376 collected events across every source — vulnerabilities, rulemaking and (soon)
advisories, enforcement & news — newest first. This is the raw stream behind the compliance boards.
-
2026-07-13
NVD CVE
critical
Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early...
cisacmmc-level-2cve-2026-4769defense-industrial-basedevices-compromisefedramp-authorizationincident-responseinternal-diagnostic
-
2026-07-13
NVD CVE
critical
Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end,...
cmmc-level-2command-injectioncve-2026-61498graph-generationinput-sanitizationnist-800-171nvd-cveos-command-execution
-
2026-07-13
NVD CVE
critical
9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the...
9routerai-provider-accountapi-key-exposurebilling-fraudcompliance-riskcve-2026-62327information-leakagemissing-authentication-middleware
-
2026-07-13
NVD CVE
critical
Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during login. A remote attacker can collect a small number of...
administrative-accessauthenticationconfigurations-featurescve-2026-61500login-responsesnon-cryptographic-generatornvd-cverejetto
-
2026-07-13
NVD CVE
critical
9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the...
9routerapi-endpointapi-keyauthentication-middlewarecompliance-riskcredentials-exposurecve-2026-59801denial
-
2026-07-12
NVD CVE
critical
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication middleware...
api-securityauthentication-bypassauthentication-middlewarecve-2026-56271default-credentialsflowisehardcoded-secretimpersonation
-
2026-07-12
NVD CVE
critical
A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected by this vulnerability is the function system_wl_upload_pic_file of the file /usr/bin/webmgnt of the component FastCGI Backend. This manipulation of the argument filename causes...
cf-wr631axcomfastcommand-injectioncve-2026-15511fastcgi-backendsfile-path-manipulationnvd-cveos-command-injection
-
2026-07-12
NVD CVE
critical
Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path parameter accepts arbitrary filesystem paths without validation, allowing an attacker to supply absolute or...
api-serverarbitrary-file-writecrawl4aicve-2026-56260denialdockerdocker-apusendpoint-security
-
2026-07-11
NVD CVE
critical
PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM tool calls. Attackers can inject malicious prompts through the chat...
aicoder-componentarbitrary-file-writecommand-executioncommands-sanitizationcve-2026-61445cybersecurityinformation-securityllms-tool
-
2026-07-11
NVD CVE
critical
PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers can influence LLM output through...
arbitrary-code-executioncodeagentcve-2026-61447cybersecuritydatum-exfiltrationenvironment-secretslarge-language-modelllm
-
2026-07-11
NVD CVE
critical
PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value...
cassandracql-injectioncreate-tablescve-2026-60090cybersecuritydata-validationdatabase-securityddl-injections
-
2026-07-10
NVD CVE
critical
PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the...
apicode-injectioncve-2026-61444cybersecuritydeploymentnvd-cvepraiseaipython
-
2026-07-10
NVD CVE
critical
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow...
accounts-takeoveradministrators-accessauthentication-bypasscve-2026-12761cybersecuritydata-compromiseemail-address-verificationminiorange
-
2026-07-10
NVD CVE
critical
A flaw was found in the `guardrails-detectors` component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery (SSRF) by submitting a specially crafted XML Schema Definition (XSD) string. This can lead to unauthorized...
cloud-metadata-servicescredentials-theftcve-2026-15378file-readsguardrail-detectorsinternal-networkkubernete-apiminio
-
2026-07-10
NVD CVE
critical
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which...
cve-2026-15300cybersecurityescape-functiongeo-my-wp-plugininformation-securitynumeric-validationnvd-cvephp
-
2026-07-10
NVD CVE
critical
MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name...
api-serverargument-injectionbearer-tokencluster-compromisecve-2026-61459cybersecuritydefense-industrial-baseincident-response
-
2026-07-10
NVD CVE
critical
FreeRDP is a free implementation of the Remote Desktop Protocol. From 3.21.0 before 3.28.0, FreeRDP clients using the GFX pipeline contain an incomplete fix for CVE-2026-23530 in planar_decompress_plane_rle_only in libfreerdp/codec/planar.c, allowing a...
buffer-overflowcmmc-level-2compliancecve-2026-23530cve-2026-57158dodfedrampfreerdp
-
2026-07-10
NVD CVE
critical
The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insapp_upload_image_as_attachment' function in all versions up to, and including, 1.2. This makes it possible for...
arbitrary-files-uploadcve-2026-15282cybersecurityfile-type-validationinformation-securityinstant-appointmentnvd-cveplugin
-
2026-07-10
NVD CVE
critical
In JetBrains IntelliJ IDEA before 2026.1.4,
2026.2 code execution via path traversal in project workspace ID handling was possible
code-executioncve-2026-59792cybersecuritydfar-252-204-7012incident-responseintellij-ideajetbrainnist-800-171
-
2026-07-10
NVD CVE
critical
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability...
ajaxarbitrary-files-uploadcve-2026-14894cybersecurityfile-type-validationnoncenoprivnvd-cve
-
2026-07-09
NVD CVE
critical
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
arbitrary-files-uploadbalbooon-formcybersecurityfiles-uploadjoomlanvd-cverceremote-code-execution
-
2026-07-09
NVD CVE
critical
Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a...
api-endpointcommand-executioncybersecuritydefense-industrial-basehermes-webuihttps-requestsincident-responsenvd-cve
-
2026-07-09
NVD CVE
critical
The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information.
Affected versions: BOSH CLI tool versions prior to v7.10.4.
arbitrary-file-writeblob-ymlbosh-clicli-toolcloud-foundrycodecve-2026-47826datum-exfiltration
-
2026-07-09
NVD CVE
critical
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.
cross-site-scriptingcustomer-voicecve-2026-47646cybersecuritydynamics-365information-securityinput-validationmicrosoft
-
2026-07-09
NVD CVE
critical
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS.
This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about...
cross-site-scriptingcybersecuritydisclosureinput-validationnvd-cveoceanicsoftsoftware-vulnerabilitiesstoreds-xss
-
2026-07-09
NVD CVE
critical
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that...
arbitrary-files-uploadblocksy-companionblocksy-companion-procustom-fontscve-2026-15158file-extensionmime-validationnvd-cve
-
2026-07-09
NVD CVE
critical
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback...
accesses-tokenapi-keyauthentication-bypasscloud-metadata-endpointcve-2026-58122device-code-flowheaderhermes-webui
-
2026-07-09
NVD CVE
critical
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the...
accounts-takeoveradministrator-accounts-takeoverauthentication-bypasscve-2026-14245form-noncejavascriptminiorangenonce
-
2026-07-09
NVD CVE
critical
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection.
This issue affects BiEticaret: before v3.3.57.
applications-securitybieticaretcve-2026-5955cybersecuritydata-securityinrove-softwarenvd-cvesoftware-vulnerabilities
-
2026-07-09
NVD CVE
critical
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or...
cloud-ngfwcve-2026-0284data-corruptioninformation-disclosurelsvpnmalicious-contentsnetwork-accessnot-impacted
-
2026-07-08
NVD CVE
critical
IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.
api-connectcve-2026-9074cybersecuritydata-securitydefense-industrial-baseibmincident-responsenist-800-171
-
2026-07-08
NVD CVE
critical
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the...
blocksy-companion-pro-plugincustom-fonts-extensionscve-2026-58480cybersecurityextension-validationfiles-uploadnvd-cvephp
-
2026-07-08
NVD CVE
critical
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user...
cve-2026-9700cve-2026-9701eventer-pluginnvd-cvepassword-resetphpphp-74plaintext
-
2026-07-08
NVD CVE
critical
The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated...
arbitrary-file-deletionauthenticationauthorizationcve-2026-14487cybersecurityfile-path-validationfile-removalhash-checks
-
2026-07-08
NVD CVE
critical
The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
arbitrary-code-executionauthorization-bypasscve-2026-12153cybersecuritynvd-cveplugin-activationplugin-installationplugins-vulnerabilities
-
2026-07-08
NVD CVE
critical
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection.
This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned...
cve-2026-8307cybersecuritydatabase-securityimproper-neutralizationmedikum-webnvd-cvesecurity-flawsql-injection
-
2026-07-07
NVD CVE
critical
Cognee before 1.2.0 contains an improper access control vulnerability that allows unauthenticated attackers to overwrite the global LLM provider configuration by self-registering an account and calling the settings endpoint, which performs no admin or...
cogneeconfiguration-overwritecve-2026-58473data-breachesdatum-exfiltrationendpoint-securityimproper-access-controlinstance-wide-impact
-
2026-07-07
NVD CVE
critical
mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can retrieve stored secrets like OpenAI API keys via...
api-keycloud-imdsconfiguration-managementcve-2026-59706cybersecuritydata-exposuredefense-industrial-basenist-800-171
-
2026-07-07
NVD CVE
critical
mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can...
apiarbitrary-accessescve-2026-59705cybersecuritydata-breachesdata-exposuredenialincident-response
-
2026-07-07
NVD CVE
critical
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized...
cve-2026-14345cybersecurityinclude-oncelog-filenvd-cvephppluginremote-code-execution