NVD disclosure day
CVE-2026-28780
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
Apache HTTP Server contains a flaw that allows an internal attacker to send malicious data, potentially causing a system crash or full server compromise. This vulnerability could lead to critical service outages and unauthorized access to sensitive systems.
CVE-2026-40331
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
Masa CMS has a critical flaw in its API that lets anyone access sensitive data, like admin passwords, without needing an account. This could expose your customer information and system access.
CVE-2026-40330
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Masa CMS has a critical flaw allowing unauthenticated attackers to steal or delete your sensitive data and potentially control your database. This issue is a high priority for immediate attention.
CVE-2026-40329
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
Masa CMS has a critical flaw that lets attackers steal data or take over your systems. This issue is exposed online and can be exploited remotely by anyone without needing a password.
CVE-2026-34084
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical flaw in PhpSpreadsheet lets attackers execute code or spy on your systems by tricking it into opening malicious spreadsheet files, impacting applications that handle user uploads.
CVE-2026-33324
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An internal attacker can manipulate SQLBot’s chat interface to execute unauthorized commands on the underlying database server. This could allow them to take full control of the server and compromise sensitive company data.
CVE-2026-38428
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An external attacker can manipulate the database in the Kestra platform by sending malicious web requests. This could allow unauthorized access to sensitive business workflows, system configurations, and stored credentials, putting proprietary data at risk.
CVE-2026-27960
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
An unauthenticated flaw in OpenCTI lets attackers access any user account, including administrators, through its API. This critical vulnerability poses a significant risk to sensitive cyber threat intelligence data.
CVE-2026-38431
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An internal attacker with email template editing rights can run unauthorized commands to gain full control of the ERPNext server. This enables them to steal sensitive business data and compromise the core systems that support daily operations.
CVE-2026-38429
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
OpenCMS allows an internal attacker with administrative access to view sensitive server files by uploading a malicious file through the file import tool. This exposure could reveal system credentials or configuration data, which may be used to compromise the entire server.
CVE-2026-7411
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An external attacker can exploit a file upload vulnerability in the Eclipse BaSyx Java Server SDK to place malicious files on the server. This allows them to run unauthorized code, resulting in a complete loss of control over the system and the data it manages.
CVE-2026-43071
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker with administrative access to Linux kernel boot configurations could force a system crash or leak sensitive memory data. This flaw compromises system stability and the integrity of the underlying operating environment.
CVE-2026-43067
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker with existing system access could manipulate the Linux ext4 file system to corrupt data or cause a system crash. This could result in the loss of data integrity and the disruption of critical server operations.
CVE-2026-34002
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker can exploit a flaw in the X.Org X server to access private data or force a system crash. This allows unauthorized access to sensitive information like credentials and can disrupt key desktop operations, posing a risk to data security and workflow continuity.
CVE-2026-34000
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
A critical flaw in the X.Org X server lets attackers read sensitive memory or crash systems remotely. This demands immediate attention as it can expose data or disrupt operations without user interaction.
CVE-2026-36356
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
MeiG Smart devices have a critical flaw allowing anyone to run commands on the device over the internet without a password, potentially leading to full device takeover.
CVE-2026-34408
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
An issue with Gambio's password reset function could allow anyone with an account ID to take over customer accounts. This is a serious risk for online businesses using Gambio, as it could lead to unauthorized access and data compromise.
CVE-2026-43566
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical flaw in OpenClaw allows attackers to gain unauthorized control by tricking the system with fake events. This could let them keep elevated privileges when they shouldn't, potentially leading to serious security breaches.
CVE-2026-43534
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
OpenClaw has a critical flaw allowing unauthenticated attackers to inject malicious commands and gain control of systems by tricking it into running untrusted code. This impacts internet-facing systems.
CVE-2023-54344
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An external attacker can exploit the Eclipse Equinox OSGi management console to seize full control of the system without authentication. This allows them to steal sensitive data and gain a permanent foothold, compromising the security of business applications.
CVE-2023-54342
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
An external attacker can exploit a flaw in the Eclipse Equinox OSGi console to run unauthorized software on the host. This allows them to gain full control of the system, risking unauthorized access to sensitive files and customer data.
CVE-2026-40797
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
WebinarIgnition has a critical flaw allowing attackers to steal sensitive data from your customer database through online webinar registrations. Act now to protect your information.
CVE-2026-5294
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
A critical flaw in the WordPress Geeky Bot plugin lets anyone install malicious software, potentially giving them full control of your website and its data.
CVE-2025-13618
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
The Mentoring WordPress plugin has a critical flaw allowing anyone to become an administrator, potentially giving attackers full control of your website without needing an account. This issue warrants immediate attention.
CVE-2026-5722
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical flaw in the MoreConvert Pro WordPress plugin lets anyone take over user accounts, including administrators, by tricking the system with fake verification codes. This affects public-facing websites and deserves immediate attention.