NVD disclosure day

Published threat advisories for July 8, 2026

CVE advisoryCRITICAL

CVE-2026-54782

CoreWCF SAML Validation Flaw Allows Impersonation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

CoreWCF's SAML token validation has a vulnerability that an unauthenticated attacker could exploit to impersonate users. This occurs when federated bindings are used with certain configurations, allowing for improper validation of the issuer's signature. This could lead to an attacker assuming the identity of any princ

CVE advisoryCRITICAL

CVE-2026-15113

Chrome for Android Autofill Sandbox Escape Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free flaw in Chrome for Android's Autofill feature may allow a remote attacker to escape the browser's sandbox via a crafted HTML page. This could potentially impact user data or system integrity, though exploitation requires user interaction.

CVE advisoryCRITICAL

CVE-2026-52200

Generic OEM UZ801 Router Remote Code Execution via Web API

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in a 4G LTE router's web management API allows remote attackers to execute arbitrary code. This could lead to device compromise and potential control over network functions. It is uncertain how many devices are affected or the specific business impact.

CVE advisoryCRITICAL

CVE-2026-44024

Fluentd File Path Traversal Leading to Arbitrary File Write and Potential RCE.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability in Fluentd, a data collection technology, allows untrusted input to construct file paths, potentially enabling attackers to overwrite arbitrary files and execute remote code. Organizations should verify if they use Fluentd and if it processes untrusted data to assess potential risk.

CVE advisoryCRITICAL

CVE-2026-31309

Mysterium Node Configuration Takeover Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An improper authorization vulnerability exists in Mysterium Node's configuration endpoint, allowing unauthenticated attackers to overwrite node settings and achieve full control via a crafted request. This could impact network services or enable malicious activities if the node is reachable externally.

CVE advisoryCRITICAL

CVE-2026-54527

JupyterLab Git Cross-Site Scripting via Crafted Filenames

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the JupyterLab Git extension allows a crafted filename to execute JavaScript when a user views a renamed file's diff in the Git History tab. This could impact the user's browser session within JupyterLab if the extension is in use and a user encounters such a diff. Uncertainty exists regarding the br

CVE advisoryCRITICAL

CVE-2026-8801

Progress MOVEit Transfer Path Equivalence Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical path equivalence vulnerability exists in Progress MOVEit Transfer's file upload modules, potentially allowing unauthorized access and modification of files. Given MOVEit Transfer's role in external data exchange, this issue could have severe consequences if reachable.

CVE advisoryCRITICAL

CVE-2026-8649

MOVEit Transfer Custom Reports Data Query Logic Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A vulnerability in Progress MOVEit Transfer's custom reports module allows manipulation of data queries, potentially impacting confidentiality, integrity, and availability. As this module is internet-accessible without authentication, an attacker could exploit it to achieve a significant system compromise.

CVE advisoryCRITICAL

CVE-2026-60104

Bitwarden Server Authorization Bypass Allows Vault Key and Token Disclosure

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A vulnerability in Bitwarden Server allows a low-privileged user to obtain another user's vault key and access token, potentially leading to account takeover. This occurs because the server does not verify that the email in an authentication request belongs to the authenticated caller. If reachable, this could expose s

CVE advisoryCRITICAL

CVE-2026-59873

node-tar Archive Extraction Denial of Service Vulnerability.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

The node-tar library has a vulnerability where it does not limit decompressed data, leading to disk space and CPU exhaustion when processing specially crafted archives. This could result in denial of service for applications using the library to extract or parse archives.

CVE advisoryCRITICAL

CVE-2026-59702

Repomix SSRF via Unvalidated Repository URLs in POST /api/pack.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Repomix contains a server-side request forgery vulnerability that allows unauthenticated attackers to make arbitrary outbound requests by submitting specially crafted URLs to the `/api/pack` endpoint. This could expose sensitive internal network addresses or local filesystem paths to attackers.

CVE advisoryCRITICAL

CVE-2026-15062

Snowflake Snowpark Python SDK SQL Injection Vulnerabilities

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK could permit authenticated, low-privilege users to execute unauthorized SQL commands, potentially resulting in database compromise or data exfiltration. The risk exists when the SDK is used and specific APIs are invoked with crafted inputs.

CVE advisoryCRITICAL

CVE-2026-58480

Blocksy Companion Pro Unauthenticated Arbitrary File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in a WordPress plugin allows unauthenticated file uploads, which could lead to remote code execution. If the affected feature is reachable, attackers may compromise the website and its data. Therefore, it is important to verify if this plugin is in use and exposed externally.

CVE advisoryCRITICAL

CVE-2026-54061

Dgraph Unauthenticated Data Overwrite via Snapshot Import

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Dgraph, a distributed GraphQL database, has a vulnerability allowing unauthenticated network clients to overwrite existing database data through snapshot imports. This could lead to data corruption or unauthorized manipulation if the affected component is reachable. Determining relevance and exposure is crucial.

CVE advisoryCRITICAL

CVE-2026-8307

Mediküm Web SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in Mediküm Web, a product from Webbeyaz Web Design, which could allow attackers to execute arbitrary SQL commands. If this unsupported product is still deployed and reachable, it could lead to unauthorized access, modification, or deletion of sensitive data within its datab

CVE advisoryCRITICAL

CVE-2026-14454

Imager EXIF Parsing Flaw Allows Denial of Service

Halo Surface Signal: 3 out of 5 — possibly public-facing.

An image processing library can be crashed by a crafted image file due to mishandling of EXIF data. An attacker could exploit this by providing a malicious image that causes worker processes to terminate, potentially disrupting services. The reader should care because this could impact service availability.

CVE advisoryCRITICAL

CVE-2026-41042

Apache Gravitino H2 JDBC URL Arbitrary Code Execution Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

Unauthenticated callers can exploit a vulnerability in Apache Gravitino by supplying a malicious H2 JDBC URL through the testConnection API, potentially leading to arbitrary Java code execution on the server. This issue is considered to have low severity because it only affects usage with the H2 database, which is typi

CVE advisoryCRITICAL

CVE-2026-56000

X Server and Xwayland Heap Use After Free Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

Local attackers with an X connection can exploit a heap use-after-free vulnerability in X server and Xwayland. This memory error could allow attackers to affect system data or service behavior, potentially leading to instability or corruption. Confirming usage and assessing local exposure is important for affected envi

CVE advisoryCRITICAL

CVE-2026-12153

WP Learn Manager Authorization Bypass Allows Arbitrary Plugin Installation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The WP Learn Manager WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to install and activate any plugin from the WordPress.org repository. This could compromise website integrity and security.

CVE advisoryCRITICAL

CVE-2026-9701

Eventer WordPress Plugin Insecure Password Reset Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Eventer WordPress plugin has a vulnerability in its password reset mechanism, allowing unauthenticated attackers to take over user accounts, including administrative ones, by exploiting an insecurely stored reset key. This flaw could lead to unauthorized access to sensitive information and system control.

CVE advisoryCRITICAL

CVE-2026-14487

WordPress Simple Coherent Form Plugin Arbitrary File Deletion Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Simple Coherent Form WordPress plugin has a vulnerability that allows unauthenticated attackers to delete arbitrary files on the server. This could lead to remote code execution if critical files are deleted due to insufficient file path validation in the plugin's functions.

CVE advisoryCRITICAL

CVE-2026-60002

OpenSSH Use-After-Free During Host Key Re-exchange

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A use-after-free vulnerability in OpenSSH clients can occur when a server changes its host key during a re-exchange, potentially affecting client-side data integrity and leading to a denial-of-service. This issue is relevant because it exposes client systems to compromise.

CVE advisoryCRITICAL

CVE-2026-56843

Plesk XML-RPC API Authorization Flaw Exposes FTP Credentials

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authorization flaw in WebPros Plesk's XML-RPC API can permit an authenticated customer to access domains they do not own, potentially revealing other tenants' cleartext FTP credentials and enabling code execution as another user. This vulnerability exists because ownership checks are not consistently enforced, and s