1 vulnerability across 1 product scored HIGH or above on July 18, 2026.
- ๐ HIGH: 1
Exploit Status Upgrades
The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:
- [UPGRADED] CVE-2026-54526 (argoproj/argo-workflows) โ F1: exploitable โ itw, AAS: 9.8 โ 12.8 (HIGH โ CRITICAL). Originally in 2026-07-16 bulletin.
- [UPGRADED] CVE-2026-57087 (microsoft/windows) โ F1: exploitable โ itw, AAS: 10.6 โ 13.6 (HIGH โ CRITICAL). Originally in 2026-07-14 bulletin.
- [UPGRADED] CVE-2026-58319 (apache/doris) โ F1: exploitable โ itw, AAS: 10.5 โ 13.5 (HIGH โ CRITICAL). Originally in 2026-07-14 bulletin.
๐ [HIGH] surrealdb/surrealdb
1 CVE | CVSS 4.0: 9.4 | AAS 10.3
cpe:2.3:a:surrealdb:surrealdb:*:*:*:*:*:*:*:*(< 2.0.5)cpe:2.3:a:surrealdb:surrealdb:*:*:*:*:*:*:*:*(>= 2.1.0, < 2.1.5)cpe:2.3:a:surrealdb:surrealdb:*:*:*:*:*:*:*:*(>= 2.2.0, < 2.2.2)
SurrealDB versions prior to 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 are affected by one high-severity vulnerability (CVSS 9.4) involving improper escaping of table and field names in the command-line export function. An authenticated user with OWNER or EDITOR roles can craft malicious table or field names containing injected SurrealQL that executes when a higher-privileged user imports the exported backup, leading to privilege escalation and full root-level takeover of the database instance.
Teams running SurrealDB in any capacity, particularly those allowing user-defined schemas or performing routine backup and restore operations, should treat this as urgent. Upgrade immediately to SurrealDB 2.0.5, 2.1.5, or 2.2.2 and review the vendor advisory at the linked GitHub security page for additional mitigation guidance.
- ๐ CVE-2025-71392 (CVSS 4.0: 9.4)