MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-46339 | 9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlugins through src/app/api/cli-tools/cowork-settings/route.js and command execution through the MCP bridge. This vulnerability is fixed in 0.4.37. | 10.0 | 0.11% | 2026-07-15 | 2026-07-16 |
| CVE-2026-58658 | GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication. | 8.8 | N/A | 2026-07-15 | 2026-07-15 |
| CVE-2026-53512 | Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/o | 9.1 | 0.01% | 2026-07-15 | 2026-07-15 |
| CVE-2026-61613 | Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint, enabling code execution within the affected Cloud Agent sandbox or session and access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. This issue was fixed | 7.7 | N/A | 2026-07-15 | 2026-07-15 |
| CVE-2026-48325 | ColdFusion is affected by a Missing Authentication for Critical Function vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | 9.3 | 0.32% | 2026-07-14 | 2026-07-15 |
| CVE-2026-24259 | NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critical function. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | 6.4 | 0.14% | 2026-07-14 | 2026-07-15 |
| CVE-2026-24229 | NVIDIA TensorRT-LLM for Linux contains a vulnerability in the disaggregated orchestrator component, where an attacker could read, write, or delete internal cluster state by sending requests to the FastAPI server. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and denial of service. | 7.3 | 0.12% | 2026-07-14 | 2026-07-15 |
| CVE-2026-48252 | Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction. Scope is changed. | 8.6 | 0.43% | 2026-07-14 | 2026-07-15 |
| CVE-2026-47212 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, TwilioRequestParser::doParse() received the configured webhook secret but ignored the X-Twilio-Signature HMAC header, allowing unauthenticated POST requests to inject forged Twilio status payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. | 6.9 | 0.30% | 2026-07-14 | 2026-07-15 |
| CVE-2026-45755 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse() received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged Mailtrap delivery, bounce, open, click, or spam events. This issue is fixed in versions 7.4.12 and 8.0.12. | 6.9 | 0.30% | 2026-07-14 | 2026-07-15 |
| CVE-2026-45754 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. | 6.9 | 0.46% | 2026-07-14 | 2026-07-15 |
| CVE-2026-50451 | Missing authentication for critical function in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 7.1 | 0.22% | 2026-07-14 | 2026-07-15 |
| CVE-2026-50444 | Missing authentication for critical function in Windows Server Update Service allows an authorized attacker to elevate privileges over a network. | 8.8 | 0.60% | 2026-07-14 | 2026-07-15 |
| CVE-2026-57969 | Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network. | 8.8 | 0.54% | 2026-07-14 | 2026-07-15 |
| CVE-2026-56164 KEV | Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network. | 5.3 | 7.05% | 2026-07-14 | 2026-07-14 |
| CVE-2026-50333 | Missing authentication for critical function in Windows Spaceport.sys allows an authorized attacker to elevate privileges locally. | 7.8 | 0.22% | 2026-07-14 | 2026-07-14 |
| CVE-2026-49174 | Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally. | 6.1 | 0.20% | 2026-07-14 | 2026-07-14 |
| CVE-2026-10577 | A security issue exists within the 1715-AENTR EtherNet/IP Adapter. The affected product exposes a network-accessible debug port that does not enforce proper privilege controls, allowing unauthenticated remote access to intrusive command-line interface (CLI) commands. If exploited, a threat actor could read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device. | 10.0 | 0.25% | 2026-07-14 | 2026-07-14 |
| CVE-2026-62422 | In JetBrains YouTrack before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible | 10.0 | 0.35% | 2026-07-14 | 2026-07-15 |
| CVE-2026-58319 | Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to cluster instability or denial of service. This issue affects Apache Doris versions prior to 3.1.0. Users are advised to upgrade to Apache Doris 3.1.0 or later. | 9.1 | 0.61% | 2026-07-14 | 2026-07-14 |