NVD disclosure day
CVE-2026-39399
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
A critical flaw in NuGet Gallery allows attackers to execute code or overwrite files by uploading a malicious package, posing a risk to stored content and the server itself.
CVE-2026-35589
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An external attacker can target the nanobot assistant when a user visits a malicious website to take control of their WhatsApp account. This allows the attacker to read private messages, steal sensitive login credentials, and send messages as the user, exposing confidential business communications.
CVE-2026-35033
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Jellyfin, a media server, has a critical flaw allowing anyone to read any file on your server without a password. This issue is now because it's easily exploitable over the internet.
CVE-2026-34457
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
OAuth2 Proxy can be bypassed by attackers in certain configurations, allowing them to access protected resources. This issue impacts internet-facing applications and requires immediate attention to patch or secure.
CVE-2026-34615
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Adobe Connect is vulnerable to code execution, allowing attackers to hijack user accounts or sessions if users click a malicious link. This warrants immediate attention.
CVE-2026-33825
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker with standard user access can exploit a flaw in Microsoft Defender to gain full administrative access. This allows them to disable security software and modify critical policies, creating a risk of unauthorized control over the entire system.
CVE-2026-33824
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
A critical vulnerability in Windows' IKE Extension allows attackers to run code remotely over the network, potentially impacting data security and service availability. This issue warrants immediate attention due to its broad reach and ease of exploitation.
CVE-2026-32202
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
A flaw in the Windows Shell within Microsoft Windows could allow an external attacker to impersonate trusted services and trick users into interacting with malicious resources. This could lead to the theft of sensitive credentials or unauthorized access to corporate systems.
CVE-2026-32201
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Microsoft SharePoint Server has an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network. This could potentially lead to deceptive communications or unauthorized access to information.
CVE-2026-27303
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An external attacker can exploit Adobe Connect by tricking employees into clicking malicious links, enabling the execution of unauthorized code on their devices. This could allow attackers to steal sensitive meeting data and confidential files, resulting in the compromise of organizational information.
CVE-2026-27246
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Adobe Connect has a critical flaw that allows attackers to take over user accounts by tricking them into clicking a malicious link. This needs immediate attention as it can lead to elevated access.
CVE-2026-27245
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Adobe Connect has a critical security flaw allowing attackers to hijack user accounts or sessions by tricking people into clicking malicious links. This could expose sensitive information and requires immediate attention.
CVE-2026-27243
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Adobe Connect has a critical flaw that lets attackers steal accounts or sessions by tricking users into clicking malicious links, potentially exposing sensitive information.
CVE-2026-26149
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An internal attacker with access to Microsoft Power Apps can manipulate displayed information to impersonate trusted sources. This allows them to deceive staff into providing sensitive credentials or accessing unauthorized data, damaging the integrity of internal business operations.
CVE-2025-70023
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical security flaw in the transloadit uppy file upload tool could allow attackers to take control of your services or steal sensitive customer data. This affects internet-facing web applications.
CVE-2026-39813
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An internal attacker can exploit a weakness in Fortinet FortiSandbox to bypass file restrictions and gain unauthorized administrative control. This could allow them to compromise the device, potentially undermining your organization's network defenses.
CVE-2026-39808
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can exploit a flaw in the Fortinet FortiSandbox to run unauthorized commands. This allows them to gain full administrative control of the security appliance, potentially enabling persistent access and deeper intrusion into the corporate network.