NVD disclosure day

Published threat advisories for July 17, 2026

CVE advisoryCRITICAL

CVE-2026-62241

Clawvet API JWT Secret Vulnerability Allows Session Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in the clawvet self-hosted API server allows unauthenticated remote attackers to obtain sensitive user data by forging session cookies offline with a hard-coded secret. This could expose user email addresses, subscription plans, and API keys if the server is reachable.

CVE advisoryCRITICAL

CVE-2026-62232

Grav Login Plugin 2FA Bypass Allows Password-Only Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Grav's login plugin permits attackers who know a victim's password to bypass two-factor authentication. By triggering a two-factor secret regeneration, an attacker can replace the legitimate secret with their own, compute a valid code, and gain unauthorized access. This flaw reduces two-factor authen

CVE advisoryCRITICAL

CVE-2026-14956

Bricksforge WordPress Plugin Privilege Escalation Vulnerability.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

The Bricksforge WordPress plugin has a privilege escalation vulnerability allowing unauthenticated attackers to create new administrator accounts. This is possible via a public Pro Forms registration form due to improper validation of attacker-supplied field IDs. The risk exists if your site uses this plugin with publi