14 vulnerabilities across 8 products scored HIGH or above on July 14, 2026.

  • πŸ”΄ CRITICAL: 1
  • 🟠 HIGH: 13

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-57219 (rabbitmq/rabbitmq_server) β€” F1: theoretical β†’ itw, AAS: 10.9 β†’ 13.7 (HIGH β†’ CRITICAL). Originally in 2026-07-10 bulletin.
  • [UPGRADED] CVE-2026-55884 (tilt-dev/tilt) β€” F1: exploitable β†’ itw, AAS: 10.3 β†’ 13.0 (HIGH β†’ CRITICAL). Originally in 2026-07-10 bulletin.
  • [UPGRADED] CVE-2026-55879 (openreplay/openreplay) β€” F1: exploitable β†’ itw, AAS: 10.3 β†’ 13.3 (HIGH β†’ CRITICAL). Originally in 2026-07-10 bulletin.
  • [UPGRADED] CVE-2026-54003 (getkirby/kirby) β€” F1: theoretical β†’ poc, AAS: 11.8 β†’ 11.5 (HIGH β†’ HIGH). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-59827 (metabase/metabase) β€” F1: exploitable β†’ itw, AAS: 11.2 β†’ 13.6 (HIGH β†’ CRITICAL). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-59148 (mockoon/mockoon) β€” F1: exploitable β†’ itw, AAS: 9.6 β†’ 12.6 (HIGH β†’ CRITICAL). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-59858 (vim/vim) β€” F1: exploitable β†’ itw, AAS: 9.3 β†’ 12.3 (HIGH β†’ CRITICAL). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-55207 (pimcore/pimcore) β€” F1: theoretical β†’ poc, AAS: 9.1 β†’ 11.6 (HIGH β†’ HIGH). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-57480 (parse-community/parse-server) β€” F1: theoretical β†’ poc, AAS: 9.8 β†’ 12.3 (HIGH β†’ CRITICAL). Originally in 2026-07-08 bulletin.
  • [UPGRADED] CVE-2026-59705 (mem0ai/mem0) β€” F1: exploitable β†’ itw, AAS: 10.7 β†’ 12.9 (HIGH β†’ CRITICAL). Originally in 2026-07-07 bulletin.
  • [UPGRADED] CVE-2026-53511 (kovidgoyal/calibre) β€” F1: exploitable β†’ itw, AAS: 9.4 β†’ 12.4 (HIGH β†’ CRITICAL). Originally in 2026-07-07 bulletin.

πŸ”΄ [CRITICAL] vitest-dev/vitest

2 CVEs | CVSS 3.1: 9.8 | AAS 13.1

  • cpe:2.3:a:vitest-dev:vitest:*:*:*:*:*:*:*:*

Vitest, the Vite-powered testing framework by vitest-dev, is affected by 2 vulnerabilities rated up to CRITICAL (CVSS 9.8), including at least one path traversal and arbitrary script execution flaw. On Windows, the Vitest UI/API server incorrectly validated file serving paths, allowing attackers to use backslash-based traversal sequences to read arbitrary files outside the project directory. Exposed API write and rerun features such as saveTestFile and rerun could also be leveraged for arbitrary script execution.

Development and CI/CD teams running Vitest UI or API server in any networked or shared environment should treat this as urgent. The vulnerabilities are considered exploitable. Upgrade immediately to Vitest 3.2.5 or 4.1.0, which contain fixes for both issues. If immediate patching is not possible, restrict network access to the Vitest UI/API server and avoid exposing it beyond localhost.

Vendor Advisory


🟠 [HIGH] google/chrome

5 CVEs | CVSS 3.1: 9.6 | AAS 11.4

  • cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* (< 150.0.7871.125)

Google Chrome is affected by 5 vulnerabilities rated up to CRITICAL (CVSS 9.6), including multiple use-after-free flaws in core browser components. The most severe issue affects Chrome on Windows prior to version 150.0.7871.125, where a remote attacker could potentially escape the browser sandbox via a crafted HTML page, requiring no user interaction beyond normal browsing.

All organizations and individuals running Google Chrome should update immediately to version 150.0.7871.125 or later. Given Chrome’s near-universal deployment and the sandbox escape capability of the lead vulnerability, this update should be prioritized across all managed endpoints. Chromium-based browsers such as Edge, Brave, and Opera should also be monitored for corresponding patches.

Vendor Advisory


🟠 [HIGH] skylot/jadx

1 CVE | CVSS 4.0: 8.4 | AAS 9.8

  • cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:* (< 1.5.6)

jadx, the popular open-source Dex-to-Java decompiler by skylot, is affected by a HIGH severity vulnerability (CVSS 8.4) that enables arbitrary code execution. When exporting a decompiled APK as an Android Gradle project, jadx versions prior to 1.5.6 fail to sanitize the android:versionName value from the AndroidManifest before inserting it into the generated Groovy build script. A malicious APK can inject attacker-controlled Groovy code that executes when the victim opens or builds the exported project in their development environment.

Security researchers, reverse engineers, and malware analysts who use jadx to examine untrusted APKs should treat this as high priority, as these are exactly the users most likely to encounter adversarial samples. Upgrade to jadx 1.5.6 or later immediately. Until patched, avoid using the Gradle export feature on untrusted APKs, or manually inspect generated build.gradle files before opening them in an IDE.

Vendor Advisory


🟠 [HIGH] nvidia/tensorrt-llm

1 CVE | CVSS 3.1: 8.4 | AAS 9.7

  • cpe:2.3:a:nvidia:tensorrt-llm:*:*:*:*:*:*:*:*

NVIDIA TensorRT-LLM for Linux is affected by a HIGH severity vulnerability (CVSS 8.4) in its restricted unpickler used for model weight deserialization. A local, unauthenticated attacker can exploit unsafe deserialization of untrusted data to achieve arbitrary code execution, privilege escalation, data tampering, or information disclosure. The flaw is particularly concerning in shared AI/ML infrastructure where multiple users or pipelines may load model weights from untrusted sources.

Teams operating GPU-accelerated inference environments using TensorRT-LLM should apply the vendor patch immediately. Until a fix is in place, ensure that only trusted, verified model weight files are loaded, and restrict local access to systems running TensorRT-LLM. Review the NVIDIA advisory for affected versions and update guidance.

Vendor Advisory


🟠 [HIGH] cure53/dompurify

1 CVE | CVSS 3.1: 8.2 | AAS 9.5

  • cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*

DOMPurify, the widely used client-side HTML sanitization library by Cure53, is affected by a HIGH severity cross-site scripting bypass vulnerability (CVSS 8.2) in version 3.4.4. The library incorrectly allowed the selectedcontent element by default, enabling browsers to re-clone unsanitized markup after DOMPurify had already processed it, effectively letting XSS payloads survive sanitization and execute in the victim’s browser.

Any application relying on DOMPurify to sanitize user-supplied HTML should treat this as urgent, given the library’s role as a last line of defense against XSS across countless web applications. Upgrade immediately to DOMPurify 3.4.5, which removes selectedcontent from the default allowlist. Front-end and full-stack teams should audit their dependency trees, as DOMPurify is frequently bundled as a transitive dependency in larger frameworks and CMS platforms.

Vendor Advisory


🟠 [HIGH] symfony/symfony

1 CVE | CVSS 4.0: 8.7 | AAS 9.3

  • cpe:2.3:a:symfony:symfony:*:*:*:*:*:*:*:*

Symfony, the widely used PHP web framework, is affected by a HIGH severity authentication bypass vulnerability (CVSS 8.7) in its security component. When failure_forward is set to true, the DefaultAuthenticationFailureHandler honored a request-supplied _failure_path parameter, allowing an unauthenticated attacker to craft a failing login request that dispatched a subrequest to access_control-protected GET routes while bypassing firewall listeners entirely.

Any application running Symfony with failure_forward enabled in its security configuration should treat this as high priority, as it allows unauthenticated access to protected endpoints. Upgrade immediately to Symfony 5.4.53, 6.4.41, 7.4.13, or 8.0.13 depending on your branch. As a temporary mitigation, disable failure_forward in your security firewall configuration until the patch can be applied.

Vendor Advisory


🟠 [HIGH] adobe/after_effects

2 CVEs | CVSS 3.1: 7.8 | AAS 9.1

  • cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*

Adobe After Effects is affected by 2 vulnerabilities rated up to HIGH severity (CVSS 7.8), including at least one out-of-bounds write flaw that could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction, specifically opening a malicious project or media file, making this a realistic risk in creative workflows where designers routinely open files from external sources such as clients, vendors, or freelancers.

Creative teams and organizations with Adobe After Effects deployments should apply the latest patches from Adobe as referenced in security bulletin APSB26-78. Until patched, users should exercise caution when opening files from untrusted sources. Administrators managing Adobe deployments via the Creative Cloud admin console should prioritize pushing this update across managed endpoints.

Vendor Advisory


🟠 [HIGH] pi-hole/pi-hole

1 CVE | CVSS 3.1: 8.8 | AAS 9.1

  • cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*:* (>= 6.0, < 6.4.3)

Pi-hole, the popular open-source DNS sinkhole used for network-wide ad blocking, is affected by a HIGH severity local privilege escalation vulnerability (CVSS 8.8) in versions 6.0 through 6.4.2. An attacker with code execution as the unprivileged pihole user can replace the logrotate configuration file at /etc/pihole/logrotate, which is then re-owned to root by the FTL prestart script and subsequently parsed with root privileges by the daily pihole flush cron job, allowing arbitrary shell commands to execute as uid 0.

Administrators running Pi-hole in home networks, labs, or enterprise DNS filtering deployments should upgrade to version 6.4.3 immediately. While exploitation requires an initial foothold as the pihole user, any compromise of the Pi-hole web interface or related services could chain into full root access on the host. Review the linked advisory and apply the update through the standard pihole update process.

Vendor Advisory