2 vulnerabilities across 2 products scored HIGH or above on June 29, 2026.

  • 🟠 HIGH: 2

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-52785 (None/None) β€” F1: exploitable β†’ functional, AAS: 11.1 β†’ 13.1 (HIGH β†’ CRITICAL). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-45405 (dokku/dokku) β€” F1: exploitable β†’ itw, AAS: 10.3 β†’ 12.8 (HIGH β†’ CRITICAL). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-54636 (dokku/dokku) β€” F1: exploitable β†’ itw, AAS: 10.3 β†’ 13.9 (HIGH β†’ CRITICAL). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-54825 (wpdatatables/wpdatatables) β€” F1: exploitable β†’ functional, AAS: 9.6 β†’ 11.6 (HIGH β†’ HIGH). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-50189 (appsmith/appsmith) β€” F1: exploitable β†’ functional, AAS: 9.7 β†’ 10.8 (HIGH β†’ HIGH). Originally in 2026-06-24 bulletin.
  • [UPGRADED] CVE-2026-54067 (siyuan-note/siyuan) β€” F1: exploitable β†’ functional, AAS: 9.2 β†’ 11.2 (HIGH β†’ HIGH). Originally in 2026-06-24 bulletin.
  • [UPGRADED] CVE-2026-52794 (sentry/sentry) β€” F1: exploitable β†’ itw, AAS: 9.3 β†’ 12.3 (HIGH β†’ CRITICAL). Originally in 2026-06-24 bulletin.

🟠 [HIGH] anthropics/claude-code

1 CVE | CVSS 4.0: 7.7 | AAS 11.0

  • cpe:2.3:a:anthropics:claude-code:*:*:*:*:*:*:*:*

Anthropic Claude Code β€” Sandbox Escape via Git Worktree Confusion

Claude Code versions 2.1.38 through 2.1.163 contain a high-severity vulnerability (CVE-2026-55607, CVSS 7.7) that allows an attacker to escape the seatbelt sandbox through malicious git worktree operations. By creating a worktree named “.git” and exploiting symlink manipulation combined with git fsmonitor execution, an attacker can overwrite sensitive files in the user’s home directory, such as .zshenv, achieving arbitrary code execution outside sandbox restrictions. A proof-of-concept exploit is publicly available, increasing the urgency for remediation.

Teams using Claude Code for development workflows should update to version 2.1.163 or later immediately. Review the vendor advisory at github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv for full remediation guidance and check developer workstations for signs of unexpected modifications to home directory dotfiles.

Vendor Advisory

🟠 [HIGH] suse/rancher

1 CVE | CVSS 4.0: 9.4 | AAS 9.0

  • cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:* (>= 2.12.0, < 2.12.10)
  • cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:* (>= 2.13.0, < 2.13.6)
  • cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:* (>= 2.14.0, < 2.14.2)

SUSE Rancher β€” Project Owner Privilege Escalation

Rancher versions 2.12 before 2.12.10, 2.13 before 2.13.6, and 2.14 before 2.14.2 contain a critical privilege escalation vulnerability (CVE-2026-41052, CVSS 9.4) where users with the Project Owner role can exploit improper privilege handling to escalate their access beyond intended boundaries. Any organization using Rancher for Kubernetes cluster management should treat this as a high-priority issue, as compromised or malicious project-scoped users could gain broader control over managed infrastructure.

Administrators should upgrade to Rancher 2.12.10, 2.13.6, or 2.14.2 immediately and audit Project Owner role assignments for unnecessary or suspicious grants. Review the vendor advisory at github.com/rancher/rancher/security/advisories/GHSA-vx8h-4prv-g744 for additional mitigation details.

Vendor Advisory