Common Vulnerabilities and Exposures (CVE)

CVE-2026-15943

Jul 17, 2026 11:54:54 UTC

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value....

CVE-2026-16013

Jul 17, 2026 11:45:10 UTC

A vulnerability has been found in liftoff-sr CIPster up to 632336d414ef708a542377c1aa8d6fdb7c70a760. Affected by this issue is the function CipAppPath::deserialize_symbolic of the file source/src/cip/cipepath.cc. Such manipulation leads to ...

CVE-2026-14614

Jul 17, 2026 11:35:02 UTC

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients,...

CVE-2026-16009

Jul 17, 2026 11:15:08 UTC

A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in sql injection. The attack can be launch...

CVE-2026-49998

Jul 17, 2026 11:13:39 UTC

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and s...

CVE-2026-62994

Jul 17, 2026 11:12:51 UTC

CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headless-service zone transfers and Kubernetes ...

CVE-2026-33731

Jul 17, 2026 11:12:04 UTC

WWBN AVideo is an open source video platform. In versions prior to 29.0, the Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php contains a signature verification bypass that allows an attacker to forge webhook requests with ar...

CVE-2026-44176

Jul 17, 2026 11:11:07 UTC

Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the `pages.access` permission during page draft rendering. Permissions are defined for each user role in the user blueprint (site/blueprints/...

CVE-2026-59117

Jul 17, 2026 11:00:53 UTC

Integer overflow or wraparound in Windows Terminal allows an unauthorized attacker to execute code over a network.

CVE-2026-62226

Jul 17, 2026 10:53:19 UTC

OpenClaw 2026.3.28 before 2026.5.19 contain an authorization bypass vulnerability in the browser act route that fails to properly validate current-tab URL checks. Attackers with lower-trust access or configured input paths can perform actio...

CVE-2026-43978

Jul 17, 2026 10:49:37 UTC

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint....

CVE-2026-44436

Jul 17, 2026 10:48:33 UTC

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection state corruption. In QUIC Invariants, the m...

CVE-2026-34150

Jul 17, 2026 10:48:02 UTC

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 1.0.0 and above, prior to 4.14.5, a heap buffer overflow in wazuh-analysisd allows an unauthenticated remote attacker to crash the Waz...

CVE-2026-62201

Jul 17, 2026 10:45:41 UTC

OpenClaw versions before 2026.6.6 contain a network policy bypass vulnerability in the sandbox exec-server that allows lower-trust callers to reach internal network destinations blocked by OpenClaw policy. Attackers can send HTTP requests t...

CVE-2026-62208

Jul 17, 2026 10:45:09 UTC

OpenClaw before 2026.6.5 could forward Authorization headers during MCP SSE redirects. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's in...