7 vulnerabilities across 4 products scored HIGH or above on July 15, 2026.

  • πŸ”΄ CRITICAL: 1
  • 🟠 HIGH: 6

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-57219 (rabbitmq/rabbitmq_server) β€” F1: theoretical β†’ itw, AAS: 10.9 β†’ 13.7 (HIGH β†’ CRITICAL). Originally in 2026-07-10 bulletin.
  • [UPGRADED] CVE-2026-55879 (openreplay/openreplay) β€” F1: exploitable β†’ itw, AAS: 10.3 β†’ 13.3 (HIGH β†’ CRITICAL). Originally in 2026-07-10 bulletin.
  • [UPGRADED] CVE-2026-54003 (getkirby/kirby) β€” F1: theoretical β†’ poc, AAS: 11.8 β†’ 11.5 (HIGH β†’ HIGH). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-59827 (metabase/metabase) β€” F1: exploitable β†’ itw, AAS: 11.2 β†’ 13.6 (HIGH β†’ CRITICAL). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-59148 (mockoon/mockoon) β€” F1: exploitable β†’ itw, AAS: 9.6 β†’ 12.6 (HIGH β†’ CRITICAL). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-59858 (vim/vim) β€” F1: exploitable β†’ itw, AAS: 9.3 β†’ 12.3 (HIGH β†’ CRITICAL). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-55207 (pimcore/pimcore) β€” F1: theoretical β†’ poc, AAS: 9.1 β†’ 11.6 (HIGH β†’ HIGH). Originally in 2026-07-09 bulletin.
  • [UPGRADED] CVE-2026-57480 (parse-community/parse-server) β€” F1: theoretical β†’ poc, AAS: 9.8 β†’ 12.3 (HIGH β†’ CRITICAL). Originally in 2026-07-08 bulletin.

πŸ”΄ [CRITICAL] wazuh/wazuh

1 CVE | CVSS 4.0: 10.0 | AAS 13.1

  • cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* (< 5.0.0-beta3)

Wazuh Manager versions prior to 5.0.0-beta3 are affected by a critical NDJSON injection vulnerability (CVE-2026-56699, CVSS 10.0) in which enrolled agents can inject arbitrary OpenSearch bulk operations through an unescaped DataValue.index field, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation under the manager’s admin credentials. Organizations running Wazuh Manager for security monitoring should treat this as an urgent priority, as exploitation allows compromised or rogue agents to undermine the integrity of the entire SIEM platform. Upgrade to Wazuh 5.0.0-beta3 or later immediately and review the vendor advisory at the link above for additional mitigation guidance.

Vendor Advisory


🟠 [HIGH] open-webui/open-webui

1 CVE | CVSS 4.0: 9.0 | AAS 10.3

  • cpe:2.3:a:open-webui:open-webui:*:*:*:*:*:*:*:* (< 0.3.14)

Open WebUI versions prior to 0.3.14 are affected by a high-severity CORS misconfiguration vulnerability (CVE-2026-56400, CVSS 9.0) that allows attacker-controlled websites to make authenticated cross-origin requests to the functions API endpoint, resulting in arbitrary code execution on the Open WebUI instance when an admin user visits a malicious page. Organizations self-hosting Open WebUI for LLM interaction should prioritize this fix, as exploitation requires only that an authenticated administrator browse to an attacker-controlled site. Upgrade to Open WebUI 0.3.14 or later immediately and consult the vendor advisory for further details.

Vendor Advisory


🟠 [HIGH] getgrav/grav

1 CVE | CVSS 4.0: 9.4 | AAS 10.0

  • cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* (< 1.0.4)

Grav CMS installations using the API plugin (grav-plugin-api) prior to version 1.0.4 are affected by a high-severity password reset poisoning vulnerability (CVE-2026-61451, CVSS 9.4) in which an unauthenticated attacker can inject an arbitrary URL into the forgot-password endpoint, causing reset emails to direct victims to an attacker-controlled host and enabling account takeover. Any organization running Grav with the API plugin exposed to the internet should treat this as urgent, since exploitation requires no authentication and targets administrator accounts. Upgrade the Grav API plugin to version 1.0.4 or later immediately and review the vendor advisory for additional context.

Vendor Advisory


🟠 [HIGH] mervinpraison/praisonai

4 CVEs | CVSS 4.0: 8.8 | AAS 9.2

  • cpe:2.3:a:mervinpraison:praisonai:*:*:*:*:*:*:*:* (< 4.6.78)

PraisonAI versions prior to 4.6.78 are affected by four high-severity vulnerabilities (including CVE-2026-61435 and CVE-2026-61436, max CVSS 8.8) spanning authentication bypass via Host header spoofing in the Call API agent invocation endpoints, allowing remote unauthenticated attackers to circumvent localhost-only restrictions and invoke agents without credentials. Organizations deploying PraisonAI, particularly with network-exposed instances or the PRAISONAI_CALL_AUTH=disabled configuration, should treat this as an urgent concern given the multiple attack surfaces disclosed. Upgrade to PraisonAI 4.6.78 or later immediately and review the referenced commit for full details on all four fixes.

Vendor Advisory