NVD disclosure day

Published threat advisories for July 1, 2026

CVE advisoryCRITICAL

CVE-2026-14439

Altium Path Traversal Leading to Remote Code Execution.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A path traversal vulnerability in the Git Service component allows authenticated users to move files outside repositories, potentially enabling remote code execution. In multi-tenant environments, this could expose other tenants' data. The issue is fixed in Altium 365 and a specific version of Altium Enterprise Server.

CVE advisoryCRITICAL

CVE-2026-14425

ANGLE Use After Free Vulnerability in Chrome Allows Sandbox Escape

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in ANGLE, a graphics component in Google Chrome, could allow remote attackers to escape the browser's sandbox by presenting a malicious HTML page to a user. This may lead to broader system access beyond the browser's isolated environment.

CVE advisoryCRITICAL

CVE-2026-14424

Chrome Dawn Use After Free Sandbox Escape Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in Google Chrome on Mac could allow a remote attacker to escape the browser's sandbox via a crafted HTML page. This vulnerability requires user interaction through visiting a malicious webpage, but a successful exploit could lead to unauthorized system access beyond the browser's isolated

CVE advisoryCRITICAL

CVE-2026-14423

Type Confusion in Chrome Tint Allows Sandbox Escape

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A type confusion flaw in Google Chrome's Tint component may permit a remote attacker to break out of the browser's sandbox. This could occur when a user visits a specially crafted HTML page, potentially leading to unauthorized access or modification of system and user data. The widespread use of Chrome makes this vulne

CVE advisoryCRITICAL

CVE-2026-14420

Google Chrome Dawn Sandbox Escape Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Google Chrome's Dawn component allows a remote attacker to escape the browser sandbox via a crafted HTML page. This could potentially impact data integrity and confidentiality. Readers should care because this type of vulnerability could allow attackers to bypass security boundaries within t

CVE advisoryCRITICAL

CVE-2026-14411

ANGLE Sandbox Escape Vulnerability in Google Chrome

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Google Chrome's ANGLE component could allow a remote attacker to escape the browser's sandbox via a malicious HTML page. This issue requires user interaction through visiting a crafted webpage. If reachable, it could potentially impact confidentiality, integrity, and availability.

CVE advisoryCRITICAL

CVE-2026-14405

Uninitialized Use in Chrome V8 Allows Sandbox Escape

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Google Chrome's V8 JavaScript engine allows remote attackers to execute arbitrary code by luring users to a malicious HTML page. While rated low severity by Chromium, this flaw could enable unauthorized code execution within the browser's sandbox, posing a risk due to Chrome's widespread use. It is i

CVE advisoryCRITICAL

CVE-2026-14398

Chrome ANGLE Sandbox Escape Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in ANGLE, a Google Chrome component, could permit a remote attacker to escape the browser's sandbox via a malicious HTML page. While the severity is rated critical, it requires user interaction and may not directly impact core systems. Readers should verify if this component is exposed in

CVE advisoryCRITICAL

CVE-2026-14397

ANGLE Out of Bounds Write in Chrome for Mac May Allow Sandbox Escape

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An out-of-bounds write in ANGLE, a component of Google Chrome on Mac, could allow a remote attacker to escape the browser's sandbox by leading a user to a specially crafted HTML page. This vulnerability has a high severity, and while the exact impact is uncertain, it could potentially lead to unauthorized access to sys

CVE advisoryCRITICAL

CVE-2026-14392

Google Chrome Tint Sandbox Escape Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

An out-of-bounds write vulnerability in the Tint component of Google Chrome may allow a remote attacker to escape the browser's sandbox. This could potentially lead to broader system compromise if a user visits a crafted HTML page. The relevance to your organization depends on whether affected browser versions are in u

CVE advisoryCRITICAL

CVE-2026-14390

ANGLE Use After Free in Chrome Allows Sandbox Escape

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in ANGLE, a component of Google Chrome, could allow a remote attacker to escape the browser's sandbox through a crafted HTML page. This could lead to unauthorized access to system resources. The issue's high severity rating indicates a potential for significant impact.

CVE advisoryCRITICAL

CVE-2026-14387

Skia Integer Overflow in Chrome Allows Sandbox Escape

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

An integer overflow vulnerability in the Skia graphics component of a web browser could allow a remote attacker to escape the browser's sandbox via a crafted HTML page. This requires a user to visit a malicious website, and the direct business impact is uncertain without further information on product relevance and use

CVE advisoryCRITICAL

CVE-2026-52186

UTT nv518G nv518GV3v3.2.7-210919-161313 SQL Injection Vulnerability In gohead/sub_463bbc Component

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A SQL injection vulnerability in UTT nv518G devices could allow remote attackers to execute arbitrary code by sending crafted network requests to the `gohead/sub_463bbc` component. This could compromise device integrity and operations. The affected technology is a network device, making it potentially reachable via the

CVE advisoryCRITICAL

CVE-2026-58457

Aitemi M300 Wi-Fi Repeater Command Injection

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability exists in Shenzhen Aitemi M300 Wi-Fi Repeaters, allowing network-adjacent attackers to inject commands via the web backend. This could grant attackers root-level control over the device if reachable. The primary concern is determining if this hardware is deployed within the environment.

CVE advisoryCRITICAL

CVE-2026-51947

Pivotal CRM Insecure Deserialization Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Pivotal CRM could allow remote code execution by an unauthenticated attacker, impacting system integrity and data. This issue stems from insecure deserialization within a specific component. The main concern is confirming its relevance and exposure within the environment.

CVE advisoryCRITICAL

CVE-2026-50160

Hoppscotch Self-Hosted Mass Assignment Vulnerability Allows JWT Secret Overwrite

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated attacker can exploit a mass assignment vulnerability in self-hosted Hoppscotch API development environments to overwrite critical secrets like the JWT secret. This could allow the attacker to forge authentication tokens, leading to full server compromise. The vulnerability affects deployments prior t

CVE advisoryCRITICAL

CVE-2026-58453

JAIOTlink C492A-W6 Camera Hard-coded Credentials Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

JAIOTlink Wi-Fi IP cameras have a hard-coded credentials vulnerability. Network-adjacent attackers can use default credentials to gain unauthorized access to camera snapshots, video streams, and network configuration. This could expose sensitive video data and operational control.

CVE advisoryCRITICAL

CVE-2026-34117

Guardian Language System OS Command Injection via text_to_subtitles.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in a language processing system, allowing unauthenticated remote attackers to execute arbitrary OS commands on the server. This is due to improper handling of the 'id' GET parameter in the text_to_subtitles.php script, which is directly passed to an exec() call without sanitization. If r

CVE advisoryCRITICAL

CVE-2026-34116

Guardian Language System OS Command Injection via Transcribe PHP ID Parameter

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Guardian language system's transcription feature has a critical vulnerability where an unauthenticated remote attacker can execute arbitrary operating system commands on the server by exploiting an unsanitized GET parameter in the `transcribe.php` script. This allows for direct command injection without any authent

CVE advisoryCRITICAL

CVE-2026-34115

Guardian Language System Unauthenticated OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Guardian language system has a critical vulnerability where unauthenticated attackers can execute arbitrary operating system commands by manipulating a GET parameter in the `transcribe_amazon.php` script. This could lead to server compromise if the affected script is externally accessible.

CVE advisoryCRITICAL

CVE-2026-34114

Guardian Language System OS Command Injection via translate_text.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in the Guardian language-system allows unauthenticated attackers to execute arbitrary OS commands on the server. This is due to improper handling of the `id` GET parameter in `translate_text.php`, which is passed to a PHP `exec()` function without sanitization. If reachable, this could lead to

CVE advisoryCRITICAL

CVE-2026-34113

Guardian Language System Unauthenticated OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in the Guardian language-system's speech processing component allows unauthenticated remote attackers to execute arbitrary operating system commands. This is due to the system passing a GET parameter directly into a PHP `exec()` call without sanitization, enabling attackers to append shell meta

CVE advisoryCRITICAL

CVE-2026-34112

Guardian Language System OS Command Injection in speechmac.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated remote attacker can execute arbitrary OS commands on the server due to the Guardian language-system's `speechmac.php` script improperly handling the `id` GET parameter. This vulnerability allows for the execution of malicious commands without any authentication, potentially leading to server compromi

CVE advisoryCRITICAL

CVE-2026-34111

Guardian Language System OS Command Injection via ID Parameter in speechmac_text.php.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in the Guardian language-system, allowing unauthenticated remote attackers to execute arbitrary OS commands. This is due to the `speechmac_text.php` script directly using a GET parameter in a PHP `exec()` call without sanitization. Because the system is web-based and reachable via the in

CVE advisoryCRITICAL

CVE-2026-34110

Guardian Language System Unauthenticated OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in Guardian language-system where an unauthenticated remote attacker can execute arbitrary operating system commands. This is possible due to the system passing a GET parameter directly into a PHP exec() call without proper sanitization. If reachable, this could impact server integrity a

CVE advisoryCRITICAL

CVE-2026-34109

Guardian Language System Command Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Guardian language-system's `speech.php` script is vulnerable to unauthenticated OS command injection. An unauthenticated remote attacker can append shell metacharacters to the `id` GET parameter to execute arbitrary OS commands on the server. This could lead to a compromise of the server's integrity or unauthorized

CVE advisoryCRITICAL

CVE-2026-34108

Guardian Language System Unauthenticated OS Command Injection in text.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in a language system component, allowing unauthenticated attackers to execute arbitrary OS commands on the server due to improper handling of an 'id' parameter in the `text.php` script. This issue could lead to unauthorized system control and potential data exfiltration, necessitating im

CVE advisoryCRITICAL

CVE-2026-34107

Guardian Language System Unauthenticated OS Command Injection via ID Parameter in translate.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in a language translation system, allowing unauthenticated attackers to execute arbitrary operating system commands on the server. This occurs due to the system passing an ID parameter directly into a PHP exec() call without proper sanitization. If the affected technology is reachable, a

CVE advisoryCRITICAL

CVE-2026-34106

Guardian Language System OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in a language system where an unauthenticated remote attacker can execute arbitrary OS commands on the server by manipulating a GET parameter passed directly into a PHP exec() call. If the affected script is reachable, this could allow an attacker to compromise the server. Confirmation o

CVE advisoryCRITICAL

CVE-2026-34104

Guardian Language System SQL Injection in designer.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in a language system due to unsanitized input in `designer.php`, potentially allowing unauthenticated attackers to extract database contents. This issue is reachable via the network and could expose sensitive information.

CVE advisoryCRITICAL

CVE-2026-34103

Guardian Language System SQL Injection in subtitles.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in the Guardian language-system's subtitles.php script. This flaw allows unauthenticated attackers to extract database contents by exploiting an unsanitized GET parameter. The technology is externally exposed, meaning it is reachable via the public internet. Database conten

CVE advisoryCRITICAL

CVE-2026-34102

Guardian Language System SQL Injection via ID Parameter in job_info_get.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in a Guardian language system, allowing unauthorized access to database contents via an unsanitized `id` parameter in `job_info_get.php`. This could enable attackers to extract sensitive information if the system is reachable. Confirmation of affected systems and exposure i

CVE advisoryCRITICAL

CVE-2026-34101

Guardian Language System SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in Guardian language-system's `text_file.php` script, allowing unauthenticated attackers to extract database contents. This issue arises from the script directly passing a GET parameter into an unsanitized SQL query. Because web applications are often internet-facing, this

CVE advisoryCRITICAL

CVE-2026-34100

Guardian Language System Unauthenticated SQL Injection in Media PHP

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability in Guardian language-system's media processing allows attackers to extract database contents by manipulating an `id` parameter in `media.php`. This issue, reachable externally, poses a risk of sensitive information disclosure.

CVE advisoryCRITICAL

CVE-2026-34099

Guardian Language System Unauthenticated SQL Injection in job_info.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated attacker can exploit an SQL injection vulnerability in the Guardian language-system's `job_info.php` script by manipulating the `id` GET parameter. This allows for the extraction of sensitive database information, such as the database version, current user, schema names, and table contents, without r

CVE advisoryCRITICAL

CVE-2026-58127

PACSgear MediaWriter Unauthenticated Remote Code Execution via .NET Remoting Service

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in PACSgear MediaWriter allows unauthenticated remote attackers to execute code as SYSTEM. This is possible by exploiting an unprotected .NET Remoting TCP service that permits arbitrary file read and write operations, which can be chained with DLL hijacking for remote code execution. While seve

CVE advisoryCRITICAL

CVE-2026-58126

PACSgear PACS Scan Unauthenticated Remote Code Execution via .NET Remoting

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in PACSgear PACS Scan allows unauthenticated remote attackers to read/write arbitrary files via a .NET Remoting TCP service, potentially leading to remote code execution with SYSTEM privileges. This affects system integrity and access to sensitive medical data. Uncertainty exists regarding the

CVE advisoryCRITICAL

CVE-2026-57517

Control Web Panel Blind SQL Injection Leads to Remote Code Execution.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A blind SQL injection vulnerability exists in Control Web Panel, allowing unauthenticated attackers to submit unsanitized input to execute arbitrary SQL queries. Successful exploitation could grant attackers MySQL root privileges, enabling them to write arbitrary files and deploy a webshell for remote code execution.

CVE advisoryCRITICAL

CVE-2026-24270

NVIDIA AIStore Authentication Bypass Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The NVIDIA AIStore framework has an authentication bypass vulnerability that, if reachable over the network, could allow an unauthenticated attacker to escalate privileges, disclose information, or tamper with data. This could affect service availability and data integrity.

CVE advisoryCRITICAL

CVE-2025-15646

HTML Gumbo Heap Disclosure via Template Element Type Confusion

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability exists in HTML::Gumbo, a Perl library for parsing HTML, that could lead to heap memory disclosure. If an application uses this library to process HTML containing a `<template>` element, it may over-read memory and reveal sensitive contents. This is relevant if your environment utilizes HTML::Gumbo for p

CVE advisoryCRITICAL

CVE-2026-23537

Feast Feature Server Arbitrary File Write Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability in the Feast Feature Server allows unauthenticated remote attackers to write arbitrary JSON files to the server's filesystem, bypassing protections to overwrite critical configurations or startup scripts. This could result in unauthorized system modifications, denial of service, or remote code execution

CVE advisoryCRITICAL

CVE-2026-57692

LCweb PrivateContent Privilege Escalation Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An incorrect privilege assignment vulnerability exists in PrivateContent, a plugin for managing private content, which could allow an unauthenticated attacker to escalate privileges. This may lead to unauthorized access to sensitive data, depending on the configuration and data handled by affected instances.

CVE advisoryCRITICAL

CVE-2026-13603

`pretix-oppwa` Payment Integration Token Leak Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability exists in a payment integration plugin, allowing attackers to redirect requests to malicious servers and potentially leak sensitive payment provider access tokens. This occurs due to insecure URL concatenation in the plugin's redirection handling. The primary concern is to verify if this specific plugin

CVE advisoryCRITICAL

CVE-2026-14198

@fastify/middie Path Traversal Vulnerability Allows Middleware Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in @fastify/middie allows attackers to bypass middleware, such as authentication and authorization, on parameterized paths by sending a crafted URL with an encoded slash. This discrepancy in how the middleware and router handle encoded slashes can lead to unauthorized access to protected routes. Confirm

CVE advisoryCRITICAL

CVE-2026-11387

WordPress SMS Alert Plugin Account Takeover Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability exists in the SMS Alert WordPress plugin that could allow unauthenticated attackers to take over user accounts, including administrators. This occurs by manipulating password resets on sites using OTP verification with a configured phone number.

CVE advisoryCRITICAL

CVE-2026-10539

Control-M/Server Command Injection Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in Control-M/Server's command handling may allow an unauthenticated attacker to execute unauthorized commands, potentially leading to server compromise. This issue arises from insufficient filtering of user-supplied input in server communications. Understanding the reachability and criticality of Contro

CVE advisoryCRITICAL

CVE-2026-7840

UltraVNC Repeater HTTP Server Buffer Overflow Allows Code Execution.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

UltraVNC repeater software contains a buffer overflow in its HTTP administration server. An unauthenticated attacker can exploit this by sending a crafted HTTP request with a long URI, potentially leading to arbitrary code execution on the host. This issue is critical because it allows remote takeover of systems access

CVE advisoryCRITICAL

CVE-2026-7839

UltraVNC Repeater Hardcoded Password Allows Remote Configuration Takeover

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

UltraVNC repeater initializes its HTTP administration server with a hardcoded default password, enabling remote attackers to gain full administrative control of its configuration and session visibility by reaching the default port. This could allow unauthorized access to network traffic facilitated by the repeater.

CVE advisoryCRITICAL

CVE-2026-6070

WP-BusinessDirectory Unauthenticated Arbitrary File Deletion

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The WP-BusinessDirectory WordPress plugin has a vulnerability allowing unauthenticated arbitrary file deletion by exploiting insufficient path validation in its upload functionality. This could enable attackers to delete critical server files, potentially causing service disruption. The plugin's public-facing nature in