NVD disclosure day

Published threat advisories for June 29, 2026

CVE advisoryCRITICAL

CVE-2026-55276

Apache Tomcat Always-Incorrect Control Flow Implementation Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat could allow an attacker to improperly log web.xml configurations, potentially revealing sensitive information. This issue arises from how special roles and empty authorization constraints are handled during logging. Understanding the reachab

CVE advisoryCRITICAL

CVE-2026-53434

Apache Tomcat CRL Configuration Error Allows Sensitive Data Disclosure

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in Apache Tomcat, stemming from an error condition not being handled when configuring Certificate Revocation Lists for FFM-based connectors. This flaw could allow unauthenticated network access to compromise data confidentiality and integrity. Teams managing web application infrastructur

CVE advisoryCRITICAL

CVE-2026-37637

Alexantr File Manager v.1.0 Remote Code Execution Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Alexantr file manager's filemanager.php component could allow remote attackers to execute arbitrary code. This is a critical issue because it may enable unauthorized system control. Confirming the presence and exposure of this technology in your environment is the immediate priority.

CVE advisoryCRITICAL

CVE-2026-56782

Gorse Authentication Bypass Allows Database Exfiltration or Overwrite.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authentication bypass vulnerability in Gorse allows unauthenticated attackers to access sensitive functionality, potentially leading to the exfiltration or overwriting of the entire database, including user records and personally identifiable information. This issue is relevant because the affected API endpoints are

CVE advisoryCRITICAL

CVE-2026-11720

Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A path traversal vulnerability exists in a tool for constructing API requests, allowing attackers to bypass path restrictions and access unintended endpoints on the same host. This could potentially lead to unauthorized access to sensitive information or execution of unintended actions. The primary concern is to determ

CVE advisoryCRITICAL

CVE-2026-57331

Paid Videochat Turnkey Site Arbitrary File Deletion

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical flaw in Paid Videochat Turnkey Site software allows authenticated users to delete arbitrary files, potentially causing service disruption or data loss. The vulnerability's network exploitability means it is considered an external threat that could impact the site's availability or lead to further compromise.

CVE advisoryCRITICAL

CVE-2026-56290

Joomla Page Builder CK Arbitrary File Upload RCE.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in the Joomla extension Page Builder CK, allowing unauthenticated arbitrary file uploads that can lead to remote code execution. This could enable an attacker to take over the affected system. Organizations should confirm if this extension is in use and assess its reachability.