notCVE’s cover photo
notCVE

notCVE

Computer and Network Security

Valencia, Valencian Community 93 followers

Cybersecurity Intelligence

About us

The NotCVE mission is to provide a common place for cybersecurity !vulnerabilities that are not acknowledged by vendors but still are serious security issues. We see NotCVE as a great initiative to track and identify security issues that are important for the community.

Website
https://notcve.org
Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
Valencia, Valencian Community
Type
Privately Held
Founded
2017

Locations

  • Primary

    Avenida de la Constitución, 127

    Valencia, Valencian Community 46009, ES

    Get directions

Employees at notCVE

Updates

  • 📊 Weekly Vulnerability Digest #2 — Jul 9–16, 2026 📌 THE WEEK IN NUMBERS 🆕 2,638 new CVEs — 77.2% more than the previous week 📅 377 per day on average 📈 Peak day: 1,070 CVEs published on Jul 14 alone 🔴 848 rated critical (CVSS ≥ 9) 💥 48 with a public exploit already available 🚩 34 rated critical AND with a public exploit 🤖 490 no user interaction needed to exploit ⚠️ 9 added to CISA KEV — actively exploited ⚠️ NEW IN CISA KEV — EXPLOITED IN THE WILD • Oracle E-Business Suite Improper Privilege Management — CVSS 9.8 · added Jul 15 https://lnkd.in/eF_7MViU • KNX Association KNX Protocol Connection Authorization Option 1 Overly… — CVSS 7.5 · added Jul 15 https://lnkd.in/ezWrygf3 • Microsoft SharePoint Server Missing Authentication for Critical Functi… — CVSS 9.8 · added Jul 14 https://lnkd.in/eQTVv4QJ • SonicWall SMA1000 Appliances Code Injection — CVSS 10 · added Jul 14 https://lnkd.in/ebcpbcbT • …and 5 more in the full digest 🎯 MOST LIKELY TO BE EXPLOITED NEXT (EPSS) • CVE-2026-48356 — EPSS 28.3% · CVSS 9.6 — Adobe Commerce | Unrestricted Upload of File with Dangerous… • CVE-2026-50522 — EPSS 19.7% · CVSS 9.8 — Microsoft SharePoint Remote Code Execution Vulnerability • CVE-2026-47992 — EPSS 19.6% · CVSS 7.2 — Adobe Commerce | Improper Neutralization of Special Elements… 💻 TOP AFFECTED PRODUCTS (new CVEs this week) • microsoft windows server 2025 — 388 • microsoft windows 11 26h1 — 381 • microsoft windows 11 24h2 — 378 • microsoft windows 11 25h2 — 378 • microsoft windows server 2022 — 325 • Widest single CVE: CVE-2026-57025 — 43 products affected 🏭 TOP AFFECTED VENDORS (new CVEs this week) • microsoft — 586 • adobe — 54 • praison — 29 • sensiolabs — 29 • apache — 24 📄 Full tables (all vendors, products, KEV) → https://lnkd.in/empj_AmM How does your team keep up with 377 new CVEs a day? 🔎 Search any of them — or 🔔 set alerts for your vendors and products → https://notcve.org #CVE #VulnerabilityManagement #ThreatIntelligence #CyberSecurity

    • No alternative text description for this image
  • 🚨 A NotCVE became a CVE — and that's exactly the point. On 2026-01-19 we published NotCVE-2026-0001: Cloudflare Universal SSL silently augments CAA records, weakening RFC 8657 account binding and potentially enabling unauthorized DV certificate issuance. No CVE was assigned at the time. On 2026-07-01 — 163 days later — Cloudflare assigned CVE-2026-14440 to the issue, now rated CVSS 9.1. This is why NotCVE exists: a public, timestamped, technical record of vulnerabilities that don't get an identifier when they should. The record was there from day one; the identifier caught up. 📄 Original record: https://lnkd.in/exJ9in7i 📄 Assigned CVE: https://lnkd.in/e2jBYXga #CVE #NotCVE #VulnerabilityDisclosure #CyberSecurity

    • No alternative text description for this image
  • View organization page for notCVE

    93 followers

    📊 Weekly Vulnerability Digest #1 — Jul 2–9, 2026 1,533 new CVEs were published this week — 219 per day, 32.6% fewer than the previous week. 🔴 336 critical (CVSS ≥ 9) 💥 41 already have a public exploit available ⚠️ 4 added to CISA KEV — confirmed exploitation in the wild: • Joomlack Page Builder Improper Access Control — CVSS 10 · added 2026-07-07 https://lnkd.in/eQgAEYz6 • JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous… — CVSS 10 · added 2026-07-07 https://lnkd.in/eHzMPhN3 • Langflow Authorization Bypass Through User-Controlled Key — CVSS 9.9 · added 2026-07-07 https://lnkd.in/e3DZg3T5 • Adobe ColdFusion Path Traversal — CVSS 10 · added 2026-07-07 https://lnkd.in/ewEH_HcY 📈 Highest EPSS among the new CVEs: • CVE-2026-27771 — EPSS 40.7% · CVSS 8.5 — Gitea Composer package source links use insufficient permiss… • CVE-2026-43825 — EPSS 8.8% · CVSS 7.3 — Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserial… • CVE-2026-44454 — EPSS 2.6% · CVSS 8.8 — Coder vulnerable to workspace auto-creation via crafted URL… Most affected vendors: microsoft (101), apache (49), gitea (40), foxit (28), chromium (27) 📄 Full tables (all vendors, products, KEV) → https://lnkd.in/e6V5Wekd How does your team keep up with 219 CVEs a day? 🔎 Search any of them — or 🔔 set alerts for your vendors and products → https://notcve.org #CVE #VulnerabilityManagement #ThreatIntelligence #CyberSecurity

    • No alternative text description for this image
  • 🚨 New vulnerability disclosure — NotCVE-2026-0008 Microsoft Windows NTFS self-healing duplicate-name handling may allow delayed reparse point exposure from crafted file system images. In certain malformed NTFS volumes, repeated file-open or directory-listing events may cause the same file name to later resolve as a reparse point / symbolic link instead of the original regular file. This can affect security-sensitive programs that operate on mounted images without robust reparse-point handling. Key facts 🔸 Severity: CVSS 6.3 — Moderate 🔸 Affected: Windows 11 24H2 / 26H2 up to build 10.0.26300.8758 🔸 Issue: Race condition enabling link following 🔸 Fixed version: No fixed version currently known Full technical details and references: https://lnkd.in/eYZ4rDZe Credits: Maxim Suhanov #NotCVE #Windows #NTFS #Microsoft #CyberSecurity #VulnerabilityDisclosure #ThreatIntelligence #InfoSec

    • No alternative text description for this image
  • 🚨 New NotCVE published: NotCVE-2026-0007 Schlage/Allegion HandPunch and HandKey biometric access-control devices were publicly documented with serious security weaknesses, including an unauthenticated TCP/3001 management protocol that may allow remote administrative actions when exposed. Even years after the original disclosure, Shodan still appears to show 500+ devices publicly reachable from the Internet. These systems are not just "time clocks"; in many environments they may be part of physical access control for sensitive facilities. Full technical details and references: https://lnkd.in/eKVSUZNX #NotCVE #CyberSecurity #OTSecurity #PhysicalSecurity #AccessControl #Biometrics #Shodan #VulnerabilityResearch

    • No alternative text description for this image
  • 🚨 New vulnerability disclosure — NotCVE-2026-0006 ClawVet API contains a hardcoded fallback JWT secret when the JWT_SECRET environment variable is not configured. An unauthenticated remote attacker who knows or discovers a valid existing user UUID may forge a session token accepted by ClawVet, impersonate that user, and retrieve account information including the API key. A related webhook SSRF weakness is also documented and may be chained after account impersonation and API-key recovery. Key facts 🔸 Severity: CVSS 9.8 — Critical 🔸 Affected: ClawVet API v0.7.0, v0.7.1, and master branch 🔸 Issue: Hardcoded JWT secret 🔸 Attack vector: Network 🔸 Privileges required: None 🔸 SSVC decision: Attend Full technical details and references: https://lnkd.in/eK8F5SVh Credits: netspacer1124 #NotCVE #ClawVet #JWT #APISecurity #CyberSecurity #VulnerabilityDisclosure #ThreatIntelligence #SSRF #InfoSec

    • No alternative text description for this image
  • 🚨 New vulnerability disclosure — NotCVE-2026-0005 TP-Link TL-WR741ND V5 contains an OS command injection issue in its web management interface. According to the public write-up reviewed by NotCVE, a crafted SSID value may reach backend command execution paths. A valid authenticated management session is required. The issue was tested on firmware 3.16.9 Build 150605. Key facts 🔸 Severity: CVSS 8.0 🔸 Affected product: TP-Link TL-WR741ND V5 🔸 Issue: Authenticated OS Command Injection via SSID 🔸 Requirement: Authenticated management access 🔸 Impact: Arbitrary OS command execution / management plane compromise 🔸 SSVC decision: Attend NotCVE also notes that the vendor acknowledged the issue and supplied a beta fix, but no corresponding public stable release could be independently confirmed at the time of review. Full technical details and references: https://lnkd.in/e25CpgzQ Credits: Zombor Máté / r4bbit #NotCVE #TPLink #RouterSecurity #CommandInjection #CyberSecurity #VulnerabilityDisclosure #ThreatIntelligence #InfoSec

    • No alternative text description for this image
  • 🚨 New vulnerability disclosure — NotCVE-2026-0004 BestCrypt Volume Encryption (BCVE) for Windows contains an implementation flaw in its volume-encryption driver: sectors whose first 16 bytes match a fixed BCVE signature may be excluded from normal cryptographic processing. This can lead to limited cleartext disclosure and may allow plaintext injection into a mounted encrypted volume under specific conditions. Key facts 🔸 Severity: CVSS 5.7 — Moderate 🔸 Attack vector: Local 🔸 Issue: Improper signature-based sector bypass 🔸 Impact: Limited cleartext disclosure / plaintext injection 🔸 SSVC decision: Attend Full technical details and references: https://lnkd.in/eQ6HpQPx Credits: Juraj Horňák, Jan Vojtěšek, Maxim Suhanov @errno_fail #NotCVE #BestCrypt #Encryption #CyberSecurity #VulnerabilityDisclosure #ThreatIntelligence #DataSecurity #InfoSec #AppSec

    • No alternative text description for this image
  • 🚨 New vulnerability disclosure — NotCVE-2026-0003 Deno @std/path prior to 1.1.2 contains an inefficient regular expression in the isGlob function that may cause excessive processing time on certain inputs. An attacker able to control input passed to isGlob could trigger high CPU utilization and cause a denial of service condition in affected applications. Key facts 🔸 Severity: CVSS 5.9 — Moderate 🔸 Affected: @std/path prior to 1.1.2 🔸 Issue: Inefficient regex complexity 🔸 Impact: High CPU utilization / DoS 🔸 SSVC decision: Attend Full technical details and references: https://lnkd.in/eX4SmqxJ Credits: Eric Cornelissen #NotCVE #Deno #JavaScript #TypeScript #CyberSecurity #VulnerabilityDisclosure #ThreatIntelligence #DoS #Regex #AppSec

    • No alternative text description for this image
  • 🚨 New vulnerability disclosure — NotCVE-2026-0002 NetScaler ADC (VPX) appliances before 14.1-60.52 may fail to validate the SSH host key of the peer appliance during HA / HA-INC synchronization. In an on-path scenario, an attacker could impersonate a HA peer during rsync/SSH file synchronization, capture inter-node credentials, and abuse the trust relationship between appliances to achieve root-level code execution across the HA pair. Key facts 🔸 Severity: CVSS 7.5 — High 🔸 Affected: NetScaler ADC (VPX) before 14.1-60.52 🔸 Core issue: Missing SSH host key validation 🔸 Attack pattern: Adversary-in-the-Middle / Identity Spoofing 🔸 SSVC decision: Attend This is a strong example of why internal synchronization channels and cluster trust relationships must be treated as high-value security boundaries — especially in HA deployments. Full technical details, attack flow, and references: https://lnkd.in/ekD5Vfbz Credits: Maxim Suhanov @errno_fail #NotCVE #NetScaler #Citrix #CyberSecurity #VulnerabilityDisclosure #ThreatIntelligence #AdversaryInTheMiddle #SSVC #AppSec #InfoSec

    • No alternative text description for this image

Similar pages