NVD disclosure day

Published threat advisories for July 7, 2026

CVE advisoryCRITICAL

CVE-2026-14345

WPFunnels WooCommerce Plugin Unauthenticated Remote Code Execution.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The WPFunnels – Funnel Builder for WooCommerce plugin has a remote code execution vulnerability that unauthenticated attackers can exploit via the 'postData' parameter. This could allow arbitrary code execution on the server if the plugin's logging is enabled and an administrator views the log file.

CVE advisoryCRITICAL

CVE-2026-34048

Coolify Command Execution Vulnerability via Unauthorized Terminal Access.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authentication bypass vulnerability exists in Coolify's terminal websocket routes, allowing low-privileged users to execute commands on team servers. This could lead to unauthorized access and control over managed systems. Readers should care due to the potential impact on system integrity and data confidentiality.

CVE advisoryCRITICAL

CVE-2026-34047

Coolify Terminal WebSocket Authorization Bypass Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Coolify, a server management tool, allows authenticated users to access unauthorized terminal functions, potentially leading to command execution on unintended resources. This issue impacts systems managing servers and applications, and should be reviewed for relevance and potential exposure.

CVE advisoryCRITICAL

CVE-2026-34037

Coolify Cross-Tenant Resource Access Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Coolify allows authenticated users to clone resources across tenant boundaries, potentially exposing and allowing modification of other teams' data. This occurs due to improper authorization when resolving destination resources, making cross-tenant data access possible. Understanding if Cool