Summary
The entire .NET July 2026 Patch Tuesday set of security advisories (17 advisories, released 2026-07-14) is published as repository security advisories in the relevant dotnet/* repos, but none have been ingested into the global GitHub Advisory Database. As a result they do not appear at https://github.com/advisories and do not generate Dependabot alerts for the affected NuGet packages.
Each advisory is state=published at the repository level, carries an MSRC-assigned CVE, and lists affected/patched NuGet package version ranges. We're requesting review/ingestion into the global database.
Affected advisories
| CVE |
GHSA |
Repository |
Severity |
Affected package(s) |
Advisory |
| CVE-2026-47302 |
GHSA-cvvh-rhrc-wg4q |
dotnet/runtime |
High |
Microsoft.NETCore.App.Runtime.*, System.Security.Cryptography.Xml |
link |
| CVE-2026-47304 |
GHSA-g8r8-53c2-pm3f |
dotnet/runtime |
High |
System.Security.Cryptography.Xml |
link |
| CVE-2026-50524 |
GHSA-w7cw-xp7h-6j5j |
dotnet/runtime |
High |
Microsoft.NETCore.App.Runtime.* |
link |
| CVE-2026-50525 |
GHSA-8q5v-6pqq-x66h |
dotnet/runtime |
High |
System.Security.Cryptography.Xml |
link |
| CVE-2026-50527 |
GHSA-mmjf-rqrv-855v |
dotnet/runtime |
High |
System.Security.Cryptography.Xml |
link |
| CVE-2026-50528 |
GHSA-qvw7-jm5c-6hqw |
dotnet/runtime |
High |
Microsoft.NETCore.App.Runtime.* |
link |
| CVE-2026-50648 |
GHSA-23rf-6693-g89p |
dotnet/runtime |
High |
System.Security.Cryptography.Xml |
link |
| CVE-2026-50651 |
GHSA-wp74-jgxh-gv4q |
dotnet/runtime |
High |
Microsoft.NETCore.App.Runtime.* |
link |
| CVE-2026-50659 |
GHSA-74jp-vm22-8q8x |
dotnet/runtime |
Medium |
Microsoft.NETCore.App.Runtime.* |
link |
| CVE-2026-57108 |
GHSA-rp2p-6cmp-jxj9 |
dotnet/runtime |
High |
Microsoft.NETCore.App.Runtime.* |
link |
| CVE-2026-56170 |
GHSA-j8gr-8fp3-5q5h |
dotnet/aspnetcore |
High |
Microsoft.AspNetCore.App.Runtime.* |
link |
| CVE-2026-47303 |
GHSA-2p3q-h3hg-jcqq |
dotnet/aspnetcore |
High |
Microsoft.AspNetCore.Authentication.Negotiate |
link |
| CVE-2026-47300 |
GHSA-8prm-248r-h957 |
dotnet/aspnetcore |
High |
Microsoft.AspNetCore.Authentication.Negotiate |
link |
| CVE-2026-50650 |
GHSA-2969-4q4w-w5h3 |
dotnet/wpf |
High |
Microsoft.WindowsDesktop.App.Runtime.* |
link |
| CVE-2026-50649 |
GHSA-44c7-q9c6-8235 |
dotnet/wpf |
High |
Microsoft.WindowsDesktop.App.Runtime.* |
link |
| CVE-2026-50646 |
GHSA-gh2h-rhph-h37g |
dotnet/wpf |
High |
Microsoft.WindowsDesktop.App.Runtime.* |
link |
| CVE-2026-50526 |
GHSA-55jh-fwmh-39m4 |
dotnet/sdk |
High |
Microsoft.NET.Build.Containers |
link |
Additional context
- These are the official Microsoft / .NET advisories for the July 2026 servicing release (.NET 8.0.29, 9.0.18, 10.0.10 and corresponding SDKs).
- Ingestion of prior-month .NET advisories has been inconsistent — e.g.
CVE-2026-33116 and CVE-2026-26171 (April 2026) are in the database as reviewed, but CVE-2026-32203 (April 2026, same System.Security.Cryptography.Xml package) was never ingested.
- All version ranges use each package's own published NuGet version line (verified against nuget.org).
All 17 advisories are published and public; none appear in reviewed or unreviewed state in the global database as of 2026-07-15.
Summary
The entire .NET July 2026 Patch Tuesday set of security advisories (17 advisories, released 2026-07-14) is published as repository security advisories in the relevant
dotnet/*repos, but none have been ingested into the global GitHub Advisory Database. As a result they do not appear at https://github.com/advisories and do not generate Dependabot alerts for the affected NuGet packages.Each advisory is
state=publishedat the repository level, carries an MSRC-assigned CVE, and lists affected/patched NuGet package version ranges. We're requesting review/ingestion into the global database.Affected advisories
GHSA-cvvh-rhrc-wg4qdotnet/runtimeGHSA-g8r8-53c2-pm3fdotnet/runtimeGHSA-w7cw-xp7h-6j5jdotnet/runtimeGHSA-8q5v-6pqq-x66hdotnet/runtimeGHSA-mmjf-rqrv-855vdotnet/runtimeGHSA-qvw7-jm5c-6hqwdotnet/runtimeGHSA-23rf-6693-g89pdotnet/runtimeGHSA-wp74-jgxh-gv4qdotnet/runtimeGHSA-74jp-vm22-8q8xdotnet/runtimeGHSA-rp2p-6cmp-jxj9dotnet/runtimeGHSA-j8gr-8fp3-5q5hdotnet/aspnetcoreGHSA-2p3q-h3hg-jcqqdotnet/aspnetcoreGHSA-8prm-248r-h957dotnet/aspnetcoreGHSA-2969-4q4w-w5h3dotnet/wpfGHSA-44c7-q9c6-8235dotnet/wpfGHSA-gh2h-rhph-h37gdotnet/wpfGHSA-55jh-fwmh-39m4dotnet/sdkAdditional context
CVE-2026-33116andCVE-2026-26171(April 2026) are in the database asreviewed, butCVE-2026-32203(April 2026, sameSystem.Security.Cryptography.Xmlpackage) was never ingested.All 17 advisories are
publishedand public; none appear inreviewedorunreviewedstate in the global database as of 2026-07-15.