NVD disclosure day

Published threat advisories for June 25, 2026

CVE advisoryCRITICAL

CVE-2026-40702

WebSocket Endpoints Allow Unauthorized Access to Charging Station Data.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical vulnerability exists in WebSocket endpoints that lack proper authentication, allowing attackers to impersonate charging stations. This could lead to unauthorized access to sensitive data or system actions, potentially resulting in privilege escalation and a compromise of system security. The issue is relevan

CVE advisoryCRITICAL

CVE-2025-71338

Flowise Arbitrary File Write to Remote Code Execution via Document Store API

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A path traversal vulnerability in Flowise's document store API allows unauthenticated attackers to write arbitrary files to the filesystem, potentially leading to remote code execution. This critical issue affects how the application stores documents and could result in unauthorized system control.

CVE advisoryCRITICAL

CVE-2025-71336

Flowise Custom MCP Unsandboxed Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Flowise contains an unsandboxed remote code execution vulnerability in its Custom MCP feature, allowing unauthenticated attackers to execute arbitrary OS commands, potentially leading to complete compromise of the platform container or server. This is due to minimal authentication and authorization controls, especially

CVE advisoryCRITICAL

CVE-2025-71334

Flowise Arbitrary File Access via Missing Chatflow ID Validation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Flowise contains an arbitrary file access vulnerability due to missing validation of parameters used in file handling operations. This could allow an unauthenticated attacker to read or write arbitrary files, potentially leading to remote code execution. Confirming if this technology is in use and exposed externally is

CVE advisoryCRITICAL

CVE-2025-71333

Flowise Arbitrary File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Flowise versions up to 2.2.4 contain an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when local storage is configured. This flaw permits attackers to upload malicious files to arbitrary directories, potentially leading to remote code execution and system compromise.

CVE advisoryCRITICAL

CVE-2025-71327

Flowise Authentication Bypass via Unprotected Registration Endpoint

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authentication bypass vulnerability in Flowise allows unauthenticated remote attackers to create user accounts via an unprotected registration endpoint. This grants them full API access to the system without needing credentials. The primary concern is confirming if Flowise is in use and assessing potential exposure.

CVE advisoryCRITICAL

CVE-2026-57700

OMGF Pro Arbitrary File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in OMGF Pro, allowing for the upload and use of malicious files. If reachable, this could permit attackers to execute arbitrary code and gain significant control over the affected system, potentially compromising its integrity and availability. Confirmation of the plugin's presence and i

CVE advisoryCRITICAL

CVE-2026-56786

RTKLIB Type-1033 Message Out-of-Bounds Write Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

An out-of-bounds write in RTKLIB's decode_type1033 function allows an attacker to corrupt memory by sending a crafted RTCM3 message, potentially leading to arbitrary code execution or denial of service. The relevance and exposure of this vulnerability depend on how RTKLIB is implemented and networked within your enviro

CVE advisoryCRITICAL

CVE-2026-54089

File Browser Proxy Authentication Impersonation Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated attacker can impersonate any user, including administrators, and create new accounts in File Browser when proxy authentication is enabled. This is achievable by sending a forged HTTP header to a reachable server, bypassing the need for credentials. This vulnerability allows for unauthorized account c

CVE advisoryCRITICAL

CVE-2026-54088

File Browser Pre-Authentication Command Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An authentication flaw in File Browser allows unauthenticated remote attackers to execute arbitrary OS commands on the server by injecting shell metacharacters into login fields. This pre-authentication vulnerability could impact server integrity and data if the application is reachable.

CVE advisoryCRITICAL

CVE-2026-50549

Cursor Code Editor Arbitrary File Write via Malicious Agent Symlink

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Cursor code editor allows a malicious agent to write arbitrary files outside the workspace, potentially leading to remote code execution without user interaction. This occurs when path canonicalization fails, enabling unauthorized writes to system locations under user privileges.

CVE advisoryCRITICAL

CVE-2026-50548

Cursor Code Editor Sandbox Escape RCE Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in Cursor, an AI-powered code editor, allows a malicious agent to escape its sandbox by manipulating directory parameters. This could lead to arbitrary file writes outside the intended workspace, potentially enabling unsandboxed remote code execution with user privileges and no further user interaction

CVE advisoryCRITICAL

CVE-2026-56123

socat Heap Buffer Overflow Vulnerability in SOCKS5 Parser.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A heap-based buffer overflow vulnerability exists in socat, where a malicious SOCKS5 proxy can overwrite adjacent memory. This occurs due to a sign-extension flaw when parsing domain name replies, potentially leading to impact if socat is configured in a relevant network context. Understanding the deployment and exposu

CVE advisoryCRITICAL

CVE-2026-55413

ToolJet Authenticated Builder Role RCE Via Marketplace Plugin 3.20.178-lts

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authenticated user with a builder role in ToolJet can overwrite a shared marketplace plugin with arbitrary JavaScript, enabling server-side code execution and a potential compromise of the entire deployment. This vulnerability is relevant if your organization uses ToolJet and the affected plugin functionality is rea

CVE advisoryCRITICAL

CVE-2026-54849

Premmerce Wishlist for WooCommerce SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the Premmerce Wishlist for WooCommerce plugin. If reachable, this could allow attackers to access or manipulate sensitive database information, potentially impacting data confidentiality and integrity. The primary concern is determining if this plugin is in use a

CVE advisoryCRITICAL

CVE-2026-54843

Unauthenticated SQL Injection in MDTF Plugin

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in a metadata and taxonomy processing component, potentially allowing unauthorized access to sensitive data via network requests. This poses a risk to data integrity and could lead to misuse. Confirming the relevance and exposure of this component within the organiz

CVE advisoryCRITICAL

CVE-2026-54836

YMC Filter SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL injection vulnerability exists in YMC Filter, potentially allowing attackers to manipulate or access backend data through crafted network requests. This could compromise database integrity and confidentiality. The relevance and exposure of this vulnerability to our environment require confirmation.

CVE advisoryCRITICAL

CVE-2026-54823

Widget Options Contributor RCE Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical remote code execution vulnerability exists in the Widget Options plugin, allowing an attacker with low-privilege access to execute arbitrary code on the server. If reachable, this could lead to a complete compromise of the application and its data, necessitating confirmation of the plugin's use and exposure.

CVE advisoryCRITICAL

CVE-2026-53260

Linux Kernel TCP Request Socket Underflow Advisory

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Linux kernel's network request handling could lead to a use-after-free condition, potentially causing system instability or crashes. This issue arises from a race condition involving preemptive scheduling and timer events during socket setup. Swiftly identifying and addressing affected Linux kern

CVE advisoryCRITICAL

CVE-2026-53247

Linux Kernel mtk_eth_soc Use-After-Free in Metadata Teardown.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability exists in the Linux kernel's MediaTek Ethernet driver, potentially allowing unauthorized access or data corruption through improper memory handling during packet metadata teardown. If reachable, this could lead to system instability or code execution, making it important to confirm if thi

CVE advisoryCRITICAL

CVE-2026-53246

Linux Kernel SCTP Out-of-Bounds Read in COOKIE_ECHO Processing

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the Linux kernel's SCTP processing allows for out-of-bounds reads when handling COOKIE_ECHO chunks, potentially leading to memory corruption. This could be triggered by network-accessible, unauthenticated traffic targeting services that utilize the SCTP protocol. Unpatched systems could be at risk of

CVE advisoryCRITICAL

CVE-2026-53228

Linux Kernel SIT Tunnel Header Pointer Corruption

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

The Linux kernel's SIT tunnel implementation has a vulnerability where a cached pointer to an inner IPv6 header can become stale after certain network packet offloads, potentially leading to the use of freed memory. This could result in the corruption or disclosure of sensitive data within network traffic. The vulnerab

CVE advisoryCRITICAL

CVE-2026-53225

Linux Kernel SCTP Uninitialized Memory Read Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

The Linux kernel's SCTP implementation contains a vulnerability allowing unauthenticated peers to read uninitialized memory. This occurs when a malformed SCTP chunk is sent, causing the system to read beyond expected data. The risk depends on whether your environment uses SCTP and if it's exposed to external network tr

CVE advisoryCRITICAL

CVE-2026-53224

Linux Kernel SCTP Malformed Cookie Out-of-Bounds Read

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability in the Linux kernel's SCTP implementation allows for out-of-bounds reads when processing malformed network packets, potentially affecting system stability or leading to information disclosure. This issue may be reachable via the network without authentication.

CVE advisoryCRITICAL

CVE-2026-53221

Linux Kernel ip6_vti Incorrect Tunnel Matching Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A flaw in the Linux kernel's IPv6 Virtual Tunnel Interface (ip6_vti) can cause incorrect tunnel matching. This vulnerability may allow an attacker to misdirect network traffic by sending specially crafted packets. The exact impact is uncertain, but it relates to network packet handling.

CVE advisoryCRITICAL

CVE-2026-53215

Linux Kernel mvpp2 RX Buffer Management Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Linux kernel's network driver allows attackers to return packet buffers to hardware pools they no longer own, potentially leading to data corruption or denial of service when processing network packets. This issue could impact systems handling network traffic if a specific error path is triggered

CVE advisoryCRITICAL

CVE-2026-53186

Linux Kernel RDMA SRP Bound Sense Copy Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability exists in the Linux kernel's RDMA/srp component where a malformed response from a storage target could lead to a read fault. This could potentially cause a denial-of-service condition or memory corruption if reachable. The relevance of this issue depends on the use of specialized InfiniBand or RoCE fabr

CVE advisoryCRITICAL

CVE-2026-53151

Linux Kernel rxrpc ACK Parser Buffer Access Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability in the Linux kernel's AF_RXRPC protocol involves an ACK parser that may incorrectly handle fragmented UDP packets, potentially allowing unauthorized access or modification of system data. The issue arises from assumptions about buffer handling during SACK table parsing. This could lead to data corruptio

CVE advisoryCRITICAL

CVE-2026-53131

Linux Kernel Netfilter MAC Header Validation Bypass.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the Linux kernel's netfilter component allows specially crafted packets to bypass Ethernet MAC header checks. This could affect system integrity and availability by leading to incorrect network packet processing. It is important to determine if affected kernel components are present and reachable.

CVE advisoryCRITICAL

CVE-2026-46752

Apache Kvrocks cjson HEAP Overflow Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A critical heap overflow vulnerability exists in the cjson library within Apache Kvrocks, potentially allowing for code execution or denial of service when reachable via network requests. This issue impacts Apache Kvrocks versions from 2.0.4 through 2.15.0. While the database is typically internal, confirming exposure

CVE advisoryCRITICAL

CVE-2026-41566

Apache Kvrocks Improper Permissions Vulnerability.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A flaw in Apache Kvrocks' permission handling could allow a low-privilege attacker to execute arbitrary commands by tricking a user into interacting with a malicious resource, potentially impacting data integrity and confidentiality. The Apache Kvrocks security team is responsible for addressing this, and organizations

CVE advisoryCRITICAL

CVE-2026-8666

Rapid7 InsightConnect Traceroute Plugin OS Command Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical OS command injection vulnerability exists in the Rapid7 InsightConnect Traceroute Plugin for Linux. Remote attackers can execute arbitrary commands by sending unvalidated input through request parameters, potentially leading to unauthorized system access. Confirm if this plugin is in use.

CVE advisoryCRITICAL

CVE-2026-8665

Rapid7 InsightConnect Translate Plugin Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the Rapid7 InsightConnect Translate Plugin for Linux systems permits remote attackers to execute arbitrary operating system commands due to improper input sanitization in command construction. This could lead to unauthorized command execution if the plugin processes specially crafted text or expressi

CVE advisoryCRITICAL

CVE-2026-8660

Rapid7 InsightConnect Ping Plugin OS Command Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability exists in a Rapid7 InsightConnect plugin for Linux, allowing attackers to execute arbitrary OS commands by sending specially crafted input. This issue stems from insufficient validation of the host parameter within the plugin's ping action. The potential impact includes unauthorized command exe

CVE advisoryCRITICAL

CVE-2026-8592

Rapid7 InsightConnect AWK Plugin OS Command Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical OS command injection vulnerability exists in the Rapid7 InsightConnect AWK Plugin on Linux, allowing remote attackers to execute arbitrary commands by sending malicious input. This could lead to a compromise of the affected system. It is important to confirm if this plugin is in use within the environment.

CVE advisoryHIGH

CVE-2026-9155

Rapid7 InsightConnect Sed Plugin OS Command Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

An OS command injection flaw exists in the Rapid7 InsightConnect Sed Plugin for Linux, allowing authenticated users to run arbitrary commands due to insufficient input validation. This could impact system integrity and data, making it important to verify if the plugin is in use and if the vulnerable functionality is ex

CVE advisoryMEDIUM

CVE-2026-9154

Rapid7 InsightConnect Sed Plugin Arbitrary File Write Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

An Arbitrary File Write vulnerability exists in the Rapid7 InsightConnect Sed Plugin on Linux. Authenticated attackers can write to any file path via the expression parameter, potentially leading to system integrity issues or further malicious activity. This is relevant if the Sed Plugin is in use and accessible.