[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJ86nzSDNndqC8R5hIfhTRc-USyzUEUf57VwIYKQ-8Sw":3},{"report":4,"cves":34,"nav":118},{"id":5,"week_start":6,"week_end":7,"week_label":8,"year":9,"week_number":10,"total_cves":11,"critical_count":12,"high_count":13,"medium_count":14,"low_count":13,"kev_count":12,"top_products":15,"summary_en":31,"is_published":32,"created_at":33},"120253bc-24a7-47d9-9660-806977120376","2026-07-06","2026-07-12","2026-W28",2026,28,11,0,2,7,[16,20,24,27],{"name":17,"slug":18,"count":19},"Drupal","drupal",5,{"name":21,"slug":22,"count":23},"Django","django",3,{"name":25,"slug":26,"count":13},"Go","go",{"name":28,"slug":29,"count":30},"Python","python",1,null,true,"2026-07-17T07:25:22.75243+00:00",{"critical":35,"high":36,"medium":55,"low":103,"kev":117},[],[37,47],{"cveId":38,"severity":39,"cvssScore":40,"description":41,"publishedAt":42,"url":43,"productSlug":26,"productName":25,"productLogo":44,"cycle":45,"isKev":46},"CVE-2026-39822","HIGH",7.8,"On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in \u002F. For example, 'root.Open(\"symlink\u002F\")' will open \"symlink\" even when \"symlink\" is a symbolic link pointing outside of the root.","2026-07-08T17:17:21.31+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-39822","https:\u002F\u002Fcdn.simpleicons.org\u002Fgo","1.10",false,{"cveId":48,"severity":39,"cvssScore":49,"description":50,"publishedAt":51,"url":52,"productSlug":29,"productName":28,"productLogo":53,"cycle":54,"isKev":46},"CVE-2026-15308",7.5,"The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data.","2026-07-09T17:16:58.26+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-15308","https:\u002F\u002Fcdn.simpleicons.org\u002Fpython","3.6",[56,65,73,78,83,89,96],{"cveId":57,"severity":58,"cvssScore":59,"description":60,"publishedAt":61,"url":62,"productSlug":22,"productName":21,"productLogo":63,"cycle":64,"isKev":46},"CVE-2026-53878","MEDIUM",6.1,"An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.\n`DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n","2026-07-07T15:16:48.583+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53878","https:\u002F\u002Fcdn.simpleicons.org\u002Fdjango","5.2",{"cveId":66,"severity":58,"cvssScore":67,"description":68,"publishedAt":69,"url":70,"productSlug":18,"productName":17,"productLogo":71,"cycle":72,"isKev":46},"CVE-2026-55804",5.9,"Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.","2026-07-10T22:16:43.353+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-55804","https:\u002F\u002Fcdn.simpleicons.org\u002Fdrupal","10.2",{"cveId":74,"severity":58,"cvssScore":67,"description":68,"publishedAt":75,"url":76,"productSlug":18,"productName":17,"productLogo":71,"cycle":77,"isKev":46},"CVE-2026-55803","2026-07-10T22:16:43.25+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-55803","11.3",{"cveId":79,"severity":58,"cvssScore":67,"description":80,"publishedAt":81,"url":82,"productSlug":18,"productName":17,"productLogo":71,"cycle":77,"isKev":46},"CVE-2026-55806","URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.","2026-07-10T22:16:43.46+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-55806",{"cveId":84,"severity":58,"cvssScore":85,"description":86,"publishedAt":87,"url":88,"productSlug":18,"productName":17,"productLogo":71,"cycle":77,"isKev":46},"CVE-2026-55808",5.4,"Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.","2026-07-10T22:16:43.667+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-55808",{"cveId":90,"severity":58,"cvssScore":91,"description":92,"publishedAt":93,"url":94,"productSlug":26,"productName":25,"productLogo":44,"cycle":95,"isKev":46},"CVE-2026-42505",5.3,"Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.","2026-07-08T17:17:21.497+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-42505","1.22",{"cveId":97,"severity":58,"cvssScore":98,"description":99,"publishedAt":100,"url":101,"productSlug":22,"productName":21,"productLogo":63,"cycle":102,"isKev":46},"CVE-2026-53877",4.8,"An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.\n`django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Bence Nagy for reporting this issue","2026-07-07T15:16:48.453+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53877","6.0",[104,112],{"cveId":105,"severity":106,"cvssScore":107,"description":108,"publishedAt":109,"url":110,"productSlug":18,"productName":17,"productLogo":71,"cycle":111,"isKev":46},"CVE-2026-55807","LOW",3.1,"Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.","2026-07-10T22:16:43.563+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-55807","9.0",{"cveId":113,"severity":106,"cvssScore":107,"description":114,"publishedAt":115,"url":116,"productSlug":22,"productName":21,"productLogo":63,"cycle":102,"isKev":46},"CVE-2026-48588","An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.\n`UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Chris Whyland for reporting this issue.","2026-07-07T15:16:47.447+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-48588",[],{"prev":119,"next":120},"2026-W27","2026-W29"]