CVE-2026-58494
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check di
CVSS
6.5
Medium
EPSS
0.1%
p2
KEV
—
Exploit Today
1
0-100
Published: Jul 8, 2026 · Last modified: Jul 10, 2026 · CWE-281 · CWE-863
0.1%EPSS · 30 days0.1%
2026-07-092026-07-16
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.
- github.comhttps://github.com/bytecodealliance/wasmtime/commit/5ddfd5f1ef28f2041fa07d237ad0336e167b0e0c
- github.comhttps://github.com/bytecodealliance/wasmtime/commit/7db94cdcf0c79cb3dfde884b534b653f2dd83367
- github.comhttps://github.com/bytecodealliance/wasmtime/commit/8a250aac0962ca1364b5f16525720e9d0b39edcd
- github.comhttps://github.com/bytecodealliance/wasmtime/commit/d3ceb56ec35f39e02496eeb4e2d9c7f4fb964d9e
- github.comhttps://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.11
- github.comhttps://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.12
- github.comhttps://github.com/bytecodealliance/wasmtime/releases/tag/v45.0.3
- github.comhttps://github.com/bytecodealliance/wasmtime/releases/tag/v46.0.1
- github.comhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-350298.8 HIG97.8%
——29LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.2dCVE-2026-479967.6 HIG96.9%
——29Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.2dCVE-2025-324622.8 LOW86.9%
——26Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.3dCVE-2024-463109.1 CRI82.4%
——25Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint12dCVE-2021-289367.5 HIG78.8%
——24The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required.8dCVE-2025-551309.1 CRI73.6%
——22A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.2d