NVD disclosure day
CVE-2026-40322
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker can take advantage of an issue in SiYuan by tricking a user into opening a malicious note. This grants the attacker control over the victim's machine, potentially allowing for the theft of sensitive data.
CVE-2026-5426
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Digital Knowledge KnowledgeDeliver has a critical flaw allowing unauthenticated attackers to gain full system control over the internet. This issue, due to hard-coded security secrets, means affected systems are at immediate risk.
CVE-2026-37347
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
The SourceCodester Payroll Management system has a critical flaw allowing anyone on the internet to steal or alter sensitive employee data without needing a password. This is urgent because payroll data is highly sensitive.
CVE-2026-37345
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can exploit the SourceCodester Vehicle Parking Area Management System to access the backend database. This allows them to steal administrative credentials or sensitive parking records, potentially leading to a complete compromise of the system’s data.
CVE-2026-37340
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
SourceCodester's music system has a critical flaw allowing attackers to steal or change your data and potentially take over the service. This is an internet-facing web application, making it a prime target for immediate attention.
CVE-2026-37339
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
SourceCodester Simple Music Cloud Community System, a web application, has a critical flaw allowing unauthenticated attackers to steal or alter all your data. Act now to protect your information.
CVE-2026-37338
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
SourceCodester Simple Music Cloud Community System has a critical flaw that lets attackers steal or change your data over the internet without needing a login. This could expose sensitive information and compromise system integrity.
CVE-2026-33804
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A security flaw in @fastify/middie lets attackers bypass checks on Fastify apps if a specific old setting is active, potentially exposing sensitive data.
CVE-2026-6270
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
@fastify/middie is allowing attackers to bypass authentication and access your application's routes and data without permission. Upgrade immediately to version 9.3.2 to fix this critical security flaw.
CVE-2026-31843
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
The goodoneuz/pay-uz Laravel package has a critical flaw allowing anyone to run malicious code on your server, potentially compromising your entire system. This issue is especially concerning for payment processing systems.
CVE-2024-2374
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
WSO2 products can be tricked into revealing sensitive files or system information because their XML processors allow attackers to provide specially crafted data that causes the system to fetch unwanted content. This could lead to significant data exposure or service disruption.
CVE-2026-3596
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
The WordPress Riaxe Product Customizer plugin has a critical flaw allowing anyone to take full control of your website without needing a password, potentially impacting business operations.
CVE-2026-22619
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker could exploit Eaton Intelligent Power Protector to run unauthorized code on the host system. This allows them to gain administrative control over critical power management infrastructure, potentially compromising the underlying server.
CVE-2026-6350
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
Openfind MailGates/MailAudit has a critical vulnerability allowing unauthenticated attackers to execute any code remotely, potentially compromising your email system.
CVE-2026-6349
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker can exploit a vulnerability in HGiga iSherlock to run unauthorized commands on the server. This allows them to gain full control of the system, potentially resulting in the theft of sensitive information and further unauthorized access to your private company network.
CVE-2026-6348
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker can exploit the WinMatrix agent to gain full admin rights, risking widespread network compromise. This allows them to execute commands and control the entire infrastructure where the agent is deployed.
CVE-2026-40962
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can compromise systems running FFmpeg by tricking them into processing a malicious media file. This could grant the attacker full control over the system, risking unauthorized access or service outages.
CVE-2026-40504
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can exploit a security flaw in Creolabs Gravity by submitting malicious scripts to the application, allowing them to gain full control over the host system. This creates a significant risk of unauthorized access to business data and complete compromise of the underlying infrastructure.
CVE-2026-40959
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An external attacker could exploit Luanti by loading a malicious mod, allowing them to execute unauthorized code and gain administrative control of the server. This matters because it could lead to a complete system compromise.
CVE-2026-4880
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
WordPress sites using the Barcode Scanner plugin are at risk from unauthenticated attackers who can gain full admin control by exploiting a flaw in how user credentials are handled.