NVD disclosure day

Published threat advisories for June 24, 2026

CVE advisoryCRITICAL

CVE-2026-39955

Cacti SQL Injection Vulnerability in graph_view.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Cacti, an open-source performance and fault management framework, contains a critical pre-authentication SQL injection vulnerability in its graph viewing component that could allow unauthenticated attackers to access or modify sensitive data. This issue is relevant if your organization uses Cacti, as it could impact sy

CVE advisoryCRITICAL

CVE-2026-39948

Cacti SQL Injection Vulnerability Affecting Graph Viewing

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in Cacti, an open-source performance monitoring framework, allowing unauthenticated attackers to compromise database confidentiality and integrity. The flaw is reachable pre-authentication on installations with guest graph viewing enabled. Confirm relevance and exposure of

CVE advisoryCRITICAL

CVE-2026-55666

Rocket.Chat Account Takeover via Forged Apple Tokens.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A vulnerability in Rocket.Chat's Apple OAuth login handler allows attackers to take over user accounts by forging authentication tokens. If an email is missing from an Apple-issued token, the platform may accept an arbitrary email from the request, enabling account takeover. This impacts organizations using Rocket.Chat

CVE advisoryCRITICAL

CVE-2026-55570

SiYuan Marketplace HTML Injection Leads to OS Command Execution.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

SiYuan, a knowledge management system, has a vulnerability where untrusted marketplace package fields can lead to HTML injection. In the desktop client, this can escalate to arbitrary operating system command execution, potentially compromising system and user data. The issue is fixed in version 3.7.0.

CVE advisoryCRITICAL

CVE-2026-55454

Appsmith Caddy API Takesover via SSRF

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

Appsmith's bundled Caddy reverse-proxy has a vulnerability where an authenticated, low-privileged user can take over the proxy's configuration. This is possible by exploiting an SSRF vulnerability to access the unauthenticated admin API internally, potentially impacting the platform's integrity and availability.

CVE advisoryCRITICAL

CVE-2026-54158

SiYuan Cross-Site Scripting and Remote Code Execution Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

SiYuan, a knowledge management system, has a vulnerability where interpolated cell content can execute arbitrary JavaScript when specific panels are opened. This could lead to remote code execution on desktop versions if an attacker can modify a synced workspace, affecting all devices that open the compromised data. Th

CVE advisoryCRITICAL

CVE-2026-54069

SiYuan Note Kernel Trusts All Chrome Extensions

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A critical vulnerability in SiYuan Note's kernel allows any installed browser extension to gain administrator access, potentially enabling data exfiltration and configuration tampering. This issue arises from the kernel's unconditional trust of `chrome-extension://` origins. The primary concern is whether this personal

CVE advisoryCRITICAL

CVE-2026-54067

SiYuan CSS Injection Allows Remote Code Execution

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in SiYuan, a personal knowledge management system, allows for arbitrary JavaScript execution through specially crafted CSS snippets embedded in shared workspaces. This could lead to remote code execution on user devices, even if JavaScript is disabled, by chaining through the system's rendering process.

CVE advisoryCRITICAL

CVE-2026-50551

SiYuan Stored XSS in Attribute View Escalates to RCE in Electron Client

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

SiYuan, an open-source knowledge management system, has a stored cross-site scripting vulnerability that can escalate to remote code execution in its desktop client. This flaw allows an authenticated attacker to potentially run malicious code on a user's system. The relevance and exposure of this technology within the

CVE advisoryCRITICAL

CVE-2026-52813

Gogs Path Traversal to Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Gogs, a self-hosted Git service, allows specially crafted organization names to enable path traversal, leading to remote code execution. This could allow an attacker to store or retrieve repository data in arbitrary filesystem locations, potentially overwriting configurations and compromising the sys

CVE advisoryCRITICAL

CVE-2026-52806

Gogs Pull Request Branch Name Injection RCE Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authenticated user can execute arbitrary code on a Gogs server by creating a pull request with a specially crafted branch name during a rebase operation. This vulnerability, affecting the self-hosted Git service, could allow an attacker to gain unauthorized control over the affected systems.

CVE advisoryCRITICAL

CVE-2026-45689

Rocket.Chat OAuth Token Forgery Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

Rocket.Chat's OAuth server is vulnerable to an unauthenticated token forgery, allowing attackers to obtain valid access tokens for any user, including administrators, by sending a crafted POST request. This could grant unauthorized access to sensitive data and administrative functions, potentially leading to server-sid

CVE advisoryCRITICAL

CVE-2026-45688

Rocket.Chat CAS Login Bypass Leading to Account Takeover

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An unauthenticated attacker can exploit a vulnerability in Rocket.Chat's CAS login handler to bypass authentication by injecting NoSQL operators. This could allow them to impersonate users, including administrators, and gain full access to the platform's functionalities.

CVE advisoryCRITICAL

CVE-2026-33543

FOSSBilling Guest API Allows New Admin Creation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability exists in FOSSBilling, an open-source billing system, allowing an unauthenticated attacker to create a new administrator account via a guest API endpoint. This bypasses existing security checks and grants the attacker full administrative privileges and control over the system. This issue is relevant for

CVE advisoryCRITICAL

CVE-2026-53943

Ghost CMS Cache Poisoning Vulnerability Affects Frontend Rendering

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability exists in Ghost CMS versions prior to 6.37.0 where an unauthenticated user can poison shared caches with altered content via a crafted header. This may allow for the takeover of staff accounts if the frontend and admin panel share a domain, impacting user data and access.

CVE advisoryCRITICAL

CVE-2026-13032

Google Chrome for Android WebGL Use After Free Sandbox Escape

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in Google Chrome's WebGL component on Android could allow a remote attacker to escape the browser's security sandbox by luring a user to a malicious HTML page. This could potentially impact user data and system integrity.

CVE advisoryCRITICAL

CVE-2026-53088

Linux Kernel bcmgenet Off-by-One Error

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Linux kernel's network driver impacts data handling for transmitted packets. If reachable, this could allow for unauthorized access, data compromise, or service disruption. Its critical severity warrants awareness for potential system stability and integrity risks.

CVE advisoryCRITICAL

CVE-2026-53086

Linux Kernel bcmgenet Timeout Handler Race Condition

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Linux kernel's network driver could cause race conditions when handling queue timeouts, potentially impacting system stability and availability. The driver incorrectly attempts to stop all transmission queues when only one times out, which may lead to unintended restarts and disrupt network commu

CVE advisoryCRITICAL

CVE-2026-53055

Linux Kernel Use-After-Free in HiSilicon SEC2 Driver.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in the Linux kernel's cryptographic driver may allow attackers to cause system instability or potentially execute arbitrary code by exploiting a race condition during packet transmission under heavy load. This issue affects hardware-accelerated packet processing.

CVE advisoryCRITICAL

CVE-2026-53049

Linux Kernel GFS2 Log Locking Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A Linux kernel vulnerability in the GFS2 file system's logging mechanism has been resolved. The issue involved missing log locking during concurrent transactions, potentially allowing unauthorized data access or modification. Confirmation of relevance is recommended due to the file system's impact.

CVE advisoryCRITICAL

CVE-2026-53046

Linux Kernel ksmbd Use-After-Free via Async Crypto

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A use-after-free vulnerability exists in the Linux kernel's ksmbd component related to asynchronous crypto operations. This flaw could allow a reachable attacker to trigger a system crash due to premature memory freeing while hardware operations are ongoing. This impacts system stability and availability.

CVE advisoryCRITICAL

CVE-2026-53043

Linux Kernel OCFS2 DLM Out-of-Bounds Read Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A Linux kernel vulnerability allows out-of-bounds reads in the OCFS2 Distributed Lock Manager due to insufficient validation of network message data. This could potentially expose sensitive information or cause service disruptions if reachable. It is important to determine if your environment uses this component and is

CVE advisoryCRITICAL

CVE-2026-53010

Linux Kernel ksmbd Use-After-Free Vulnerability During SMB2 Reconnect

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical use-after-free vulnerability exists in the Linux kernel's SMB server (ksmbd) during durable reconnects. This flaw could allow an attacker to corrupt kernel memory and potentially impact system confidentiality, integrity, and availability by exploiting a file descriptor that is accessed after it has been free

CVE advisoryCRITICAL

CVE-2026-53002

Linux Kernel Netfilter Stack Buffer Overflow

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in the Linux kernel's netfilter conntrack component, allowing for potential stack-based buffer overflows when processing malformed SIP messages. This could lead to system instability or unauthorized code execution. The netfilter component's role in handling public-facing network traffic

CVE advisoryCRITICAL

CVE-2026-52999

Linux Kernel netfilter Out-of-Bounds Read Vulnerability.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability in the Linux kernel's netfilter component could lead to an out-of-bounds read during TCP option parsing, causing incorrect or failed network data logging. This affects systems configured for passive OS fingerprinting, potentially impacting network visibility and analysis. Uncertainty remains regarding s

CVE advisoryCRITICAL

CVE-2026-52993

Linux Kernel TIPC Double-Free Vulnerability.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the Linux kernel's TIPC module allows for a double-free condition during message validation, which could lead to system compromise. While the protocol's typical network isolation makes exploitation unlikely, its critical severity requires confirmation of relevance for systems using TIPC. The vulnerab

CVE advisoryCRITICAL

CVE-2026-52989

Linux Kernel nvmet-tcp Uninitialized Iterator Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A Linux kernel vulnerability exists in the nvmet-tcp component that could allow attackers to corrupt data or gain unauthorized access by sending crafted network data. This occurs when error handling fails to properly initialize memory structures, potentially leading to system instability. Identifying systems that use n

CVE advisoryCRITICAL

CVE-2026-52986

Linux Kernel Netfilter SIP Port Parsing Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the Linux kernel's Netfilter component could allow an attacker to trigger issues by sending malformed SIP network packets, potentially impacting system data and service behavior. The vulnerability arises from unsafe port parsing that could lead to incorrect message handling. This is relevant due to t

CVE advisoryCRITICAL

CVE-2026-52958

Linux Kernel libceph Out-of-Bounds Access Vulnerability.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the Linux kernel's libceph component may allow an out-of-bounds memory access if a malformed network message is processed. This could potentially lead to system instability or crashes. The impact is dependent on the specific use and reachability of this kernel component.

CVE advisoryCRITICAL

CVE-2026-56121

Feast Unauthenticated Remote Code Execution via gRPC Deserialization

Halo Surface Signal: 3 out of 5 — possibly public-facing.

Feast contains a critical deserialization vulnerability allowing unauthenticated attackers to execute OS commands on the registry server via a crafted gRPC request. This could lead to system compromise by enabling arbitrary code execution as the service account.

CVE advisoryCRITICAL

CVE-2026-12537

Google Gemini CLI Container Launcher Host Code Execution Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A critical vulnerability exists in a container launcher used by Google Gemini CLI and a GitHub Action. If reachable on headless CI platforms, an unprivileged attacker could execute code on the host system using a crafted configuration file. This matters if these specific tools are used in automated build environments.

CVE advisoryCRITICAL

CVE-2026-56237

Capgo API Key Generation Vulnerability Allows Unauthorized Access.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A broken authentication vulnerability exists in Capgo's API key generation mechanism, allowing attackers to create unauthorized API keys by manipulating requests. This could lead to unauthorized access to protected endpoints. The issue is reachable over a network and impacts access controls.

CVE advisoryCRITICAL

CVE-2026-56223

Capgo Account Takeover via Cross-Domain SSO Email Assertion in Provision User

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability exists in Capgo's cross-domain SSO, allowing administrators with a malicious identity provider to merge victim accounts by forging SAML assertions. This could lead to unauthorized access to accounts and data. The affected technology handles single sign-on and user provisioning.

CVE advisoryCRITICAL

CVE-2026-52931

Linux Kernel batman-adv Uninitialized Sender Variables Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the Linux kernel's batman-adv module allows an attacker to trigger undefined behavior by sending a malicious ACK packet to a receiving node. This occurs when the node accesses uninitialized sender variables, potentially impacting mesh network stability.

CVE advisoryCRITICAL

CVE-2026-52924

Linux Kernel SCTP Use-after-Free Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A use-after-free vulnerability in the Linux kernel's SCTP component can be triggered by specific network packet handling, potentially leading to system crashes. This issue affects the memory management during association setup rollback. The exact impact depends on whether SCTP is utilized and exposed within your enviro

CVE advisoryCRITICAL

CVE-2026-52914

Linux Kernel batman-adv Fragment Reassembly Denial of Service.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the Linux kernel's batman-adv module can allow malformed network fragments to bypass validation, leading to inconsistent length states during reassembly and a local denial of service. The issue stems from incorrect fragment length accounting.

CVE advisoryCRITICAL

CVE-2026-12417

WordPress SignUp & SignIn Plugin Authentication Bypass Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A WordPress plugin for sign-up and sign-in has an authentication bypass vulnerability. Attackers can exploit this to take over user accounts, including administrator accounts, by manipulating the password reset process without needing to be logged in. This could lead to unauthorized control of the website. The relevanc

CVE advisoryCRITICAL

CVE-2026-12416

Invoice Generator Plugin for WordPress Account Takeover Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Invoice Generator plugin for WordPress has a critical vulnerability that allows unauthenticated attackers to take over any account, including administrators. This is due to a flaw in the password reset functionality that lacks proper security verification, enabling attackers to set new passwords for chosen accounts

CVE advisoryCRITICAL

CVE-2026-12851

GeoVision GV-I/O Box 4E Command Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

GeoVision GV-I/O Box 4E devices contain OS command injection vulnerabilities within their network configuration library. A specially crafted network packet can allow an attacker to execute arbitrary commands, potentially impacting the device's functionality and connected systems.

CVE advisoryCRITICAL

CVE-2026-12850

GeoVision GV-I/O Box OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

OS command injection vulnerabilities exist in GeoVision GV-I/O Box 4E devices within the `libNetSetObj.so` library. These flaws allow a network-accessible attacker to execute arbitrary commands by sending a specially crafted network packet, potentially impacting device network configuration and operational integrity.

CVE advisoryCRITICAL

CVE-2026-12848

GV-I/O Box 4E DNS Field Stack Overflow

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical stack overflow vulnerability exists in the DVRSearch service of GeoVision's GV-I/O Box 4E. This flaw could allow any network-connected user to send malformed messages, potentially leading to device compromise or disruption of its input/output control functions. It is important to determine if these devices a

CVE advisoryCRITICAL

CVE-2026-12485

GV-I/O Box 4E DVRSearch UDP IP Field Stack Overflow

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical stack overflow vulnerability exists in the DVRSearch service of the GV-I/O Box 4E, a smart embedded device. This flaw can be triggered by specially crafted UDP messages, potentially allowing an attacker to compromise the device's confidentiality, integrity, and availability. Organizations using this technolo