3 vulnerabilities across 2 products scored HIGH or above on July 16, 2026.
- ๐ HIGH: 3
Exploit Status Upgrades
The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:
- [UPGRADED] CVE-2026-57219 (rabbitmq/rabbitmq_server) โ F1: theoretical โ itw, AAS: 10.9 โ 13.7 (HIGH โ CRITICAL). Originally in 2026-07-10 bulletin.
- [UPGRADED] CVE-2026-55884 (tilt-dev/tilt) โ F1: exploitable โ itw, AAS: 10.3 โ 13.0 (HIGH โ CRITICAL). Originally in 2026-07-10 bulletin.
- [UPGRADED] CVE-2026-55879 (openreplay/openreplay) โ F1: exploitable โ itw, AAS: 10.3 โ 13.3 (HIGH โ CRITICAL). Originally in 2026-07-10 bulletin.
- [UPGRADED] CVE-2026-54003 (getkirby/kirby) โ F1: theoretical โ poc, AAS: 11.8 โ 11.5 (HIGH โ HIGH). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59827 (metabase/metabase) โ F1: exploitable โ itw, AAS: 11.2 โ 13.1 (HIGH โ CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59148 (mockoon/mockoon) โ F1: exploitable โ itw, AAS: 9.6 โ 12.6 (HIGH โ CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59858 (vim/vim) โ F1: exploitable โ itw, AAS: 9.3 โ 12.3 (HIGH โ CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-55207 (pimcore/pimcore) โ F1: theoretical โ poc, AAS: 9.1 โ 11.6 (HIGH โ HIGH). Originally in 2026-07-09 bulletin.
๐ [HIGH] wwbn/avideo
2 CVEs | CVSS 4.0: 9.2 | AAS 10.2
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
WWBN AVideo through version 29.0 is affected by 2 vulnerabilities, including at least one critical OS command injection flaw in the ffmpeg.json.php endpoint rated CVSS 9.2 HIGH. An attacker who can craft a valid encrypted payload can inject arbitrary shell metacharacters through the notifyCode and callback parameters to execute commands as the web-server user, potentially leading to full server compromise. Organizations running AVideo should review the vendor advisory at the linked GitHub security page and apply patches or mitigations immediately.
- ๐ CVE-2026-63305 (CVSS 4.0: 9.2)
- ๐ CVE-2026-63304 (CVSS 4.0: 9.2)
๐ [HIGH] stoatchat/stoatchat
1 CVE | CVSS 4.0: 9.2 | AAS 9.6
cpe:2.3:a:stoatchat:stoatchat:*:*:*:*:*:*:*:*(< 0.13.5)
Stoatchat versions before 0.13.5 are affected by an unauthenticated server-side request forgery vulnerability rated CVSS 9.2 HIGH in the /proxy and /embed endpoints, which accept arbitrary URLs without private IP range validation or DNS filtering. An attacker can exploit this to enumerate internal services, fingerprint applications, and access cloud instance metadata endpoints without any authentication. Organizations running Stoatchat should upgrade to version 0.13.5 or later immediately and review the vendor advisory for additional details.
- ๐ CVE-2026-63306 (CVSS 4.0: 9.2)