Credentials | Insufficiently Protected Credentials (CWE-522) 14.07.2026 7.5
CVE-2026-48296 CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191) 14.07.2026 6.2
CVE-2026-48298 CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191) 14.07.2026 6.2
CVE-2026-48302 CAI Content Credentials | Improper Input Validation (CWE-20) 14.07.2026 6.2
CVE-2026-48312 CAI Content Credentials | Improper Input Validation (CWE-20) 14.07.2026 6.8
CVE-2026-48334 Illustrator | Improper Input Validation (CWE-20) 15.07.2026 9.3
CVE-2026-48335 Illustrator | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48336 Illustrator | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48337 Illustrator | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48351 CAI Content Credentials | Improper Input Validation (CWE-20) 14.07.2026 7.5
CVE-2026-48352 CAI Content Credentials | Improper Input Validation (CWE-20) 14.07.2026 7.5
CVE-2026-48353 CAI Content Credentials | Improper Input Validation (CWE-20) 14.07.2026 5.5
CVE-2026-48354 CAI Content Credentials | Integer Overflow or Wraparound (CWE-190) 14.07.2026 6.2
CVE-2026-48357 CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400) 14.07.2026 6.2
CVE-2026-48805 Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` 14.07.2026
CVE-2026-48806 Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys 15.07.2026
CVE-2026-48807 Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters 15.07.2026
CVE-2026-48808 Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` 15.07.2026
CVE-2026-49981 Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template` 14.07.2026
CVE-2026-15749 mastergo-design mastergo-magic-mcp mcp__C2d get-c2d.ts execute path traversal 15.07.2026
CVE-2026-46644 symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence 15.07.2026
CVE-2026-48125 UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` 15.07.2026 5.3
CVE-2026-48284 ColdFusion | Improper Input Validation (CWE-20) 15.07.2026 9.6
CVE-2026-48318 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.9
CVE-2026-48319 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.1
CVE-2026-48320 ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79) 15.07.2026 8.5
CVE-2026-48321 ColdFusion | Incorrect Authorization (CWE-863) 15.07.2026 9.3
CVE-2026-48322 ColdFusion | Improper Control of Generation of Code ('Code Injection') (CWE-94) 15.07.2026 9.6
CVE-2026-48324 ColdFusion | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) 15.07.2026 9.1
CVE-2026-48325 ColdFusion | Missing Authentication for Critical Function (CWE-306) 15.07.2026 9.3
CVE-2026-48327 ColdFusion | Incorrect Authorization (CWE-863) 15.07.2026 9
CVE-2026-48328 ColdFusion | Improper Input Validation (CWE-20) 15.07.2026 7.7
CVE-2026-48329 ColdFusion | Insufficient Session Expiration (CWE-613) 15.07.2026 2.7
CVE-2026-48332 ColdFusion | Server-Side Request Forgery (SSRF) (CWE-918) 14.07.2026 7.7
CVE-2026-48338 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 14.07.2026 6.8
CVE-2026-49476 Soup Sieve: Memory Exhaustion via Large Comma-Separated Selector Lists in soupsieve 15.07.2026 7.5
CVE-2026-49477 Soup Sieve: Regular Expression Denial of Service (ReDoS) in soupsieve Selector Parser 14.07.2026 7.5
CVE-2026-52100 15.07.2026
CVE-2026-52101 15.07.2026
CVE-2026-48311 Bridge | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48339 Bridge | Heap-based Buffer Overflow (CWE-122) 15.07.2026 7.8
CVE-2026-48340 Bridge | Untrusted Pointer Dereference (CWE-822) 15.07.2026 7.8
CVE-2026-48341 Bridge | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48342 Bridge | Integer Overflow or Wraparound (CWE-190) 15.07.2026 7.8
CVE-2026-48343 Bridge | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48758 sigstore-js: DSSE payloadType type-binding failure 15.07.2026 5.4
CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced 15.07.2026 7.5
CVE-2026-48816 sigstore-js: Insufficient Verification of Data Authenticity 15.07.2026 6.5
CVE-2026-49853 Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient 14.07.2026 7.7
CVE-2026-49854 Tornado: Out-of-bounds memory access in C extension 15.07.2026 5.3
CVE-2026-49855 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb) 14.07.2026 7.5
CVE-2026-15643 AWS HealthLake MCP Server SSRF via Pagination URL 15.07.2026
CVE-2026-15738 Cross-namespace traffic interception via incorrect route precedence ordering in AWS Load Balancer Controller 15.07.2026
CVE-2026-15764 15.07.2026
CVE-2026-15765 15.07.2026
CVE-2026-15766 14.07.2026
CVE-2026-15767 15.07.2026
CVE-2026-15768 15.07.2026
CVE-2026-15769 14.07.2026
CVE-2026-15770 14.07.2026
CVE-2026-15771 14.07.2026
CVE-2026-15772 14.07.2026
CVE-2026-15773 14.07.2026
CVE-2026-15774 14.07.2026
CVE-2026-15775 15.07.2026
CVE-2026-15776 15.07.2026
CVE-2026-15777 15.07.2026
CVE-2026-15778 15.07.2026
CVE-2026-24220 15.07.2026 6.4
CVE-2026-24226 15.07.2026 6.3
CVE-2026-24227 15.07.2026 5.3
CVE-2026-24229 15.07.2026 7.3
CVE-2026-24233 15.07.2026 8.4
CVE-2026-24234 15.07.2026 6.8
CVE-2026-24238 15.07.2026 7.8
CVE-2026-24259 15.07.2026 6.4
CVE-2026-24268 15.07.2026 7.8
CVE-2026-24271 15.07.2026 6.2
CVE-2026-24272 15.07.2026 7.8
CVE-2026-47470 15.07.2026 6.2
CVE-2026-47471 15.07.2026 7.5
CVE-2026-47472 15.07.2026 7.8
CVE-2026-47473 15.07.2026 7.4
CVE-2026-47475 15.07.2026 6.2
CVE-2026-47971 Media Encoder | Stack-based Buffer Overflow (CWE-121) 15.07.2026 7.8
CVE-2026-47976 Media Encoder | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-47979 Media Encoder | Out-of-bounds Read (CWE-125) 15.07.2026 5.5
CVE-2026-48269 Premiere Pro | Heap-based Buffer Overflow (CWE-122) 15.07.2026 7.8
CVE-2026-48270 Premiere Pro | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48272 Creative Cloud Desktop | Uncontrolled Search Path Element (CWE-427) 15.07.2026 7.8
CVE-2026-48274 After Effects | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48308 Premiere Pro | Improper Input Validation (CWE-20) 14.07.2026 5.9
CVE-2026-48344 GoCart | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) 15.07.2026 7.8
CVE-2026-48366 Media Encoder | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48367 After Effects | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48369 Premiere Pro | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48370 Media Encoder | Out-of-bounds Write (CWE-787) 15.07.2026 7.8
CVE-2026-48801 linkify-it: Quadratic algorithmic complexity in LinkifyIt#match scan loop 15.07.2026
CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks 15.07.2026 6.1
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM 15.07.2026 6.1
CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content 14.07.2026
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory 15.07.2026 9.1
CVE-2026-59889 jackson-databind: @JsonView ypassed for @JsonUnwrapped container properties on deserialization 14.07.2026 6.5
CVE-2026-61520 Simple Machines Forum SSRF via image proxy 15.07.2026
CVE-2026-15409 15.07.2026
CVE-2026-15410 15.07.2026
CVE-2026-15709 Soupwebsocketextensiondeflate: libsoup: libsoup: websocket permessage-deflate unbounded decompression remote denial of service 15.07.2026
CVE-2026-15711 Libsoup: soupwebsocketconnection: libsoup: websocket remote denial of service via oversized control frame protocol violation 15.07.2026
CVE-2026-15713 Libsoup: soupcache: libsoup: http/2 frame window exhaustion remote denial of service via memory leak 15.07.2026
CVE-2026-15714 Libsoup: soupmultipartinputstream: libsoup: out-of-bounds read in soup_multipart_input_stream_read_headers via an oversized multipart boundary string 15.07.2026
CVE-2026-47423 DOMPurify XSS via `selectedcontent` re-clone 14.07.2026 8.2
CVE-2026-47476 15.07.2026 7.5
CVE-2026-47477 15.07.2026 7.5
CVE-2026-47478 15.07.2026 7.5
CVE-2026-47479 15.07.2026 7.5
CVE-2026-47480 15.07.2026 7.5
CVE-2026-47481 15.07.2026 6.5
CVE-2026-47482 15.07.2026 7.5
CVE-2026-47736 Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion 15.07.2026 7.5
CVE-2026-47737 Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections 15.07.2026 7.5
CVE-2026-47984 Adobe Commerce | Incorrect Authorization (CWE-863) 15.07.2026 8.2
CVE-2026-47988 Adobe Commerce | Incorrect Authorization (CWE-863) 15.07.2026 8.6
CVE-2026-47992 Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) 15.07.2026 7.2
CVE-2026-47994 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 14.07.2026 8.7
CVE-2026-47995 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 15.07.2026 8.1
CVE-2026-47996 Adobe Commerce | Incorrect Authorization (CWE-863) 15.07.2026 7.6
CVE-2026-47997 Adobe Commerce | Incorrect Authorization (CWE-863) 15.07.2026 5.9
CVE-2026-47998 Adobe Commerce | Incorrect Authorization (CWE-863) 15.07.2026 5.9
CVE-2026-47999 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 14.07.2026 4.8
CVE-2026-48000 Adobe Commerce | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) 14.07.2026 4.3
CVE-2026-48001 Adobe Commerce | Information Exposure (CWE-200) 15.07.2026 3.7
CVE-2026-48068 @grpc/grps-js: A malformed request can cause a server crash 14.07.2026 7.5
CVE-2026-48069 @grpc/grps-js: An incoming malformed compressed message can cause a client or server crash 15.07.2026 7.5
CVE-2026-48345 Animate | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) 15.07.2026 8.2
CVE-2026-48346 Animate | Untrusted Search Path (CWE-426) 15.07.2026 7.9
CVE-2026-48347 Animate | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) 15.07.2026 7.7
CVE-2026-48348 Animate | Incorrect Authorization (CWE-863) 15.07.2026 7.7
CVE-2026-48349 Animate | Incorrect Authorization (CWE-863) 15.07.2026 8.1
CVE-2026-48350 Animate | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 8.6
CVE-2026-48356 Adobe Commerce | Unrestricted Upload of File with Dangerous Type (CWE-434) 15.07.2026 9.6
CVE-2026-48358 Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116) 15.07.2026 9.1
CVE-2026-48371 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 15.07.2026 5.4
CVE-2026-50528 .NET Security Feature Bypass Vulnerability 15.07.2026 8.2
CVE-2026-50646 .NET Framework Remote Code Execution Vulnerability 15.07.2026 7.8
CVE-2026-50651 .NET Denial of Service Vulnerability 14.07.2026 7.5
CVE-2026-50659 .NET Spoofing Vulnerability 14.07.2026 6.5