CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-9323 Insecure PRNG and Information Exposure in urwid Web Display Backend 18.07.2026 9.2
CVE-2024-58366 SurrealDB before 1.1.1 Format String via Scripting Functions 18.07.2026 9
CVE-2025-71392 SurrealDB before 2.2.2 SurrealQL Injection via export 18.07.2026 9.4
CVE-2026-16117 @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters 18.07.2026 10
CVE-2026-47865 VMware Avi Load Balancer Authentication Bypass Vulnerability 18.07.2026 9.8
CVE-2026-13446 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints 17.07.2026 9.8
CVE-2026-48062 CodeIgniter: Uploaded file extension validation bypass in `ext_in` rule 17.07.2026 9.8
CVE-2026-54159 ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE 17.07.2026 10
CVE-2026-54466 websocket-driver: Message corruption via abuse of protocol length headers 17.07.2026 9.2
CVE-2026-55518 Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation 17.07.2026 9.6
CVE-2026-15091 Multiple Vulnerabilities in IBM Engineering AI hub. 17.07.2026 9.3
CVE-2026-63030 WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution 18.07.2026 9.8
CVE-2026-8476 Disk Cache Deserialization Remote Code Execution Vulnerability 17.07.2026 9.9
CVE-2026-8481 Remote Code Execution via Code Validation Endpoint 17.07.2026 9.9
CVE-2026-8505 Authentication Bypass in Webhook Endpoints Allowed Unauthorized Flow Execution 17.07.2026 9.8
CVE-2026-8635 Arbitrary Code Execution in Python Interpreter Component 17.07.2026 9.9
CVE-2026-8859 Path Traversal in APIRequest Component via Content-Disposition Header 17.07.2026 9.9
CVE-2026-9103 Unauthenticated Superuser Token Issuance via Auto-Login Endpoint 17.07.2026 9.8
CVE-2026-9135 Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation 17.07.2026 9.9
CVE-2026-9198 Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation 18.07.2026 9.8
CVE-2026-9202 Unauthenticated User Registration Could Lead to Remote Code Execution 18.07.2026 9.8
CVE-2026-12693 IDOR in Vimesoft's Enterprise Video Platform 17.07.2026 9.4
CVE-2026-12694 Missing Authorization in Vimesoft's Enterprise Video Platform 17.07.2026 9.1
CVE-2026-54496 Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness 17.07.2026 9.3
CVE-2026-12692 Improper Authentication in Vimesoft's Enterprise Video Platform 17.07.2026 9.8
CVE-2026-8297 SQLi in GIS Informatics' GisLab Laboratory Management System 17.07.2026 9.8
CVE-2026-9586 Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB 17.07.2026 9.3
CVE-2024-23564 17.07.2026 9.1
CVE-2026-15982 Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function' 17.07.2026 9.8
CVE-2026-14956 Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter 17.07.2026 9.8
CVE-2026-62232 Grav < 2.0.4 2FA Bypass via Secret Regeneration 17.07.2026 9.1
CVE-2026-62241 clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery 17.07.2026 9.3
CVE-2026-44181 Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection results in Remote Code Execution 17.07.2026 10
CVE-2026-44182 Jupyter Enterprise Gateway Has Kubernetes Manifest Injection via Jinja2 Template Rendering 17.07.2026 10
CVE-2026-44180 Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids can be Bypassed 17.07.2026 9.8
CVE-2026-53412 Zoom Workplace VDI Plugin for Windows - Improper Input Validation 17.07.2026 9.8
CVE-2026-15422 SCTP needs to better-check INIT ACK chunk parameters 17.07.2026 9.1
CVE-2026-63089 WireGuard Easy Weak Token Generation Information Disclosure via OTL Route 18.07.2026 9
CVE-2026-46512 Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping 18.07.2026 9.9
CVE-2026-46515 Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution 16.07.2026 9.3
CVE-2026-45336 HireFlow: Use of Hard-coded Credentials 17.07.2026 10
CVE-2026-45568 zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths 17.07.2026 9.9
CVE-2026-44632 Yamcs: Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory` 16.07.2026 9.1
CVE-2026-46562 Yamcs: Remote Code Execution via Mission Database algorithm override 16.07.2026 9.8
CVE-2026-46621 Yamcs: Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection 16.07.2026 9.1
CVE-2026-63087 Grafana OnCall 1.16.11 Unauthenticated Token Hijack via Plugin Install Endpoint 17.07.2026 9.3
CVE-2026-45695 Kopia: Unauthenticated RCE via SSH ProxyCommand Injection when --insecure --without-password is used 16.07.2026 9.8
CVE-2026-54733 moodle-local_o365: Authentication bypass via unverified JWT signature in Teams SSO endpoint 16.07.2026 9.3
CVE-2026-59864 Kiota: Path/URL injection into generated Copilot plugin manifest via x-ai-* extensions 17.07.2026 9.3
CVE-2026-59865 Kiota: Command injection via x-ms-kiota-info dependencyInstallCommand surfaced by `kiota info` 17.07.2026 9.3
CVE-2026-59866 Kiota: Arbitrary file write + code-injection via x-ms-kiota-info clientClassName and clientNamespaceName 17.07.2026 9.3
CVE-2026-11386 ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injection and Remote Code Execution 16.07.2026 9
CVE-2026-63304 AVideo through 29.0 OS Command Injection via listFFmpegProcesses 16.07.2026 9.2
CVE-2026-63305 AVideo through 29.0 OS Command Injection via ffmpeg.json.php 17.07.2026 9.2
CVE-2026-63306 stoatchat before 0.13.5 Unauthenticated SSRF via proxy and embed endpoints 16.07.2026 9.2
CVE-2023-49899 Origin Validation Error in X-Rite MA-T6 18.07.2026 9.8
CVE-2023-49900 Origin Validation Error in X-Rite MA-T6 16.07.2026 9.8
CVE-2026-22752 Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata 16.07.2026 9.6
CVE-2026-15925 Improper TLS Hostname Verification in Snowflake Connector for Python 16.07.2026 9.2
CVE-2026-15013 SAML Single Sign On <= 5.4.3 - Unauthenticated Authentication Bypass via 'SAMLResponse' Parameter Signature Algorithm Confusion 16.07.2026 9.8
CVE-2026-54458 AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin 16.07.2026 9.6
CVE-2026-55445 Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication 18.07.2026 9.3
CVE-2026-52891 Wekan: Shell Injection via Avatar Upload 17.07.2026 9.9
CVE-2026-52893 Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook 18.07.2026 9.2
CVE-2026-55652 Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unauthenticated full account takeover (incl. admin) 17.07.2026 9.8
CVE-2026-46339 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes 16.07.2026 10
CVE-2026-49352 9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass 16.07.2026 9.8
CVE-2026-54052 n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments 18.07.2026 9.9
CVE-2026-52887 NocoBase: SQL injection in /api/myInAppChannels:list filter to PG-superuser RCE 15.07.2026 10
CVE-2026-45534 DataEase: RCE Vulnerability 16.07.2026 9
CVE-2026-46684 DataEase: Unauthorized Command Execution Vulnerability 17.07.2026 9.5
CVE-2026-49445 Cilium: Sensitive information disclosure and cluster disruption via local Envoy admin socket access 16.07.2026 9.2
CVE-2026-46421 Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) 15.07.2026 9.3
CVE-2026-62948 OpenWrt odhcpd/LuCI: unauthenticated DHCPv6 client can inject lease-file lines via FQDN hostname → stored XSS in the LuCI admin UI 15.07.2026 9.6
CVE-2026-50562 FastGPT: Untrusted PR artifacts are pushed and deployed by privileged preview workflows 15.07.2026 9.3
CVE-2026-53512 Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins 18.07.2026 9.1
CVE-2026-53513 Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration 15.07.2026 9.6
CVE-2026-62378 RustFS Console: Critical Stored XSS in Preview Modal leading to Administrative Account Takeover 16.07.2026 9
CVE-2026-52842 Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-Origin Policy bypass 15.07.2026 9.3
CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode 15.07.2026 9.3
CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile 15.07.2026 9.9
CVE-2026-50148 Metabase: Remote Code Execution via Snowflake JDBC Driver Arbitrary File Write 15.07.2026 10
CVE-2026-42533 NGINX Map directive and Regex matching vulnerability 16.07.2026 9.2
CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests 15.07.2026 9.3
CVE-2026-61740 LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection 15.07.2026 9.3
CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation 15.07.2026 9
CVE-2026-56699 Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index 15.07.2026 10
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url 15.07.2026 9.4
CVE-2026-13385 16.07.2026 9.5
CVE-2026-45363 `jwt` (Ruby gem) - empty-key HMAC bypass 15.07.2026 9.1
CVE-2026-48334 Illustrator | Improper Input Validation (CWE-20) 15.07.2026 9.3
CVE-2026-48284 ColdFusion | Improper Input Validation (CWE-20) 15.07.2026 9.6
CVE-2026-48318 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.9
CVE-2026-48319 ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 15.07.2026 9.1
CVE-2026-48321 ColdFusion | Incorrect Authorization (CWE-863) 16.07.2026 9.3
CVE-2026-48322 ColdFusion | Improper Control of Generation of Code ('Code Injection') (CWE-94) 15.07.2026 9.6
CVE-2026-48324 ColdFusion | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) 15.07.2026 9.1
CVE-2026-48325 ColdFusion | Missing Authentication for Critical Function (CWE-306) 15.07.2026 9.3
CVE-2026-48327 ColdFusion | Incorrect Authorization (CWE-863) 15.07.2026 9
CVE-2026-15643 AWS HealthLake MCP Server SSRF via Pagination URL 15.07.2026 9.2
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory 15.07.2026 9.1
CVE-2026-13001 Podlove Podcast Publisher <= 4.5.1 - Unauthenticated Arbitrary File Upload via podlove_image_cache_url Parameter 14.07.2026 9.8
CVE-2026-47428 Vitest browser mode serves unsanitized otelCarrier query parameter as inline script 15.07.2026 9.6
CVE-2026-48356 Adobe Commerce | Unrestricted Upload of File with Dangerous Type (CWE-434) 15.07.2026 9.6
CVE-2026-48358 Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116) 15.07.2026 9.1
CVE-2026-53633 Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE 16.07.2026 9.8
CVE-2026-47429 Vitest: Arbitrary file can be read and executed when Vitest UI server is listening 14.07.2026 9.8
CVE-2026-48259 Adobe Experience Manager | Server-Side Request Forgery (SSRF) (CWE-918) 15.07.2026 9.6
CVE-2026-48359 Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) 15.07.2026 9.6
CVE-2026-45063 Symfony: Identity Spoofing via Unanchored DN Regex in X509Authenticator 14.07.2026 9.1
CVE-2026-50380 Windows GDI+ Remote Code Execution Vulnerability 17.07.2026 9.6
CVE-2026-50447 Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-50518 Windows DHCP Server Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-55010 Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-55040 Microsoft SharePoint Server Security Feature Bypass Vulnerability 17.07.2026 9.1
CVE-2026-55944 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-56159 DHCP Server Service Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-56188 Windows Server Network driver Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-56190 Remote Desktop Protocol Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-57092 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability 17.07.2026 9.9
CVE-2026-42990 SQL Server ODBC driver Elevation of Privilege Vulnerability 17.07.2026 9.8
CVE-2026-48561 Microsoft Copilot Remote Code Execution Vulnerability 17.07.2026 9.6
CVE-2026-49172 Windows FTP Service Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-49798 Windows Kernel Elevation of Privilege Vulnerability 17.07.2026 9.3
CVE-2026-50522 Microsoft SharePoint Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-54990 Remote Desktop Client Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-55008 Microsoft Exchange Server Spoofing Vulnerability 17.07.2026 9.6
CVE-2026-58644 Microsoft SharePoint Remote Code Execution Vulnerability 17.07.2026 9.8
CVE-2026-59891 Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry 14.07.2026 9.6
CVE-2026-15701 Totolink NR1800X lighttpd formLogout.htm Form_Logout stack-based overflow 15.07.2026 9.3
CVE-2025-11698 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover 15.07.2026 9.1
CVE-2025-12011 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2025-12012 CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow 14.07.2026 9.2
CVE-2026-15265 Tenable Agent Path Traversal Leading to Remote Code Execution 14.07.2026 9.3
CVE-2026-58479 Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection 14.07.2026 9.2
CVE-2026-10577 Rockwell Automation 1715 Redundant IO – Access Control Vulnerability 14.07.2026 10
CVE-2026-62422 15.07.2026 10
CVE-2026-56451 14.07.2026 10
CVE-2026-15183 Input Validation Vulnerabilities in Snowflake Spark Connector 14.07.2026 9.2
CVE-2026-57898 14.07.2026 9
CVE-2026-27690 HTTP Request Smuggling in SAP Approuter 14.07.2026 9.1
CVE-2026-44747 Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP 15.07.2026 9.9
CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud 15.07.2026 9.1
CVE-2026-59801 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers 14.07.2026 9.3
CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats 14.07.2026 9.3
CVE-2026-58409 ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload 14.07.2026 9.1
CVE-2026-6875 Sandbox Escape in ServiceNow AI Platform 14.07.2026 9.5
CVE-2026-61462 mcp-gitlab Path Traversal via job_id Parameter 13.07.2026 9.2
CVE-2026-61500 Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key 15.07.2026 9.3
CVE-2026-60121 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php 13.07.2026 9.3
CVE-2026-61498 Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php 14.07.2026 9.3
CVE-2026-6847 Unauthenticated Remote Code Execution in ThemisNETPanel 14.07.2026 9.3
CVE-2026-12257 Remote code execution in Mura Software’s CMS 13.07.2026 9.3
CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise 13.07.2026 9.4
CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application 13.07.2026 9.2
CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app 16.07.2026 9.5
CVE-2026-22095 Command injection in diagnosis web endpoint 16.07.2026 9.3
CVE-2026-22096 Missing authentication for webserver endpoints 16.07.2026 9.3
CVE-2026-22097 Missing firmware validation allows remote code execution 16.07.2026 9.3
CVE-2026-22098 Sensitive information is written to logs 16.07.2026 9.2
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality 16.07.2026 9.3
CVE-2026-22103 Command injection in NPC start web endpoint 16.07.2026 9.3
CVE-2026-57401 WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability 13.07.2026 9.9
CVE-2026-57702 WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57707 WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57710 WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability 13.07.2026 9.9
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57719 WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability 13.07.2026 10
CVE-2026-57724 WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57726 WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57738 WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57739 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57770 WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability 13.07.2026 10
CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability 13.07.2026 9.8
CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability 13.07.2026 9.3
CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability 13.07.2026 9.8
CVE-2026-14453 A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets 13.07.2026 9.6
CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface 13.07.2026 9.3
CVE-2026-15511 Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection 14.07.2026 9.3
CVE-2026-56271 Flowise - Weak Default JWT Secrets in Authentication Middleware 13.07.2026 9.3
CVE-2026-61876 LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting 14.07.2026 9.4

Latest Updates

CVE Title Updated Score
CVE-2026-16124 nextlevelbuilder GoClaw web_fetch web_shared.go isPrivateIP server-side request forgery 18.07.2026
CVE-2026-16125 zevorn rt-claw http_request net.c claw_net_post server-side request forgery 18.07.2026
CVE-2026-16123 nextlevelbuilder GoClaw Invoke Endpoint tools_invoke.go ToolsInvokeHandler.ServeHTTP authorization 18.07.2026
CVE-2026-16121 nextlevelbuilder GoClaw exec_approval.go isSafeBin improper authorization 18.07.2026
CVE-2026-16122 nextlevelbuilder GoClaw exec_approval.go matchesAllowlist authorization 18.07.2026
CVE-2026-11826 OpenPLC_v3 Heap-Based Buffer Overflow in Modbus Master getData() 18.07.2026
CVE-2026-9323 Insecure PRNG and Information Exposure in urwid Web Display Backend 18.07.2026
CVE-2023-54366 SurrealDB before 1.0.1 Insecure Default Table Permissions 18.07.2026
CVE-2024-58356 SurrealDB before 2.1.4 Permission Bypass via DEFINE TABLE OVERWRITE 18.07.2026
CVE-2024-58357 SurrealDB before 2.1.0 Denial of Service via rand::time() 18.07.2026
CVE-2024-58358 SurrealDB before 2.1.0 Denial of Service via Nonexistent Role 18.07.2026
CVE-2024-58359 SurrealDB before 2.1.0 Denial of Service via rand() Sorting 18.07.2026
CVE-2024-58361 SurrealDB before 2.0.4 Denial of Service via Parser Exception 18.07.2026
CVE-2024-58362 SurrealDB before 1.5.5 Query Injection via RPC API 18.07.2026
CVE-2024-58363 SurrealDB before 1.5.4 Authentication Bypass via Database Switch 18.07.2026
CVE-2024-58364 SurrealDB before 1.2.1 Denial of Service via Parsing Error 18.07.2026
CVE-2024-58365 SurrealDB before 1.2.0 Denial of Service via Nonexistent Function 18.07.2026
CVE-2024-58366 SurrealDB before 1.1.1 Format String via Scripting Functions 18.07.2026
CVE-2024-58367 SurrealDB before 2.0.4 Improper Authorization via SELECT Permissions 18.07.2026
CVE-2024-58368 SurrealDB before 1.1.0 Denial of Service via HTTP Headers 18.07.2026
CVE-2024-58369 SurrealDB before 1.1.1 Denial of Service via Global Parameters 18.07.2026
CVE-2024-58370 SurrealDB before 1.1.0 Uncontrolled Recursion Denial of Service 18.07.2026
CVE-2025-71390 SurrealDB before 2.3.6 deny-net Bypass via DNS Resolution 18.07.2026
CVE-2025-71391 SurrealDB before 2.2.2 Denial of Service via /sql endpoint 18.07.2026
CVE-2025-71392 SurrealDB before 2.2.2 SurrealQL Injection via export 18.07.2026
CVE-2025-71393 SurrealDB before 2.2.2 Memory Exhaustion via Nested Functions 18.07.2026
CVE-2025-71394 SurrealDB before 2.2.2 Local File Read via DEFINE ANALYZER 18.07.2026
CVE-2025-71395 SurrealDB before 2.2.2 Memory Exhaustion via string::replace 18.07.2026
CVE-2025-71396 SurrealDB before 2.2.2 Denial of Service via JavaScript Scripting 18.07.2026
CVE-2025-71397 SurrealDB before 2.2.2 CPU Exhaustion via nested FOR loops 18.07.2026
CVE-2025-71398 SurrealDB before 2.2.2 SSRF via HTTP Redirect Bypass 18.07.2026
CVE-2026-16117 @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters 18.07.2026 10
CVE-2026-16119 nextlevelbuilder GoClaw WebSocket Approval Endpoint exec_approval.go RequestApproval authorization 18.07.2026
CVE-2026-16120 nextlevelbuilder GoClaw exec_approval.go extractBin name resolution 18.07.2026
CVE-2026-15631 @fastify/http-proxy vulnerable to prefix escape via WebSocket path traversal 18.07.2026 8.7
CVE-2026-59173 Apache Traffic Server: DoS vulnerability in HTTP/2 via stalled flow-control conditions 18.07.2026
CVE-2026-9147 uproot 5.7.4 and prior Code Injection via TStreamerInfo Metadata 18.07.2026
CVE-2026-16158 @fastify/reply-from vulnerable to cross-upstream request routing via URL cache key collision 18.07.2026 8.7
CVE-2026-16097 Shibby Tomato Scheduler Name sub_42537C stack-based overflow 18.07.2026
CVE-2026-16096 Shibby Tomato webmon_recent_domains sub_40BB50 stack-based overflow 18.07.2026
CVE-2026-16095 Shibby Tomato rc setup_conntrack out-of-bounds write 18.07.2026
CVE-2026-16088 halo-dev halo Files Backup Endpoint MigrationEndpoint.java download path traversal 18.07.2026
CVE-2026-16085 Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere 18.07.2026
CVE-2026-16084 Sipeed PicoClaw web.go web_fetch server-side request forgery 18.07.2026
CVE-2026-47865 VMware Avi Load Balancer Authentication Bypass Vulnerability 18.07.2026 9.8
CVE-2026-47866 VMware Avi Load Balancer Authorization Bypass Vulnerability 18.07.2026 8.3
CVE-2026-47867 VMware Avi Load Balancer Remote Code Execution Vulnerability 18.07.2026 8.7
CVE-2026-47868 VMware Avi Load Balancer Local Privilege Escalation Vulnerability 18.07.2026 7.8
CVE-2026-47869 VMware Avi Load Balancer Remote Code Execution Vulnerability 18.07.2026 8.7
CVE-2026-47870 VMware Avi Load Balancer Privilege Escalation Vulnerability 18.07.2026 7.1
CVE-2026-47871 VMware Avi Load Balancer Directory Traversal Vulnerability 18.07.2026 8.8
CVE-2026-16082 Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou 18.07.2026
CVE-2026-16083 Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay 18.07.2026
CVE-2026-16081 Sipeed PicoClaw auth.go cross-site request forgery 18.07.2026
CVE-2026-16077 AstrBotDevs AstrBot Filesystem Computer-Use Tool fs.py _normalize_rw_path link following 18.07.2026
CVE-2026-16076 AstrBotDevs AstrBot API open_api.py OpenApiRoute.chat_send authentication spoofing 18.07.2026
CVE-2026-9734 W3SC Elementor to Zoho CRM <= 2.2.0 - Cross-Site Request Forgery to Settings Update 18.07.2026 4.3
CVE-2026-16075 AstrBotDevs AstrBot session-listing Endpoint open_api.py OpenApiRoute.get_chat_sessions authorization 18.07.2026
CVE-2026-56171 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability 17.07.2026 7.1
CVE-2026-56740 JLine: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables 17.07.2026 7.5
CVE-2026-57980 Microsoft Edge (Chromium-based) Tampering Vulnerability 17.07.2026 5.4
CVE-2026-44979 @hapi/wreck : Sensitive `Proxy-Authorization` header leaked across cross-hostname redirects 17.07.2026
CVE-2026-48022 @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects 17.07.2026 6.5
CVE-2026-48049 @hapi/inert: Static-file confinement bypass via sibling-prefix path 17.07.2026 5.3
CVE-2026-49485 HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint 17.07.2026 7.5
CVE-2026-54335 Feathersjs: Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__ 17.07.2026 3.7
CVE-2026-56741 JLine: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry 17.07.2026 7.5
CVE-2026-13445 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints 17.07.2026 8.1
CVE-2026-13446 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints 17.07.2026 9.8
CVE-2026-45785 OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle 17.07.2026 6.2
CVE-2026-48062 CodeIgniter: Uploaded file extension validation bypass in `ext_in` rule 17.07.2026 9.8
CVE-2026-50271 dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS 17.07.2026 7.5
CVE-2026-50274 dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS 17.07.2026 7.5
CVE-2026-52203 17.07.2026
CVE-2026-52348 17.07.2026
CVE-2026-52584 17.07.2026
CVE-2026-54159 ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE 17.07.2026 10
CVE-2026-54466 websocket-driver: Message corruption via abuse of protocol length headers 17.07.2026
CVE-2026-54490 websocket-driver: Resource limit bypass via message compression 17.07.2026
CVE-2026-54497 view_component: Reused Component Instances Retain Stale Render Context 17.07.2026 6.8
CVE-2026-54498 view_component: around_render HTML-Safety Bypass 17.07.2026 8.7
CVE-2026-55518 Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation 17.07.2026 9.6
CVE-2026-16074 AstrBotDevs AstrBot Plugin Update plugin.py update_all_plugins server-side request forgery 17.07.2026
CVE-2026-44891 Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder 17.07.2026 7.5
CVE-2026-45784 rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers 17.07.2026
CVE-2026-49977 tarteaucitron.js: data-cookie attribute can be used to delete arbitrary cookies 17.07.2026 4.3
CVE-2026-50272 dd-trace: Improper parsing of W3C baggage headers may lead to DoS 17.07.2026 7.5
CVE-2026-53727 css_parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` 17.07.2026
CVE-2026-54163 secure_headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input 17.07.2026 4.7
CVE-2026-54242 Statamic: Server-Side Request Forgery via Glide (DNS rebinding) 17.07.2026 4.9
CVE-2026-54243 Statamic: CSV formula injection in form submission exports 17.07.2026 6.1
CVE-2026-54244 Statamic: Incorrect authorization lets view-only users submit Live Preview content reserved for editors 17.07.2026 3.5
CVE-2025-51678 17.07.2026
CVE-2026-13448 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints 17.07.2026 8.1
CVE-2026-13473 IBM Storage Protect Client is vulnerable to Heap-Based Buffer Overflow 17.07.2026 8.1
CVE-2026-14499 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints 17.07.2026 8.8
CVE-2026-14501 Use of Potentially Dangerous Functionthat in IBM Db2 Genius Hub 17.07.2026 4.3
CVE-2026-14971 This PowerVM Novalink update is being released to address 17.07.2026 3.9
CVE-2026-14979 IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML Entity Expansion attack 17.07.2026 5.3
CVE-2026-44974 Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters 17.07.2026
CVE-2026-45799 Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service 17.07.2026 7.5
CVE-2026-46420 setup-php: Command Injection in Repository-Derived PHP Version Resolution 17.07.2026 5.6
CVE-2026-48504 OpenTelemetry Rust: Unbounded memory allocation in W3C Baggage propagation 17.07.2026 5.3
CVE-2026-54171 Excon: redact additional sensitive/risky headers when following redirects 17.07.2026 6.5
CVE-2026-54463 websocket-driver: Memory exhaustion via abuse of protocol length headers 17.07.2026
CVE-2026-54464 websocket-driver: Resource limit bypass via message compression 17.07.2026
CVE-2026-54465 websocket-driver: Memory exhaustion in HTTP header parser 17.07.2026
CVE-2026-55254 NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation 17.07.2026 4.8