2 vulnerabilities across 1 product scored HIGH or above on July 02, 2026.

  • 🔴 CRITICAL: 1
  • 🟠 HIGH: 1

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-52785 (opf/openproject) — F1: exploitable → functional, AAS: 11.1 → 13.1 (HIGH → CRITICAL). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-45405 (dokku/dokku) — F1: exploitable → itw, AAS: 10.3 → 12.8 (HIGH → CRITICAL). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-54636 (dokku/dokku) — F1: exploitable → itw, AAS: 10.3 → 13.9 (HIGH → CRITICAL). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-52884 (notepad-plus-plus/notepad) — F1: exploitable → functional, AAS: 9.1 → 11.1 (HIGH → HIGH). Originally in 2026-06-26 bulletin.
  • [UPGRADED] CVE-2026-54825 (wpdatatables/wpdatatables) — F1: exploitable → functional, AAS: 9.6 → 11.6 (HIGH → HIGH). Originally in 2026-06-26 bulletin.

🔴 [CRITICAL] craftcms/cms

2 CVEs | CVSS 4.0: 8.7 | AAS 12.8

  • cpe:2.3:a:craftcms:cms:*:*:*:*:*:*:*:* (>= 5.9.0, < 5.10.0)

Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x are affected by two vulnerabilities, including at least one critical-severity issue rated CVSS 8.7 involving server-side request forgery and arbitrary JavaScript injection through the resource-js endpoint. An attacker can manipulate host headers to bypass internal URL validation due to permissive default trustedHosts configuration, potentially forcing the application to serve attacker-controlled content. Organizations running Craft CMS should upgrade immediately to version 4.18.0 or 5.10.0 and review the vendor advisory at the linked GitHub pull request for additional hardening guidance.

Vendor Advisory