CVE Pulse

Live vulnerability intelligence from EchelonGraph's CVE feed. Search, filter, and explore vulnerabilities affecting cloud infrastructure.

Subscribe via RSS⚡ Why we're the fastest CVE feed →🛡️ Am I affected? →🔌 MCP for Claude & Cursor →

🟢 Live from Backend343,119 active CVEs tracked33,790 Critical104,779 High120,967 Medium9,168 Low169 Withdrawn
Data freshness: Jul 8, 2026, 07:42 PMLast poll: Jul 8, 07:14 PM UTCSync interval: 2h0m0sNext poll: ~09:14 PM UTCPolls: 3
Why is the EG score different from NVD?

The EG score synthesizes 4 sources — NVD CVSS, CISA KEV, FIRST EPSS, and GHSA — rather than relying on CVSS alone. The signals reshape the score in defensible, transparent ways:

When EG sees…NVD-only scoreEG scoreConfidence
KEV listed (exploited in the wild)8.09.0 ▲HIGH
EPSS ≥ 0.85 (highly exploit-likely)6.58.5 ▲HIGH
Only NVD seen, no corroboration9.89.8 ↻LOW · aggregating
3+ sources agree7.57.4 —HIGH

We don't claim "more accurate" — that's not defensible. We claim more sources, with every input shown. Every CVE detail page exposes its rule trigger, confidence, and source breakdown. Read the full methodology →

🔔 CVE Pulse alerts

Get notified before the next critical CVE hits production

Subscribe to real-time or digest emails covering NVD CVEs and the vendor-disclosed advisories that often land days earlier — Microsoft MSRC, Red Hat, GitHub GHSA.

  • Critical + High CVEs in your inbox, no scrolling required
  • Vendor advisories surfaced the moment they're published
  • Choose real-time, daily, weekly, or monthly cadence

Free · Unsubscribe in one click · No marketing email

Discovered in Last 24 Hours(20)
CVE-2026-59804Pre-NVD 6.86.8
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:vulncheck

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, which performs no Origin header validation and requires no authentication token. Attackers can connect from any web page visited by the victim to seize the single-client slot, intercept and inject automation commands, exfiltrate command-payload data, or unconditionally terminate the server by supplying the MIDSCENE_BRIDGE_SIGNAL_KILL query parameter.

MEDIUMJul 8
CVE-2026-59803Pre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:vulncheck

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size guard, protocol.MaxMessageLength, is checked against the compressed on-the-wire frame length, not the decompressed size, so it provides no protection. Because decoding (and decompression) occurs in readRequest before authentication, a single unauthenticated connection can send a small (under 2 MB) gzip-compressed message that expands to gigabytes of heap allocation, leading to out-of-memory conditions and service unavailability.

HIGHJul 8
CVE-2026-59802Pre-NVD 8.28.2
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.2 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:vulncheck

PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.

HIGHJul 8
CVE-2026-8649Pre-NVD 6.46.4
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.4 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:progresssoftware

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: before 2026.0.0, before 2025.1.3, before 2025.0.7.

MEDIUMJul 8
CVE-2026-58251Pre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.

MEDIUMJul 8
CVE-2026-55404Pre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.

HIGHJul 8
CVE-2026-60104Pre-NVD 7.37.3
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:vulncheck

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.

HIGHJul 8
CVE-2026-59936Pre-NVD 8.78.7
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.7 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.1, an attacker can craft a PDF with a page content stream containing a not terminated inline image, causing an infinite loop during inline image end marker detection such as when extracting page text. This issue is fixed in version 6.14.1.

HIGHJul 8
CVE-2026-59935Pre-NVD 8.78.7
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.7 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.2, an attacker can craft a PDF with a page content stream containing a not terminated inline image that uses the ASCII85 or ASCIIHex filters, causing an infinite loop during parsing such as when extracting page text. This issue is fixed in version 6.14.2.

HIGHJul 8
CVE-2026-59939Pre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.

HIGHJul 8
CVE-2026-59947Pre-NVD 4.74.7
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 4.7 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2.

MEDIUMJul 8
CVE-2026-59948Pre-NVD 7.07.0
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.0 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.

HIGHJul 8
CVE-2026-59819Pre-NVD 2.12.1
EchelonGraph scoreLOW confidence

This low-severity CVE scores 2.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.10-stable, LiteLLM's /health/test_connection endpoint resolved request-supplied environment and OIDC file references in litellm_params, allowing a proxy administrator or another privileged caller with permission to test model connections to read files from the local filesystem via an oidc/file/ reference. This issue is fixed in version 1.83.10-stable.

LOWJul 8
CVE-2026-59946Pre-NVD 6.16.1
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.

MEDIUMJul 8
CVE-2026-59822Pre-NVD 8.88.8
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key validation with an empty UserAPIKeyAuth() object, allowing requests to reach MCP tooling without a valid LiteLLM key. This issue is fixed in version 1.84.0.

HIGHJul 8
CVE-2026-59820Pre-NVD 6.16.1
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.7-stable, LiteLLM Skills archive extraction did not sufficiently validate file paths from uploaded skill ZIP archives, allowing an authenticated user with access to LiteLLM LLM API routes or a key whose allowed_routes includes /v1/skills, anthropic_routes, or llm_api_routes to upload a crafted skill archive containing path traversal entries that could be written outside the intended extraction or staging directory. This issue is fixed in version 1.83.7-stable.

MEDIUMJul 8
CVE-2026-55575Pre-NVD 8.28.2
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.2 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.27.1, the pop array filter at src/filters/array.ts allocated a full clone of its input array via [...toArray(v)] without calling this.context.memoryLimit.use(...), allowing a template render such as {{ huge_array | pop }} to allocate an O(N) clone of an attacker-influenced array outside the configured memoryLimit budget. This issue is fixed in version 10.27.1.

HIGHJul 8
CVE-2026-58501Pre-NVD 5.95.9
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.9 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.

MEDIUMJul 8
CVE-2026-59821Pre-NVD 2.12.1
EchelonGraph scoreLOW confidence

This low-severity CVE scores 2.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.82.0-stable, LiteLLM's Custom Code Guardrails production create and update paths did not apply the same sandboxing and validation used by the test endpoint, allowing a privileged user with access to create or update guardrails to submit custom Python code that executed in the LiteLLM proxy environment and could expose secrets available to the process. This issue is fixed in version 1.82.0-stable.

LOWJul 8
CVE-2026-49944Pre-NVD 0.0

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

NONEJul 8
Top Critical CVEs(12)
CVE-2026-9074Pre-NVD 9.19.1
EchelonGraph scoreHIGH confidence

Score 9.1 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, secondary

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

CRITICALJul 8
CVE-2026-59873Pre-NVD 9.29.2
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.2 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.

CRITICALJul 8
CVE-2026-59702Pre-NVD 9.39.3
EchelonGraph scoreHIGH confidence

Score 9.3 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.3; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, secondary

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to access private network addresses, GCP metadata services, or local filesystem paths.

CRITICALJul 8
CVE-2026-15062Pre-NVD 9.69.6
EchelonGraph scoreHIGH confidence

Score 9.6 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.6; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, secondary

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API by supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query, or by including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv(). Successful exploitation may result in source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.

CRITICALJul 8
CVE-2026-54061Pre-NVD 9.19.1
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.1 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: secondary

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and send Badger stream data to the target group’s store. In addition, the receiver calls `Prepare()` before processing the stream. This operation deletes and replaces the existing DB data. Version 25.3.5 patches the issue.

CRITICALJul 8
CVE-2026-58480Pre-NVD 9.89.8
EchelonGraph scoreHIGH confidence

Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, secondary

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.

CRITICALJul 8
CVE-2026-8307Pre-NVD 9.89.8
EchelonGraph scoreHIGH confidence

Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, secondary

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.

CRITICALJul 8
CVE-2026-41042Pre-NVD 9.1

Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter. Vulnerability in Apache Gravitino. This issue affects Apache Gravitino: before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue. This issue only happens when using H2, and H2 is mainly used for testing and local development. Also, Gravitino is typically deployed in the internal environment, so the severity is low.

CRITICALJul 8
CVE-2026-56000Pre-NVD 9.09.0
EchelonGraph scoreMEDIUM confidence

This critical-severity CVE scores 9.0 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.2%, top 88% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, secondary

Local attackers with a X connection able to provide GLX commit to the X server xorg-server before 21.2.24 and xwayland before 24.1.13 could cause a Heap Use After Free, due to CommonMakeCurrent() pointing into potentially reallocated memory.

CRITICALJul 8
CVE-2026-9695Pre-NVD 9.89.8
EchelonGraph scoreHIGH confidence

Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary

An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.

CRITICALJul 8
CVE-2026-12153Pre-NVD 9.89.8
EchelonGraph scoreHIGH confidence

Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. the CNA's CVSS baseline 9.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:wordfence, epss, ghsa

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.

CRITICALJul 8
CVE-2026-14487Pre-NVD 9.19.1
EchelonGraph scoreHIGH confidence

Score 9.1 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-08. a secondary CVSS source baseline 9.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source, meaning neither control presents a real authorization boundary.

CRITICALJul 8
Vendor-Disclosed Advisories — pre-NVD(593 disclosed before NVD)

Microsoft, Red Hat, GitHub, and other vendors publish security advisories before NVD assigns a CVE-ID. We track those too — full feed at /pulse/vendor-advisories →

PAN-SA-2026-0010High

PAN-SA-2026-0010 Chromium and Prisma Browser: Monthly Vulnerability Update (July 2026)

Palo Alto Networks Security AdvisoriesJul 8
GHSA-f66q-9rf6-8795Medium

Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion

GitHub Security AdvisoriesJul 7
GHSA-q855-8rh5-jfgqMedium

ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path

GitHub Security AdvisoriesJul 7
GHSA-cwv4-h3j5-w3cfLow

rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path

GitHub Security AdvisoriesJul 7
GHSA-gq4g-fpc9-vjfqLow

Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection

GitHub Security AdvisoriesJul 7
GHSA-j8v8-g9cx-5qf4High

@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers

GitHub Security AdvisoriesJul 7
GHSA-2vg6-77g8-24mpLow

Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows

GitHub Security AdvisoriesJul 7
GHSA-9h47-pqcx-hjr4High

Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default

GitHub Security AdvisoriesJul 7
GHSA-86j7-9j95-vpqjHigh

Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp

GitHub Security AdvisoriesJul 7
GHSA-p2fr-6hmx-4528Medium

@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators

GitHub Security AdvisoriesJul 7
GHSA-7856-g3gv-9wq8Low

netfoil: Attacker controlled data written to logs

GitHub Security AdvisoriesJul 7
GHSA-3g4q-2f67-2gvhLow

netfoil has a resource leak in LRU cache

GitHub Security AdvisoriesJul 7
Category
Severity

Showing published CVEs (default). Rejected/withdrawn CVEs are hidden.

Loading...

Tools & resources

Everything in the CVE Pulse, in the form you need it — a quick check, your AI tools, your code, or your inbox.