4 vulnerabilities across 2 products scored HIGH or above on July 12, 2026.
- π΄ CRITICAL: 1
- π HIGH: 3
Exploit Status Upgrades
The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:
- [UPGRADED] CVE-2026-55884 (tilt-dev/tilt) β F1: exploitable β itw, AAS: 10.3 β 13.0 (HIGH β CRITICAL). Originally in 2026-07-10 bulletin.
- [UPGRADED] CVE-2026-54003 (getkirby/kirby) β F1: theoretical β poc, AAS: 11.8 β 11.5 (HIGH β HIGH). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59858 (vim/vim) β F1: exploitable β itw, AAS: 9.3 β 12.3 (HIGH β CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-55207 (pimcore/pimcore) β F1: theoretical β poc, AAS: 9.1 β 11.6 (HIGH β HIGH). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-57480 (parse-community/parse-server) β F1: theoretical β poc, AAS: 9.8 β 12.3 (HIGH β CRITICAL). Originally in 2026-07-08 bulletin.
- [UPGRADED] CVE-2026-59705 (mem0ai/mem0) β F1: exploitable β itw, AAS: 10.7 β 12.9 (HIGH β CRITICAL). Originally in 2026-07-07 bulletin.
- [UPGRADED] CVE-2026-53511 (kovidgoyal/calibre) β F1: exploitable β itw, AAS: 9.4 β 12.4 (HIGH β CRITICAL). Originally in 2026-07-07 bulletin.
π΄ [CRITICAL] flowise/flowise
1 CVE | CVSS 4.0: 9.3 | AAS 13.0
cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*(< 3.1.0)
Flowise β Critical Authentication Bypass via Hardcoded JWT Secrets
Flowise versions 3.0.13 and earlier are affected by one critical vulnerability (CVE-2026-56271, CVSS 9.3) in which the enterprise authentication middleware silently falls back to weak, publicly known hardcoded JWT secrets when environment variables are not explicitly configured, allowing attackers to forge valid authentication tokens and gain unauthorized access. Organizations running Flowise in enterprise mode should immediately verify whether custom JWT secrets have been set and upgrade to version 3.1.0 or later. Refer to the vendor’s GitHub security advisory (GHSA-cc4f-hjpj-g9p8) for full details and remediation guidance.
- π΄ CVE-2026-56271 (CVSS 4.0: 9.3)
π [HIGH] openwrt/luci
3 CVEs | CVSS 4.0: 9.4 | AAS 11.2
cpe:2.3:a:openwrt:luci:*:*:*:*:*:*:*:*
OpenWrt LuCI β Critical Stored Cross-Site Scripting via Unsanitized Network Input
OpenWrt’s LuCI web interface is affected by three vulnerabilities (including CVE-2026-61876, CVSS 9.4) stemming from improper encoding of network-supplied data such as DHCPv6 lease hostnames before rendering in administrative status pages, allowing adjacent network attackers to inject malicious scripts that execute in an administrator’s browser session. Network administrators running OpenWrt devices with LuCI should update to patched LuCI packages immediately, as exploitation requires only adjacent network access with no authentication. Consult the vendor’s GitHub security advisory (GHSA-686p-p8p9-x6fh) for affected versions and remediation steps.
- π CVE-2026-61876 (CVSS 4.0: 9.4)
- π CVE-2026-61875 (CVSS 4.0: 8.7)
- π CVE-2026-59260 (CVSS 4.0: 8.7)