NVD disclosure day

Published threat advisories for July 13, 2026

CVE advisoryCRITICAL

CVE-2026-58102

Crypt::OpenSSL::X509 Heap Out-of-Bounds Read Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A heap out-of-bounds read vulnerability exists in versions of the Crypt::OpenSSL::X509 Perl library before 2.1.3. This flaw, caused by improper handling of long certificate extension Object Identifiers (OIDs), could allow an attacker to expose adjacent memory when parsing specially crafted certificate data. It is uncer

CVE advisoryCRITICAL

CVE-2026-62327

9Router Unauthenticated API Key Exposure Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated information disclosure vulnerability exists in 9Router software, allowing remote attackers to retrieve plaintext API keys for connected AI provider accounts by accessing a specific API endpoint. Exploitation could enable unauthorized use of these accounts, leading to billing fraud or quota exhaustion

CVE advisoryCRITICAL

CVE-2026-52533

D-Link DIR-1253 Privilege Escalation via etc/shadow

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical privilege escalation vulnerability exists in D-Link DIR-1253 routers, allowing unauthenticated attackers to gain elevated control by manipulating the etc/shadow component. This could lead to unauthorized access and modification of sensitive system information on internet-facing devices.

CVE advisoryCRITICAL

CVE-2026-51821

Shenzhou Shihan Video Conference SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability in Shenzhou Shihan Video Conference System allows remote attackers to execute arbitrary code via the user login endpoint. This external vulnerability could impact system confidentiality, integrity, and availability if the vulnerable endpoint is reachable.

CVE advisoryCRITICAL

CVE-2026-51541

OpENer Out-of-Bounds Read in CIP Message Parsing

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

An out-of-bounds read vulnerability exists in the OpENer EtherNet/IP stack when parsing malformed explicit requests, potentially allowing an attacker to read beyond buffer limits. This could impact system integrity or availability. Confirmation of network exposure and relevance to your operations is advised.

CVE advisoryCRITICAL

CVE-2026-51540

OpENer 2.3.0 Integer Underflow Memory Corruption Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A memory corruption vulnerability exists in the OpENer EtherNet/IP stack due to an integer underflow. If reachable, this could allow for system compromise. The reader should care to understand if this technology is used within their environment and if it has any potential exposure.

CVE advisoryCRITICAL

CVE-2026-51538

EIPStackGroup OpENer Session Handle Weakness

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

EIPStackGroup OpENer has an incorrect access control vulnerability. An attacker on the network can bypass controls by using a valid session handle from another client, potentially leading to unauthorized access to encapsulation sessions. This is a concern for systems using this technology, as it could expose sensitive

CVE advisoryCRITICAL

CVE-2026-51536

OpENer CIP Stack Buffer Overflow Vulnerability.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the OpENer software's handling of industrial network packets could allow an attacker to cause a stack buffer overflow by sending a crafted network request, potentially affecting system memory. This issue is relevant to industrial control systems, but typical deployments may not be directly exposed to

CVE advisoryCRITICAL

CVE-2026-58409

ChurchCRM Plugin Upload RCE via Malicious PHP Webshells

Halo Surface Signal: 3 out of 5 — possibly public-facing.

An authenticated administrator can achieve Remote Code Execution in ChurchCRM by installing a malicious plugin that contains a PHP webshell. This is possible because the application permits PHP files in plugin archives and places them in the web root, making them executable without further steps. The installation proce

CVE advisoryCRITICAL

CVE-2026-61500

Rejetto HFS Predictable Session Key Allows Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Rejetto HFS file server software allows an unauthenticated remote attacker to gain full administrative control and execute arbitrary code by exploiting predictable session key generation. By observing login attempts, attackers can reconstruct the signing key, forge administrator credentials,

CVE advisoryCRITICAL

CVE-2026-61462

MCP GitLab Path Traversal via Job ID Parameter

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A path traversal vulnerability in mcp-gitlab, affecting the `job_id` parameter, could allow attackers to redirect API requests to unintended endpoints. This may enable unauthorized access to GitLab API resources. The reader should care to confirm if this technology is in use and assess any potential exposure.

CVE advisoryCRITICAL

CVE-2026-57433

Perl Storable Signed Integer Overflow Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

Perl's Storable module has a signed integer overflow vulnerability when deserializing crafted data, which can cause applications to terminate unexpectedly. This affects the availability of services processing untrusted or malformed serialized input. Confirmation of usage and exposure is necessary to determine relevance

CVE advisoryCRITICAL

CVE-2026-13221

Perl Regular Expression Match Truncation Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability exists in Perl's regular expression engine where extremely complex patterns with over 65,535 fixed string branches can cause incorrect matching outcomes. This may lead to applications making wrong access or filtering decisions. The specific conditions required to trigger this issue are considered rare,

CVE advisoryCRITICAL

CVE-2026-6847

ThemisNETPanel Unauthenticated File Upload Remote Code Execution.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

ThemisNETPanel contains a critical vulnerability that allows unauthenticated attackers to upload and execute arbitrary PHP files on the server. This could lead to unauthorized access and compromise of the affected system. A patch was released in April 2026.

CVE advisoryCRITICAL

CVE-2026-61498

Vitec Flamingo Unauthenticated OS Command Injection in gen_graphs.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in Vitec Flamingo, affecting its graph generation script. Unauthenticated attackers can exploit this by sending crafted HTTP requests to inject arbitrary commands, potentially leading to root-level system compromise. This issue requires immediate attention to identify affected systems an

CVE advisoryCRITICAL

CVE-2026-60121

Vitec Flamingo OS Command Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated OS command injection vulnerability exists in Vitec Flamingo's administrative interface, enabling remote attackers to execute arbitrary commands with root privileges. This flaw arises from improper handling of user input in the `admin/ajax/ping.php` endpoint, which could lead to a full system compromi

CVE advisoryCRITICAL

CVE-2026-12257

Mura CMS API Remote Code Execution Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical remote code execution vulnerability exists in Mura CMS, allowing unauthenticated attackers to compromise systems by sending crafted API requests. This flaw, located in a specific API endpoint, enables the injection and execution of arbitrary code, potentially leading to full system compromise. You should car

CVE advisoryCRITICAL

CVE-2026-14934

Google Cloud BigQuery Dataform Colab Enterprise Privilege Escalation

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A critical missing authorization vulnerability in Google Cloud services allowed authenticated attackers to escalate privileges and take over repositories across different tenants. This issue affected services between October 2025 and May 10th, 2026, but has since been patched by Google, and no customer action is requir

CVE advisoryCRITICAL

CVE-2026-59515

AIWU ai-copilot-content-generator Blind SQL Injection Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability exists in the AIWU ai-copilot-content-generator, allowing attackers to inject malicious SQL commands. This could lead to unauthorized access to sensitive data or disruption of operations. Confirmation of relevance is needed to safeguard data.

CVE advisoryCRITICAL

CVE-2026-57813

MailOptin Privilege Escalation Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An Incorrect Privilege Assignment vulnerability exists in MailOptin, a WordPress plugin, which could permit privilege escalation. This issue may allow unauthorized access, impacting system integrity and potentially exposing sensitive information. Confirmation of its use and reachability is necessary for risk assessment

CVE advisoryCRITICAL

CVE-2026-57811

Realtyna Organic IDX Plugin Code Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical code injection vulnerability exists in the Realtyna Organic IDX plugin, allowing remote code inclusion. If reachable, this could lead to the execution of arbitrary code on the server, impacting its integrity and data confidentiality. The plugin is used for real estate listings and is typically exposed to the

CVE advisoryCRITICAL

CVE-2026-57770

Grand Photography Theme Object Injection Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A deserialization vulnerability in the Grand Photography theme allows object injection. This could enable unauthenticated attackers to inject malicious code, potentially leading to unauthorized system control if the theme is used and reachable. Confirming its presence and criticality is important.

CVE advisoryCRITICAL

CVE-2026-57739

AcyMailing SMTP Newsletter Blind SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL Injection vulnerability in AcyMailing SMTP Newsletter allows attackers to execute malicious SQL commands, potentially leading to unauthorized access to sensitive data. This issue is reachable via the network and requires prompt assessment of relevance and potential exposure.

CVE advisoryCRITICAL

CVE-2026-57738

777 Triple Seven Theme Object Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A deserialization vulnerability in the 777 triple-seven WordPress theme allows object injection via untrusted data. If reachable, this could permit unauthorized code execution, impacting system integrity and availability. It is important to identify if this theme version is in use to assess potential risk.

CVE advisoryCRITICAL

CVE-2026-57726

Kirki Plugin Blind SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL injection vulnerability in the Kirki plugin could allow attackers to access sensitive data. The vulnerability does not require authentication and can be exploited by sending crafted network requests to affected websites. It is important to determine if this plugin is in use and assess the potential for data expos

CVE advisoryCRITICAL

CVE-2026-57724

Kirki PHP Object Injection Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A deserialization flaw in the Kirki WordPress plugin allows object injection, potentially enabling unauthorized code execution. This vulnerability is reachable via the network and could compromise the integrity and availability of affected websites. Confirming its presence and scope within the organization is the immed

CVE advisoryCRITICAL

CVE-2026-57719

Aimogen Pro Unrestricted File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unrestricted file upload vulnerability in the Aimogen Pro WordPress plugin could permit the execution of malicious files. This issue is remotely exploitable without authentication, potentially leading to server compromise. The capability to upload dangerous file types without restriction poses a significant risk.

CVE advisoryCRITICAL

CVE-2026-57714

LatePoint Blind SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A Blind SQL Injection vulnerability exists in the LatePoint appointment booking plugin, potentially allowing unauthenticated attackers to infer database structure through crafted network requests. This could aid further attacks, although direct data exposure is not explicitly detailed. Understanding the reachability an

CVE advisoryCRITICAL

CVE-2026-57707

Simple Business Directory Pro SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL injection vulnerability exists in the Simple Business Directory Pro plugin, allowing attackers to manipulate database queries. If reachable, this could result in unauthorized access to sensitive data. It is important to confirm if this plugin is in use and assess its exposure.

CVE advisoryCRITICAL

CVE-2026-41041

Apache Gravitino URL Path Injection Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A URL path injection vulnerability in Apache Gravitino allows unencoded user-supplied identifiers to be exploited. If reachable, an attacker could potentially inject arbitrary paths, leading to unauthorized access to system resources or data. This could impact data cataloging and management systems.

CVE advisoryCRITICAL

CVE-2026-22103

Command Injection in NPC Start Endpoint

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A command injection vulnerability exists in a web server's NPC start endpoint, allowing unauthenticated network access to execute arbitrary commands. This could impact service behavior if the endpoint is reachable, making it important to confirm system relevance and exposure.

CVE advisoryCRITICAL

CVE-2026-22097

Firmware Update Lacks Signature Validation Enabling Arbitrary Code Execution.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability exists in a firmware update mechanism due to a lack of cryptographic signature validation. This could allow unauthorized code execution if the firmware update capability is reachable. The risk is that malicious firmware could be uploaded and executed on devices.

CVE advisoryCRITICAL

CVE-2026-22096

Unauthenticated Web Server Information Leakage and File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in a web server running on port 8090 that lacks authentication, potentially allowing unauthorized access to sensitive information like passwords and the ability to upload files. This issue requires verification to determine if the affected web server is present and exposed within the env

CVE advisoryCRITICAL

CVE-2026-22095

Web Server Network Diagnosis Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical command injection vulnerability exists in a web server's network diagnosis endpoint, potentially allowing unauthorized remote command execution. The issue is reachable via network requests to port 8090. Its impact depends on whether this diagnostic feature is exposed and actively used.

CVE advisoryCRITICAL

CVE-2026-22093

EVbee Service App Weak TLS Certificate Validation and RC4 Encryption Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

The EVbee Service Android app does not validate server certificates, allowing network attackers to intercept and manipulate communication, including charging station access codes, due to weak RC4 encryption with a hardcoded key.

CVE advisoryCRITICAL

CVE-2026-13014

Matryoshka Mail Vulnerability in Thales CERT Suspicious Allows Arbitrary Code Execution and File Overwrite

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Thales CERT "Suspicious" application enables unauthenticated remote attackers to execute arbitrary code and overwrite files, potentially causing denial of service, compromising secrets, and achieving root-level execution within the container. This issue is classified as external and could im

CVE advisoryCRITICAL

CVE-2026-14453

Centreon Open Tickets SSTI Leading to Remote Code Execution.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical Server-Side Template Injection vulnerability exists in Centreon's centreon-open-tickets module, allowing authenticated users to execute arbitrary code. This could lead to the disclosure of environment secrets and impact the availability of the Centreon Infrastructure Monitoring product.

CVE advisoryCRITICAL

CVE-2026-4769

WAGO System I/O Field Startup Vulnerability Allows Unauthenticated Remote System Compromise.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

Certain WAGO System I/O Field devices have a critical vulnerability where an undocumented diagnostic feature is accessible without authentication during their initial startup. This brief window allows unauthenticated remote attackers to gain full system compromise by accessing internal system processes. The issue is re

CVE advisoryCRITICAL

CVE-2026-11964

User Registration Membership Plugin Forges Payment Approval

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in a WordPress plugin allows unauthenticated attackers to forge payment notifications, enabling them to activate paid memberships without completing a real payment. This could impact revenue and customer trust by granting unauthorized access to premium features. Readers should confirm if the af