The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
-
CVE-2026-50321 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Driver allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:17:30 PM -0400V3.1: 7.0 HIGH
-
CVE-2026-50322 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:17:31 PM -0400 -
CVE-2026-58538 - Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:18:41 PM -0400 -
CVE-2026-58539 - Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Published: July 14, 2026; 2:18:41 PM -0400V3.1: 7.5 HIGH
-
CVE-2026-58540 - Improper authorization in Windows Installer allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:18:41 PM -0400 -
CVE-2026-58541 - Access of resource using incompatible type ('type confusion') in Windows DWM allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:18:41 PM -0400 -
CVE-2026-58542 - Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.
Published: July 14, 2026; 2:18:42 PM -0400V3.1: 7.8 HIGH
-
CVE-2026-58543 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
Published: July 14, 2026; 2:18:42 PM -0400 -
CVE-2026-58546 - Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Published: July 14, 2026; 2:18:42 PM -0400V3.1: 6.5 MEDIUM
-
CVE-2026-58547 - Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:18:42 PM -0400V3.1: 7.8 HIGH
-
CVE-2026-58594 - Integer overflow or wraparound in Windows RDP allows an unauthorized attacker to execute code over a network.
Published: July 14, 2026; 2:18:43 PM -0400V3.1: 9.8 CRITICAL
-
CVE-2026-10667 - Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was perf... read CVE-2026-10667
Published: July 12, 2026; 1:16:24 PM -0400 -
CVE-2026-58613 - Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:18:44 PM -0400 -
CVE-2026-58617 - Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.
Published: July 14, 2026; 2:18:44 PM -0400V3.1: 9.8 CRITICAL
-
CVE-2026-58619 - Use after free in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.
Published: July 14, 2026; 2:18:44 PM -0400 -
CVE-2026-56353 - n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth (a non-default configuration). In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on the Cha... read CVE-2026-56353
Published: July 15, 2026; 8:18:02 AM -0400 -
CVE-2026-59259 - n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credent... read CVE-2026-59259
Published: July 15, 2026; 8:18:17 AM -0400V3.1: 6.5 MEDIUM
-
CVE-2026-10668 - The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data I... read CVE-2026-10668
Published: July 12, 2026; 1:16:24 PM -0400V3.1: 4.6 MEDIUM
-
CVE-2026-56398 - Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the p... read CVE-2026-56398
Published: July 15, 2026; 8:18:02 AM -0400V3.1: 9.0 CRITICAL
-
CVE-2026-56400 - open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui ... read CVE-2026-56400
Published: July 15, 2026; 8:18:03 AM -0400V3.1: 9.6 CRITICAL