Common Vulnerabilities and Exposures (CVE)

CVE-2026-48010

Jul 17, 2026 23:15:41 UTC

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser() in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEM_SCOPE without filtering the admin field, so a non-ad...

CVE-2026-47183

Jul 17, 2026 23:15:36 UTC

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.6, DNSIncoming._log_exception_debug and the four QuietLogger exception-dedup methods stored an unbounded _seen_logs dictionary keyed by attacker-inf...

CVE-2026-45162

Jul 17, 2026 23:15:31 UTC

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, multiple Pimcore locations call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restricti...

CVE-2026-8505

Jul 17, 2026 23:15:27 UTC

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH...

CVE-2026-44739

Jul 17, 2026 23:15:23 UTC

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL config...

CVE-2026-7755

Jul 17, 2026 23:15:17 UTC

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow remote code execution due to incomplete validation enforcement on MCP server configuration files.

CVE-2026-15093

Jul 17, 2026 23:15:12 UTC

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to redirect users to malicious websites due to improper validation of user-supplied URLs.

CVE-2026-10652

Jul 17, 2026 22:11:32 UTC

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one e...

CVE-2026-10638

Jul 17, 2026 22:11:32 UTC

subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(rep...

CVE-2026-56171

Jul 17, 2026 21:34:17 UTC

Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disclose information over a network.

CVE-2026-58529

Jul 17, 2026 21:34:17 UTC

Out-of-bounds read in Active Directory Federation Services (AD FS) allows an authorized attacker to disclose information over a network.

CVE-2026-62826

Jul 17, 2026 21:34:16 UTC

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

CVE-2026-55121

Jul 17, 2026 21:34:16 UTC

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

CVE-2026-56181

Jul 17, 2026 21:34:15 UTC

Origin validation error in Windows Network Address Translation (NAT) allows an unauthorized attacker to perform spoofing over an adjacent network.

CVE-2026-58638

Jul 17, 2026 21:34:14 UTC

Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.