Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Common Vulnerability Scoring System49895
0
10
CVE-2026-9323
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9.2||CRITICAL
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:51
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure PRNG and Information Exposure in urwid Web Display Backend

The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and the Mersenne Twister internal state is approximately 19,937 bits, so an attacker who observes approximately 334 session IDs (for example via the X-Urwid-ID HTTP response header) can fully reconstruct the internal state and predict all past and future session IDs (Path B). The same identifier is also used as the filename of a FIFO created in the world-listable /tmp directory (for example /tmp/urwid375487765176907690.in), so any local user on the host can list /tmp to enumerate active session tokens directly (Path A). With a valid session ID, an attacker can read the victim's terminal screen via the polling endpoint, inject keystrokes into the victim's session (yielding OS-level code execution with the session owner's privileges if the session runs a shell), and inject exit sequences or flood the FIFO to terminate or crash the session. A prior Bandit S311 warning on this usage was suppressed with # noqa: S311 rather than fixed

Action-Not Available
Vendor-urwid
Product-urwid
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2025-71392
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9.4||CRITICAL
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.2.2 SurrealQL Injection via export

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a higher-privileged user subsequently imports the exported backup, the injected SurrealQL executes, enabling privilege escalation and root-level takeover of the SurrealDB instance. Applications that let users define custom tables or fields are also exposed to a universal second-order SurrealQL injection even when query parameters are sanitized.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-58366
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9||CRITICAL
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 1.1.1 Format String via Scripting Functions

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throw_type function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-134
Use of Externally-Controlled Format String
CVE-2026-16117
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-10||CRITICAL
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:08
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@fastify/http-proxy vulnerable to prefix escape via URL-encoded characters

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string replace against the decoded prefix. A request that encodes one or more characters of the configured prefix therefore matches the route but skips the rewrite, so the raw encoded path is forwarded to the upstream unchanged. The upstream then decodes the path and serves it, letting an attacker reach upstream paths that the proxy was configured to hide via rewritePrefix, including internal or administrative endpoints. Patches: upgrade to @fastify/http-proxy 11.6.0. Workarounds: none.

Action-Not Available
Vendor-@fastify/http-proxy
Product-@fastify/http-proxy
CWE ID-CWE-20
Improper Input Validation
CVE-2026-16097
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 12:00
Updated-18 Jul, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shibby Tomato Scheduler Name sub_42537C stack-based overflow

A vulnerability was found in Shibby Tomato 1.28. This vulnerability affects the function sub_42537C of the component Scheduler Name Handler. The manipulation of the argument a1 results in stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato.

Action-Not Available
Vendor-Shibby
Product-Tomato
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2026-16096
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 11:15
Updated-18 Jul, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shibby Tomato webmon_recent_domains sub_40BB50 stack-based overflow

A vulnerability has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. This affects the function sub_40BB50 of the file /proc/webmon_recent_domains. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This project is superseded by FreshTomato.

Action-Not Available
Vendor-Shibby
Product-Tomato
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2026-16095
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 10:15
Updated-18 Jul, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shibby Tomato rc setup_conntrack out-of-bounds write

A flaw has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. Affected by this issue is the function setup_conntrack of the file /sbin/rc. Executing a manipulation of the argument ct_tcp_timeout can lead to out-of-bounds write. The attack may be performed from remote. This project is superseded by FreshTomato.

Action-Not Available
Vendor-Shibby
Product-Tomato
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-47865
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 47.67%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Authentication Bypass Vulnerability

VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism. Affected versions: 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-287
Improper Authentication
CVE-2026-54466
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.2||CRITICAL
EPSS-0.45% / 36.00%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 20:53
Updated-17 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
websocket-driver: Message corruption via abuse of protocol length headers

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server parse these bytes into an ever-growing integer in lib/websocket/driver/draft75.js; because JavaScript numbers are 64-bit floating point values, this number will eventually lose precision and lead to the subsequent payload being parsed incorrectly. This issue is fixed in version 0.7.5.

Action-Not Available
Vendor-faye
Product-websocket-driver-node
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2026-55518
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.33% / 25.20%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 20:51
Updated-17 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to 3.32.1 and 4.0.0.beta.51, Avo's association attach workflow checks attach_<association>? in the UI and GET /resources/:resource/:id/:related/new path, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating the association through Avo::AssociationsController#create. An authenticated low-privileged Avo user can bypass hidden or disabled attach controls and directly attach related records to a parent record by sending a crafted POST request, which can lead to privilege escalation and cross-tenant data exposure where associations represent authorization-bearing relationships. This issue is fixed in versions 3.32.1 and 4.0.0.beta.51.

Action-Not Available
Vendor-avo-hq
Product-avo
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-13446
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.21% / 11.65%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 20:43
Updated-17 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints

IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-54159
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.75% / 50.83%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 20:39
Updated-17 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value of a slider filter, price or weight, is taken from the URL without sufficient validation and stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize() in src/Filters/Block.php. By crafting that value, an unauthenticated attacker can smuggle a malicious serialized PHP object into the cache, and when it is deserialized, a gadget chain writes an arbitrary PHP file inside the modules/ps_facetedsearch/ directory, which is then used as a webshell to run commands on the server. This issue is fixed in version 4.0.4.

Action-Not Available
Vendor-PrestaShop S.A
Product-ps_facetedsearch
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-48062
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 35.93%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 20:36
Updated-17 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeIgniter: Uploaded file extension validation bypass in `ext_in` rule

CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif] because the detected MIME type maps to gif, even though the uploaded filename extension is php. Applications are impacted if they accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In those conditions, this may lead to arbitrary code execution. This issue is fixed in version 4.7.3.

Action-Not Available
Vendor-codeigniter4
Product-CodeIgniter4
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-15091
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.3||CRITICAL
EPSS-0.57% / 43.30%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 19:38
Updated-17 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Vulnerabilities in IBM Engineering AI hub.

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary scripts due to improper neutralization of input during web page generation.

Action-Not Available
Vendor-IBM Corporation
Product-Engineering AI Hub
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-63030
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-8.95% / 94.67%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 19:14
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.

Action-Not Available
Vendor-WordPress.org
Product-WordPress
CWE ID-CWE-436
Interpretation Conflict
CVE-2026-60137
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-4.03% / 89.45%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 19:14
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.

Action-Not Available
Vendor-WordPress.org
Product-WordPress
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8476
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.47% / 37.85%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 19:11
Updated-17 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Disk Cache Deserialization Remote Code Execution Vulnerability

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the disk-based caching mechanism. The AsyncDiskCache class uses Python's unsafe pickle.loads() function to deserialize cached objects from disk without validation, integrity verification, or authentication, enabling arbitrary code execution when malicious pickle payloads are processed. Attackers who can influence cached data through file system access, malicious workflow inputs, custom components, or API manipulation can achieve complete system compromise with the privileges of the Langflow server process.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-8481
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.44% / 35.56%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 19:10
Updated-17 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution via Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-8635
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.29% / 20.76%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 19:02
Updated-17 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Code Execution in Python Interpreter Component

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipulating the database, execute arbitrary system commands, and achieve full system compromise with Langflow service permissions.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-8859
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.34% / 26.68%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 18:58
Updated-17 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal in APIRequest Component via Content-Disposition Header

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations due to improper input validation in the APIRequest component. A path traversal vulnerability exists when the "Save to File" feature is enabled, where filenames extracted from HTTP response Content-Disposition headers are not sanitized before being joined to the temporary directory path. An attacker controlling an external HTTP server can supply crafted filename values containing path traversal sequences (e.g., ../), enabling arbitrary file writes to locations accessible by the Langflow process.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-9103
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 33.30%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 18:49
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Superuser Token Issuance via Auto-Login Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-9135
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.80% / 52.42%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 18:48
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9198
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 27.43%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 17:36
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9202
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 21.33%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 17:33
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated User Registration Could Lead to Remote Code Execution

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-12694
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.1||CRITICAL
EPSS-0.24% / 15.44%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:59
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in Vimesoft's Enterprise Video Platform

Missing Authorization vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.

Action-Not Available
Vendor-Vimesoft Inc.
Product-Enterprise Video Platform
CWE ID-CWE-862
Missing Authorization
CVE-2026-54496
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.32% / 23.59%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:59
Updated-17 Jul, 2026 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad 5.0.0, halo2_gadgets 0.5.0, orchard 0.14.0, zcash_primitives 0.28.0, and zcashd 6.20.0, the variable-base scalar multiplication gadget in halo2_gadgets/src/ecc/chip/mul/incomplete.rs used assign_advice() for the base point without a copy constraint tying it to the actual base, allowing a malicious prover to produce a valid proof for an Orchard Action with an under-constrained base point and bypass the diversified-address-integrity check that binds pk_d, g_d, ivk, the nullifier (nf), and the spend validating key (ak) to the note being spent. This issue is fixed in zebrad 5.0.0, halo2_gadgets 0.5.0, orchard 0.14.0, zcash_primitives 0.28.0, and zcashd 6.20.0.

Action-Not Available
Vendor-zcashZcashFoundation
Product-zcashorchardzebrahalo2_gadgetslibrustzcash
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2026-12693
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.4||CRITICAL
EPSS-0.26% / 17.95%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:50
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IDOR in Vimesoft's Enterprise Video Platform

Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.

Action-Not Available
Vendor-Vimesoft Inc.
Product-Enterprise Video Platform
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-12692
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 26.83%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:39
Updated-17 Jul, 2026 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authentication in Vimesoft's Enterprise Video Platform

Unverified password change vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.

Action-Not Available
Vendor-Vimesoft Inc.
Product-Enterprise Video Platform
CWE ID-CWE-620
Unverified Password Change
CVE-2026-9586
Assigner-Security Risk Advisors (SRA)
ShareView Details
Assigner-Security Risk Advisors (SRA)
CVSS Score-9.3||CRITICAL
EPSS-0.41% / 33.26%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 15:57
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB

An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with <PolycomIPPhone> and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.

Action-Not Available
Vendor-Sangoma Technologies Corp.
Product-Switchvox SMB Edition
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8297
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 17.54%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 15:50
Updated-17 Jul, 2026 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQLi in GIS Informatics' GisLab Laboratory Management System

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. GisLab Laboratory Management System allows SQL Injection. This issue affects GisLab Laboratory Management System: from 1.4.03 through 08072026.

Action-Not Available
Vendor-Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc.
Product-GisLab Laboratory Management System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-23564
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-9.1||CRITICAL
EPSS-0.19% / 8.60%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 13:25
Updated-17 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL Aftermarket EPC is affected by Business Logic Vulnerability using which a non valid user of the application can obtain passwords from the server and redirect them to their own email address by manipulating the server's response. The application includes checks in the initial requests to verify the validity of the provided UserId, but similar validation is not applied to Email requests when sending passwords to user emails.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-Aftermarket EPC
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2026-9810
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-0.28% / 19.67%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 06:00
Updated-17 Jul, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Chatbot & Workflow Automation by AIWU < 1.5.4 - Unauthenticated Privilege Escalation via MCP OAuth

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitrary user creation and role escalation.

Action-Not Available
Vendor-Unknown
Product-AI Copilot
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-15982
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 21.30%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 05:35
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function'

The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomatic_call_google_ai_function' function. This makes it possible for unauthenticated attackers to leverage the 'aimogen_wp_god_mode' tool to clear function blacklists and execute arbitrary PHP functions, such as creating administrator accounts.

Action-Not Available
Vendor-CodeRevolution
Product-Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-14956
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 27.42%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 01:30
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. This makes it possible for unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action.

Action-Not Available
Vendor-Bricksforge
Product-Bricksforge
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-62241
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-0.39% / 31.25%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery

clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated attacker can harvest a victim's userId, forge a valid HS256 cg_session cookie offline using the known secret, and call GET /api/v1/auth/me to obtain the victim's email address, subscription plan, and secret apiKey. The published clawvet npm package (CLI only) is not affected.

Action-Not Available
Vendor-MohibShaikh
Product-clawvet
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CVE-2026-62232
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9.1||CRITICAL
EPSS-0.28% / 19.98%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Grav < 2.0.4 2FA Bypass via Secret Regeneration

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF nonce to overwrite the 2FA secret with an attacker-chosen value, compute a valid TOTP code, and complete authentication while reducing 2FA to password-only protection.

Action-Not Available
Vendor-getgrav
Product-grav
CWE ID-CWE-862
Missing Authorization
CVE-2026-51080
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 21.94%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 00:00
Updated-17 Jul, 2026 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 were discovered to contain an XML External Entity (XXE) vulnerability.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-44182
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.35% / 27.00%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 22:05
Updated-17 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jupyter Enterprise Gateway Has Kubernetes Manifest Injection via Jinja2 Template Rendering

Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. In versions prior to 3.3.0, the server interpolates untrusted environment variables (e.g., KERNEL_XXX) into Kubernetes manifests without YAML-aware escaping, enabling YAML injection attacks. Attackers can inject new fields, overwrite critical fields (e.g., duplicate securityContext keys, where the last one prevails), and inject document boundaries (--- for new documents, ... for end-of-document) to generate multiple resources, potentially creating arbitrary types, such as privileged pods. The Jinja2 template for the Kubernetes manifest contains several kernel_xxx variables, such as kernel_working_dir that are used when rendering the manifest and are all vectors for YAML injection. This issue has been fixed in version 3.3.0.

Action-Not Available
Vendor-jupyter-server
Product-enterprise_gateway
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-44181
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.46% / 37.07%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 22:03
Updated-17 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection results in Remote Code Execution

Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. In versions 2.0.0rc2 and above, prior to 3.3.0, the environment variables (KERNEL_XXX) used during the rendering of the Kubernetes manifest are vulnerable to Server Side Template Injection (SSTI). By including Jinja2 template expressions it is possible to execution Python code and OS Commands in the Enterprise Gateway service. The code can use or steal the Kubernetes service account token, which can steal Kubernetes secrets and be used to fully compromise the Kubernetes cluster by scheduling a privileged pod or a pod with a hostPath volume mount. This issue has been fixed in version 3.3.0.

Action-Not Available
Vendor-jupyter-server
Product-enterprise_gateway
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-44180
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 37.21%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:59
Updated-17 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids can be Bypassed

Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. Versions 2.0.0rc1 and above prior to 3.3.0 have a prohibited UID and GID feature that by default prevents launching kernels with UID or GID 0 (root), and this restriction can be bypassed using a specially crafted KERNEL_UID or KERNEL_GID value. This input validation vulnerability allows running Jupyter kernels as root, which can be dangerous as it allows more attack surface, and may lead to container escapes, compromising the worker node and all workloads running on it. Repeated exploitation can compromise all worker nodes, and thus the entire Kubernetes cluster. It is possible to specify volume mounts, so one vector for a container escape is to use a hostPath R/W volume mount, use this UID/GID bypass to run as root, and then gain code execution in the underlying worker node by creating a crontab entry in the mounted host file system. This issue has been fixed in version 3.0.0.

Action-Not Available
Vendor-jupyter-server
Product-enterprise_gateway
CWE ID-CWE-20
Improper Input Validation
CVE-2026-57075
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.39% / 31.68%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:39
Updated-17 Jul, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static table b64_xtable with a signed char, so any !!binary byte >= 0x80 sign-extends to a negative index and reads before the table. The decoder receives the raw bytes of any !!binary node, a standard YAML type not gated by $LoadBlessed or $LoadCode, so it is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document containing a !!binary scalar with a high-bit byte triggers the read, and the value read can surface in the decoded result.

Action-Not Available
Vendor-TODDR
Product-YAML::Syck
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-53412
Assigner-Zoom Communications, Inc.
ShareView Details
Assigner-Zoom Communications, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 39.97%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:15
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zoom Workplace VDI Plugin for Windows - Improper Input Validation

Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via network access.

Action-Not Available
Vendor-Zoom Communications
Product-Zoom Workplace for Windows
CWE ID-CWE-20
Improper Input Validation
CVE-2026-15422
Assigner-0ca53633-f0b5-4853-ba72-e0a2e62000d0
ShareView Details
Assigner-0ca53633-f0b5-4853-ba72-e0a2e62000d0
CVSS Score-9.1||CRITICAL
EPSS-0.51% / 39.97%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 19:29
Updated-17 Jul, 2026 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SCTP needs to better-check INIT ACK chunk parameters

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

Action-Not Available
Vendor-Triton Data CenterOmniOSillumos
Product-illumos-gateOmniOSSmartOS
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-63089
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9||CRITICAL
EPSS-0.24% / 14.78%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 19:28
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WireGuard Easy Weak Token Generation Information Disclosure via OTL Route

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID, as the token is computed using CRC32 over a random value constrained to 0-999. Attackers can enumerate candidate tokens against the unauthenticated /cnf/:oneTimeLink route, which lacks rate limiting and does not validate token expiration, to obtain a peer's PrivateKey and PresharedKey and impersonate that peer on the VPN network.

Action-Not Available
Vendor-wg-easy
Product-wg-easy
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2026-46515
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.32% / 24.43%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 18:17
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3.

Action-Not Available
Vendor-mwtcmi
Product-frogman
CWE ID-CWE-862
Missing Authorization
CVE-2026-46512
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.35% / 27.45%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 18:15
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.

Action-Not Available
Vendor-mwtcmi
Product-frogman
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-45336
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.43% / 34.72%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 17:03
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HireFlow: Use of Hard-coded Credentials

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass authentication. The advisory lists version 1.3 as fixed.

Action-Not Available
Vendor-StratonWebDesigners
Product-HireFlow
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-45568
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.36% / 27.91%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:45
Updated-17 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

zrok is software for sharing web services, files, and network resources. Prior to 2.0.3, zrok's Python SDK ProxyShare Flask proxy route accepts an absolute URL in the request path and passes it to urllib.parse.urljoin, allowing the requested path to replace the configured target host and causing requests.request to return a server-side response from an attacker-chosen URL. This issue is fixed in version 2.0.3.

Action-Not Available
Vendor-openziti
Product-zrok
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-3031
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 32.46%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:22
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library

Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library. Image::EPEG includes Epeg 0.9.0 that was last updated in 2004. Epeg is a fast JPEG thumbnail library that was once part of the Englightenment Project.

Action-Not Available
Vendor-TOKUHIROM
Product-Image::EPEG
CWE ID-CWE-1104
Use of Unmaintained Third Party Components
CVE-2026-57074
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.40% / 32.58%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:15
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML::Bare versions through 0.53 for Perl have an unbounded character lookahead

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Action-Not Available
Vendor-CODECHILD
Product-XML::Bare
CWE ID-CWE-125
Out-of-bounds Read
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 997
  • 998
  • Next