Patch Tuesday — July 2026
2026-07-14 · 772 CVEs
CVEs published or modified the week of 2026-07-14, partitioned by vendor.
Microsoft (3 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58596 | High | 8.3 | — | 2026-07-12 | Untrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. |
CVE-2026-58281 | High | 8.3 | — | 2026-07-11 | Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. |
CVE-2026-57211 | Medium | 6.5 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
Other vendors (769 CVEs across 360 vendors)
Drupal · 46 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11913 | Critical | 9.8 | — | 2026-07-10 | vulnerability in Drupal Mother May I allows . |
CVE-2026-12535 | Critical | 9.8 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. |
CVE-2026-15089 | Critical | 9.1 | — | 2026-07-10 | vulnerability in Drupal Commerce guest registration allows . |
CVE-2026-55810 | High | 8.1 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. |
CVE-2026-55809 | High | 8.1 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. |
CVE-2026-13244 | High | 8.1 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. |
CVE-2026-15081 | High | 7.4 | — | 2026-07-10 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. |
CVE-2026-13242 | Medium | 6.5 | — | 2026-07-10 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection. |
CVE-2026-13241 | Medium | 6.5 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. |
CVE-2026-13240 | Medium | 6.5 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. |
CVE-2026-13239 | Medium | 6.5 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. |
CVE-2026-58588 | Medium | 6.1 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). |
CVE-2026-58587 | Medium | 6.1 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). |
CVE-2026-13234 | Medium | 6.1 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). |
CVE-2026-13231 | Medium | 6.1 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Stored XSS. |
CVE-2026-15087 | Medium | 5.9 | — | 2026-07-10 | vulnerability in Drupal Clean RESTful allows . |
CVE-2026-15086 | Medium | 5.9 | — | 2026-07-10 | vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . |
CVE-2026-11915 | Medium | 5.9 | — | 2026-07-10 | vulnerability in Drupal Brute force attack protection allows . |
CVE-2026-11914 | Medium | 5.9 | — | 2026-07-10 | vulnerability in Drupal Composer allows . |
CVE-2026-55806 | Medium | 5.9 | — | 2026-07-10 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. |
CVE-2026-55804 | Medium | 5.9 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. |
CVE-2026-55803 | Medium | 5.9 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. |
CVE-2026-58591 | Medium | 5.4 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). |
CVE-2026-58590 | Medium | 5.4 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. |
CVE-2026-58589 | Medium | 5.4 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. |
CVE-2026-55808 | Medium | 5.4 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). |
CVE-2026-15085 | Medium | 5.4 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. |
CVE-2026-15084 | Medium | 5.4 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. |
CVE-2026-15082 | Medium | 5.4 | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). |
CVE-2026-15079 | Medium | 5.4 | — | 2026-07-10 | Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. |
CVE-2026-13243 | Medium | 4.8 | — | 2026-07-10 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. |
CVE-2026-13238 | Medium | 4.8 | — | 2026-07-10 | Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. |
CVE-2026-13237 | Medium | 4.8 | — | 2026-07-10 | Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. |
CVE-2026-15080 | Medium | 4.3 | — | 2026-07-10 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. |
CVE-2026-15083 | Medium | 4.2 | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. |
CVE-2026-13236 | Medium | 4.2 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. |
CVE-2026-13235 | Low | 3.3 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. |
CVE-2026-13233 | Low | 3.3 | — | 2026-07-10 | Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenAI Provider allows Server Side Request Forgery. |
CVE-2026-11909 | Low | 3.3 | — | 2026-07-10 | Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing. |
CVE-2026-55807 | Low | 3.1 | — | 2026-07-10 | Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. |
CVE-2026-13232 | Low | 3.1 | — | 2026-07-10 | Incorrect Authorization vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Forceful Browsing. |
CVE-2026-11908 | — | — | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Stored XSS. |
CVE-2026-10770 | — | — | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Reflected XSS. |
CVE-2026-10769 | — | — | — | 2026-07-10 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. |
CVE-2026-10768 | — | — | — | 2026-07-10 | Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. |
CVE-2026-9726 | — | — | — | 2026-07-10 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. |
Red Hat · 22 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5260 | High | 8.2 | — | 2026-05-26 | A flaw was found in libgnutls. |
CVE-2026-42013 | High | 8.2 | — | 2026-05-26 | A flaw was found in gnutls. |
CVE-2026-50264 | High | 7.8 | — | 2026-06-05 | An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. |
CVE-2026-50261 | High | 7.8 | — | 2026-06-05 | A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). |
CVE-2026-50260 | High | 7.8 | — | 2026-06-05 | A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). |
CVE-2026-50259 | High | 7.8 | — | 2026-06-05 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. |
CVE-2026-50258 | High | 7.8 | — | 2026-06-05 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. |
CVE-2026-50257 | High | 7.8 | — | 2026-06-05 | A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). |
CVE-2026-50256 | High | 7.8 | — | 2026-06-05 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. |
CVE-2026-11332 | High | 7.8 | — | 2026-06-05 | A flaw was found in ansible-core. |
CVE-2026-15584 | High | 7.5 | — | 2026-07-13 | A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. |
CVE-2026-15574 | High | 7.5 | — | 2026-07-13 | A flaw was found in the vllm-orchestrator-gateway component. |
CVE-2026-58379 | High | 7.3 | — | 2026-07-03 | A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. |
CVE-2026-42012 | High | 7.1 | — | 2026-05-26 | A flaw was found in gnutls. |
CVE-2026-48914 | Medium | 6.7 | — | 2026-06-12 | A flaw was found in QEMU's virtio-blk device. |
CVE-2026-42014 | Medium | 6.6 | — | 2026-06-16 | A flaw was found in GnuTLS. |
CVE-2026-62147 | Medium | 6.5 | — | 2026-07-13 | The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants'… |
CVE-2026-50263 | Medium | 5.5 | — | 2026-06-05 | A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). |
CVE-2026-50262 | Medium | 5.5 | — | 2026-06-05 | An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). |
CVE-2026-42015 | Medium | 5.3 | — | 2026-05-26 | A flaw was found in gnutls. |
CVE-2026-15028 | Low | 3.9 | — | 2026-07-10 | A flaw was found in libarchive. |
CVE-2026-5419 | Low | 3.7 | — | 2026-06-01 | A flaw was found in gnutls. |
N/a · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-26396 | High | 7.5 | — | 2026-07-13 | OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. |
CVE-2025-45869 | High | 7.3 | — | 2026-07-13 | LogicalDOC Enterprise Version up to and before v9.1.1 is vulnerable to Server-Side Request Forgery (SSRF). |
CVE-2026-15510 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was found in Leantime up to 3.8.0. |
CVE-2026-15509 | Medium | 6.3 | — | 2026-07-12 | A vulnerability has been found in Leantime up to 3.8.0. |
CVE-2026-15478 | Medium | 6.3 | — | 2026-07-12 | A flaw has been found in IceHRM up to 35.0.1. |
CVE-2026-15516 | Medium | 5.6 | — | 2026-07-13 | A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. |
CVE-2026-15530 | Medium | 5.3 | — | 2026-07-13 | A flaw has been found in WuzhiCMS up to 4.1.0. |
CVE-2026-15533 | Medium | 4.7 | — | 2026-07-13 | A security flaw has been discovered in DedeCMS 5.7.118. |
CVE-2026-15605 | Low | 3.1 | — | 2026-07-13 | A security vulnerability has been detected in wandb 0.25.2.dev1. |
CVE-2026-52533 | — | — | — | 2026-07-13 | An issue in D-Link DIR-1253 v.1.0.1.250923.142435 allows an attacker to escalate privileges via the etc/shadow component file |
CVE-2026-51821 | — | — | — | 2026-07-13 | SQL Injection vulnerability in Shenzhou Shihan Video Conference System v.1.0 allows a remote attacker to execute arbitrary code via the /user/getUserLogin endpoint |
CVE-2026-51541 | — | — | — | 2026-07-13 | OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size. |
CVE-2026-51540 | — | — | — | 2026-07-13 | OpENer 2.3.0 (master branch up to commit 76b95cf) is vulnerable to a severe memory corruption issue caused by an integer underflow in the processing of connected explicit messages (SendUnitData). |
CVE-2026-51539 | — | — | — | 2026-07-13 | A Denial of Service (DoS) vulnerability exists in the receive loop of libmodbus 3.1.12 when running on Windows. |
CVE-2026-51538 | — | — | — | 2026-07-13 | EIPStackGroup OpENer 2.3.0 (commit 76b95cf) suffers from an Incorrect Access Control vulnerability in its handling of encapsulation sessions. |
CVE-2026-51537 | — | — | — | 2026-07-13 | EIPStackGroup OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in Connection Manager handling of ForwardOpen requests when processing short malformed packets. |
CVE-2026-51536 | — | — | — | 2026-07-13 | In OpENer 2.3.0 (commit 76b95cf) when parsing incoming CIP (Common Industrial Protocol) network packets, the length parameter is inconsistently typed across the call stack. |
CVE-2026-39042 | — | — | — | 2026-07-13 | An issue in MikroTIk (SIA Mikrotikls, Latvia) RouterOS 7.21.x before v.7.21.4 and 7.22.x before v.7.22.2 allows a remote attacker to cause a denial of service via the unflatten() function in libumsg.so. |
Juniper · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57028 | High | 7.3 | — | 2026-07-09 | An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause license exhaustion. |
CVE-2026-57032 | Medium | 6.5 | — | 2026-07-09 | An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS). |
CVE-2026-57027 | Medium | 6.5 | — | 2026-07-09 | A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series devices allows an unauthenticated adjacent attacker to cause a Denial-of-Service (D… |
CVE-2026-57020 | Medium | 6.5 | — | 2026-07-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS). |
CVE-2026-57019 | Medium | 6.5 | — | 2026-07-09 | An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS). |
CVE-2026-33803 | Medium | 6.5 | — | 2026-07-09 | An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact t… |
CVE-2026-33801 | Medium | 6.5 | — | 2026-07-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker sending a specific BGP update over an… |
CVE-2026-57030 | Medium | 5.9 | — | 2026-07-09 | A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker… |
CVE-2026-33794 | Medium | 5.9 | — | 2026-07-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the advanced forwarding toolkit (evo-aftmand) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating conti… |
CVE-2026-57054 | Medium | 5.8 | — | 2026-07-09 | A Use of Incorrectly-Resolved Name or Reference vulnerability in the URL filtering plugin of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass web filtering and access downstream resources t… |
CVE-2026-57025 | Medium | 5.5 | — | 2026-07-09 | A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS). |
CVE-2026-57029 | Medium | 5.3 | — | 2026-07-09 | A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS). |
CVE-2026-57021 | Medium | 5.3 | — | 2026-07-09 | An Out-of-bounds Write vulnerability in the http-gatekeeper (http-gk) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2026-33799 | Medium | 4.3 | — | 2026-07-09 | An Out-of-bounds Write vulnerability in the SNMP daemon (snmpd) of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated network-based attacker sending specific valid SNMPv3 queries to trigger a memory leak. |
Openclaw · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-62200 | High | 8.8 | — | 2026-07-13 | OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. |
CVE-2026-62199 | High | 8.8 | — | 2026-07-13 | OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables. |
CVE-2026-62194 | High | 8.8 | — | 2026-07-13 | OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. |
CVE-2026-62190 | High | 8.8 | — | 2026-07-13 | OpenClaw versions before 2026.6.9 contain an authorization bypass vulnerability in the flock wrapper that allows lower-trust callers to execute or persist actions beyond their intended authorization. |
CVE-2026-62197 | High | 8.5 | — | 2026-07-13 | OpenClaw before 2026.6.6 contains a policy bypass vulnerability in browser CDP discovery that accepts blocked WebSocket URLs. |
CVE-2026-62196 | High | 8.3 | — | 2026-07-13 | OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. |
CVE-2026-62195 | High | 8.3 | — | 2026-07-13 | OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools. |
CVE-2026-62192 | High | 8.1 | — | 2026-07-13 | OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in Discord guild actions that allows lower-trust callers to perform actions requiring stronger authorization checks. |
CVE-2026-62187 | High | 8.1 | — | 2026-07-13 | OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement. |
CVE-2026-62186 | High | 7.6 | — | 2026-07-13 | OpenClaw versions before 2026.6.8 contain an authorization bypass vulnerability in OpenAI-compatible HTTP model overrides that allows lower-trust callers to perform actions requiring stronger authorization checks. |
CVE-2026-62191 | High | 7.1 | — | 2026-07-13 | OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks. |
CVE-2026-62189 | High | 7.1 | — | 2026-07-13 | OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. |
CVE-2026-62193 | Medium | 4.9 | — | 2026-07-13 | OpenClaw versions 2026.6.5 before 2026.6.9 contain a vulnerability in the plugin install wrappers that could skip the install policy (authorization) check. |
CVE-2026-62198 | Medium | 4.3 | — | 2026-07-13 | OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks. |
Grokability · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55469 | Medium | 6.5 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55843 | Medium | 6.5 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55461 | Medium | 6.1 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55475 | Medium | 5.7 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55464 | Medium | 5.4 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55515 | Medium | 5.0 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55462 | Medium | 4.3 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55476 | Medium | 4.3 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55472 | Medium | 4.3 | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55481 | — | — | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55479 | — | — | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55466 | — | — | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
CVE-2026-55452 | — | — | — | 2026-07-10 | Snipe-IT is an IT asset/license management system. |
Mozilla · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12297 | Critical | 9.6 | — | 2026-06-16 | Sandbox escape due to incorrect boundary conditions in the Networking component. |
CVE-2026-12296 | Critical | 9.6 | — | 2026-06-16 | Sandbox escape in the Security: Process Sandboxing component. |
CVE-2026-12295 | Critical | 9.6 | — | 2026-06-16 | Sandbox escape in the DOM: Navigation component. |
CVE-2026-12294 | Critical | 9.6 | — | 2026-06-16 | Sandbox escape in the DOM: Workers component. |
CVE-2026-12291 | High | 8.8 | — | 2026-06-16 | Use-after-free in the Networking: HTTP component. |
CVE-2026-12289 | High | 8.8 | — | 2026-06-16 | Privilege escalation in the Graphics: WebRender component. |
CVE-2026-12328 | High | 8.1 | — | 2026-06-16 | Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. |
CVE-2026-12292 | High | 8.1 | — | 2026-06-16 | Incorrect boundary conditions in the Web Audio component. |
CVE-2026-12290 | High | 8.1 | — | 2026-06-16 | Memory safety bug fixed in Firefox 152. |
CVE-2026-12299 | Medium | 5.4 | — | 2026-06-16 | JIT miscompilation in the DOM: Core & HTML component. |
CVE-2026-12298 | Medium | 5.4 | — | 2026-06-16 | Memory safety bug fixed in Firefox 152. |
CVE-2026-14906 | Medium | 5.3 | — | 2026-07-13 | Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox. |
CVE-2026-12329 | Medium | 5.3 | — | 2026-06-16 | Memory safety bug fixed in Thunderbird ESR 140.12. |
Palo Alto Networks · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-0284 | Critical | 9.9 | — | 2026-07-09 | An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information… |
CVE-2026-0287 | High | 7.5 | — | 2026-07-09 | Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic to or through… |
CVE-2026-0286 | High | 7.2 | — | 2026-07-09 | A command injection vulnerability in the management plane of Palo Alto Networks PAN-OS® software enables an authenticated administrator to execute arbitrary OS commands as root. |
CVE-2026-0283 | High | 7.2 | — | 2026-07-09 | An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN co… |
CVE-2026-0280 | High | 7.2 | — | 2026-07-09 | An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach pr… |
CVE-2026-0281 | High | 7.1 | — | 2026-07-09 | An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to obtain web session tokens. |
CVE-2026-0282 | Medium | 6.5 | — | 2026-07-09 | A file deletion vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory. |
CVE-2026-0279 | Medium | 6.1 | — | 2026-07-09 | Multiple cross site scripting vulnerabilities in the User-ID™ Authentication Portal (aka Captive Portal) service, GlobalProtect™ gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OS® software enables a malicious unauthen… |
CVE-2026-0269 | Medium | 5.7 | — | 2026-06-10 | A memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software allows an authenticated user to initiate system reboots using a maliciously crafted packet. |
CVE-2026-0285 | Medium | 4.9 | — | 2026-07-09 | A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal… |
CVE-2026-0266 | Medium | 4.8 | — | 2026-06-10 | A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. |
Unknown · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11964 | Critical | 9.1 | — | 2026-07-13 | The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved eve… |
CVE-2026-12582 | High | 8.6 | — | 2026-07-13 | The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data f… |
CVE-2026-11963 | High | 8.1 | — | 2026-07-13 | The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing… |
CVE-2026-12275 | High | 7.1 | — | 2026-07-13 | The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated… |
CVE-2026-12274 | Medium | 6.5 | — | 2026-07-13 | The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated id… |
CVE-2026-10551 | Medium | 6.1 | — | 2026-07-13 | The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. |
CVE-2026-12396 | Medium | 5.4 | — | 2026-07-13 | The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level (self-registerable) account to approve, feature… |
CVE-2026-12271 | Medium | 5.4 | — | 2026-07-13 | The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' qui… |
CVE-2026-12081 | Medium | 5.0 | — | 2026-07-13 | The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary… |
CVE-2026-12397 | Medium | 4.3 | — | 2026-07-13 | The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers… |
CVE-2026-12273 | Medium | 4.3 | — | 2026-07-13 | The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-… |
Broadcom · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57215 | High | 8.8 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57212 | High | 7.7 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57220 | High | 7.5 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57219 | High | 7.5 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57216 | Medium | 6.8 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57218 | Medium | 6.5 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57217 | Medium | 6.5 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57214 | Medium | 5.4 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57221 | Medium | 5.0 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
CVE-2026-57213 | Medium | 4.8 | — | 2026-07-10 | RabbitMQ is a messaging and streaming broker. |
Eleveo · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15473 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was identified in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15376 | Medium | 6.3 | — | 2026-07-10 | A vulnerability was found in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15374 | Medium | 6.3 | — | 2026-07-10 | A flaw has been found in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15373 | Medium | 6.3 | — | 2026-07-10 | A vulnerability was detected in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15474 | Medium | 4.3 | — | 2026-07-12 | A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15472 | Medium | 4.3 | — | 2026-07-12 | A vulnerability was determined in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15471 | Medium | 4.3 | — | 2026-07-12 | A vulnerability was found in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15470 | Medium | 4.3 | — | 2026-07-12 | A vulnerability has been found in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15377 | Medium | 4.3 | — | 2026-07-10 | A vulnerability was determined in Eleveo Call Recording Software 9.7.0. |
CVE-2026-15375 | Medium | 4.3 | — | 2026-07-10 | A vulnerability has been found in Eleveo Call Recording Software 9.7.0. |
Linuxfoundation · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58253 | High | 8.8 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58250 | High | 7.5 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58210 | High | 7.5 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58213 | High | 7.1 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58254 | Medium | 6.5 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58252 | Medium | 6.5 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58251 | Medium | 6.5 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-44512 | Medium | 5.5 | — | 2026-07-08 | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. |
CVE-2026-58214 | Medium | 4.3 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
CVE-2026-58209 | Medium | 4.3 | — | 2026-07-08 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. |
Mattermost · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6850 | Medium | 6.5 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a… |
CVE-2026-10106 | Medium | 6.5 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a priva… |
CVE-2026-9571 | Medium | 5.9 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to ob… |
CVE-2026-9597 | Medium | 5.4 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional s… |
CVE-2026-10085 | Medium | 5.4 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct mes… |
CVE-2026-9708 | Medium | 4.9 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to c… |
CVE-2026-9824 | Medium | 4.3 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enume… |
CVE-2026-6541 | Medium | 4.3 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook met… |
CVE-2026-10103 | Medium | 4.3 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local… |
CVE-2026-9820 | Low | 3.8 | — | 2026-07-13 | Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or… |
Capgo · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56241 | High | 8.3 | — | 2026-07-12 | Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being clear… |
CVE-2026-56313 | High | 8.1 | — | 2026-07-12 | Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. |
CVE-2026-56238 | High | 7.5 | — | 2026-07-12 | Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. |
CVE-2026-56303 | High | 7.5 | — | 2026-07-11 | Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. |
CVE-2026-56308 | High | 7.3 | — | 2026-07-12 | Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. |
CVE-2026-56252 | Medium | 5.4 | — | 2026-07-12 | Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. |
CVE-2026-56336 | Medium | 5.3 | — | 2026-07-12 | Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values. |
CVE-2026-56240 | Medium | 4.3 | — | 2026-07-11 | Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates. |
CVE-2026-56281 | Low | 3.8 | — | 2026-07-12 | Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/admin_stats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL q… |
Evbee · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-22103 | — | — | — | 2026-07-13 | The NPC start endpoint on the web server at port 8090 is vulnerable to command injection. |
CVE-2026-22102 | — | — | — | 2026-07-13 | A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. |
CVE-2026-22100 | — | — | — | 2026-07-13 | The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. |
CVE-2026-22099 | — | — | — | 2026-07-13 | The charging station does not require authentication for Bluetooth commands to perform actions. |
CVE-2026-22098 | — | — | — | 2026-07-13 | Various sensitive information such as passwords and charging card UIDs are written to log files. |
CVE-2026-22097 | — | — | — | 2026-07-13 | The firmware update mechanism does not include cryptographic signature validation. |
CVE-2026-22096 | — | — | — | 2026-07-13 | The webserver running on port 8090 does not require authentication. |
CVE-2026-22095 | — | — | — | 2026-07-13 | The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection. |
CVE-2026-22093 | — | — | — | 2026-07-13 | The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. |
Golang · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-46595 | Critical | 10.0 | — | 2026-05-22 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped. |
CVE-2026-39821 | Critical | 9.6 | — | 2026-05-22 | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. |
CVE-2026-39830 | Critical | 9.1 | — | 2026-05-22 | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. |
CVE-2026-39822 | High | 7.8 | — | 2026-07-08 | On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. |
CVE-2023-54365 | High | 7.5 | — | 2026-06-23 | Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). |
CVE-2026-39829 | High | 7.5 | — | 2026-05-22 | The RSA and DSA public key parsers did not enforce size limits on key parameters. |
CVE-2026-39828 | Medium | 6.3 | — | 2026-05-22 | When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeede… |
CVE-2026-42505 | Medium | 5.3 | — | 2026-07-08 | Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello. |
CVE-2026-39835 | Medium | 5.3 | — | 2026-05-22 | SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. |
Mervinpraison · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61447 | Critical | 10.0 | — | 2026-07-11 | PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. |
CVE-2026-61445 | Critical | 9.9 | — | 2026-07-11 | PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM tool calls. |
CVE-2026-60090 | Critical | 9.8 | — | 2026-07-11 | PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends. |
CVE-2026-61426 | High | 8.6 | — | 2026-07-11 | PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. |
CVE-2026-61429 | High | 8.5 | — | 2026-07-11 | PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects. |
CVE-2026-61439 | High | 7.5 | — | 2026-07-11 | PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. |
CVE-2026-61428 | High | 7.3 | — | 2026-07-11 | PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. |
CVE-2026-61442 | High | 7.1 | — | 2026-07-11 | PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. |
CVE-2026-60088 | Medium | 5.5 | — | 2026-07-11 | PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. |
Unattributed · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61500 | Critical | 9.8 | — | 2026-07-13 | Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during login. |
CVE-2026-61498 | Critical | 9.8 | — | 2026-07-13 | Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in… |
CVE-2026-20744 | Critical | 9.8 | — | 2026-07-10 | The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation. |
CVE-2026-57855 | High | 8.8 | — | 2026-07-13 | Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). |
CVE-2026-62188 | High | 8.1 | — | 2026-07-13 | OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. |
CVE-2026-61501 | Medium | 6.1 | — | 2026-07-13 | Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. |
CVE-2026-6804 | Medium | 5.3 | — | 2026-07-11 | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. |
CVE-2026-58102 | — | — | — | 2026-07-13 | Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts. |
CVE-2026-55883 | — | — | — | 2026-07-10 | Tilt defines dev environments as code for microservice apps on Kubernetes. |
Frappe · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58503 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-55852 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-49394 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-48127 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-47422 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-47199 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-42219 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
CVE-2026-41482 | — | — | — | 2026-07-10 | Frappe is a full-stack web application framework. |
Gnu · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-42009 | High | 7.5 | — | 2026-05-18 | A flaw was found in gnutls. |
CVE-2026-56289 | Medium | 5.5 | — | 2026-07-09 | GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. |
CVE-2026-56288 | Medium | 5.5 | — | 2026-07-09 | GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. |
CVE-2026-15520 | Medium | 5.3 | — | 2026-07-13 | A vulnerability was determined in GNU LibreDWG 0.13.4-154-g0b573035. |
CVE-2026-40553 | — | — | — | 2026-07-13 | Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine). |
CVE-2026-40469 | — | — | — | 2026-07-13 | Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). |
CVE-2026-40468 | — | — | — | 2026-07-13 | Integer overflow vulnerability has been found in "builtin.c" program file of gawk. |
CVE-2026-40467 | — | — | — | 2026-07-13 | Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine). |
Imagemagick · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61861 | Low | 3.7 | — | 2026-07-11 | ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption method when memory allocation fails. |
CVE-2026-61857 | Low | 3.7 | — | 2026-07-11 | ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. |
CVE-2026-56373 | Low | 3.7 | — | 2026-07-10 | ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails. |
CVE-2026-61858 | Low | 3.3 | — | 2026-07-11 | ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. |
CVE-2026-61465 | Low | 3.3 | — | 2026-07-11 | ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. |
CVE-2026-56372 | Low | 3.3 | — | 2026-07-11 | ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify operation that allows attackers to read out of bounds memory. |
CVE-2026-56366 | Low | 3.3 | — | 2026-07-10 | ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. |
CVE-2026-61870 | Low | 2.9 | — | 2026-07-11 | ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails. |
Sourcecodester · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15597 | High | 7.3 | — | 2026-07-13 | A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/2.php. |
CVE-2026-15537 | High | 7.3 | — | 2026-07-13 | A security flaw has been discovered in SourceCodester Online Book Store System 1.0. |
CVE-2026-15539 | Medium | 4.7 | — | 2026-07-13 | A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. |
CVE-2026-15596 | Medium | 4.3 | — | 2026-07-13 | A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. |
CVE-2026-15595 | Medium | 4.3 | — | 2026-07-13 | A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. |
CVE-2026-15540 | Medium | 4.3 | — | 2026-07-13 | A vulnerability was detected in SourceCodester Online Book Store System 1.0. |
CVE-2026-15532 | Low | 2.4 | — | 2026-07-13 | A vulnerability was identified in SourceCodester Online Book Store System 1.0. |
Trendnet · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15484 | High | 8.8 | — | 2026-07-12 | A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. |
CVE-2026-15483 | High | 8.8 | — | 2026-07-12 | A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. |
CVE-2026-15481 | High | 8.8 | — | 2026-07-12 | A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. |
CVE-2026-15480 | High | 8.8 | — | 2026-07-12 | A vulnerability was identified in Trendnet TEW-635BRM up to 1.00.03. |
CVE-2026-15487 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was found in TRENDnet TEW-821DAP 1.11B03. |
CVE-2026-15486 | Medium | 6.3 | — | 2026-07-12 | A vulnerability has been found in TRENDnet TEW-821DAP 1.11B03. |
CVE-2026-15485 | Medium | 6.3 | — | 2026-07-12 | A flaw has been found in TRENDnet TEW-821DAP 1.11B03. |
Zephyrproject · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-10666 | High | 8.1 | — | 2026-07-12 | parse_ipv4() in subsys/net/ip/utils.c (reached via net_ipaddr_parse() for strings of the form "a.b.c.d:port") copies the port substring into a fixed 17-byte stack buffer (char ipaddr[NET_IPV4_ADDR_LEN + 1]) using a length of str_len - end… |
CVE-2026-10667 | High | 7.8 | — | 2026-07-12 | Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. |
CVE-2026-10665 | High | 7.4 | — | 2026-07-12 | In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. |
CVE-2026-10660 | Medium | 6.4 | — | 2026-07-11 | The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes)… |
CVE-2026-10663 | Medium | 6.1 | — | 2026-07-12 | In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root. |
CVE-2026-10664 | Medium | 5.0 | — | 2026-07-12 | The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixe… |
CVE-2026-10668 | Low | 2.4 | — | 2026-07-12 | The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). |
Freerdp · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-45700 | Critical | 9.8 | — | 2026-05-29 | FreeRDP is a free implementation of the Remote Desktop Protocol. |
CVE-2026-57158 | Critical | 9.1 | — | 2026-07-10 | FreeRDP is a free implementation of the Remote Desktop Protocol. |
CVE-2026-55827 | High | 7.5 | — | 2026-07-10 | FreeRDP is a free implementation of the Remote Desktop Protocol. |
CVE-2026-57157 | Medium | 6.5 | — | 2026-07-10 | FreeRDP is a free implementation of the Remote Desktop Protocol. |
CVE-2026-57156 | — | — | — | 2026-07-10 | FreeRDP is a free implementation of the Remote Desktop Protocol. |
Imagination Technologies · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-7639 | High | 7.8 | — | 2026-07-10 | Software installed and run as a non-privileged user may conduct a sequence of improper GPU system calls causing use after free, which helps in facilitating unprivileged memory access from a shader code. |
CVE-2026-45203 | High | 7.8 | — | 2026-07-10 | Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel. |
CVE-2026-45196 | High | 7.8 | — | 2026-07-10 | Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a GPU register access which can lead to privilege escalation. |
CVE-2026-41154 | High | 7.8 | — | 2026-07-10 | Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls. |
CVE-2026-34196 | High | 7.8 | — | 2026-07-10 | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address. |
Shibby · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15548 | High | 8.8 | — | 2026-07-13 | A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. |
CVE-2026-15545 | High | 8.8 | — | 2026-07-13 | A vulnerability was identified in Shibby Tomato up to 1.28.0000. |
CVE-2026-15544 | High | 8.8 | — | 2026-07-13 | A vulnerability was determined in Shibby Tomato up to 1.28.0000. |
CVE-2026-15547 | Medium | 6.3 | — | 2026-07-13 | A weakness has been identified in Shibby Tomato up to 1.28.0000. |
CVE-2026-15546 | Medium | 6.3 | — | 2026-07-13 | A security flaw has been discovered in Shibby Tomato up to 1.28.0000. |
Themeum · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57724 | Critical | 9.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in Themeum Kirki kirki allows Object Injection.This issue affects Kirki: from n/a through <= 6.0.12. |
CVE-2026-57726 | Critical | 9.3 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Kirki kirki allows Blind SQL Injection.This issue affects Kirki: from n/a through <= 6.0.12. |
CVE-2026-57727 | High | 7.5 | — | 2026-07-13 | Missing Authorization vulnerability in Themeum Kirki kirki allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kirki: from n/a through <= 6.0.13. |
CVE-2026-57725 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Kirki kirki allows Stored XSS.This issue affects Kirki: from n/a through <= 6.0.11. |
CVE-2026-57694 | Medium | 6.5 | — | 2026-07-13 | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.13. |
Berriai · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59822 | High | 8.2 | — | 2026-07-08 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. |
CVE-2026-59821 | High | 7.2 | — | 2026-07-08 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. |
CVE-2026-59820 | Medium | 6.5 | — | 2026-07-08 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. |
CVE-2026-59819 | Medium | 4.9 | — | 2026-07-08 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. |
Churchcrm · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58409 | Critical | 9.1 | — | 2026-07-13 | ChurchCRM is an open-source church management system. |
CVE-2026-58410 | High | 7.1 | — | 2026-07-13 | ChurchCRM is an open-source church management system. |
CVE-2026-58408 | Medium | 6.5 | — | 2026-07-13 | ChurchCRM is an open-source church management system. |
CVE-2026-58411 | — | — | — | 2026-07-13 | ChurchCRM is an open-source church management system. |
Decolua · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59801 | Critical | 9.8 | — | 2026-07-13 | 9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middl… |
CVE-2026-62327 | Critical | 9.1 | — | 2026-07-13 | 9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request t… |
CVE-2026-62328 | High | 7.5 | — | 2026-07-13 | 9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. |
CVE-2026-56676 | High | 7.4 | — | 2026-07-10 | 9Router is an AI router & token saver. |
Hedgedoc · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58489 | — | — | — | 2026-07-13 | HedgeDoc is an open source, real-time collaborative markdown notes application. |
CVE-2026-58488 | — | — | — | 2026-07-13 | HedgeDoc is an open source, real-time, collaborative, markdown notes application. |
CVE-2026-58487 | — | — | — | 2026-07-13 | HedgeDoc is an open source, real-time, collaborative, markdown notes application. |
CVE-2026-58486 | — | — | — | 2026-07-13 | HedgeDoc is an open source, real-time, collaborative, markdown notes application. |
Linux · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-52923 | High | 7.8 | — | 2026-06-24 | In the Linux kernel, the following vulnerability has been resolved: ipc: limit next_id allocation to the valid ID range The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id. |
CVE-2026-0268 | Medium | 4.4 | — | 2026-06-10 | A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. |
CVE-2026-53365 | — | — | — | 2026-07-13 | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix zerocopy completion for multi-skb sends When a large message is fragmented into multiple skbs, the zerocopy uarg is only allocated and attached to the… |
CVE-2026-53364 | — | — | — | 2026-07-13 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but returns 0 without freeing it when neith… |
Logto-io · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55789 | High | 8.5 | — | 2026-07-10 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. |
CVE-2026-55377 | High | 8.1 | — | 2026-07-10 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. |
CVE-2026-55370 | Medium | 6.4 | — | 2026-07-10 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. |
CVE-2026-54714 | Medium | 6.1 | — | 2026-07-10 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. |
Openreplay · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55879 | Critical | 9.3 | — | 2026-07-10 | OpenReplay is a self-hosted session replay suite. |
CVE-2026-55880 | High | 7.1 | — | 2026-07-10 | OpenReplay is a self-hosted session replay suite. |
CVE-2026-57230 | Medium | 5.4 | — | 2026-07-10 | OpenReplay is a self-hosted session replay suite. |
CVE-2026-55881 | — | — | — | 2026-07-10 | OpenReplay is a self-hosted session replay suite. |
Openwrt · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61876 | High | 8.8 | — | 2026-07-12 | LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. |
CVE-2026-61875 | High | 8.8 | — | 2026-07-12 | luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. |
CVE-2026-59260 | High | 8.8 | — | 2026-07-12 | OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. |
CVE-2026-62184 | High | 7.5 | — | 2026-07-13 | luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like user… |
Plank · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-49972 | High | 8.8 | — | 2026-07-13 | Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell… |
CVE-2026-49970 | High | 8.8 | — | 2026-07-13 | Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader… |
CVE-2026-49969 | High | 7.4 | — | 2026-07-13 | Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUp… |
CVE-2026-49971 | Medium | 6.1 | — | 2026-07-13 | Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event… |
Quantumcloud · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57710 | Critical | 9.9 | — | 2026-07-13 | Unrestricted Upload of File with Dangerous Type vulnerability in quantumcloud WoowBot Pro Max woowbot-pro-max allows Using Malicious Files.This issue affects WoowBot Pro Max: from n/a through <= 14.1.7. |
CVE-2026-57707 | Critical | 9.3 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows SQL Injection.This issue affects Simple Business Director… |
CVE-2026-57363 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.3.7. |
CVE-2026-57414 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot for eCommerce – WoowBot woowbot-woocommerce-chatbot allows Stored XSS.This issue affects ChatBot for eCommerce… |
Rejetto · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61504 | Medium | 5.4 | — | 2026-07-13 | Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. |
CVE-2026-61505 | Medium | 5.3 | — | 2026-07-13 | Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. |
CVE-2026-61503 | Medium | 5.3 | — | 2026-07-13 | Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. |
CVE-2026-61502 | Medium | 4.3 | — | 2026-07-13 | Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. |
Select-themes · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57805 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Tonda tonda allows PHP Local File Inclusion.This issue affects Tonda: from n/a through <= 2.5. |
CVE-2026-57803 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a t… |
CVE-2026-57802 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1. |
CVE-2026-57801 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through <= 2.1. |
Acymailing Newsletter Team · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57739 | Critical | 9.3 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Blind SQL Injection.This issue affects AcyMailing SMTP Newsletter… |
CVE-2026-57741 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/… |
CVE-2026-57740 | High | 7.1 | — | 2026-07-13 | Missing Authorization vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AcyMailing SMTP Newsletter: from n/a through… |
Apache Software Foundation · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59245 | — | — | — | 2026-07-13 | In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently grante… |
CVE-2026-58065 | — | — | — | 2026-07-13 | The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. |
CVE-2026-49844 | — | — | — | 2026-07-10 | Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. |
Astrbotdevs · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15501 | Medium | 6.3 | — | 2026-07-12 | A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. |
CVE-2026-15500 | Medium | 6.3 | — | 2026-07-12 | A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2. |
CVE-2026-15499 | Medium | 6.3 | — | 2026-07-12 | A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. |
Cedar-policy · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55773 | High | 8.8 | — | 2026-07-13 | CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. |
CVE-2026-55771 | High | 8.8 | — | 2026-07-13 | CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. |
CVE-2026-55772 | High | 8.8 | — | 2026-07-13 | CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. |
Cloudfoundry · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-47826 | Critical | 9.1 | — | 2026-07-09 | The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. |
CVE-2026-47829 | High | 7.8 | — | 2026-07-09 | Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to loca… |
CVE-2026-41857 | High | 7.8 | — | 2026-07-09 | A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. |
Codeastro · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15559 | Medium | 6.3 | — | 2026-07-13 | A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0. |
CVE-2026-15558 | Medium | 6.3 | — | 2026-07-13 | A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. |
CVE-2026-15523 | Medium | 6.3 | — | 2026-07-13 | A weakness has been identified in CodeAstro Simple Online Leave Management System 1.0. |
Crawl4ai · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56260 | Critical | 9.1 | — | 2026-07-12 | Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. |
CVE-2026-56261 | High | 8.6 | — | 2026-07-10 | Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. |
CVE-2026-56259 | High | 8.2 | — | 2026-07-12 | Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. |
Crocoblock · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61977 | Medium | 5.3 | — | 2026-07-13 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2. |
CVE-2026-61976 | Medium | 5.3 | — | 2026-07-13 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Retrieve Embedded Sensitive Data.This issue affects JetBlocks For Elementor: from n/a through… |
CVE-2026-61975 | Medium | 5.3 | — | 2026-07-13 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through <= 3.0.1. |
Decompress_project · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39246 | High | 7.5 | — | 2026-07-09 | decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. |
CVE-2026-39245 | Medium | 6.2 | — | 2026-07-09 | decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. |
CVE-2026-39243 | Medium | 5.5 | — | 2026-07-09 | decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. |
Fluent · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-44024 | Critical | 9.8 | — | 2026-07-08 | Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. |
CVE-2026-44160 | High | 7.5 | — | 2026-07-08 | Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. |
CVE-2026-44161 | High | 7.2 | — | 2026-07-08 | Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. |
Grafana · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33382 | High | 7.5 | — | 2026-07-10 | Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. |
CVE-2026-8595 | Medium | 6.8 | — | 2026-07-10 | A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting). |
CVE-2026-8609 | Medium | 5.3 | — | 2026-07-10 | An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service). |
Gristlabs · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55659 | High | 7.7 | — | 2026-07-10 | Grist is spreadsheet software using Python as its formula language. |
CVE-2026-55664 | Medium | 4.3 | — | 2026-07-10 | Grist is spreadsheet software using Python as its formula language. |
CVE-2026-55665 | — | — | — | 2026-07-10 | Grist is spreadsheet software using Python as its formula language. |
N8n · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59209 | Medium | 6.5 | — | 2026-07-09 | n8n is an open source workflow automation platform. |
CVE-2026-58661 | Medium | 4.3 | — | 2026-07-10 | n8n before 2.28.0 (and before 1.123.58 on the 1.x branch) contains a disk space exhaustion vulnerability in the data-table file upload endpoint. |
CVE-2026-56354 | Medium | 4.1 | — | 2026-07-10 | n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox poli… |
Nodejs · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6734 | High | 7.5 | — | 2026-06-17 | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. |
CVE-2026-12151 | High | 7.5 | — | 2026-06-17 | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. |
CVE-2026-9697 | High | 7.4 | — | 2026-06-17 | Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). |
Rafymrx · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15491 | High | 7.3 | — | 2026-07-12 | A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. |
CVE-2026-15490 | High | 7.3 | — | 2026-07-12 | A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. |
CVE-2026-15489 | High | 7.3 | — | 2026-07-12 | A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. |
Saad Iqbal · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57810 | High | 8.5 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: f… |
CVE-2026-61968 | Medium | 5.4 | — | 2026-07-13 | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 3.1.2. |
CVE-2026-61958 | Medium | 5.4 | — | 2026-07-13 | Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: f… |
Soniccloudorg · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15497 | High | 7.3 | — | 2026-07-12 | A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. |
CVE-2026-15496 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was found in SonicCloudOrg sonic-agent up to 2.7.2. |
CVE-2026-15495 | Medium | 6.3 | — | 2026-07-12 | A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2. |
Stmcan · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57744 | Critical | 9.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5. |
CVE-2026-57743 | High | 8.1 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion.This issue affects RT-Theme 18 | Exten… |
CVE-2026-57745 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Reflected XSS.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5. |
Tagdiv · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57734 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3. |
CVE-2026-57733 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Cloud Library td-cloud-library allows DOM-Based XSS.This issue affects tagDiv Cloud Library: from n/a through <= 3.9.4. |
CVE-2026-57732 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows DOM-Based XSS.This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.4. |
Themefic · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57388 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.44. |
CVE-2026-57395 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5. |
CVE-2026-57392 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5. |
Thememove · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57791 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0. |
CVE-2026-57790 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Billey billey allows PHP Local File Inclusion.This issue affects Billey: from n/a through <= 2.1.8. |
CVE-2026-57797 | Medium | 4.3 | — | 2026-07-13 | Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through <= 4.5.1. |
Themifyme · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57369 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a through <= 7.7.4. |
CVE-2026-15097 | Medium | 6.4 | — | 2026-07-11 | The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. |
CVE-2026-15096 | Medium | 6.4 | — | 2026-07-11 | The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. |
U-boot · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-29009 | High | 8.2 | — | 2026-07-08 | U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by… |
CVE-2026-29008 | High | 7.5 | — | 2026-07-08 | U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a mani… |
CVE-2026-29007 | Medium | 5.3 | — | 2026-07-08 | U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp_rx_state_machine() (net/tcp.c) when CONFIG_PROT_TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet w… |
Wclovers · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12126 | Medium | 6.4 | — | 2026-07-11 | The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization… |
CVE-2026-12994 | Medium | 5.3 | — | 2026-07-11 | The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. |
CVE-2026-10041 | Medium | 4.3 | — | 2026-07-11 | The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key… |
Wp Swings · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57709 | High | 8.6 | — | 2026-07-13 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Path Traversal.This issue affects Membership For WooCommerce: from n/a t… |
CVE-2026-57407 | High | 7.2 | — | 2026-07-13 | Server-Side Request Forgery (SSRF) vulnerability in WP Swings PDF Generator for WordPress pdf-generator-for-wp allows Server Side Request Forgery.This issue affects PDF Generator for WordPress: from n/a through <= 1.6.2. |
CVE-2026-57400 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in WP Swings Event Tickets Manager for WooCommerce event-tickets-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets Manager f… |
Adobe · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-48364 | High | 8.2 | — | 2026-07-13 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-48363 | High | 8.2 | — | 2026-07-13 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. |
Anydesk · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15682 | Medium | 4.7 | — | 2026-07-13 | AnyDesk Support Information Link Following Denial-of-Service Vulnerability. |
CVE-2026-15681 | Medium | 4.7 | — | 2026-07-13 | AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability. |
Apache · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41041 | Critical | 9.1 | — | 2026-07-13 | URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. |
CVE-2026-49876 | Medium | 6.5 | — | 2026-07-13 | Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. |
Boldgrid · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-9282 | High | 7.5 | — | 2026-07-11 | The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. |
CVE-2026-57418 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a th… |
Citeum · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35210 | High | 7.1 | — | 2026-07-08 | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. |
CVE-2026-35211 | Medium | 6.5 | — | 2026-07-08 | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. |
Codemenschen · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57415 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0. |
CVE-2026-57412 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in Codemenschen Gift Vouchers gift-voucher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gift Vouchers: from n/a through <= 4.6.9. |
Crm Perks · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57708 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Contact Form Entries contact-form-entries allows Reflected XSS.This issue affects Contact Form Entries: from n/a through <= 1.5… |
CVE-2026-57421 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms crm-perks-forms allows Reflected XSS.This issue affects CRM Perks Forms: from n/a through <= 1.1.7. |
Denishua · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57371 | High | 8.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0. |
CVE-2026-57372 | High | 7.2 | — | 2026-07-13 | Server-Side Request Forgery (SSRF) vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through <= 7.0. |
Digi International · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12352 | Medium | 5.9 | — | 2026-07-07 | This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device. |
CVE-2026-12948 | — | — | — | 2026-07-07 | A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system con… |
Discourse · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55420 | High | 7.5 | — | 2026-07-09 | Discourse is an open-source discussion platform. |
CVE-2026-59828 | Medium | 5.3 | — | 2026-07-09 | Discourse is an open-source discussion platform. |
Edgarrojas · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57393 | Medium | 6.5 | — | 2026-07-13 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce PDF Invoi… |
CVE-2026-57390 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in EDGARROJAS Extra Product Options Builder for WooCommerce additional-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extra Prod… |
Edge-themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57800 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.5. |
CVE-2026-57788 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Aalto aalto allows PHP Local File Inclusion.This issue affects Aalto: from n/a through <= 1.8. |
Getgrav · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61454 | Medium | 5.3 | — | 2026-07-11 | The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). |
CVE-2026-58493 | — | — | — | 2026-07-10 | grav-plugin-database is the database plugin for Grav CMS. |
Hydro-québec · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-44383 | High | 7.5 | — | 2026-07-10 | Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend. |
CVE-2026-42952 | High | 7.5 | — | 2026-07-10 | Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack. |
Iqonicdesign · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15073 | Medium | 6.5 | — | 2026-07-11 | The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied p… |
CVE-2026-15072 | Medium | 6.5 | — | 2026-07-11 | The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied p… |
Jetbrains · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59796 | High | 8.1 | — | 2026-07-10 | In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks |
CVE-2026-59795 | High | 8.1 | — | 2026-07-10 | In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible |
Joomshaper.com · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57830 | — | — | — | 2026-07-13 | The Joomla extension Helix Ultimate is vulnerable to an unauthenticated arbitrary file deletion. |
CVE-2026-57829 | — | — | — | 2026-07-13 | The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS. |
Lorex · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15683 | High | 7.5 | — | 2026-07-13 | Lorex 2K Indoor Wi-Fi Security Camera Device Management Server Improper Certificate Validation Vulnerability. |
CVE-2026-15680 | High | 7.5 | — | 2026-07-13 | Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. |
Magepeopleteam · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57404 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manag… |
CVE-2026-61985 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7. |
Milan Petrovic · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57771 | High | 8.5 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Milan Petrovic GD Rating System gd-rating-system allows Blind SQL Injection.This issue affects GD Rating System: from n/a through <= 3.7. |
CVE-2026-57403 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Security Headers gd-security-headers allows Reflected XSS.This issue affects GD Security Headers: from n/a through <= 1… |
Misskey-dev · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57575 | — | — | — | 2026-07-10 | Misskey is an open source, federated social media platform. |
CVE-2026-57574 | — | — | — | 2026-07-10 | Misskey is an open source, federated social media platform. |
Nodeca · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59869 | High | 7.5 | — | 2026-07-08 | js-yaml is a JavaScript YAML parser and dumper. |
CVE-2026-59868 | Medium | 5.3 | — | 2026-07-08 | js-yaml is a JavaScript YAML parser and dumper. |
Nsquared · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59523 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a thr… |
CVE-2026-57812 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a thr… |
Open-webui · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59216 | High | 7.7 | — | 2026-07-09 | Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. |
CVE-2026-59215 | Low | 3.1 | — | 2026-07-09 | Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. |
Owasp-modsecurity · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-52747 | High | 8.6 | — | 2026-07-10 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. |
CVE-2026-52761 | Medium | 5.8 | — | 2026-07-10 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. |
Phalcon · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57584 | — | — | — | 2026-07-10 | Phalcon is a high-performance, full-stack PHP framework. |
CVE-2026-54736 | — | — | — | 2026-07-10 | Phalcon is a high-performance, full-stack PHP framework. |
Ragic · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15552 | Medium | 6.1 | — | 2026-07-13 | Enterprise Cloud Database developed by Ragic has a Stored Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load. |
CVE-2026-15553 | Medium | 5.3 | — | 2026-07-13 | Enterprise Cloud Database developed by Ragic has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload malicious files and make them available for users to download. |
Shay · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57432 | — | — | — | 2026-07-13 | Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. |
CVE-2026-13221 | — | — | — | 2026-07-13 | Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. |
Socket · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59725 | High | 7.5 | — | 2026-07-08 | Socket.IO enables bidirectional and low-latency communication for every platform. |
CVE-2026-59724 | High | 7.5 | — | 2026-07-08 | Socket.IO enables bidirectional and low-latency communication for every platform. |
Spinnaker · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-44795 | High | 8.8 | — | 2026-07-10 | Spinnaker is an open source, multi-cloud continuous delivery platform. |
CVE-2026-55175 | High | 7.5 | — | 2026-07-10 | Spinnaker is an open source, multi-cloud continuous delivery platform. |
Stylemix · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13114 | High | 7.2 | — | 2026-07-11 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and including, 1.4.112 due to insufficient inp… |
CVE-2026-10865 | Medium | 5.3 | — | 2026-07-11 | The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). |
Tilt-dev · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55884 | — | — | — | 2026-07-10 | Tilt defines dev environments as code for microservice apps on Kubernetes. |
CVE-2026-55882 | — | — | — | 2026-07-10 | Tilt defines dev environments as code for microservice apps on Kubernetes. |
Ux-themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57729 | High | 7.5 | — | 2026-07-13 | Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.20.5. |
CVE-2026-57728 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Reflected XSS.This issue affects Flatsome: from n/a through <= 3.20.5. |
Uxper · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57799 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Nuss nuss allows PHP Local File Inclusion.This issue affects Nuss: from n/a through <= 1.3.6. |
CVE-2026-57794 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo Framework golo-framework allows PHP Local File Inclusion.This issue affects Golo Framework: from n/a throug… |
Villatheme · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57422 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Bopo – WooCommerce Product Bundle Builder bopo-woo-product-bundle-builder allows Reflected XSS.This issue affects Bopo – WooCo… |
CVE-2026-57698 | Medium | 6.5 | — | 2026-07-13 | Authentication Bypass Using an Alternate Path or Channel vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Authentication Abuse.This issue affects Abandoned Cart Recovery for WooCommerce… |
Vowelweb · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57776 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in vowelweb VW Wedding vw-wedding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Wedding: from n/a through <= 1.3.7. |
CVE-2026-57774 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in vowelweb VW Food Corner vw-food-corner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Food Corner: from n/a through <= 1.1.0. |
Waooai · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15557 | High | 7.3 | — | 2026-07-13 | A weakness has been identified in waooAI waoowaoo up to 0.4.1. |
CVE-2026-15594 | Low | 3.7 | — | 2026-07-13 | A vulnerability was found in waooAI waoowaoo up to 0.4.1. |
Will-moss · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15542 | High | 7.3 | — | 2026-07-13 | A vulnerability has been found in will-moss Isaiah up to 1.36.9. |
CVE-2026-15541 | High | 7.3 | — | 2026-07-13 | A flaw has been found in will-moss Isaiah up to 1.36.9. |
Wpmu Dev - Your All-in-one Wordpress Platform · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57815 | High | 7.5 | — | 2026-07-13 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Path Traversal.This issue affects Forminator: from n/a through <= 1… |
CVE-2026-57814 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows DOM-Based XSS.This issue affects Forminator: from n/a through… |
2coders · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-7544 | Medium | 4.3 | — | 2026-07-11 | The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. |
4real · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6847 | — | — | — | 2026-07-13 | Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. |
Adrian Tobey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57389 | High | 8.6 | — | 2026-07-13 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Adrian Tobey Groundhogg groundhogg allows Path Traversal.This issue affects Groundhogg: from n/a through <= 4.4.1. |
Ahmadmj · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13262 | Medium | 6.5 | — | 2026-07-11 | The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the… |
Akariasai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15535 | Medium | 6.3 | — | 2026-07-13 | A vulnerability was determined in AkariAsai self-rag up to 1fcdc420e48f50a7d7ab1ece5494221b93252e99. |
Akpali9 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15493 | Low | 3.5 | — | 2026-07-12 | A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee. |
Alioshr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15524 | Low | 3.3 | — | 2026-07-13 | A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1. |
Aman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57411 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views – Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views – C… |
Amtt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15494 | Medium | 4.7 | — | 2026-07-12 | A flaw has been found in AMTT Hotel Broadband Operation System 1.0. |
Andy_moyle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61983 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30. |
Antv · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15598 | Medium | 6.3 | — | 2026-07-13 | A weakness has been identified in antv layout 2.0.0. |
Aojiaozero · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15502 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was detected in AojiaoZero Antaris 1.0. |
Appium · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58500 | High | 8.2 | — | 2026-07-13 | MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. |
Appsbd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57385 | High | 8.5 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appsbd Vitepos vitepos-lite allows Blind SQL Injection.This issue affects Vitepos: from n/a through <= 3.4.2. |
Area 17 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15518 | Medium | 4.7 | — | 2026-07-13 | A vulnerability has been found in AREA 17 Twill CMS up to 3.6.0. |
Argoproj · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-62185 | High | 7.6 | — | 2026-07-13 | Argo CD Helm Chart before 10.0.0 fails to install network policies by default, allowing any pod on a cluster to access repo-server and other Argo APIs. |
Arraytics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13039 | Medium | 5.3 | — | 2026-07-10 | The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. |
Aster Telecom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15482 | High | 7.3 | — | 2026-07-12 | A weakness has been identified in Aster Telecom Azcall 10/11. |
Augmnt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15526 | Low | 3.3 | — | 2026-07-13 | A flaw has been found in augmnt augments-mcp-server 7.1.0. |
Axiomthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57738 | Critical | 9.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through <= 1.13.0. |
Axllent · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55187 | Medium | 5.8 | — | 2026-07-10 | Mailpit is an email testing tool and API for developers. |
Bahmni · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15477 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was detected in Bahmni bahmnicore up to 0.93. |
Baptistearno · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-49213 | High | 8.1 | — | 2026-07-10 | TypeBot is a chatbot builder tool. |
Basix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57668 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.2.2. |
Bdthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57413 | Medium | 6.4 | — | 2026-07-13 | Server-Side Request Forgery (SSRF) vulnerability in bdthemes Instant Image Generator ai-image allows Server Side Request Forgery.This issue affects Instant Image Generator: from n/a through <= 2.1.4. |
Better-auth · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15527 | Medium | 5.3 | — | 2026-07-13 | A vulnerability has been found in better-auth better-icons up to 1.0.5. |
Blender · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-60103 | Medium | 6.1 | — | 2026-07-13 | Blender 3.0.0 through 5.1.2 contains an out-of-bounds read vulnerability that allows attackers to trigger a crash or read adjacent heap memory by supplying a crafted .blend file with a malicious signed short member_index value in the SDNA… |
Blendmedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4661 | High | 7.5 | — | 2026-07-11 | The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. |
Bosh-ecosystem / Bosh (Bosh-cli) · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-47828 | High | 8.8 | — | 2026-07-09 | During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint… |
Brainstorm Force · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57401 | Critical | 9.9 | — | 2026-07-13 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Brainstorm Force SureDash suredash allows Path Traversal.This issue affects SureDash: from n/a through <= 1.8.0. |
Bytecodealliance · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-44216 | High | 7.5 | — | 2026-05-14 | Wasmtime is a runtime for WebAssembly. |
Cakephp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55590 | Medium | 6.1 | — | 2026-07-09 | CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. |
Cap-go · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56296 | Medium | 5.3 | — | 2026-07-11 | Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transfer_app RPC function that returns distinct error messages for existing versus non-existing app IDs. |
Catalyst2020 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5017 | Medium | 4.9 | — | 2026-07-11 | The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and… |
Centreon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-14453 | Critical | 9.6 | — | 2026-07-13 | This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. |
Choijun · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15338 | High | 7.5 | — | 2026-07-11 | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. |
Cockpit Hq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57856 | High | 8.8 | — | 2026-07-13 | Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). |
Codecentric · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-62242 | High | 8.6 | — | 2026-07-13 | Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation again… |
Coderevolution · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57719 | Critical | 10.0 | — | 2026-07-13 | Unrestricted Upload of File with Dangerous Type vulnerability in CodeRevolution Aimogen Pro aimogen-pro allows Using Malicious Files.This issue affects Aimogen Pro: from n/a through <= 2.8.3. |
Codexthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57804 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue… |
Comfast · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15511 | Critical | 9.8 | — | 2026-07-12 | A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. |
Coollabsio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15507 | Medium | 6.3 | — | 2026-07-12 | A vulnerability was detected in coollabsio Coolify up to 4.1.1. |
Corvusinfo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6939 | High | 7.2 | — | 2026-07-11 | The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output esc… |
Coturn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-53449 | Medium | 6.0 | — | 2026-07-10 | Coturn is a free open source implementation of TURN and STUN Server. |
Cozmoslabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61971 | Low | 2.7 | — | 2026-07-13 | Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: fro… |
Creativews · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57787 | High | 8.5 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeWS CWS SVGicons cws-svgicons allows Blind SQL Injection.This issue affects CWS SVGicons: from n/a through <= 1.5.5. |
Crewaiinc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-62240 | High | 7.4 | — | 2026-07-13 | CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. |
Cvat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58373 | Medium | 4.3 | — | 2026-06-30 | CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing c… |
Cyberlord92 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12761 | Critical | 9.8 | — | 2026-07-10 | The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. |
D-link · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15270 | High | 7.5 | — | 2026-07-09 | A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. |
Dan Rossiter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57695 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through <= 5.1.0. |
Dao-ailab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-62239 | Medium | 6.6 | — | 2026-07-13 | FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filterin… |
Dassault Systèmes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-14165 | High | 7.5 | — | 2026-07-13 | An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization. |
Dcooney · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15295 | Medium | 4.4 | — | 2026-07-10 | The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. |
Dokan, Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57706 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan, Inc. |
Elated-themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57793 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Flow flow allows PHP Local File Inclusion.This issue affects Flow: from n/a through <= 1.8. |
Element Invader · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57376 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows DOM-Based XSS.This issue affects ElementIn… |
Eli · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57691 | Medium | 5.8 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli Anti-Malware Security and Brute-Force Firewall gotmls allows Reflected XSS.This issue affects Anti-Malware Security and Brute-Force F… |
Envoyproxy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-47774 | High | 7.5 | — | 2026-06-17 | Envoy is an open source edge and service proxy designed for cloud-native applications. |
Etcd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59818 | Medium | 6.5 | — | 2026-07-08 | etcd is a distributed key-value store for the data of a distributed system. |
Evermind-ai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58499 | High | 8.2 | — | 2026-07-10 | EverOS is a memory runtime for agents. |
Eyecix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57383 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix JobSearch wp-jobsearch allows Stored XSS.This issue affects JobSearch: from n/a through <= 3.2.9. |
F5 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-42055 | High | 8.1 | — | 2026-06-17 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. |
Fahad Mahmood · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57419 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in Fahad Mahmood Stock Locations for WooCommerce stock-locations-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stock Locations for WooCommerce… |
Favethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57768 | High | 8.2 | — | 2026-07-13 | Incorrect Privilege Assignment vulnerability in favethemes Houzez Login Register houzez-login-register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through <= 3.3.3. |
Filebrowser · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61874 | Low | 3.1 | — | 2026-07-12 | filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. |
Flintop · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57396 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flintop Free Gifts for WooCommerce free-gifts-for-woocommerce allows Stored XSS.This issue affects Free Gifts for WooCommerce: from n/a t… |
Flowise · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56271 | Critical | 9.8 | — | 2026-07-12 | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication mid… |
Flux159 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61459 | Critical | 9.8 | — | 2026-07-10 | MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying reso… |
Fluxbuilder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57375 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4. |
Form-data · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12143 | High | 7.5 | — | 2026-06-12 | form-data is a library for creating readable multipart/form-data streams. |
Freshlabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1382 | Medium | 6.4 | — | 2026-07-11 | The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplie… |
Funnelkit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57816 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows Reflected XSS.This issue affects Funnel Builder by FunnelKit: from n/a throug… |
Gallerycreator · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5743 | Medium | 6.4 | — | 2026-07-11 | The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. |
Genolve · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1359 | High | 8.8 | — | 2026-07-11 | The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. |
Gigabyte · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-9492 | High | 7.8 | — | 2026-07-13 | The MBStorage DRAM lighting control module within Gigabyte Control Center (GCC) developed by GIGABYTE Technology has an Improper Access Control vulnerability. |
Gimp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2050 | High | 7.8 | — | 2026-06-24 | GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. |
Glarysoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15684 | High | 7.3 | — | 2026-07-13 | Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability. |
Go-shiori · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61463 | High | 8.8 | — | 2026-07-13 | Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. |
Google Cloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-14934 | — | — | — | 2026-07-13 | A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authentica… |
Gotenberg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55229 | High | 7.5 | — | 2026-07-10 | Gotenberg is a Docker-powered stateless API for PDF files. |
Gpsd_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58459 | High | 7.8 | — | 2026-07-09 | gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads i… |
Guzzle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59883 | Medium | 4.7 | — | 2026-07-08 | Guzzle is an extensible PHP HTTP client. |
H2o · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55213 | High | 7.5 | — | 2026-07-10 | h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. |
H3c · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15479 | High | 7.3 | — | 2026-07-12 | A vulnerability was found in H3C NX15 V100R017. |
Haarg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57433 | — | — | — | 2026-07-13 | Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. |
Hamsalam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61956 | High | 7.1 | — | 2026-07-13 | Cross-Site Request Forgery (CSRF) vulnerability in hamsalam ووسلام – همگام سازی ووکامرس و باسلام sync-basalam allows Cross Site Request Forgery.This issue affects ووسلام – همگام سازی ووکامرس و باسلام: from n/a through <= 1.9.1. |
Hannan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61955 | High | 7.6 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hannan گرویتی فرم فارسی persian-gravity-forms allows Blind SQL Injection.This issue affects گرویتی فرم فارسی: from n/a through <= 3.0.2. |
Hclsoftware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56460 | Medium | 6.5 | — | 2026-07-09 | HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system. |
Hcr707305003 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15488 | High | 7.3 | — | 2026-07-12 | A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3. |
Helicone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15508 | Medium | 6.3 | — | 2026-07-12 | A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. |
Hestiacp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30007 | High | 8.8 | — | 2026-07-10 | HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. |
Hitesh Chandwani · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57365 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA… |
Hmbrand · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-9698 | Critical | 9.8 | — | 2026-06-09 | DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. |
Hono · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56763 | Medium | 4.8 | — | 2026-07-11 | Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. |
Httplib2 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59939 | High | 7.5 | — | 2026-07-08 | httplib2 is a comprehensive HTTP client library for Python. |
Hupe13 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57380 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS.This issue affects Extensions for Leaflet Map: from n/a thr… |
Igweze · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15492 | Medium | 4.3 | — | 2026-07-12 | A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. |
Image-size · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-71319 | High | 7.5 | — | 2026-06-09 | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-ty… |
Itsourcecode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15536 | Medium | 6.3 | — | 2026-07-13 | A vulnerability was identified in itsourcecode Hospital Management System 1.0. |
Jinher · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15517 | High | 7.3 | — | 2026-07-13 | A flaw has been found in Jinher OA 1.0. |
Jonasbn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58101 | — | — | — | 2026-07-13 | Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference. |
Jose Vega · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61952 | Medium | 4.9 | — | 2026-07-13 | Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Produ… |
Jpadilla · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-48526 | High | 7.4 | — | 2026-05-28 | PyJWT is a JSON Web Token implementation in Python. |
Jwsthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57789 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Aqua aqua allows PHP Local File Inclusion.This issue affects Aqua: from n/a through <= 5.1.2. |
Klosk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15525 | Medium | 6.3 | — | 2026-07-13 | A vulnerability was detected in kLOsk adloop up to 0.9.0. |
Knitpay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57424 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in knitpay Razorpay Payment Links for WooCommerce rzp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay Payment Links for WooCommerce: from n… |
Kodezen Llc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57386 | High | 8.8 | — | 2026-07-13 | Incorrect Privilege Assignment vulnerability in Kodezen LLC aBlocks ablocks allows Privilege Escalation.This issue affects aBlocks: from n/a through < 2.9.1. |
Kofi Mokome · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57423 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows Reflected XSS.This issue affects Message Filter for Contact Form… |
Lamaalrajih · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15528 | Low | 3.3 | — | 2026-07-13 | A vulnerability was found in lamaalrajih kicad-mcp up to 3.3.1. |
Langchain4j · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55405 | High | 7.6 | — | 2026-07-10 | LangChain4j is a Java library for building LLM-powered applications on the JVM. |
Latepoint · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57714 | Critical | 9.3 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LatePoint LatePoint latepoint allows Blind SQL Injection.This issue affects LatePoint: from n/a through <= 5.6.3. |
Leap13 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12141 | Medium | 4.9 | — | 2026-07-11 | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insuf… |
Lustmored · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3367 | Medium | 4.4 | — | 2026-07-11 | The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. |
M2team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55780 | — | — | — | 2026-07-10 | NanaZip is the 7-Zip derivative intended for the modern Windows experience. |
Mailerpress Team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57410 | High | 8.8 | — | 2026-07-13 | Incorrect Privilege Assignment vulnerability in MailerPress Team MailerPress mailerpress allows Privilege Escalation.This issue affects MailerPress: from n/a through <= 2.0.2. |
Makafeli · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15521 | Medium | 5.3 | — | 2026-07-13 | A vulnerability was identified in makafeli n8n-workflow-builder up to 0.11.0. |
Marcus (Aka @Msykes) · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57713 | High | 8.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6. |
Mariadb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-44172 | Critical | 9.8 | — | 2026-06-12 | MariaDB server is a community developed fork of MySQL server. |
Masaakitanaka · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15335 | High | 7.5 | — | 2026-07-11 | The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form<N>) in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of suffi… |
Mediawiki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13707 | High | 7.6 | — | 2026-07-01 | Session fixation vulnerability in Wikimedia Foundation OAuth. |
Melograno Venture Studio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57702 | Critical | 9.3 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Melograno Venture Studio Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.4.2. |
Merkulove · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57783 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in merkulove Speaker speaker allows Stored XSS.This issue affects Speaker: from n/a through <= 4.1.13. |
Metabase · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59827 | Critical | 9.9 | — | 2026-07-09 | Metabase is an open-source business intelligence and embedded analytics tool. |
Metagauss · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57697 | High | 7.5 | — | 2026-07-13 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Password Recovery Exploitation.This issue affects ProfileGrid : from n/a through <= 5… |
Metasoft 美特软件 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15514 | High | 7.3 | — | 2026-07-13 | A weakness has been identified in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. |
Mikado-themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57792 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through <= 2.4.1. |
Miniorange Security Software Pvt Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57807 | Critical | 9.8 | — | 2026-07-10 | Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security Software Pvt Ltd. |
Minitool · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15475 | Medium | 5.3 | — | 2026-07-12 | A weakness has been identified in MiniTool Partition Wizard up to 13.6. |
Misp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-62143 | — | — | — | 2026-07-13 | A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules. |
Mitchell Bennis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57382 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Reflected XSS.This issue affects Simple File List: from n/a through <= 6.3.8. |
Mura Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12257 | — | — | — | 2026-07-13 | Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. |
Netrr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57420 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Netrr Author Box WP Lens author-box-for-divi allows Stored XSS.This issue affects Author Box WP Lens: from n/a through <= 2.1.5. |
Nexcess · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57705 | High | 7.5 | — | 2026-07-13 | Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5. |
Nextendweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12385 | Medium | 4.3 | — | 2026-07-13 | The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. |
Nezhahq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59155 | — | — | — | 2026-07-10 | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. |
Nicu_m · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-14262 | High | 8.8 | — | 2026-07-11 | The Simple JWT Login – Allows you to use JWT on REST endpoints. |
Nootheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57368 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a through <= 4.8.5. |
Ollama · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15685 | High | 7.5 | — | 2026-07-13 | Ollama downloadBlob Improper Validation of Array Index Denial-of-Service Vulnerability. |
Openbsd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55706 | Medium | 5.8 | — | 2026-06-17 | sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths. |
Openplc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-14480 | Critical | 9.9 | — | 2026-07-10 | OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow. |
Openresty · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55233 | High | 7.5 | — | 2026-07-10 | OpenResty is a high performance web platform. |
P11-kit_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13757 | Medium | 6.2 | — | 2026-06-29 | A flaw was found in p11-kit. |
Parse-community · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61448 | — | — | — | 2026-07-11 | Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. |
Peachpayments · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57408 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 4… |
Pglombardo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61458 | High | 7.5 | — | 2026-07-13 | PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. |
Phil Kurth · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57378 | High | 7.5 | — | 2026-07-13 | Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7. |
Phoca.cz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57828 | — | — | — | 2026-07-11 | The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE. |
Phoenixframework · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-58228 | — | — | — | 2026-07-13 | Cross-site scripting vulnerability in phoenixframework phoenix_live_view allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. |
Picu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57387 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in picu picu picu allows Stored XSS.This issue affects picu: from n/a through <= 3.5.1. |
Pig-mesh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15512 | Medium | 6.3 | — | 2026-07-13 | A vulnerability was identified in pig-mesh Pig up to 3.9.2. |
Pipecat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-54695 | High | 7.5 | — | 2026-07-09 | Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. |
Plugin Envision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57780 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plugin Envision Envision Page Builder envision-page-builder allows DOM-Based XSS.This issue affects Envision Page Builder: from n/a throu… |
Pluginsglpi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11321 | Medium | 6.4 | — | 2026-07-10 | The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. |
Postmagthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6801 | Medium | 5.3 | — | 2026-07-11 | The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. |
Presstigers · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57782 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through <= 1.2.0. |
Prestashop · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-14846 | — | — | — | 2026-07-13 | In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. |
Primefaces · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15538 | Medium | 6.3 | — | 2026-07-13 | A weakness has been identified in primefaces primereact up to 10.9.8. |
Printfriendly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-9738 | Medium | 4.4 | — | 2026-07-11 | The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content_position_css' parameter in all versions up to, and including, 5.5.10 due to insufficient input sanitization and outpu… |
Progress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-8037 | Critical | 9.6 | — | 2026-06-04 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endp… |
Properfraction · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57813 | Critical | 9.8 | — | 2026-07-13 | Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue affects MailOptin: from n/a through <= 1.2.77.3. |
Property Hive · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57381 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows Reflected XSS.This issue affects PropertyHive: from n/a through <= 2.2.3. |
Protobufjs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59876 | Medium | 4.8 | — | 2026-07-08 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
Prowler-cloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59151 | Critical | 9.6 | — | 2026-07-10 | Prowler is a cloud security platform. |
Proxy &Amp; Vpn Blocker · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57399 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy & VPN Blocker: from n/a… |
Psm Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57711 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PSM Plugins SupportCandy supportcandy allows Stored XSS.This issue affects SupportCandy: from n/a through <= 3.4.8. |
Purethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57786 | High | 8.8 | — | 2026-07-13 | Cross-Site Request Forgery (CSRF) vulnerability in purethemes WorkScout-Core workscout-core allows Authentication Bypass.This issue affects WorkScout-Core: from n/a through <= 1.7.08. |
Pypa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59890 | Medium | 6.1 | — | 2026-07-08 | setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. |
Qiling · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15476 | Medium | 5.3 | — | 2026-07-12 | A security vulnerability has been detected in QILING Disk Master 6.0.0.0. |
Rainafarai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-7620 | Medium | 4.3 | — | 2026-07-11 | The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. |
Rclone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-49980 | Critical | 9.8 | — | 2026-06-24 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. |
Rd Station Conversas · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4765 | — | — | — | 2026-07-13 | Stored Cross-Site Scripting (XSS) vulnerability in the RD Station Conversas chat. |
Realmag777 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57409 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows DOM-Based XSS.This issue affects Active P… |
Realtyna · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57811 | Critical | 10.0 | — | 2026-07-13 | Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows Remote Code Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through… |
Redefiningtheweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-7559 | Medium | 4.3 | — | 2026-07-11 | The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. |
Rextheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57417 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme Cart Lift cart-lift allows Stored XSS.This issue affects Cart Lift: from n/a through <= 3.1.57. |
Richardperdaan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-8678 | Medium | 4.3 | — | 2026-07-11 | The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. |
Robin-w · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15010 | Medium | 6.4 | — | 2026-07-11 | The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. |
Room 34 Creative Services, Llc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59516 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1. |
Roxnor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57406 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6. |
Rsjoomla.com · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57827 | — | — | — | 2026-07-11 | The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. |
Rustdesk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57850 | High | 8.3 | — | 2026-07-10 | RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options re… |
Saadiqbal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12738 | Medium | 4.3 | — | 2026-07-11 | The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. |
Samsung Open Source · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15551 | Medium | 5.5 | — | 2026-07-13 | Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Overflow Buffers. |
Saurabhsharma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57798 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SaurabhSharma NewsPlus Shortcodes newsplus-shortcodes allows PHP Local File Inclusion.This issue affects NewsPlus Shor… |
Secureage · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15506 | High | 7.8 | — | 2026-07-12 | A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. |
Sergey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59515 | Critical | 9.3 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through <= 1.5.4. |
Sergomanov · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15498 | High | 7.3 | — | 2026-07-12 | A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c. |
Servicenow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6875 | — | — | — | 2026-07-13 | ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. |
Shapedplugin Llc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59521 | High | 7.2 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15. |
Siteground · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57416 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SiteGround SiteGround Email Marketing siteground-email-marketing allows Stored XSS.This issue affects SiteGround Email Marketing: from n/… |
Skillable · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56877 | Medium | 6.3 | — | 2026-07-13 | The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. |
Smackcoders · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13353 | High | 8.8 | — | 2026-07-11 | The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. |
Solacewp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13250 | Medium | 5.3 | — | 2026-07-11 | The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. |
Sovlix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57781 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in Sovlix MeetingHub meetinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MeetingHub: from n/a through <= 1.25.10. |
Spacetime · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57693 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spacetime Ad Inserter ad-inserter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ad Inserter… |
Spring · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40984 | High | 7.5 | — | 2026-06-09 | In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. |
Stanford · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-54499 | High | 7.5 | — | 2026-07-08 | Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. |
Starboardsuite · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13968 | Medium | 6.4 | — | 2026-07-11 | The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficien… |
Subratamal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12103 | Medium | 4.3 | — | 2026-07-11 | The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. |
Supercleanse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12426 | Medium | 5.3 | — | 2026-07-11 | The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. |
Surecart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-7655 | High | 8.1 | — | 2026-07-11 | The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. |
Surflabtech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3552 | Medium | 4.3 | — | 2026-07-11 | The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. |
Tangible · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57391 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3. |
Tencent · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15515 | High | 7.0 | — | 2026-07-13 | A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301. |
Tenda · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15543 | High | 8.8 | — | 2026-07-13 | A vulnerability was found in Tenda CH22 1.0.0.1. |
Thales Cert · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13014 | — | — | — | 2026-07-13 | A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cro… |
Themebeez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57779 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in themebeez Fascinate fascinate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fascinate: from n/a through <= 1.1.5. |
Themefusion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-12536 | Medium | 6.4 | — | 2026-07-13 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. |
Themegoods · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57770 | Critical | 9.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object Injection.This issue affects Grand Photography: from n/a through <= 5.7.8. |
Themehunk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57405 | High | 7.1 | — | 2026-07-13 | Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1. |
Themeisle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61970 | Medium | 4.9 | — | 2026-07-13 | Server-Side Request Forgery (SSRF) vulnerability in Themeisle Auto Featured Image (Auto Post Thumbnail) auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through <… |
Themelexus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57795 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Kitchor kitchor allows PHP Local File Inclusion.This issue affects Kitchor: from n/a through <= 1.4.3. |
Thimpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11901 | Medium | 5.3 | — | 2026-07-11 | The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. |
Thrivedesk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1832 | Medium | 4.3 | — | 2026-07-11 | The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' AJAX action in all versions up to, and in… |
Tigroumeow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6784 | High | 8.8 | — | 2026-07-11 | The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. |
Tribulant Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57394 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.14. |
Trustindex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11591 | Medium | 4.4 | — | 2026-07-11 | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. |
Tugcantopaloglu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15522 | Medium | 5.3 | — | 2026-07-13 | A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. |
Unlimited Elements · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57718 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Reflected X… |
Usestrix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15519 | Medium | 5.0 | — | 2026-07-13 | A vulnerability was found in usestrix strix up to 1.0.2. |
Videousermanuals · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11898 | Medium | 4.4 | — | 2026-07-11 | The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. |
Vitec · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-60121 | Critical | 9.8 | — | 2026-07-13 | Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument ha… |
Vlthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57796 | High | 7.5 | — | 2026-07-13 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VLThemes Leedo leedo allows PHP Local File Inclusion.This issue affects Leedo: from n/a through <= 3.0.0. |
Vnotex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15505 | Low | 3.5 | — | 2026-07-12 | A weakness has been identified in vnotex vnote up to 3.20.1. |
Wago · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4769 | Critical | 9.8 | — | 2026-07-13 | Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. |
Wavlink · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15513 | Medium | 6.3 | — | 2026-07-13 | A security flaw has been discovered in Wavlink WL-NU516U1 260515. |
Webaways · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-9017 | Medium | 5.3 | — | 2026-07-11 | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. |
Webcodingplace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57398 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Real Estate Manager Pro real-estate-manager-pro allows Reflected XSS.This issue affects Real Estate Manager Pro: from n/a… |
Webfactory · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-11426 | Medium | 6.5 | — | 2026-07-11 | The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. |
Websockets · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-48779 | High | 7.5 | — | 2026-06-17 | ws is an open source WebSocket client and server for Node.js. |
Winfsp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-7162 | High | 7.8 | — | 2026-07-13 | Successful exploitation of the integer overflow vulnerability could allow an attacker to achieve system-level access to the affected software. |
Wp Grid Builder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13756 | High | 8.8 | — | 2026-07-11 | The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. |
Wp Inventory · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57772 | High | 8.5 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Inventory WP Inventory Manager wp-inventory-manager allows Blind SQL Injection.This issue affects WP Inventory Manager: from n/a throu… |
Wpdesk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57402 | Medium | 6.5 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdesk Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce allows Stored XSS.This issue aff… |
Wpdevart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57778 | Medium | 5.3 | — | 2026-07-13 | Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking… |
Wpdeveloper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57364 | Medium | 6.5 | — | 2026-07-13 | Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More better-payment allows Accessing Functionality Not Properly Constrained… |
Wpdevteam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15155 | High | 8.8 | — | 2026-07-11 | The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insuffic… |
Wpmanageninja · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57715 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja Fluent CRM fluent-crm allows Reflected XSS.This issue affects Fluent CRM: from n/a through <= 3.1.7. |
Wpmessiah · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2354 | High | 8.8 | — | 2026-07-11 | The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. |
Wpovernight · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13116 | Medium | 4.3 | — | 2026-07-11 | The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user co… |
Wppool · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57379 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3. |
Wpswings · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-10628 | Medium | 4.3 | — | 2026-07-11 | The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. |
Wpvibes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-13378 | High | 7.2 | — | 2026-07-11 | The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escap… |
Wpwax · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-59518 | Critical | 9.8 | — | 2026-07-13 | Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through <= 8.8.2. |
Wpxpo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57377 | Medium | 6.5 | — | 2026-07-13 | Missing Authorization vulnerability in WPXPO WowAddons product-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowAddons: from n/a through <= 1.6.8. |
Wpzoom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57712 | High | 7.1 | — | 2026-07-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Portfolio wpzoom-portfolio allows Reflected XSS.This issue affects WPZOOM Portfolio: from n/a through <= 1.4.29. |
Wupsales · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6803 | Medium | 5.3 | — | 2026-07-11 | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. |
X · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56002 | High | 8.5 | — | 2026-07-08 | A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8 allows attackers authenticated as X client to execute code within the X server. |
Xtreeme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3576 | High | 7.2 | — | 2026-07-11 | The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. |
Yashbhalgat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15531 | Medium | 5.3 | — | 2026-07-13 | A vulnerability has been found in yashbhalgat HashNeRF-pytorch up to 82885e698295982504eb6a26d060a6b2473e3706. |
Yt-dlp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-55404 | High | 7.5 | — | 2026-07-08 | yt-dlp and youtube-dl are command-line audio/video downloaders. |
Yzhao062 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-15529 | Medium | 6.3 | — | 2026-07-13 | A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2. |
Zereight · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-61462 | High | 8.6 | — | 2026-07-13 | mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. |
Zitadel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-56666 | Medium | 4.8 | — | 2026-07-10 | ZITADEL is an open source identity management platform. |
Zorem · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-57773 | High | 7.6 | — | 2026-07-13 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zorem Advanced Shipment Tracking for WooCommerce woo-advanced-shipment-tracking allows Blind SQL Injection.This issue affects Advanced Sh… |