Live threat feed July 4, 2026 | 10:19 UTC
849 CVEs This Month
1 Actively Exploited
0 Ransomware Activity
28 Breaches YTD
Vulnerability Watch

Top 10 CVEs This Week

Prioritized using CISA KEV, EPSS, CVSS, and recency.

CVE-2026-56782 CVSS 9.8 EPSS 0.0302

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.

Critical severity issue in affected software published this week.

CVE-2026-13545 CVSS 8.8 EPSS 0.0271

A vulnerability has been found in D-Link DCS-935L 1.10.01. It affects the function sub_400E40 in the file setconf.cgi of the POST Parameter Handler component. Manipulation of the UID argument leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Newly published issue in affected software with notable risk signals for defenders.

CVE-2026-13763 CVSS 9.8 EPSS 0.0047

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate it, customers should enable the "Inspect after sufficient data" target group attribute on the target groups associated with the ALB. Refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection

Critical severity issue in affected software published this week.

CVE-2026-13762 CVSS 9.8 EPSS 0.0044

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required.

Critical severity issue in affected software published this week.

CVE-2026-57331 CVSS 9.9 EPSS 0.0034

Performer Arbitrary File Deletion vulnerability in Paid Videochat Turnkey Site, versions <= 7.4.8.

Critical severity issue in affected software published this week.

CVE-2026-58000 CVSS 8.8 EPSS 0.014

luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function.

Newly published issue in affected software with notable risk signals for defenders.

CVE-2026-56290 CVSS 9.8 EPSS 0.0033

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Critical severity issue in affected software published this week.

CVE-2026-57999 CVSS 8.8 EPSS 0.0118

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing.

Newly published issue in affected software with notable risk signals for defenders.

CVE-2026-37637 CVSS 9.1 EPSS 0.0047

An issue in Alexantr filemanager v1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component.

Critical severity issue in affected software published this week.

CVE-2026-13564 CVSS 8.8 EPSS 0.0075

A vulnerability was found in Edimax EW-7478APC 1.04. It affects the function formPPPoESetup in the file /goform/formPPPoESetup of the POST Request Handler component. Manipulation of the pppUserName argument results in a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Newly published issue in affected software with notable risk signals for defenders.
