13 vulnerabilities across 2 products scored HIGH or above on July 07, 2026.

  • ๐ŸŸ  HIGH: 13

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-55952 (erlang/otp) โ€” F1: theoretical โ†’ poc, AAS: 9.2 โ†’ 11.7 (HIGH โ†’ HIGH). Originally in 2026-07-02 bulletin.
  • [UPGRADED] CVE-2026-13603 (pretix/pretix-oppwa) โ€” F1: exploitable โ†’ itw, AAS: 9.4 โ†’ 11.9 (HIGH โ†’ HIGH). Originally in 2026-07-01 bulletin.

๐ŸŸ  [HIGH] coollabsio/coolify

12 CVEs | CVSS 3.1: 9.9 | AAS 11.1

  • cpe:2.3:a:coollabsio:coolify:*:*:*:*:*:*:*:* (< 4.0.0-beta.474)

Coolify, the open-source self-hosted server and application management platform by coollabsio, is affected by 12 vulnerabilities, including multiple critical and high-severity issues with a maximum CVSS score of 9.9. The most severe flaws involve missing authorization checks on terminal WebSocket routes, allowing authenticated users to escape their authorized scope and potentially execute commands on resources they should not have access to. Organizations running Coolify should upgrade to version 4.0.0-beta.471 or later immediately, as these vulnerabilities are considered exploitable and could lead to unauthorized command execution across managed infrastructure.

Vendor Advisory


๐ŸŸ  [HIGH] microrealestate/microrealestate

1 CVE | CVSS 4.0: 8.8 | AAS 9.2

  • cpe:2.3:a:microrealestate:microrealestate:*:*:*:*:*:*:*:*

MicroRealEstate, an open-source property management platform, is affected by one high-severity vulnerability (CVSS 8.8) that allows attackers to bypass authentication entirely. The flaw stems from a lack of token state management, enabling adversaries to brute-force one-time passwords and log in as any user, including administrators. Organizations running MicroRealEstate through version 1.0.0-alpha3 should check the vendor repository for patches and restrict network access to their deployments until a fix is applied.

Vendor Advisory