NVD disclosure day
CVE-2026-40478
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical flaw in the Thymeleaf Java template engine allows attackers to run unauthorized code on web servers. This means internet-facing applications could be fully compromised if they use unpatched versions and don't properly validate user input.
CVE-2026-40477
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical flaw in Thymeleaf, a Java web component, could let attackers run their own code on your servers by embedding malicious content in web pages, especially when handling user input.
CVE-2026-40351
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
FastGPT has a critical flaw allowing anyone to log in as an administrator without a password, potentially exposing sensitive data and services. Update to version 4.14.9.5 immediately.
CVE-2026-40258
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An internal attacker with owner-level access to the Gramps Web API could exploit the media import feature to save files to unauthorized areas, allowing them to overwrite critical configurations or inject malicious code. This enables full application compromise and control over the underlying server.
CVE-2026-23500
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An internal attacker with administrative access to Dolibarr can modify document settings to run unauthorized commands on the server. This allows them to gain full server control, potentially leading to the theft of sensitive business data and further unauthorized activity on the network.
CVE-2026-40342
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker with specific database permissions can exploit a flaw in the Firebird database to run unauthorized programs. This could allow the attacker to take full control of the host server and access the sensitive business information stored within the system.
CVE-2026-35546
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An external attacker can exploit a flaw in Anviz CX2 Lite and CX7 devices to upload malicious files and take full administrative control. This allows an unauthorized party to compromise the equipment, potentially leading to persistent, long-term remote access.
CVE-2026-32105
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
An xrdp remote desktop flaw allows attackers to alter encrypted traffic without detection, potentially leading to unauthorized access. This issue affects connections not using TLS security.
CVE-2026-40525
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
OpenViking's bot interface has a critical flaw allowing anyone to control bots and access data without a password. This could expose sensitive information and integrations.
CVE-2026-5718
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin has a serious security flaw. Attackers can upload harmful files, potentially taking control of your website. This issue affects internet-facing forms.
CVE-2026-6284
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
Horner Automation PLCs are vulnerable to weak password security, which allows an internal attacker to gain unauthorized system access. This could allow them to modify critical process settings, potentially resulting in operational disruption or the loss of physical control over equipment.
CVE-2026-41153
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
JetBrains Junie contains a flaw that allows an internal attacker to run unauthorized commands by opening a malicious project file. This could grant them full control of a developer's workstation, enabling the theft of sensitive source code and credentials or the compromise of software products.
CVE-2026-37749
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical flaw in the CodeAstro attendance system allows anyone to log in without credentials, potentially exposing sensitive company data. This vulnerability is easily exploitable over the internet.
CVE-2025-15625
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can gain unauthorized access to change sensitive database information in Sparx Pro Cloud Server. This allows them to potentially steal or manipulate critical project data and valuable intellectual property.
CVE-2025-15624
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker with access to the Sparx Pro Cloud Server system files can view stored user passwords in plain text. This allows them to hijack accounts, granting unauthorized access to sensitive project models and administrative functions.
CVE-2025-15623
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Sparx Pro Cloud Server may expose database passwords, allowing unauthorized access to sensitive information. This vulnerability is critical because it can be exploited without authentication and often affects internet-facing systems.
CVE-2026-6443
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Essentialplugin's WordPress plugins contain a secret backdoor, allowing attackers to take control and inject spam into your website. This is a critical security risk requiring immediate attention.