Skip to content

.NET July 2026 Patch Tuesday advisories (17) not ingested into the GitHub Advisory Database #8717

Description

@bribrothers

Summary

The entire .NET July 2026 Patch Tuesday set of security advisories (17 advisories, released 2026-07-14) is published as repository security advisories in the relevant dotnet/* repos, but none have been ingested into the global GitHub Advisory Database. As a result they do not appear at https://github.com/advisories and do not generate Dependabot alerts for the affected NuGet packages.

Each advisory is state=published at the repository level, carries an MSRC-assigned CVE, and lists affected/patched NuGet package version ranges. We're requesting review/ingestion into the global database.

Affected advisories

CVE GHSA Repository Severity Affected package(s) Advisory
CVE-2026-47302 GHSA-cvvh-rhrc-wg4q dotnet/runtime High Microsoft.NETCore.App.Runtime.*, System.Security.Cryptography.Xml link
CVE-2026-47304 GHSA-g8r8-53c2-pm3f dotnet/runtime High System.Security.Cryptography.Xml link
CVE-2026-50524 GHSA-w7cw-xp7h-6j5j dotnet/runtime High Microsoft.NETCore.App.Runtime.* link
CVE-2026-50525 GHSA-8q5v-6pqq-x66h dotnet/runtime High System.Security.Cryptography.Xml link
CVE-2026-50527 GHSA-mmjf-rqrv-855v dotnet/runtime High System.Security.Cryptography.Xml link
CVE-2026-50528 GHSA-qvw7-jm5c-6hqw dotnet/runtime High Microsoft.NETCore.App.Runtime.* link
CVE-2026-50648 GHSA-23rf-6693-g89p dotnet/runtime High System.Security.Cryptography.Xml link
CVE-2026-50651 GHSA-wp74-jgxh-gv4q dotnet/runtime High Microsoft.NETCore.App.Runtime.* link
CVE-2026-50659 GHSA-74jp-vm22-8q8x dotnet/runtime Medium Microsoft.NETCore.App.Runtime.* link
CVE-2026-57108 GHSA-rp2p-6cmp-jxj9 dotnet/runtime High Microsoft.NETCore.App.Runtime.* link
CVE-2026-56170 GHSA-j8gr-8fp3-5q5h dotnet/aspnetcore High Microsoft.AspNetCore.App.Runtime.* link
CVE-2026-47303 GHSA-2p3q-h3hg-jcqq dotnet/aspnetcore High Microsoft.AspNetCore.Authentication.Negotiate link
CVE-2026-47300 GHSA-8prm-248r-h957 dotnet/aspnetcore High Microsoft.AspNetCore.Authentication.Negotiate link
CVE-2026-50650 GHSA-2969-4q4w-w5h3 dotnet/wpf High Microsoft.WindowsDesktop.App.Runtime.* link
CVE-2026-50649 GHSA-44c7-q9c6-8235 dotnet/wpf High Microsoft.WindowsDesktop.App.Runtime.* link
CVE-2026-50646 GHSA-gh2h-rhph-h37g dotnet/wpf High Microsoft.WindowsDesktop.App.Runtime.* link
CVE-2026-50526 GHSA-55jh-fwmh-39m4 dotnet/sdk High Microsoft.NET.Build.Containers link

Additional context

  • These are the official Microsoft / .NET advisories for the July 2026 servicing release (.NET 8.0.29, 9.0.18, 10.0.10 and corresponding SDKs).
  • Ingestion of prior-month .NET advisories has been inconsistent — e.g. CVE-2026-33116 and CVE-2026-26171 (April 2026) are in the database as reviewed, but CVE-2026-32203 (April 2026, same System.Security.Cryptography.Xml package) was never ingested.
  • All version ranges use each package's own published NuGet version line (verified against nuget.org).

All 17 advisories are published and public; none appear in reviewed or unreviewed state in the global database as of 2026-07-15.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions