| CVE-2025-11698 |
CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow |
14.07.2026 |
|
| CVE-2025-43892 |
|
14.07.2026 |
4.1 |
| CVE-2025-53379 |
|
14.07.2026 |
7 |
| CVE-2025-62675 |
|
14.07.2026 |
3.4 |
| CVE-2025-62826 |
|
14.07.2026 |
3.1 |
| CVE-2026-11403 |
Nexus Repository Manager - Insufficient Entropy in Format-Specific API Key Generation |
14.07.2026 |
|
| CVE-2026-11917 |
ThinManager® - Path Traversal via API |
14.07.2026 |
|
| CVE-2026-11944 |
openSIS Classic 9.3 - Authenticated path traversal in SentMail attachment download |
14.07.2026 |
|
| CVE-2026-12659 |
Rockwell Automation Flex 5000® Adapter - Denial of Service |
14.07.2026 |
|
| CVE-2026-12707 |
Unbounded path event queue growth in quiche via peer-driven source connection ID rotation |
14.07.2026 |
7.5 |
| CVE-2026-15392 |
DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location |
14.07.2026 |
|
| CVE-2026-15697 |
svgdotjs svg.js npm Package API EventTarget.on prototype pollution |
14.07.2026 |
|
| CVE-2026-15698 |
kofrasa mingo Update API updateMany prototype pollution |
14.07.2026 |
|
| CVE-2026-23573 |
|
14.07.2026 |
6.1 |
| CVE-2026-52838 |
Easy!Appointments disable_booking_message rendered as raw HTML on public booking page — Stored XSS |
14.07.2026 |
2.6 |
| CVE-2026-52839 |
Easy!Appointments appointments/store and appointments/update allow cross-provider appointment injection — Authorization Bypass |
14.07.2026 |
3.3 |
| CVE-2026-52840 |
Easy!Appointments has server-side request forgery in CalDAV connection test that exposes the deployment's internal network |
14.07.2026 |
2.7 |
| CVE-2026-52841 |
Easy!Appointments: Authorization bypass in Google OAuth provider binding lets any backend user rebind a peer provider's Google sync |
14.07.2026 |
3.1 |
| CVE-2026-55651 |
Easy!Appointments Vulnerable to Appointments Takeover via Excessive Data Exposure |
14.07.2026 |
7.1 |
| CVE-2026-55954 |
Missing ID token claim validation in ueberauth_apple allows account takeover |
14.07.2026 |
|
| CVE-2026-59204 |
Pillow JPEG2000 tiled decode retains a growing scratch buffer and can be used for denial of service |
14.07.2026 |
|
| CVE-2026-59835 |
|
14.07.2026 |
7.7 |
| CVE-2026-59836 |
|
14.07.2026 |
6.7 |
| CVE-2026-59837 |
|
14.07.2026 |
5.9 |
| CVE-2026-59839 |
|
14.07.2026 |
5 |
| CVE-2026-59840 |
|
14.07.2026 |
4.1 |
| CVE-2026-59841 |
|
14.07.2026 |
6.9 |
| CVE-2026-60081 |
DBI::ProfileData versions before 1.651 for Perl do not limit the path index |
14.07.2026 |
|
| CVE-2026-60082 |
DBI versions before 1.651 for Perl do not enforce statement handle consistency with the row |
14.07.2026 |
|
| CVE-2026-9108 |
Studio 5000 Logix Designer® – Multiple Vulnerabilities |
14.07.2026 |
|
| CVE-2026-9127 |
Studio 5000 Logix Designer® – Multiple Vulnerabilities |
14.07.2026 |
|
| CVE-2026-9128 |
Studio 5000 Logix Designer® – Multiple Vulnerabilities |
14.07.2026 |
|
| CVE-2026-9292 |
Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud - Stored Cross-Site Scripting |
14.07.2026 |
|
| CVE-2026-9636 |
Rockwell Automation CompactLogix® 5380 ControlLogix® 5580 / 1756-EN4 Communications Module – Certificate Revocation List Vulnerability |
14.07.2026 |
|
| CVE-2025-12011 |
CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow |
14.07.2026 |
|
| CVE-2025-12012 |
CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow |
14.07.2026 |
|
| CVE-2026-10573 |
1734 POINT I/OTM - Denial of Service via Malformed Inputs on CIP Object |
14.07.2026 |
|
| CVE-2026-10669 |
Xtensa MPU `arch_buffer_validate()` integer-overflow lets a user thread bypass syscall pointer validation |
14.07.2026 |
7.8 |
| CVE-2026-10670 |
User-triggerable kernel NULL-pointer dereference (DoS) in `k_thread_name_copy()` syscall verifier |
14.07.2026 |
5.5 |
| CVE-2026-10671 |
User thread can re-initialize an in-use `k_pipe`, corrupting kernel wait queues (`CONFIG_USERSPACE`) |
14.07.2026 |
7.1 |
| CVE-2026-10672 |
Unterminated URI buffer causes out-of-bounds read in LwM2M firmware pull (Package URI) |
14.07.2026 |
8.2 |
| CVE-2026-10714 |
Rockwell Automation FactoryTalk® Services Platform FTSP - Weak Authentication via JWT Validation Bypass |
14.07.2026 |
|
| CVE-2026-15265 |
Tenable Agent Path Traversal Leading to Remote Code Execution |
14.07.2026 |
9.1 |
| CVE-2026-15695 |
Tenda BE12 Pro DhcpListClient fromDhcpListClient stack-based overflow |
14.07.2026 |
|
| CVE-2026-15696 |
Tenda BE12 Pro VirtualSer fromVirtualSer stack-based overflow |
14.07.2026 |
|
| CVE-2026-52837 |
Easy!Appointments has unauthenticated customer PII disclosure on booking reschedule page |
14.07.2026 |
|
| CVE-2026-58477 |
Sustainable Irrigation Platform 5.2.16 Mass Assignment via HTTP Parameters |
14.07.2026 |
|
| CVE-2026-58478 |
Sustainable Irrigation Platform 5.2.16 SSRF via Node-RED Callback URL |
14.07.2026 |
|
| CVE-2026-58479 |
Sustainable Irrigation Platform 5.2.16 RCE via cli_control Plugin Command Injection |
14.07.2026 |
|
| CVE-2026-60114 |
Sustainable Irrigation Platform 5.2.16 Path Traversal via JSON Backup Restore |
14.07.2026 |
|
| CVE-2026-9140 |
1718-AENTR/1719-AENTR - Denial of Service |
14.07.2026 |
|
| CVE-2026-9653 |
1756-EN2, 1756-EN3, and 1756-ENBT - Denial of Service via CIP Connection ID |
14.07.2026 |
|
| CVE-2026-14902 |
|
14.07.2026 |
4 |
| CVE-2026-14903 |
|
14.07.2026 |
7.7 |
| CVE-2026-15694 |
Tenda BE12 Pro SetIpBind fromSetIpBind stack-based overflow |
14.07.2026 |
|
| CVE-2026-15736 |
Multiple SQL/DDL Injection and Arbitrary File Read Vulnerabilities in snowflake-sqlalchemy |
14.07.2026 |
8.3 |
| CVE-2026-51105 |
|
14.07.2026 |
|
| CVE-2026-58475 |
Sustainable Irrigation Platform 5.2.16 Stored XSS via Program Name |
14.07.2026 |
|
| CVE-2026-58476 |
Sustainable Irrigation Platform 5.2.16 CSRF via Administrative GET Requests |
14.07.2026 |
|
| CVE-2026-8590 |
Spotfire OAuth2 PKCE Bypass for public clients |
14.07.2026 |
|
| CVE-2026-15693 |
Tenda BE12 Pro SafeMacFilter fromSafeMacFilter stack-based overflow |
14.07.2026 |
|
| CVE-2026-53566 |
Out-of-bounds memory read |
14.07.2026 |
|
| CVE-2026-10577 |
Rockwell Automation 1715 Redundant IO – Access Control Vulnerability |
14.07.2026 |
|
| CVE-2026-12588 |
|
14.07.2026 |
|
| CVE-2026-15305 |
TYPO3 CMS - Unrestricted File Upload in Form Framework |
14.07.2026 |
|
| CVE-2026-53565 |
Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges |
14.07.2026 |
|
| CVE-2026-8085 |
Rockwell Automation Arena® - Memory Corruption Vulnerability |
14.07.2026 |
|
| CVE-2026-8312 |
Rockwell Automation Arena® - Memory Corruption Vulnerability |
14.07.2026 |
|
| CVE-2026-8313 |
Rockwell Automation Arena® - Memory Corruption Vulnerability |
14.07.2026 |
|
| CVE-2026-8314 |
Rockwell Automation Arena® - Memory Corruption Vulnerability |
14.07.2026 |
|
| CVE-2026-15691 |
Tenda BE12 Pro SafeClientFilter fromSafeClientFilter stack-based overflow |
14.07.2026 |
|
| CVE-2026-15692 |
Tenda BE12 Pro SafeUrlFilter fromSafeUrlFilter stack-based overflow |
14.07.2026 |
|
| CVE-2026-15718 |
Invalid pointer in the JavaScript: WebAssembly component |
14.07.2026 |
|
| CVE-2026-15719 |
Site isolation in the DOM: Navigation component |
14.07.2026 |
|
| CVE-2026-49488 |
Apache OpenMeetings: Arbitrary File Read |
14.07.2026 |
|
| CVE-2026-62390 |
Apache Kylin: SQL Injection Vulnerability in Catalog Cache Refresh API |
14.07.2026 |
|
| CVE-2026-62392 |
Apache Kylin: OS Command Injection via Async Query API |
14.07.2026 |
|
| CVE-2026-62393 |
Apache Kylin: Improper authorization in job information retrieval |
14.07.2026 |
|
| CVE-2026-15690 |
open62541 Shared Client ua_client_connect.c responseReadNamespacesArray null pointer dereference |
14.07.2026 |
|
| CVE-2026-9341 |
Academy LMS <= 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'user_id' Parameter |
14.07.2026 |
4.3 |
| CVE-2026-15389 |
Inadequate access control in Sesame Time session management |
14.07.2026 |
|
| CVE-2026-62422 |
|
14.07.2026 |
10 |
| CVE-2025-40945 |
|
14.07.2026 |
6.7 |
| CVE-2026-12478 |
Libsoup: incomplete fix for cve-2026-0716: out-of-bounds read in libsoup websocket frame processing (unmasked path) |
14.07.2026 |
|
| CVE-2026-14852 |
mk_sap_hana: Privilege escalation via crafted sapstartsrv process name |
14.07.2026 |
|
| CVE-2026-15043 |
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text |
14.07.2026 |
|
| CVE-2026-3014 |
Remote Code Execution by administrative user on the Management Server |
14.07.2026 |
|
| CVE-2026-54429 |
|
14.07.2026 |
7.4 |
| CVE-2026-56451 |
|
14.07.2026 |
10 |
| CVE-2026-58319 |
Apache Doris: Improper Authentication in Frontend HTTP API |
14.07.2026 |
|
| CVE-2024-7708 |
|
14.07.2026 |
7.5 |
| CVE-2026-10051 |
|
14.07.2026 |
|
| CVE-2026-12606 |
|
14.07.2026 |
|
| CVE-2026-15183 |
Input Validation Vulnerabilities in Snowflake Spark Connector |
14.07.2026 |
|
| CVE-2026-15416 |
Argo-cd: argo cd unauthenticated remote code execution in repo-server via generatemanifest grpc endpoint |
14.07.2026 |
|
| CVE-2026-58229 |
Unbounded HTTP/1 response-header and chunked-trailer accumulation in Mint causes memory-exhaustion DoS |
14.07.2026 |
|
| CVE-2026-59084 |
Apache Tomcat: EncryptInterceptor requirements not clearly documented |
14.07.2026 |
|
| CVE-2026-59246 |
Zero-length HTTP/2 CONTINUATION frames bypass Mint's header-block byte-size cap and exhaust client memory |
14.07.2026 |
|
| CVE-2026-6790 |
|
14.07.2026 |
5.3 |
| CVE-2026-8384 |
|
14.07.2026 |
5.3 |
| CVE-2025-8412 |
VMDP: Potential buffer overflow in the RtlQueryRegistryValues function |
14.07.2026 |
|
| CVE-2026-13699 |
Databroker 0.6.1 PublishValue missing data_point panic |
14.07.2026 |
4.3 |
| CVE-2026-15075 |
|
14.07.2026 |
|
| CVE-2026-15076 |
|
14.07.2026 |
|
| CVE-2026-57898 |
|
14.07.2026 |
9 |
| CVE-2026-59083 |
Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass |
14.07.2026 |
|
| CVE-2026-9561 |
|
14.07.2026 |
|
| CVE-2026-59674 |
LPE from suricata user to root due to chown in %post in suricata packaging |
14.07.2026 |
|
| CVE-2026-6851 |
Improper link resolution before file access in Bitdefender Total Security via Link Following (VA-13681) |
14.07.2026 |
|
| CVE-2026-15677 |
code-projects Online Job Portal JobSeekerInsert.php unrestricted upload |
14.07.2026 |
|
| CVE-2026-15678 |
code-projects Online Job Portal DetailJob.php cross site scripting |
14.07.2026 |
|
| CVE-2025-15665 |
BEAF < 4.7.1 - Admin+ Stored XSS via Widget Shortcode Field |
14.07.2026 |
|
| CVE-2026-11563 |
Word Count and Social Shares <= 1.0 - Subscriber+ Arbitrary File Deletion via Path Traversal |
14.07.2026 |
|
| CVE-2026-11567 |
SureForms < 2.11.1 - Unauthenticated Payment Amount Bypass |
14.07.2026 |
|
| CVE-2026-12511 |
AI Engine < 3.5.5 - Editor+ Arbitrary File Write via Path Traversal |
14.07.2026 |
|
| CVE-2026-12583 |
Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field |
14.07.2026 |
|
| CVE-2026-12988 |
WP 2FA < 3.1.1.2 - Account Takeover via 2FA Setup Email Binding |
14.07.2026 |
|
| CVE-2026-15672 |
itsourcecode Electronic Judging System add_judges.php sql injection |
14.07.2026 |
|
| CVE-2026-15675 |
code-projects Online Job Portal EditUser.php sql injection |
14.07.2026 |
|
| CVE-2026-15676 |
code-projects Online Job Portal DeleteUser.php sql injection |
14.07.2026 |
|
| CVE-2026-12482 |
Path Traversal via Symlink Name Validation Bypass in keras-team/keras |
14.07.2026 |
|
| CVE-2026-15669 |
louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection |
14.07.2026 |
|
| CVE-2026-15629 |
louisho5 picobot Workspace filesystem.go GetSkill link following |
14.07.2026 |
|
| CVE-2026-15668 |
louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery |
14.07.2026 |
|
| CVE-2026-15626 |
nextlevelbuilder GoClaw ACP ToolBridge Workspace tool_bridge.go writeFile path traversal |
14.07.2026 |
|
| CVE-2026-15627 |
nextlevelbuilder GoClaw tool.go handleNavigate information disclosure |
14.07.2026 |
|
| CVE-2026-15628 |
zhayujie chatgpt-on-wechat CowAgent Vision Tool vision.py Vision._download_to_data_url server-side request forgery |
14.07.2026 |
|
| CVE-2026-11390 |
News Kit Addons For Elementor <= 1.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets |
14.07.2026 |
6.4 |
| CVE-2026-11802 |
FoodBook Lite <= 1.5.6 - Missing Authorization to Unauthenticated User Registration via 'registration_action' AJAX Action |
14.07.2026 |
5.3 |
| CVE-2026-15624 |
nextlevelbuilder GoClaw invoke Endpoint create_video_byteplus.go bytePlusDownloadVideo server-side request forgery |
14.07.2026 |
|
| CVE-2026-15625 |
nextlevelbuilder GoClaw exec_approval.go ExecApprovalManager.CheckCommand incomplete blacklist |
14.07.2026 |
|
| CVE-2026-7640 |
WP Customer Area <= 8.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'type' Shortcode Attribute |
14.07.2026 |
6.4 |
| CVE-2026-15622 |
poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization |
14.07.2026 |
|
| CVE-2026-0487 |
DLL Hijacking vulnerability in SAProuter on Microsoft Windows |
14.07.2026 |
8.4 |
| CVE-2026-15620 |
mosaxiv clawlet tool_web_fetch.go tools.webFetch server-side request forgery |
14.07.2026 |
|
| CVE-2026-15621 |
mosaxiv clawlet File Tools fs_ops.go edit_file link following |
14.07.2026 |
|
| CVE-2026-27690 |
HTTP Request Smuggling in SAP Approuter |
14.07.2026 |
9.1 |
| CVE-2026-44745 |
Open Redirect vulnerability in SAP Approuter |
14.07.2026 |
8.1 |
| CVE-2026-44747 |
Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP |
14.07.2026 |
9.9 |
| CVE-2026-44752 |
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard) |
14.07.2026 |
8.2 |
| CVE-2026-44753 |
Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service) |
14.07.2026 |
3.7 |
| CVE-2026-44759 |
Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal |
14.07.2026 |
6.1 |
| CVE-2026-44760 |
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) |
14.07.2026 |
4.7 |
| CVE-2026-44761 |
Insecure Sample Credentials in SAP Commerce Cloud |
14.07.2026 |
9.1 |
| CVE-2026-44767 |
Allowlist Bypass in setThemeRoot() Enables Cross-Origin CSS Injection |
14.07.2026 |
6.1 |
| CVE-2026-44768 |
Security misconfiguration in SAP CRM (WebClient UI) |
14.07.2026 |
4.1 |
| CVE-2026-44769 |
SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) |
14.07.2026 |
5.5 |
| CVE-2026-44770 |
Missing Authorization check in SAP S/4 HANA (Create Single Payment) |
14.07.2026 |
4.3 |
| CVE-2026-44771 |
Missing Authorization check in SAP S/4HANA (Draft operation) |
14.07.2026 |
4.3 |
| CVE-2026-58233 |
Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach) |
14.07.2026 |
7.6 |
| CVE-2026-15619 |
mosaxiv clawlet IPv4 tool_web_fetch.go web_fetch server-side request forgery |
14.07.2026 |
|
| CVE-2026-15618 |
mosaxiv clawlet exec Safety Guard tool_exec.go guardExecCommand protection mechanism |
14.07.2026 |
|
| CVE-2026-15607 |
tanstack db Alias Path select.ts select prototype pollution |
13.07.2026 |
|
| CVE-2026-15605 |
wandb Artifact Integrity Validation hashutil.py ArtifactManifestEntry.download weak hash |
14.07.2026 |
|
| CVE-2026-57855 |
Cockpit CMS Missing Authorization in Bucket File Storage API |
14.07.2026 |
|
| CVE-2026-57856 |
Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API |
14.07.2026 |
|
| CVE-2026-58489 |
HedgeDoc: CSRF in GitHub Gist export callback |
14.07.2026 |
|
| CVE-2026-58101 |
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference |
14.07.2026 |
|
| CVE-2026-58102 |
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts |
14.07.2026 |
|
| CVE-2026-58486 |
HedgeDoc: Denial-of-service via YAML alias expansion in note frontmatter |
14.07.2026 |
|
| CVE-2026-15597 |
SourceCodester Class and Exam Timetabling System edit_exam2.php sql injection |
14.07.2026 |
|
| CVE-2026-15598 |
antv layout object.js setNestedValue prototype pollution |
14.07.2026 |
|
| CVE-2026-39042 |
|
13.07.2026 |
|
| CVE-2026-51540 |
|
13.07.2026 |
|
| CVE-2026-56877 |
|
14.07.2026 |
6.3 |
| CVE-2026-58487 |
HedgeDoc: Stored HTML injection via email local-part |
13.07.2026 |
|
| CVE-2026-58488 |
HedgeDoc: Rate-limit bypass via CF-Connecting-IP header spoofing |
14.07.2026 |
|
| CVE-2026-15596 |
SourceCodester Class and Exam Timetabling System subject.php cross site scripting |
13.07.2026 |
|
| CVE-2026-15680 |
Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability |
14.07.2026 |
|
| CVE-2026-15681 |
AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability |
14.07.2026 |
|
| CVE-2026-15682 |
AnyDesk Support Information Link Following Denial-of-Service Vulnerability |
14.07.2026 |
|
| CVE-2026-15683 |
Lorex 2K Indoor Wi-Fi Security Camera Device Management Server Improper Certificate Validation Vulnerability |
14.07.2026 |
|
| CVE-2026-15684 |
Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability |
14.07.2026 |
|
| CVE-2026-15685 |
Ollama downloadBlob Improper Validation of Array Index Denial-of-Service Vulnerability |
14.07.2026 |
|
| CVE-2026-51536 |
|
14.07.2026 |
|
| CVE-2026-51537 |
|
14.07.2026 |
|
| CVE-2026-51538 |
|
14.07.2026 |
|
| CVE-2026-51539 |
|
14.07.2026 |
|
| CVE-2026-51541 |
|
14.07.2026 |
|
| CVE-2026-51821 |
|
13.07.2026 |
|
| CVE-2026-59801 |
9Router 0.4.41 - Unauthenticated API Exposure via /api/providers |
14.07.2026 |
|
| CVE-2026-61458 |
PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint |
14.07.2026 |
|
| CVE-2026-62184 |
luci-app-banip Log Monitor IP Extraction Bypass |
14.07.2026 |
|
| CVE-2026-62185 |
Argo CD Helm Chart < 10.0.0 Missing Network Policy RCE |
14.07.2026 |
|
| CVE-2026-62186 |
OpenClaw < 2026.6.8 Authorization Bypass via HTTP Model Override |
14.07.2026 |
|
| CVE-2026-62187 |
OpenClaw < 2026.6.9 Feishu tools Authorization Bypass |
13.07.2026 |
|
| CVE-2026-62188 |
OpenClaw < 2026.6.9 Feishu Authorization Bypass |
14.07.2026 |
|
| CVE-2026-62189 |
OpenClaw < 2026.6.9 Symlink Following via Mirror Sync |
14.07.2026 |
|
| CVE-2026-62190 |
OpenClaw < 2026.6.9 Authorization Bypass via flock wrapper |
13.07.2026 |
|
| CVE-2026-62191 |
OpenClaw 2026.6.6 < 2026.6.9 Authorization Bypass via Message Mutations |
14.07.2026 |
|
| CVE-2026-62192 |
OpenClaw 2026.6.6 < 2026.6.9 Authorization Bypass |
14.07.2026 |
|
| CVE-2026-62193 |
OpenClaw 2026.6.5 < 2026.6.9 Authentication Bypass via Plugin Install |
13.07.2026 |
|
| CVE-2026-62194 |
OpenClaw 2026.5.20 < 2026.6.9 Privilege Escalation via Plugin Install |
14.07.2026 |
|
| CVE-2026-62195 |
OpenClaw 2026.5.20 < 2026.6.6 Authorization Bypass via MCP loopback |
14.07.2026 |
|
| CVE-2026-62196 |
OpenClaw 2026.3.22 < 2026.6.6 Authorization Bypass via WhatsApp Group IDs |
13.07.2026 |
|
| CVE-2026-62197 |
OpenClaw < 2026.6.6 Policy Bypass via CDP Discovery |
14.07.2026 |
|
| CVE-2026-62198 |
OpenClaw 2026.5.28 < 2026.6.6 Authorization Bypass via Web Search |
14.07.2026 |
|
| CVE-2026-62199 |
OpenClaw < 2026.6.6 Authentication Bypass via Environment Filtering |
13.07.2026 |
|
| CVE-2026-62200 |
OpenClaw < 2026.6.6 Authentication Bypass via Git ext transport |
14.07.2026 |
|
| CVE-2026-62327 |
9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats |
14.07.2026 |
|
| CVE-2026-62328 |
9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints |
13.07.2026 |
|
| CVE-2026-52533 |
|
14.07.2026 |
|
| CVE-2026-58411 |
ChurchCRM has Reflected Cross-Site Scripting (XSS) via unsanitized request parameter names and values |
13.07.2026 |
|
| CVE-2026-58500 |
MCP Appium: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI) |
14.07.2026 |
8.2 |
| CVE-2026-62239 |
FlashAttention Symlink Attack via tarfile.extractall in hopper/setup.py |
14.07.2026 |
|
| CVE-2026-62240 |
CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools |
14.07.2026 |
|
| CVE-2026-62242 |
Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration |
14.07.2026 |
|
| CVE-2026-15594 |
waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization |
13.07.2026 |
|
| CVE-2026-15595 |
SourceCodester Class and Exam Timetabling System forsubject.php cross site scripting |
14.07.2026 |
|
| CVE-2026-48363 |
ColdFusion | Uncontrolled Search Path Element (CWE-427) |
14.07.2026 |
8.2 |
| CVE-2026-48364 |
ColdFusion | Uncontrolled Search Path Element (CWE-427) |
14.07.2026 |
8.2 |
| CVE-2026-58409 |
ChurchCRM: Authenticated Remote Code Execution (RCE) via Malicious Plugin Upload |
14.07.2026 |
9.1 |
| CVE-2026-58410 |
ChurchCRM: Improper object-level authorization allows low-privileged users to read and modify other families’ records |
14.07.2026 |
7.1 |
| CVE-2026-58407 |
|
13.07.2026 |
|
| CVE-2026-58408 |
ChurchCRM : Broken Access Control in `CSVCreateFile.php` Allows Low-Privileged Users to Export All Members' PII |
14.07.2026 |
6.5 |