NVD disclosure day

Published threat advisories for July 16, 2026

CVE advisoryCRITICAL

CVE-2026-44182

Jupyter Enterprise Gateway YAML Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability exists in Jupyter Enterprise Gateway that allows for YAML injection. This can occur when untrusted environment variables are interpolated into Kubernetes manifests, enabling attackers to create arbitrary resources, including privileged pods. This could lead to unauthorized access or denial of service.

CVE advisoryCRITICAL

CVE-2026-44181

Jupyter Enterprise Gateway SSTI Allows Remote Code Execution and Cluster Compromise

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A Server Side Template Injection vulnerability in Jupyter Enterprise Gateway allows remote code execution and potential full Kubernetes cluster compromise. Attackers can inject malicious template expressions into environment variables, enabling them to steal service account tokens and Kubernetes secrets.

CVE advisoryCRITICAL

CVE-2026-63089

WireGuard Easy Weak Token Generation Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A cryptographically weak token generation in WireGuard Easy could allow unauthenticated attackers to recover VPN peer credentials. This could enable them to impersonate legitimate peers on the VPN network if the vulnerable route is reachable and unprotected. Understanding your use of this technology and its exposure is

CVE advisoryCRITICAL

CVE-2026-15422

illumos SCTP Kernel Heap Corruption Leading to Remote Code Execution

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in the illumos SCTP protocol allows an unauthenticated remote attacker to cause kernel heap corruption and potentially execute code by sending a malformed network packet. This occurs before standard security checks are performed, making affected systems vulnerable if the SCTP protocol is in use

CVE advisoryCRITICAL

CVE-2026-46515

Frogman PBX Information Disclosure Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Frogman, a system for headless PBX control, has a vulnerability that could expose sensitive information like AMI manager secrets, outbound dial PINs, and dialplan contexts if reachable. An attacker with read access could exploit this to gain further insight into the PBX system, making it important to confirm if this te

CVE advisoryCRITICAL

CVE-2026-46512

Frogman PBX Dialplan Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Frogman's dialplan application feature allows a permitted caller to inject arbitrary commands into the system's configuration. This could lead to unauthorized execution of commands on the PBX system. Readers should care because of the potential for system compromise.

CVE advisoryCRITICAL

CVE-2026-45336

HireFlow Hardcoded Secret Key Allows Admin Role Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in HireFlow, a web-based interview management system, allows unauthenticated attackers to forge session cookies, bypassing authentication and potentially gaining administrative access. This could lead to unauthorized access to candidate and hiring data. The core issue is a hard-coded secret key

CVE advisoryCRITICAL

CVE-2026-63087

Grafana OnCall Unauthenticated Token and Admin Access Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Grafana OnCall contains an unauthenticated access vulnerability allowing remote attackers to obtain a valid token. This token can be used to authenticate against internal API endpoints, create administrator users, and redirect API calls, potentially impacting incident response operations and system integrity.

CVE advisoryCRITICAL

CVE-2026-46621

Yamcs Script Engine Remote Code Execution Vulnerability.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in the Yamcs script evaluation engine could allow an authenticated user with administrative privileges to execute arbitrary code on the host system. This occurs when user-controlled script text is compiled without proper sandboxing, enabling the import and execution of malicious Java classes. While expl

CVE advisoryCRITICAL

CVE-2026-46562

YAMCS Nashorn Scripting Command Execution Vulnerability.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the Yamcs mission control framework allows unauthenticated users to execute arbitrary OS commands by overriding JavaScript algorithms. This could lead to the compromise of the Yamcs process, impacting mission control operations. Confirming relevance and exposure is crucial for security-aware leaders.

CVE advisoryCRITICAL

CVE-2026-45568

zrok Server-Side Request Forgery via Absolute URL Proxying

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in zrok, a tool for sharing web services and resources, where an attacker can redirect requests to arbitrary URLs. This could cause zrok to return responses from an attacker-chosen location, potentially impacting service integrity. Readers should care because this could expose systems or

CVE advisoryCRITICAL

CVE-2026-44632

Yamcs Algorithm Engine Code Injection Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A server-side code injection vulnerability in the Yamcs algorithm evaluation engine allows an authenticated user to execute arbitrary Java code, potentially leading to remote code execution on the host operating system. This issue arises from dynamically compiling user-controlled algorithm text without proper sandboxin

CVE advisoryCRITICAL

CVE-2026-59866

Kiota Code Generator Path Traversal Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in Kiota, an OpenAPI-based HTTP client code generator, allows for path traversal during code generation if an attacker-controlled OpenAPI description is processed. This could lead to the creation of malicious files outside the intended output directory and the injection of arbitrary text into generated

CVE advisoryCRITICAL

CVE-2026-59865

Kiota Command Injection via OpenAPI Description.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A command injection vulnerability exists in Kiota, an OpenAPI-based HTTP client code generator. An attacker could exploit this by providing a malicious OpenAPI description that, when processed by the `kiota info` command, injects unintended commands, potentially leading to arbitrary command execution. The relevance and

CVE advisoryCRITICAL

CVE-2026-59864

Kiota Path Traversal in Plugin Manifest Generation

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

Kiota, a code generator for OpenAPI-based HTTP clients, has a path traversal vulnerability in its plugin manifest generation. This could allow attacker-controlled file paths to be included in generated Microsoft 365 Copilot and Teams plugin manifests, potentially leading to unintended file inclusion or path traversal i

CVE advisoryCRITICAL

CVE-2026-54733

Moodle Office 365 Integration Plugin Signature Verification Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Microsoft 365 and Microsoft Entra ID Plugins for Moodle contain a vulnerability where a Teams SSO login endpoint fails to verify JWT signatures, allowing unauthenticated attackers to forge tokens and gain Moodle sessions as Office 365 users. This could impact Moodle's integrity and data accessed through it.

CVE advisoryCRITICAL

CVE-2026-45695

Kopia HTTP Server Command Injection Vulnerability.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability exists in Kopia's unauthenticated HTTP server that could permit arbitrary command execution. If Kopia is deployed with its HTTP server enabled without a password, an attacker could send unauthenticated requests to trigger this vulnerability. It is uncertain if this specific configuration is in use withi

CVE advisoryCRITICAL

CVE-2026-14890

SGLang Expert-Parallel Backup RCE via Unauthenticated ZeroMQ Socket.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability exists in SGLang's expert-parallel backup subsystem, which uses a network-accessible component without authentication or deserialization safeguards. If enabled and network-reachable, an attacker could send a malicious file to achieve unauthenticated remote code execution. The primary concern is to deter

CVE advisoryCRITICAL

CVE-2026-63306

Stoatchat Server-Side Request Forgery Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated server-side request forgery vulnerability exists in stoatchat's `/proxy` and `/embed` endpoints, allowing attackers to send arbitrary URLs without proper validation. This enables them to probe internal services, discover applications, and access sensitive metadata endpoints, potentially exposing inte

CVE advisoryCRITICAL

CVE-2026-63305

AVideo OS Command Injection via ffmpeg.json.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

AVideo contains an OS command injection vulnerability in the ffmpeg.json.php endpoint, allowing attackers to execute arbitrary shell commands as the web server user by crafting specific encrypted payloads. This could lead to unauthorized system access or modification.

CVE advisoryCRITICAL

CVE-2026-63304

AVideo OS Command Injection via listFFmpegProcesses.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

AVideo contains an OS command injection vulnerability where unsanitized parameters allow attackers to execute arbitrary commands as the web-server user. This could impact the integrity and availability of the web server. Confirming AVideo's presence and network exposure is necessary to assess relevance.

CVE advisoryCRITICAL

CVE-2026-11386

Ubuntu Pro Client APT Source Injection Leading to Root Code Execution

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A vulnerability in Ubuntu Pro client allows for code execution with root privileges by manipulating APT source configurations. An attacker could inject malicious lines into system files if they can tamper with the contract server response, potentially leading to unauthorized package installation and arbitrary code exec

CVE advisoryCRITICAL

CVE-2023-49900

Remote Code Execution via Unsanitized Input in SetParameter Command.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated remote attacker can execute arbitrary code by sending specially crafted input to the SetParameter command, potentially compromising affected systems. This vulnerability is reachable over the network without requiring authentication or privileges. It is important to confirm if your environment is rele

CVE advisoryCRITICAL

CVE-2023-49899

Command Execution Vulnerability in Unauthenticated Remote Communication Channel.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated remote attacker can execute commands on an affected device by exploiting an improper verification of communication channel origins. This vulnerability allows for remote code execution without authentication, potentially leading to device compromise and further network access. The concern lies in conf

CVE advisoryCRITICAL

CVE-2026-22752

Spring Authorization Server Authentication Bypass Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical vulnerability exists in Spring Security Spring Authorization Server that allows an attacker with limited privileges to bypass authentication. This could lead to unauthorized access to protected resources and potentially impact data confidentiality and integrity. Confirmation of its use within the environment

CVE advisoryCRITICAL

CVE-2026-15925

Snowflake Connector for Python Improper TLS Hostname Verification

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

An improper TLS hostname verification vulnerability in the Snowflake Connector for Python may allow a network attacker to bypass certificate validation. This could lead to the interception and tampering of sensitive data, including credentials and query results, and enable the execution of arbitrary SQL commands. The i

CVE advisoryCRITICAL

CVE-2026-12492

Happy Coders OTP Login for WooCommerce Authentication Bypass Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in a WordPress plugin allows unauthenticated attackers to bypass one-time password validation, potentially granting them access to any user account, including administrators, or enabling the creation of new accounts. Confirmation is needed to determine if the plugin is in use and externally accessible.

CVE advisoryCRITICAL

CVE-2026-15013

WordPress SAML SSO Plugin Authentication Bypass Allows Account Takeover.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A critical vulnerability in the WordPress SAML Single Sign-On plugin allows unauthenticated attackers to bypass authentication and take over any account, including administrators. This occurs because the plugin fails to validate the SAML `SignatureMethod` Algorithm, enabling attackers to forge assertions and gain full