Common Vulnerabilities and Exposures (CVE)

CVE-2026-13235

Jul 13, 2026 18:06:50 UTC

Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3.

CVE-2026-58493

Jul 13, 2026 18:06:28 UTC

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::__call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory...

CVE-2026-57221

Jul 13, 2026 18:05:48 UTC

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ does not perform authorization checks on passive queue.declare and exchange.declare AMQP 0-9-1 operations, allowing any authenticated user w...

CVE-2026-13236

Jul 13, 2026 18:05:21 UTC

Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.

CVE-2026-57584

Jul 13, 2026 18:04:51 UTC

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same con...

CVE-2026-13232

Jul 13, 2026 18:04:11 UTC

Incorrect Authorization vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Forceful Browsing. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.

CVE-2026-59151

Jul 13, 2026 18:03:20 UTC

Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/bac...

CVE-2026-55880

Jul 13, 2026 18:03:13 UTC

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on...

CVE-2026-13241

Jul 13, 2026 18:02:48 UTC

Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.

CVE-2026-13240

Jul 13, 2026 18:02:03 UTC

Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.

CVE-2026-54736

Jul 13, 2026 18:01:40 UTC

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a by...

CVE-2026-13239

Jul 13, 2026 18:01:25 UTC

Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0.

CVE-2026-13238

Jul 13, 2026 18:00:23 UTC

Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.

CVE-2026-13237

Jul 13, 2026 17:59:44 UTC

Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.

CVE-2026-41482

Jul 13, 2026 17:58:54 UTC

Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3.