NVD disclosure day

Published threat advisories for June 19, 2026

CVE advisory: CRITICAL

CVE-2026-56081

Cap-go Authentication Logic Flaw Allows Account Takeover

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A flaw in Cap-go's authentication logic allows an attacker to register and control an account using a victim's email address before it's verified. This enables an attacker to gain full account control, including policy enforcement, while denying access to the legitimate user.

CVE advisory: CRITICAL

CVE-2026-48584

Azure Synapse Unnecessary Privilege Execution Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

Azure Synapse has a vulnerability that allows an attacker with network access and existing low privileges to elevate their permissions. This could result in unauthorized access to or modification of data processed by the service. It is important to determine if your organization uses Azure Synapse to understand potenti

CVE advisory: CRITICAL

CVE-2026-48582

Microsoft Exchange Online Privilege Escalation Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical vulnerability in Microsoft Exchange Online allows a privileged attacker to elevate their access over a network, potentially leading to unauthorized control of resources. The issue stems from missing authorization. This threat is external and highly likely given the service's public-facing nature.

CVE advisory: CRITICAL

CVE-2026-45480

Azure Active Directory Privilege Escalation Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An improper authentication vulnerability in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. This could lead to significant unauthorized access and control, impacting confidentiality, integrity, and availability of services and data.

CVE advisory: CRITICAL

CVE-2026-48773

ProxySQL Heap Memory Corruption Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A heap memory corruption vulnerability exists in ProxySQL that could allow unauthenticated remote attackers to cause denial of service or execute code. This affects how ProxySQL handles initial network packets for MySQL and PostgreSQL protocols by processing an oversized first packet length, leading to memory corruptio

CVE advisory: HIGH

CVE-2026-56209

libaom SVC Arbitrary Address Write Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in the libaom AV1 codec implementation allows an attacker to write to arbitrary memory locations by supplying specially crafted video data. This could lead to denial of service or potential code execution in network-facing encoders with Scalable Video Coding enabled, posing a risk to services t

CVE advisory: CRITICAL

CVE-2026-9142

NI grpc-device Insecure Default Credentials Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

An insecure default credentials vulnerability exists in NI grpc-device when TLS is not configured and the server is bound beyond loopback, potentially allowing unauthenticated local network access. This could expose system data or enable unauthorized control of device services.

CVE advisory: CRITICAL

CVE-2026-48137

NI grpc-device Untrusted Pointer Dereference Allows Remote Code Execution

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

An untrusted pointer dereference vulnerability exists in the NI grpc-device API, potentially allowing remote code execution through specially crafted messages. This could impact systems using this API, and it's important to determine if the affected technology is deployed and accessible.

CVE advisory: CRITICAL

CVE-2026-56142

JetBrains Hub Privilege Escalation Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in JetBrains Hub allows privilege escalation by attaching authentication details to accounts. If reachable, this could enable unauthorized users to gain elevated privileges and access sensitive information. Confirming if your environment is affected is important.

CVE advisory: CRITICAL

CVE-2026-44939

Rancher Manager Command Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A command injection vulnerability in Rancher Manager's cluster import endpoint allows remote attackers to execute arbitrary code by exploiting unsanitized YAML parameters, potentially enabling the deployment of malicious containers. This issue could impact cluster management capabilities by allowing unauthorized code e

CVE advisory: CRITICAL

CVE-2026-8713

Avada Fusion Builder Arbitrary File Deletion Leading to Remote Code Execution

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

The Avada (Fusion) Builder WordPress plugin has a critical vulnerability allowing unauthenticated attackers to delete arbitrary server files. This could lead to remote code execution if critical files are deleted, impacting website integrity and availability. Confirmation of plugin use and exposure assessment is advise

CVE advisory: CRITICAL

CVE-2026-54414

FileRise Path Traversal to Admin Account Takeover

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A path traversal vulnerability in FileRise's shared-folder upload endpoint allows an attacker with a valid, upload-enabled shared link to overwrite critical files, enabling administrator account takeover and potential remote code execution. The vulnerability stems from insufficient validation of uploaded filenames, whi

CVE advisory: CRITICAL

CVE-2026-12048

Stored Cross-Site Scripting in pgAdmin 4 Error and Explain Rendering

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A stored cross-site scripting vulnerability in pgAdmin 4 allows attackers to inject HTML and JavaScript by controlling text returned by a PostgreSQL server. This can lead to phishing attacks and user redirection within the pgAdmin interface. The fix involves sanitization, plain-text rendering, and backend HTML escaping

CVE advisory: CRITICAL

CVE-2026-12046

pgAdmin 4 SQL Editor Authentication Bypass Leading to Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A flaw in pgAdmin 4's SQL Editor allows unauthenticated access to sensitive data deserialization functions in server mode. If an attacker also has the Flask SECRET_KEY and write access to the session directory, this could lead to unauthenticated remote code execution on the host running pgAdmin.

CVE advisory: CRITICAL

CVE-2026-12045

pgAdmin 4 AI Assistant SQL Injection via Prompt Injection

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in pgAdmin 4's AI Assistant allows an attacker influencing database content to execute arbitrary SQL. This could lead to unauthorized data modification or remote code execution if the pgAdmin user has elevated privileges, making it crucial to assess if your environment uses this tool and is exposed.