Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Today's Security Brief
The most significant disclosures affect PROG MIS enterprise products, with the ERP App (CVE-2026-14807) and Prog Management System (CVE-2026-14808) each carrying a CVSS 9.8 score. Yesterday's activity produced 3 critical vulnerabilities, up from 1 the prior day, alongside 20 high-priority CVEs, a 58% decrease from the previous 48. Rounding out the critical set is CVE-2026-59509 (CVSS 9.2) in the cve-search vulnerability lookup tool, a platform widely used by security teams themselves. Microsoft Office SharePoint (CVE-2026-45659, CVSS 9.5) has confirmed active exploitation in the wild, warranting priority attention for organizations running SharePoint. Patch availability stands at 0% across yesterday's disclosures, so teams should focus on monitoring vendor advisories and applying compensating controls until fixes ship.
PROG MIS enterprise software leads the day with two CVSS 9.8 vulnerabilities in its ERP App and Prog Management System
3 critical CVEs (CVSS 9.0+) disclosed, a 200% increase from the prior day's 1
20 high-priority CVEs (CVSS 7.0-8.9), down 58% from the previous day's 48
cve-search (CVE-2026-59509, CVSS 9.2) puts security teams' own tooling at risk
0% patch availability across yesterday's 23 disclosures — vendor advisories should be monitored closely
Microsoft Office SharePoint (CVE-2026-45659) is actively exploited in the wild
Immediate action: Organizations running Microsoft Office SharePoint should prioritize mitigations for CVE-2026-45659 given confirmed active exploitation, and PROG MIS customers should assess exposure of ERP App and Prog Management System deployments. With no patches yet available for yesterday's disclosures, apply vendor-recommended workarounds, restrict network exposure of affected systems, and watch for advisory updates.
How to read this brief
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
No / Low / High privileges — the access they need first. No privileges means no login required.
No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2026-45659
9.5📝
MicrosoftOffice SharePoint
Network · Low privileges · No interaction
🔴 Actively exploited in the wildIn CISA KEV since July 1, 2026
An insecure deserialization vulnerability in Microsoft Office SharePoint allows an authorized attacker to execute arbitrary code over a network.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2026-14807
9.8📝
PROG MISERP App
Network · No privileges · No interaction
The PROG MIS ERP App contains a hard-coded credentials vulnerability, allowing unauthenticated remote attackers to access application code and compromise database accounts.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-14808
9.8📝
PROG MISProg Management System
Network · No privileges · No interaction
The PROG MIS Prog Management System contains an information exposure vulnerability that allows unauthenticated remote attackers to view sensitive database credentials via a specific application page.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-59509
9.2📝
cve-searchcve-search
Network · No privileges · No interaction
The cve-search application is vulnerable to improper input validation in its API, allowing unauthenticated remote attackers to read arbitrary MongoDB collections, including administrative credentials.
CVSS Base9.2
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2026-14809
7.5📝
PROG MISProg Management System
Network · No privileges · No interaction
The PROG Management System contains a SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL commands and access database contents.
CVSS Base7.5
→
CRSSelect profile
CVE-2026-9085
8.8📝
TUBITAK BILGEMPardus-Parental-Control
Local · Low privileges · No interaction
Pardus-Parental-Control contains an improper access control vulnerability that permits local attackers to perform DNS spoofing by exploiting incorrect permission assignments.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-6509
7.8📝
TUBITAK BILGEMPardus Update
Local · Low privileges · No interaction
A missing authorization vulnerability in the Pardus Update utility allows local attackers to escalate privileges on the affected system.
CVSS Base7.8
→
CRSSelect profile
CVE-2026-12250
7.9📝
TUBITAK BILGEMPardus Domain Joiner
Local · Low privileges · User interaction
Pardus Domain Joiner is susceptible to an information disclosure vulnerability where sensitive data is exposed during process invocation, enabling potential excavation.
CVSS Base7.9
→
CRSSelect profile
CVE-2026-14802
7.3📝
Reactcreate-react-app
Network · No privileges · No interaction
A command injection vulnerability in React create-react-app (up to version 5) allows remote attackers to execute arbitrary OS commands.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14778
7.3📝
SourceCodesterOnlne Examination & Learning Management System
Network · No privileges · No interaction
An improper authorization vulnerability in the SourceCodester Onlne Examination & Learning Management System allows unauthenticated attackers to manipulate enrollment data via ajax_enroll.php.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14772
7.3📝
SourceCodesterClass and Exam Timetabling System
Network · No privileges · No interaction
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows unauthenticated attackers to execute malicious database queries via the ID argument in edit_course1.php.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14771
7.3📝
SourceCodesterClass and Exam Timetabling System
Network · No privileges · No interaction
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows unauthenticated attackers to execute malicious database queries via the ID argument in edit_exam1.php.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14770
7.3📝
SourceCodesterClass and Exam Timetabling System
Network · No privileges · No interaction
A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System 1.0, allowing unauthenticated remote attackers to execute arbitrary SQL commands via the /edit_room.php file.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14769
7.3📝
code-projectsReal State Services
Network · No privileges · No interaction
A SQL injection vulnerability in code-projects Real State Services 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands via the Bankname argument in /pay.php.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14768
7.3📝
code-projectsReal State Services
Network · No privileges · No interaction
A critical SQL injection vulnerability in code-projects Real State Services 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'loc' parameter in /builderHome.php.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14763
7.3📝
code-projectsHotel and Tourism Reservation
Network · No privileges · No interaction
A SQL injection vulnerability exists in the Hotel and Tourism Reservation system, allowing unauthenticated remote attackers to manipulate the database via the 'tour' parameter in tour_reserves.php.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14762
7.3📝
code-projectsHotel and Tourism Reservation
Network · No privileges · No interaction
A SQL injection vulnerability exists in the rooms.php component of code-projects Hotel and Tourism Reservation 1.0, allowing unauthenticated remote attackers to compromise database integrity.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14755
7.3📝
code-projectsHotel and Tourism Reservation
Network · No privileges · No interaction
A SQL injection vulnerability exists in the add_event.php file of code-projects Hotel and Tourism Reservation 1.0, enabling unauthenticated remote attackers to execute arbitrary SQL queries.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14756
7.3📝
code-projectsHotel and Tourism Reservation
Network · No privileges · No interaction
A SQL injection vulnerability in the add_tour.php script of code-projects Hotel and Tourism Reservation 1.0 permits unauthenticated attackers to perform unauthorized database operations.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14753
7.3📝
mjperpinosastumasy
Network · No privileges · No interaction
A critical authorization bypass vulnerability exists in the mjperpinosa stumasy application, allowing unauthorized actors to potentially circumvent security controls.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14754
7.3📝
code-projectsHotel and Tourism Reservation
Network · No privileges · No interaction
A SQL injection vulnerability in the code-projects Hotel and Tourism Reservation system allows unauthenticated attackers to execute arbitrary database queries.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-14750
7.3📝
mjperpinosastumasy
Network · No privileges · No interaction
A SQL injection vulnerability in mjperpinosa stumasy allows unauthenticated attackers to execute malicious database queries via improper input handling.
CVSS Base7.3
→
CRSSelect profile
CVE-2026-59510
7.1📝
AIL ProjectAIL Framework
Network · Low privileges · No interaction
The AIL Framework is susceptible to a path traversal vulnerability within its PDF object handling component, potentially allowing unauthorized file access.
CVSS Base7.1
→
CRSSelect profile
CVE-2026-44934
7📝
SUSERancher AI Agent
Local · High privileges · No interaction
SUSE Rancher AI Agent inadvertently exposes sensitive information in logs when the debug log level is enabled.