NVD disclosure day

Published threat advisories for July 9, 2026

CVE advisoryCRITICAL

CVE-2026-58123

Hermes WebUI Unauthenticated Remote Code Execution via Terminal API

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

Hermes WebUI has an unauthenticated remote code execution vulnerability in its terminal API. Attackers can exploit this by sending sequential HTTP requests to run arbitrary commands as the server process user. This could lead to unauthorized command execution on systems running the WebUI. The relevance and exposure of

CVE advisoryCRITICAL

CVE-2026-58122

Hermes WebUI Authentication Bypass via Spoofed Header

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Hermes WebUI allows unauthenticated attackers to bypass IP restrictions by spoofing a header. This could enable them to access internal services, modify cloud configurations or API keys, and gain persistent access through token manipulation. Organizations should verify the exposure of their Hermes We

CVE advisoryCRITICAL

CVE-2026-53963

Discourse Stored XSS via Unescaped Second Factor Name in Admin Impersonation

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A stored cross-site scripting vulnerability exists in Discourse. An attacker could exploit this by crafting a malicious second factor name on an account, which, when an administrator impersonates that account, allows for script injection. This could potentially lead to unauthorized actions or information disclosure.

CVE advisoryCRITICAL

CVE-2026-54003

Kirby CMS Remote Panel Installation via Trusted Header Handling

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the Kirby content management system allows remote attackers to install an administrative Panel and create a user on publicly accessible servers. This occurs when sites have no configured user accounts and improperly trust specific request headers when behind a reverse proxy. This could lead to unauth

CVE advisoryCRITICAL

CVE-2026-59216

Open WebUI Remote Code Execution Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Open WebUI, a self-hosted AI platform, allows authenticated users to execute arbitrary code in another user's session by exploiting how it handles communication events. This could lead to unauthorized actions, potentially compromising user sessions.

CVE advisoryCRITICAL

CVE-2026-59214

Open WebUI Stored Cross-Site Scripting Leads to Server-Side Code Execution.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Open WebUI, a self-hosted AI platform, has a vulnerability where stored chat payloads can issue authenticated requests to admin-only endpoints and execute server-side code. This occurs when a user clicks "Run" on a malicious payload, potentially leading to unauthorized actions. This issue is relevant as it affects web

CVE advisoryCRITICAL

CVE-2026-51599

MERCURY MIPC252W RTSP Service Denial of Connection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the RTSP service can allow an unauthenticated remote attacker to make a device's TCP connection unusable. The attacker sends a malformed RTSP request, causing the service to enter a state where it consumes subsequent data until the connection times out. This affects remote viewing and monitoring capa

CVE advisoryCRITICAL

CVE-2026-51597

MERCURY MIPC252W RTSP Authentication Bypass Vulnerability.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in MERCURY MIPC252W IP cameras allows an adjacent network attacker to bypass authentication by replaying captured exchanges, potentially granting unauthorized access to live video streams. This issue stems from the camera's RTSP Digest authentication not properly implementing nonce expiration.

CVE advisoryCRITICAL

CVE-2026-13461

PayRange App WebView JavaScript Injection Escape

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability exists in a mobile application's WebView that could allow JavaScript injection. If reachable, this may enable an attacker to escape the sandbox and perform unauthorized actions on a user's device, especially when combined with an SSL bypass flaw.

CVE advisoryCRITICAL

CVE-2026-56292

SQL Injection in AcyMailing Component for Joomla Leads to Database Access

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL injection vulnerability in the AcyMailing component for Joomla allows unauthorized database access and potential data leakage. This flaw could be exploited by unauthenticated attackers over the network to gain access to sensitive information if the component is deployed on an internet-accessible web server. It is

CVE advisoryCRITICAL

CVE-2026-14261

Xerte Online Toolkits Authentication Bypass and Remote Code Execution Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Xerte Online Tools allows unauthenticated attackers to bypass authentication and execute remote code. Attackers can exploit the reinstallation process through the `/setup/` folder to point the service to a remote database they control, potentially compromising system integrity and confidenti

CVE advisoryCRITICAL

CVE-2026-12116

Xerte Online Toolkits Antivirus Path RCE Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Xerte Online Tools allows for remote code execution by an unauthenticated attacker who can modify server settings to point to a PHP interpreter, enabling the upload and execution of malicious code. This could lead to a compromise of the affected system.

CVE advisoryKnown Exploit

CVE-2026-56291

Balbooa Forms Unauthenticated File Upload Leads to RCE.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

An unauthenticated arbitrary file upload vulnerability exists in the Balbooa Forms extension for Joomla, allowing attackers to upload and execute arbitrary files, leading to remote code execution. This impacts website integrity and availability.

• CISA KEV

CVE advisoryCRITICAL

CVE-2026-2342

OceanicSoft ValeApp Stored Cross-Site Scripting Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A stored cross-site scripting vulnerability in ValeApp allows attackers to inject malicious scripts into web pages. If reachable, this could enable attackers to execute code in users' browsers, potentially leading to sensitive data exposure or page defacement. The vendor has not responded to inquiries, creating uncerta

CVE advisoryCRITICAL

CVE-2026-15158

Blocksy Companion Arbitrary File Upload Leading to Remote Code Execution

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A vulnerability in the Blocksy Companion WordPress plugin's premium version, when specific extensions are active, could allow unauthenticated attackers to upload and execute arbitrary files, potentially leading to remote code execution. The main concern is confirming relevance and exposure to specific configurations.

CVE advisoryCRITICAL

CVE-2026-14245

miniOrange OTP Login Plugin Authentication Bypass Administrator Account Takeover

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An authentication bypass vulnerability in a WordPress plugin allows unauthenticated attackers to take over administrator accounts. The issue stems from inadequate server-side verification during the password reset process, enabling attackers to target any user and gain full control of the website if the password reset

CVE advisoryCRITICAL

CVE-2026-47840

UAA LDAP StartTLS Vulnerability Allows Password Harvesting and Admin Scope Gain

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A network attacker positioned between UAA and its LDAP directory can impersonate the directory, potentially harvesting bind and end-user passwords and forging group memberships. This affects deployments that authenticate users against LDAP over StartTLS.

CVE advisoryMEDIUM

CVE-2026-47646

Dynamics 365 Customer Voice Cross-Site Scripting Vulnerability Allows Spoofing

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical cross-site scripting vulnerability in Dynamics 365 Customer Voice allows unauthorized attackers to perform spoofing over a network. This means an attacker could potentially trick users into believing they are interacting with a legitimate service. The affected technology is a web-based platform designed for