NVD disclosure day
CVE-2026-41242
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can exploit a vulnerability in the Protobufjs library to run malicious code on your systems by submitting specially crafted data. This could enable them to compromise backend services, access sensitive configuration details, or gain full control of your applications.
CVE-2026-40494
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker could exploit a flaw in the SAIL image library by submitting a malicious TGA image file to an application. This could allow the attacker to disrupt business operations or take unauthorized control of the underlying systems.
CVE-2026-40493
Halo Surface Signal: 3 out of 5 — possibly public-facing.
The SAIL image library contains a flaw that allows an external attacker to crash applications or take control of them by sending a malicious image file. This could lead to service disruptions or unauthorized control over business applications.
CVE-2026-40492
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A flaw in the SAIL image library allows attackers to execute code by sending a specially crafted image file, potentially affecting applications that process user-uploaded images.
CVE-2026-40487
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Postiz, an AI social media tool, has a critical flaw allowing authenticated users to upload malicious files and take over other user accounts. Update Postiz immediately.
CVE-2026-40582
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
An issue in ChurchCRM allows unauthorized access to user accounts by bypassing security features like two-factor authentication. This means someone with just a password could access sensitive information and system functions, so updating to version 7.2.0 is critical.
CVE-2026-40484
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can trick an administrator into compromising ChurchCRM, allowing full control over the server and unauthorized access to sensitive member data. This flaw permits the execution of malicious commands that could completely subvert the application’s hosting environment.
CVE-2026-40324
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
A vulnerability in the Hot Chocolate GraphQL server can let attackers crash its entire process with a crafted request, disrupting services and dropping user connections. Update immediately.