Common Vulnerabilities and Exposures (CVE)

CVE-2026-10589

Jul 16, 2026 17:31:54 UTC

A potential out of bounds write vulnerability could allow a local privileged attacker to execute code in System Management Mode.

CVE-2026-10590

Jul 16, 2026 17:31:27 UTC

A potential missing authentication vulnerability could allow a local privileged attacker to use WMI commands to arbitrarily trigger a System Management Interrupt handler.

CVE-2026-45576

Jul 16, 2026 17:13:51 UTC

zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, `zrok2 copy` stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the source inventory and passes them to Filesyst...

CVE-2026-15737

Jul 16, 2026 17:08:49 UTC

AWS Bedrock AgentCore Python SDK is an open-source Python library that provides client tools for building AI agents on the Amazon Bedrock AgentCore platform. Unintended logging of sensitive user content in the OpenTelemetry instrumentati...

CVE-2026-46336

Jul 16, 2026 17:04:31 UTC

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded files with path traversal sequences beca...

CVE-2026-12525

Jul 16, 2026 17:04:00 UTC

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by su...

CVE-2026-45336

Jul 16, 2026 17:03:00 UTC

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauth...

CVE-2026-46687

Jul 16, 2026 17:01:31 UTC

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from api_controller.php without validation, and log_controller.php later checks file_exists ...

CVE-2026-46686

Jul 16, 2026 16:59:17 UTC

Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attr...

CVE-2026-12585

Jul 16, 2026 16:57:01 UTC

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs t...

CVE-2026-46341

Jul 16, 2026 16:54:01 UTC

The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool in src/tools/common/fetch_apify_docs.ts ...

CVE-2026-12906

Jul 16, 2026 16:53:35 UTC

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other ...

CVE-2026-45367

Jul 16, 2026 16:52:04 UTC

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches(), matchesFull(), and replace...

CVE-2026-9046

Jul 16, 2026 16:48:47 UTC

A potential insecure permissions vulnerability was reported in Legion Zone and the Lenovo App Store Windows applications, distributed exclusively in the Chinese market, that when installed on a non‑system partition, could allow a local user...

CVE-2026-6511

Jul 16, 2026 16:48:30 UTC

During an internal security assessment, a potential improper access control vulnerability was discovered in Lenovo Smart Connect for Windows that could allow a local authenticated user to access files owned by a different user on the same s...