NVD disclosure day

Published threat advisories for June 26, 2026

CVE advisoryCRITICAL

CVE-2026-31928

DMP-5000 Default Admin Account Weak Authentication Advisory

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

DMP-5000 devices have a critical vulnerability where default administrative web accounts with weak authentication are not mandatory to change, potentially allowing unauthorized users to gain full system access. This issue is concerning because it enables complete control over affected systems if network-accessible defa

CVE advisoryCRITICAL

CVE-2026-28701

Daktronics Controller Firmware Directory Traversal Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

Daktronics Controller Firmware has a directory traversal vulnerability that allows remote users to enumerate arbitrary file system paths. This could lead to information disclosure and further compromise if the firmware is reachable and relevant to your operational technology systems. Confirming its use and exposure is

CVE advisoryCRITICAL

CVE-2026-53576

Kestra API Authentication Bypass Allows Root Container Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Kestra's REST API authentication filter improperly handles requests ending in `/configs`, allowing unauthenticated access to sensitive endpoints. This vulnerability could enable an unauthenticated attacker to create and execute code as root within the Kestra container, potentially leading to host system compromise if t

CVE advisoryCRITICAL

CVE-2026-49869

Kestra OSS Authentication Bypass Leading to RCE

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Kestra OSS allows unauthenticated attackers to bypass authentication and execute arbitrary workflows, potentially leading to remote code execution as root. This occurs because a flawed path check in the AuthenticationFilter permits access to sensitive endpoints. If reachable, this could allow an atta

CVE advisoryCRITICAL

CVE-2026-54352

Budibase ZIP Processing Vulnerability Allows Arbitrary File Read

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Budibase, an open-source low-code platform, has a vulnerability allowing authenticated users to read any file accessible by the server. This occurs when processing uploaded zip files containing symbolic links, which are not properly handled during extraction and streaming. If reachable, this could lead to unauthorized

CVE advisoryCRITICAL

CVE-2026-54350

Budibase Unauthenticated Data Exposure and Modification Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An unauthenticated visitor to a published Budibase application can read and modify all data in connected collections due to improper input sanitization in query execution. This bypasses intended access controls, potentially leading to unauthorized data exposure and alteration.

CVE advisoryCRITICAL

CVE-2026-53309

Linux Kernel OCFS2 DLM Off-by-One Error

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Linux kernel's OCFS2 distributed lock manager could allow an attacker to read beyond intended data boundaries, potentially impacting data integrity and confidentiality. The issue stems from an off-by-one error in region comparison logic within the kernel. The exact impact depends on reachability

CVE advisoryCRITICAL

CVE-2026-52782

OpenProject IDOR Allows Project Admins to Hijack Other Projects' Cloud Storage Folders.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in OpenProject, a web-based project management application, allows a project administrator to access another project's cloud storage. This IDOR (Insecure Direct Object Reference) can lead to unauthorized access and modification of project data by overwriting access controls on shared cloud storage folde

CVE advisoryCRITICAL

CVE-2026-46386

OpenProject Docker Image Default Secret Key Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in OpenProject's default Docker image configuration, allowing logged-in users to access sensitive system information due to a predictable secret key. This issue presents a significant risk as it can lead to unauthorized access and potential system compromise, making it crucial to identif

CVE advisoryCRITICAL

CVE-2026-33646

Mise .tool-versions Arbitrary Command Execution Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the mise developer tool allows arbitrary command execution if a malicious `.tool-versions` file is processed. This can occur when a user navigates into a directory containing such a file, as the tool's template engine can be exploited without a trust prompt. This could potentially lead to unauthorize

CVE advisoryHIGH

CVE-2026-45405

Dokku Archive Extraction Vulnerability Allows Arbitrary File Write

Halo Surface Signal: 3 out of 5 — possibly public-facing.

Dokku, a Docker-powered platform-as-a-service, has a vulnerability in archive extraction commands where user-supplied archives are not properly sanitized, potentially allowing an attacker to write arbitrary files. This could enable overwriting sensitive files, like SSH keys, to gain unrestricted shell access to the ser

CVE advisoryCRITICAL

CVE-2026-0685

Genshi Template Engine SSTI Vulnerability Allows Remote Code Execution

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical server-side template injection vulnerability exists in the Genshi Template Engine's expression evaluation component, potentially allowing remote code execution. This could impact systems if affected applications process crafted template expressions without proper sanitization, leading to unauthorized code ex

CVE advisoryCRITICAL

CVE-2025-11919

JVM Local Temporary Directory Preemption Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability exists in the default JVM's handling of temporary files, allowing an attacker with access to a shared temporary directory to inject malicious code during JVM startup. By preemptively placing a malicious library in the classpath, an attacker could cause the JVM to execute arbitrary code. This vulnerabili

CVE advisoryCRITICAL

CVE-2026-56070

Advance Product Search SQL Injection Vulnerability in versions up to 1.4.4

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the Advance Product Search tool, potentially allowing attackers to access or modify sensitive database information. This issue is relevant if the Advance Product Search tool is deployed and reachable, as it could lead to unauthorized data disclosure or service di

CVE advisoryCRITICAL

CVE-2026-56068

JetEngine SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the JetEngine plugin, potentially allowing attackers to access or modify sensitive database information. Since JetEngine is a widely used WordPress plugin, this issue could be relevant to systems utilizing it, posing a risk to data integrity and confidentiality.

CVE advisoryCRITICAL

CVE-2026-56067

JetSmartFilters SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the JetSmartFilters WordPress plugin, potentially allowing attackers to execute malicious SQL commands. This could lead to unauthorized access to sensitive data or disruption of services on affected websites. Confirming the use of this plugin within the environme

CVE advisoryCRITICAL

CVE-2026-56062

Unauthenticated SQL Injection in Quotes Llama <= 3.1.5

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the Quotes llama plugin. This flaw could enable attackers to access or alter database information without authentication, potentially impacting application data integrity and availability. Confirmation of the plugin's use is necessary to assess exposure and relev

CVE advisoryCRITICAL

CVE-2026-56059

Travel Booking Arbitrary File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical arbitrary file upload vulnerability exists in a travel booking theme, allowing authenticated users to upload malicious files that could compromise system integrity and confidentiality. The vulnerability is reachable via the network and could impact public-facing web services.

CVE advisoryCRITICAL

CVE-2026-56058

Quform Arbitrary File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Quform, a web form plugin, allows unauthorized file uploads. If reachable, this could enable attackers to upload malicious files, potentially leading to arbitrary code execution and system compromise. Confirming the use of this plugin is crucial for assessing its relevance to your environmen

CVE advisoryCRITICAL

CVE-2026-56057

Uncanny Automator Pro PHP Object Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A PHP object injection vulnerability exists in the Uncanny Automator Pro WordPress plugin. If reachable, an attacker could exploit this to execute arbitrary code, potentially compromising system confidentiality, integrity, and availability. This issue is relevant to organizations using the plugin, requiring verificatio

CVE advisoryCRITICAL

CVE-2026-56034

Library Management System SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability in the Library Management System could allow attackers to access sensitive data over the network. This could lead to unauthorized data access and potential service disruption. It is uncertain if this technology is in use or exposed.

CVE advisoryCRITICAL

CVE-2026-56033

Dokan Pro Unauthenticated Privilege Escalation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated privilege escalation vulnerability exists in Dokan Pro, a WordPress plugin. This allows attackers to gain elevated permissions without authentication, potentially impacting website integrity and availability by granting administrative control. The issue is concerning for marketplace platforms and req

CVE advisoryCRITICAL

CVE-2026-56030

Paytium Plugin Privilege Escalation Vulnerability in versions up to 5.0.2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated privilege escalation vulnerability exists in the Paytium technology. If reachable, this could allow attackers to gain unauthorized administrative access. Confirmation of its use and external exposure is needed to assess impact.

CVE advisoryCRITICAL

CVE-2026-56028

Easy Elements for Elementor Unauthenticated Privilege Escalation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in the Easy Elements for Elementor plugin allows unauthenticated attackers to escalate privileges. This could enable unauthorized administrative control over websites using the plugin, potentially impacting content and configuration. The issue is reachable over the network.

CVE advisoryCRITICAL

CVE-2026-56027

Booster for WooCommerce Arbitrary File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical arbitrary file upload vulnerability exists in the Booster for WooCommerce plugin. If reachable, an attacker with low-privileged access could upload arbitrary files, potentially leading to code execution and site compromise. This issue impacts e-commerce functionality and requires verification of relevance an

CVE advisoryCRITICAL

CVE-2026-54831

GeoDirectory Unauthenticated SQL Injection Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in GeoDirectory, potentially allowing unauthorized access to data by injecting malicious SQL code. This affects systems utilizing versions prior to 2.8.162. The vulnerability's nature and the plugin's common use for public-facing directories make it a concern for da

CVE advisoryCRITICAL

CVE-2026-54827

Real Estate 7 SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the Real Estate 7 theme, potentially allowing attackers to access or modify database information when the theme is part of a web application. This could impact the integrity and availability of stored data, and its relevance depends on whether the affected theme

CVE advisoryCRITICAL

CVE-2026-54825

Unauthenticated SQL Injection in wpDataTables versions up to 7.4

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability in wpDataTables allows attackers to inject malicious SQL code. This could potentially lead to unauthorized access or modification of sensitive data if the vulnerable component is reachable. Organizations using this plugin should confirm its presence and assess any exposure

CVE advisoryCRITICAL

CVE-2026-54820

JetBooking Unauthenticated SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the JetBooking system, allowing attackers to execute malicious SQL code. This could potentially lead to unauthorized access to sensitive data or service disruption. Given the system's network-accessible nature, its relevance to our environment should be confirmed

CVE advisoryCRITICAL

CVE-2026-57926

JetBrains YouTrack Websandbox Prototype Pollution Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A prototype pollution vulnerability in JetBrains YouTrack's websandbox bridge allows unauthenticated network access, potentially leading to system compromise by affecting application behavior and data integrity. This threat is classified as external and critical, requiring assessment of deployed instances and their exp

CVE advisoryCRITICAL

CVE-2026-53914

JetBrains Kotlin Unsafe Deserialization Code Execution

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A critical vulnerability in JetBrains Kotlin's build cache metadata could enable code execution via unsafe deserialization. This poses a risk to development environments if the affected technology is reachable. Confirming usage of vulnerable Kotlin versions and their exposure is crucial for security-aware leaders and t

CVE advisoryCRITICAL

CVE-2025-55017

Apache IoTDB Path Traversal Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A path traversal vulnerability exists in Apache IoTDB, potentially allowing unauthorized access to restricted directories. If reachable, this could lead to unauthorized data access and modification. Readers should care because this impacts the confidentiality and integrity of data managed by Apache IoTDB.

CVE advisoryCRITICAL

CVE-2026-57880

GeoVision GV-LPC Stack Buffer Overflow Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An unauthenticated stack-based buffer overflow in GeoVision surveillance systems may allow remote attackers to cause a denial of service or execute code by sending crafted RTSP requests exploiting insufficient bounds checking. This vulnerability could disrupt video monitoring services if the affected devices are expose

CVE advisoryCRITICAL

CVE-2026-57879

GeoVision GV-LPC2011 and GV-LPC2211 RTSP Stack Buffer Overflow Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A stack-based buffer overflow vulnerability exists in GeoVision GV-LPC2011 and GV-LPC2211, allowing unauthenticated remote attackers to cause memory corruption or potentially execute arbitrary code via crafted RTSP requests, impacting network-connected devices.

CVE advisoryCRITICAL

CVE-2026-57878

GeoVision GV-LPC Stack Buffer Overflow Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated stack-based buffer overflow exists in thttpd, potentially affecting GeoVision GV-LPC2011 and GV-LPC2211 devices. A remote attacker could exploit this by sending a crafted HTTP request to cause memory corruption, denial of service, or arbitrary code execution, impacting device availability and integri

CVE advisoryCRITICAL

CVE-2026-2053

WSO2 API Manager WS-Addressing Header Destination Control Vulnerability.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A vulnerability in WSO2 API Manager's message flow component allows unauthenticated attackers to manipulate WS-Addressing headers to redirect server-initiated requests to arbitrary destinations. This could lead to unauthorized access to internal network resources.

CVE advisoryCRITICAL

CVE-2026-48930

Node.js TLS Authority Rebinding via Embedded-Nul Hostnames

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A flaw in Node.js TLS hostname handling can allow embedded-nul hostnames to cause silent authority rebinding. This vulnerability affects all supported Node.js release lines and could enable attackers to trick Node.js applications into connecting to unintended servers.

CVE advisoryCRITICAL

CVE-2026-9222

Setracker2 Android App Weak Authentication Vulnerability.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

The Setracker2 Android Companion App has a weakness where it only requires a password hash for backend authentication, potentially allowing an attacker with the hash to gain full access to backend services. This could impact systems relying on this app for authentication. Uncertainty remains regarding the specific back