2 vulnerabilities across 1 product scored HIGH or above on July 02, 2026.
- 🔴 CRITICAL: 1
- 🟠 HIGH: 1
Exploit Status Upgrades
The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:
- [UPGRADED] CVE-2026-52785 (opf/openproject) - F1: exploitable → functional, AAS: 11.1 → 13.1 (HIGH → CRITICAL). Originally in 2026-06-26 bulletin.
- [UPGRADED] CVE-2026-45405 (dokku/dokku) - F1: exploitable → itw, AAS: 10.3 → 12.8 (HIGH → CRITICAL). Originally in 2026-06-26 bulletin.
- [UPGRADED] CVE-2026-54636 (dokku/dokku) - F1: exploitable → itw, AAS: 10.3 → 13.9 (HIGH → CRITICAL). Originally in 2026-06-26 bulletin.
- [UPGRADED] CVE-2026-52884 (notepad-plus-plus/notepad) - F1: exploitable → functional, AAS: 9.1 → 11.1 (HIGH → HIGH). Originally in 2026-06-26 bulletin.
- [UPGRADED] CVE-2026-54825 (wpdatatables/wpdatatables) - F1: exploitable → functional, AAS: 9.6 → 11.6 (HIGH → HIGH). Originally in 2026-06-26 bulletin.
🔴 [CRITICAL] craftcms/cms
2 CVEs | CVSS 4.0: 8.7 | AAS 12.8
cpe:2.3:a:craftcms:cms:*:*:*:*:*:*:*:* (>= 5.9.0, < 5.10.0)
Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x are affected by two vulnerabilities, including at least one critical-severity issue rated CVSS 8.7 involving server-side request forgery and arbitrary JavaScript injection through the resource-js endpoint. An attacker can manipulate host headers to bypass internal URL validation due to permissive default trustedHosts configuration, potentially forcing the application to serve attacker-controlled content. Organizations running Craft CMS should upgrade immediately to version 4.18.0 or 5.10.0 and review the vendor advisory at the linked GitHub pull request for additional hardening guidance.
- 🔴 CVE-2026-55791 (CVSS 4.0: 6.9)
- 🟠 CVE-2026-55794 (CVSS 4.0: 8.7)