NVD disclosure day
CVE-2026-42601
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
ArchiveBox has a critical flaw allowing anyone to run commands on your server by sending it bad data, potentially giving attackers full control.
CVE-2026-42571
Halo Surface Signal: 2 out of 5 — less likely to be public-facing.
Pelican allows an internal attacker with a standard account to gain full administrative privileges. This enables unauthorized modification of sensitive system settings and access to restricted data, effectively compromising the platform.
CVE-2026-42569
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
phpVMS, a platform for airline simulation, has a critical flaw allowing anyone online to access a sensitive import feature without a password. Update now to version 7.0.6 or later to protect your system.
CVE-2026-42560
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
The `auth` library has a critical flaw where all Patreon users are mapped to the same account, enabling attackers to access or merge unrelated user data and subscriptions. This is accessible over the internet and demands immediate attention.
CVE-2026-6665
Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.
An internal attacker with control over a connected database can crash the PgBouncer service or compromise the server by sending malformed data. This poses a risk to database availability and could disrupt critical business operations that rely on this connection tool.
CVE-2026-44313
Halo Surface Signal: 3 out of 5 — possibly public-facing.
An internal attacker with access to Linkwarden can force the software to connect to private internal services that should be inaccessible. This could lead to unauthorized access to sensitive business data or allow the attacker to probe other internal systems.