0x04 // Actively Exploited
source: CISA KEV →
CVE
Vulnerability
EPSS
Added
CVE-2026-58644
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Microsoft · SharePoint
1%
Jul 16, 2026
CVE-2026-25089
Fortinet FortiSandbox OS Command Injection Vulnerability
Fortinet · FortiSandbox
36%
Jul 16, 2026
CVE-2026-39808
Fortinet FortiSandbox OS Command Injection Vulnerability
Fortinet · FortiSandbox
84%
Jul 16, 2026
CVE-2026-46817
Oracle E-Business Suite Improper Privilege Management Vulnerability
Oracle · E-Business Suite
1%
Jul 15, 2026
CVE-2023-4346
KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
KNX Association · KNX Protocol Connection Authorization Option 1
<1%
Jul 15, 2026
CVE-2026-56155
Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
Microsoft · Active Directory Federation Services
<1%
Jul 14, 2026
CVE-2026-56164
Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
Microsoft · SharePoint Server
6%
Jul 14, 2026
CVE-2026-15409
SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
SonicWall · SMA1000 Appliances
1%
Jul 14, 2026
CVE-2026-15410
SonicWall SMA1000 Appliances Code Injection Vulnerability
SonicWall · SMA1000 Appliances
1%
Jul 14, 2026
CVE-2008-4128
Cisco IOS Cross-Site Request Forgery Vulnerability
Cisco · IOS
24%
Jul 13, 2026
0x03 // Latest CVEs
source: NVD · NIST →
Severity
CVE
CVSS
EPSS
Description
Published
MEDIUM
CVE-2026-16130
4.4
—
A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of th…
Jul 18, 2026
MEDIUM
CVE-2026-16129
5.3
—
A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction…
Jul 18, 2026
HIGH
CVE-2026-16128
7.3
—
A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiver_thread of the file…
Jul 18, 2026
HIGH
CVE-2026-16127
7.3
—
A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function claw_net_get/claw_net_post of th…
Jul 18, 2026
HIGH
CVE-2026-16126
7.3
—
A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of…
Jul 18, 2026
HIGH
CVE-2026-16125
7.3
—
A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function claw_net_get/claw_net_post…
Jul 18, 2026
MEDIUM
CVE-2026-16124
6.3
—
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function Ch…
Jul 18, 2026
MEDIUM
CVE-2026-16123
6.3
—
A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvo…
Jul 18, 2026
MEDIUM
CVE-2026-16122
4.3
—
A security flaw has been discovered in nextlevelbuilder GoClaw up to 3.13.2. Affected by this vulnerability is the funct…
Jul 18, 2026
MEDIUM
CVE-2026-16121
6.3
—
A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file i…
Jul 18, 2026
HIGH
CVE-2026-9323
8.1
—
The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by c…
Jul 18, 2026
MEDIUM
CVE-2026-16120
6.3
—
A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlis…
Jul 18, 2026
MEDIUM
CVE-2026-16119
6.3
—
A vulnerability was found in nextlevelbuilder GoClaw up to 3.13.2. This affects the function RequestApproval of the file…
Jul 18, 2026
CRITICAL
CVE-2026-16117
10.0
—
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segme…
Jul 18, 2026
HIGH
CVE-2026-11826
8.8
—
OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. getData(…
Jul 18, 2026
N/A
CVE-2025-71398
—
—
SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-n…
Jul 18, 2026
N/A
CVE-2025-71397
—
—
SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permi…
Jul 18, 2026
N/A
CVE-2025-71396
—
—
SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on em…
Jul 18, 2026
N/A
CVE-2025-71395
—
—
SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to…
Jul 18, 2026
N/A
CVE-2025-71394
—
—
SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows aut…
Jul 18, 2026
N/A
CVE-2025-71393
—
—
SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain e…
Jul 18, 2026
N/A
CVE-2025-71392
—
—
SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the…
Jul 18, 2026
N/A
CVE-2025-71391
—
—
SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated…
Jul 18, 2026
N/A
CVE-2025-71390
—
—
SurrealDB before 2.2.6, 2.3.6, and 2.1.8 (and 3.0.0-alpha.7 and earlier) fails to validate DNS-resolved hostnames agains…
Jul 18, 2026
MEDIUM
CVE-2024-58370
6.5
—
SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements includin…
Jul 18, 2026
MEDIUM
CVE-2024-58369
6.5
—
SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or names…
Jul 18, 2026
HIGH
CVE-2024-58368
7.5
—
SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing s…
Jul 18, 2026
N/A
CVE-2024-58367
—
—
SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations,…
Jul 18, 2026
HIGH
CVE-2024-58366
8.5
—
SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throw_type function when script…
Jul 18, 2026
MEDIUM
CVE-2024-58365
6.5
—
SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls…
Jul 18, 2026
MEDIUM
CVE-2024-58364
6.5
—
SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing quer…
Jul 18, 2026
MEDIUM
CVE-2024-58363
6.3
—
SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clau…
Jul 18, 2026
HIGH
CVE-2024-58362
8.8
—
SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operati…
Jul 18, 2026
MEDIUM
CVE-2024-58361
6.5
—
SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code…
Jul 18, 2026
MEDIUM
CVE-2024-58359
6.5
—
SurrealDB versions before 2.1.0 contain a denial of service vulnerability in the sorting mechanism when using ORDER BY r…
Jul 18, 2026
MEDIUM
CVE-2024-58358
4.9
—
SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that allows privileged owne…
Jul 18, 2026
MEDIUM
CVE-2024-58357
6.5
—
SurrealDB versions before 2.1.0 contain an uncaught exception vulnerability in the rand::time() function that panics whe…
Jul 18, 2026
N/A
CVE-2024-58356
—
—
SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used…
Jul 18, 2026
HIGH
CVE-2023-54366
8.8
—
SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELE…
Jul 18, 2026
HIGH
CVE-2026-9147
7.8
—
uproot dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runti…
Jul 18, 2026
N/A
CVE-2026-59173
—
—
Uncontrolled Resource Consumption vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from…
Jul 18, 2026
HIGH
CVE-2026-16158
8.7
—
Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by conca…
Jul 18, 2026
HIGH
CVE-2026-15631
8.7
—
Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket desti…
Jul 18, 2026
HIGH
CVE-2026-16097
8.8
—
A vulnerability was found in Shibby Tomato 1.28. This vulnerability affects the function sub_42537C of the component Sch…
Jul 18, 2026
HIGH
CVE-2026-16096
8.8
—
A vulnerability has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. This affects the function sub_40BB50 of th…
Jul 18, 2026
HIGH
CVE-2026-16095
8.8
—
A flaw has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. Affected by this issue is the function setup_conntr…
Jul 18, 2026
MEDIUM
CVE-2026-16088
4.7
—
A vulnerability was detected in halo-dev halo up to 2.24.2. Affected by this vulnerability is the function Download of t…
Jul 18, 2026
MEDIUM
CVE-2026-16085
5.3
<1%
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of…
Jul 18, 2026
HIGH
CVE-2026-47871
8.8
<1%
VMware Avi Load Balancer contains a directory traversal vulnerability. Flaws in file path validation allow malicious, au…
Jul 18, 2026
HIGH
CVE-2026-47870
7.1
<1%
VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious authenticated user with network acce…
Jul 18, 2026
HIGH
CVE-2026-47869
8.7
<1%
VMware Avi Load Balancer contains a remote code execution vulnerability. A malicious authenticated user with network acc…
Jul 18, 2026
HIGH
CVE-2026-47868
7.8
<1%
VMware Avi Load Balancer contains a local privilege escalation vulnerability. A malicious user with local access may be…
Jul 18, 2026
HIGH
CVE-2026-47867
8.7
<1%
VMware Avi Load Balancer contains a remote code execution vulnerability. A malicious user with network access may be abl…
Jul 18, 2026
HIGH
CVE-2026-47866
8.3
<1%
VMware Avi Load Balancer contains an authorization bypass vulnerability. A malicious actor on the network can access a l…
Jul 18, 2026
CRITICAL
CVE-2026-47865
9.8
<1%
VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user with network access may be ab…
Jul 18, 2026
HIGH
CVE-2026-16084
7.3
<1%
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools…
Jul 18, 2026
MEDIUM
CVE-2026-16083
5.3
<1%
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of th…
Jul 18, 2026
MEDIUM
CVE-2026-16082
5.3
<1%
A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun…
Jul 18, 2026
MEDIUM
CVE-2026-16081
4.3
<1%
A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file w…
Jul 18, 2026
MEDIUM
CVE-2026-16077
5.3
<1%
A vulnerability was found in AstrBotDevs AstrBot up to 4.25.5. Impacted is the function _normalize_rw_path of the file a…
Jul 18, 2026
MEDIUM
CVE-2026-16076
6.3
<1%
A vulnerability has been found in AstrBotDevs AstrBot up to 4.25.5. This issue affects the function OpenApiRoute.chat_se…
Jul 18, 2026
MEDIUM
CVE-2026-9734
4.3
<1%
The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, a…
Jul 18, 2026
MEDIUM
CVE-2026-16075
4.3
<1%
A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.get_chat…
Jul 18, 2026
MEDIUM
CVE-2026-57980
5.4
<1%
Authentication bypass using an alternate path or channel in Microsoft Edge (Chromium-based) allows an unauthorized attac…
Jul 17, 2026
HIGH
CVE-2026-56741
7.5
<1%
JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote…
Jul 17, 2026
HIGH
CVE-2026-56740
7.5
<1%
JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote…
Jul 17, 2026
HIGH
CVE-2026-56171
7.1
<1%
Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disc…
Jul 17, 2026
LOW
CVE-2026-54335
3.7
<1%
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In 5.0.44 and…
Jul 17, 2026
HIGH
CVE-2026-49485
7.5
<1%
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9…
Jul 17, 2026
MEDIUM
CVE-2026-48049
5.3
<1%
@hapi/inert provides static file and directory handlers for hapi.js. From 4.0.0 to 7.1.0, @hapi/inert serves static file…
Jul 17, 2026
MEDIUM
CVE-2026-48022
6.5
<1%
@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie,…
Jul 17, 2026
N/A
CVE-2026-44979
—
<1%
@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when @hapi/wreck follows a 3xx redirect to a different hostname,…
Jul 17, 2026
CRITICAL
CVE-2026-55518
9.6
<1%
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to 3.32.1 and 4.0.0.beta.51, Avo's association a…
Jul 17, 2026
HIGH
CVE-2026-54498
8.7
<1%
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4…
Jul 17, 2026
MEDIUM
CVE-2026-54497
6.8
<1%
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4…
Jul 17, 2026
N/A
CVE-2026-54490
—
<1%
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, if this library is used with the pe…
Jul 17, 2026
N/A
CVE-2026-54466
—
<1%
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions…
Jul 17, 2026
LOW
CVE-2026-54244
3.5
<1%
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.74.0 and 6.20.3, the Live Preview endp…
Jul 17, 2026
MEDIUM
CVE-2026-54243
6.1
<1%
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission valu…
Jul 17, 2026
MEDIUM
CVE-2026-54242
4.9
<1%
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image prox…
Jul 17, 2026
MEDIUM
CVE-2026-54163
4.7
<1%
secure_headers manages application of security headers with many safe defaults. Prior to 7.3.0, secure_headers builds th…
Jul 17, 2026
CRITICAL
CVE-2026-54159
10.0
<1%
PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsear…
Jul 17, 2026
N/A
CVE-2026-53727
—
<1%
css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb,…
Jul 17, 2026
N/A
CVE-2026-52584
—
<1%
Buffer Overflow vulnerability in libjxl v.0.11.2 and before allows a local attacker to obtain sensitive information via…
Jul 17, 2026
N/A
CVE-2026-52348
—
<1%
cool-admin-java 8.0.0 has a SQL injection vulnerability in the order() method of CrudOption.java.
Jul 17, 2026
N/A
CVE-2026-52203
—
<1%
An issue in MCMS v.6.1.1 allows a remote attacker to obtain sensitive information via the source parameter.
Jul 17, 2026
HIGH
CVE-2026-50274
7.5
<1%
Datadog dd-trace-go is a Go client library for Datadog application performance monitoring, profiling, and security monit…
Jul 17, 2026
HIGH
CVE-2026-50272
7.5
<1%
dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/bagga…
Jul 17, 2026
HIGH
CVE-2026-50271
7.5
<1%
Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C bagga…
Jul 17, 2026
MEDIUM
CVE-2026-49977
4.3
<1%
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on…
Jul 17, 2026
CRITICAL
CVE-2026-48062
9.8
<1%
CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in upload validation rule in system/Validation/St…
Jul 17, 2026
MEDIUM
CVE-2026-45785
6.2
<1%
OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Sto…
Jul 17, 2026
N/A
CVE-2026-45784
—
<1%
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.50 until 0.10.80, CipherCtxRef::ciph…
Jul 17, 2026
HIGH
CVE-2026-44891
7.5
<1%
Netty is a network application framework for development of protocol servers and clients. Prior to 4.1.136.Final and 4.2…
Jul 17, 2026
MEDIUM
CVE-2026-16074
6.3
<1%
A vulnerability was detected in AstrBotDevs AstrBot up to 4.25.2. This affects the function update_plugin/update_all_plu…
Jul 17, 2026
CRITICAL
CVE-2026-13446
9.8
<1%
IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password or cryptographic key, which it…
Jul 17, 2026
HIGH
CVE-2026-13445
8.1
<1%
IBM Langflow OSS 1.0.0 through 1.10.1 can allow an authenticated attacker to exploit the SaveToFile component to read an…
Jul 17, 2026
MEDIUM
CVE-2026-8861
5.3
<1%
IBM Security Verify could allow a remote attacker to obtain sensitive information when a detailed technical error messag…
Jul 17, 2026
CRITICAL
CVE-2026-8859
9.9
<1%
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations…
Jul 17, 2026
CRITICAL
CVE-2026-8635
9.9
<1%
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipul…
Jul 17, 2026
No CVEs match your filter.