High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 10Web–Form Maker by 10Web | Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. | 2026-06-15 | 9.3 | CVE-2026-39502 |
| 404-redirection-manager–404 Redirection Manager | The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloads to manipulate database queries and extract sensitive information from the WordPress database. | 2026-06-15 | 8.2 | CVE-2016-20071 |
| A WP Life–Webenvo | Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions. | 2026-06-17 | 9.9 | CVE-2026-39589 |
| AA-Team–Premium Age Verification / Restriction for WordPress | Unauthenticated Arbitrary File Download in Premium Age Verification / Restriction for WordPress <= 3.0.2 versions. | 2026-06-17 | 7.5 | CVE-2025-49403 |
| ACPT–ACPT (Pro) – Custom Post Types Plugin for WordPress | Improper Control of Generation of Code (‘Code Injection’) vulnerability in ACPT ACPT (Pro) – Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) – Custom Post Types Plugin for WordPress: from n/a through 2.0.47. | 2026-06-16 | 10 | CVE-2026-25470 |
| activity-log.com–WP Sessions Time Monitoring Full Automatic | Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions. | 2026-06-16 | 8.5 | CVE-2026-39581 |
| Adobe–Adobe Acrobat PDF Extension (Chrome) | Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim’s session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. | 2026-06-16 | 7.4 | CVE-2026-48294 |
| Adobe–DNG SDK | DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-16 | 7.8 | CVE-2026-47964 |
| Advanced Ads GmbH–Advanced Ads Tracking | Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions. | 2026-06-17 | 9.3 | CVE-2025-59554 |
| aguilatechnologies–WP Customer Area | Custom role Path Traversal in WP Customer Area <= 8.3.4 versions. | 2026-06-15 | 8.8 | CVE-2026-42661 |
| Ahmad–GeekyBot | Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions. | 2026-06-15 | 10 | CVE-2026-40772 |
| Ahmad–GeekyBot | Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. | 2026-06-15 | 9.3 | CVE-2026-39519 |
| Ahmad–JS Help Desk | Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions. | 2026-06-15 | 9.3 | CVE-2026-48886 |
| AivahThemes–Car Zone | Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions. | 2026-06-16 | 8.6 | CVE-2025-69139 |
| Al Monsor–ABC Crypto Checkout | Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions. | 2026-06-15 | 7.5 | CVE-2026-52695 |
| Alberto Hornero–Clean Login | Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions. | 2026-06-17 | 8.2 | CVE-2026-54184 |
| Aman–FunnelKit Automations | Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. | 2026-06-15 | 7.1 | CVE-2026-39450 |
| Anydesk–AnyDesk | AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot. | 2026-06-19 | 7.8 | CVE-2016-20094 |
| AOMEI–Backupper | A vulnerability was determined in AOMEI Backupper up to 8.3.0. Impacted is an unknown function in the library amwrtdrv.sys of the component Kernel Driver. Executing a manipulation can lead to improper access controls. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 7.8 | CVE-2026-12780 |
| AOMEI–Dynamic Disk Manager | A vulnerability was found in AOMEI Dynamic Disk Manager up to 10.10.1. This issue affects some unknown processing in the library ddmdrv.sys of the component Kernel Driver. Performing a manipulation results in improper access controls. The attack must be initiated from a local position. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 7.8 | CVE-2026-12779 |
| AOMEI–Partition Assistant | A vulnerability has been found in AOMEI Partition Assistant up to 10.10.1. This vulnerability affects unknown code in the library ampa10.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 7.8 | CVE-2026-12778 |
| Archetyped–Favicon Rotator | Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions. | 2026-06-15 | 7.1 | CVE-2026-42649 |
| ArrayHQ–Okay Toolkit | Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. | 2026-06-15 | 7.1 | CVE-2025-68851 |
| Arraytics–WP Event SOlution | Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions. | 2026-06-16 | 7.5 | CVE-2025-68045 |
| Arraytics–WP Event SOlution | Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions. | 2026-06-15 | 7.5 | CVE-2026-40776 |
| artbees–JupiterX Core | Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions. | 2026-06-16 | 7.5 | CVE-2026-39490 |
| Artio–Joomla! com_booking component | Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration. | 2026-06-19 | 7.5 | CVE-2023-54357 |
| Avast–AVAST Antivirus | AVAST Antivirus 25.11 contains an unquoted service path vulnerability in the SecureLine service that allows local non-privileged users to execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that execute with high-level system permissions. | 2026-06-19 | 7.8 | CVE-2025-71326 |
| AVer–PTC500S | Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request. | 2026-06-18 | 9.8 | CVE-2026-40624 |
| AVideo–AVideo | AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin’s uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like ‘1-anything.mp4’ to hijack admin sessions and gain full account takeover. | 2026-06-20 | 8.1 | CVE-2026-56345 |
| AVideo–AVideo | AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints. | 2026-06-20 | 7.5 | CVE-2026-56341 |
| Awesomemotive–Contact Form by WPForms | Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. | 2026-06-15 | 7.5 | CVE-2026-48835 |
| Awesomemotive–Easy Digital Downloads | Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions. | 2026-06-15 | 7.5 | CVE-2026-39503 |
| AWS–bedrock-agentcore | Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments. To mitigate this issue, users should upgrade to version 1.6.1. | 2026-06-17 | 7.3 | CVE-2026-12530 |
| AxiomThemes–Promo | Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions. | 2026-06-17 | 8.1 | CVE-2026-22325 |
| AxiomThemes–Reprizo | Unauthenticated Local File Inclusion in Reprizo <= 1.0.8 versions. | 2026-06-17 | 8.1 | CVE-2026-22326 |
| Ays Pro–Popup box | Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions. | 2026-06-17 | 7.1 | CVE-2026-54192 |
| Azuriom–Azuriom CMS | Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}). | 2026-06-17 | 8.1 | CVE-2026-54415 |
| baptisteArno–typebot.io | TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0. | 2026-06-17 | 9.3 | CVE-2026-48768 |
| baptisteArno–typebot.io | TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing for DNS rebinding bypass. The root cause is a time-of-check to time-of-use gap in the SSRF guard. The validator resolves the hostname and approves it, but the later request path performs a fresh resolution and connects to whatever IP the hostname maps to at that moment. The actual outbound request is then performed later using the original hostname, without pinning the validated IP to the network connection. An attacker who can supply a URL to a public bot that performs a server-side HTTP Request block or server-side script fetch can use DNS rebinding to pass the initial validation and still force the server to connect to a private or metadata address during the real request. This enables server-side access to private network services, cloud metadata endpoints, and other internal HTTP targets that the validator was intended to block. The exact downstream impact depends on the reachable internal services. Concrete consequences include metadata disclosure, access to internal admin panels, credential theft from metadata services, and further compromise through internal-only HTTP interfaces. This issue has been fixed in version 3.17.2. | 2026-06-17 | 8.2 | CVE-2026-48764 |
| baptisteArno–typebot.io | TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers validate that the authenticated user is a non-guest member of the provided workspaceId, but then operate on themeTemplateId via Prisma queries that do NOT include workspaceId in the WHERE clause. This allows any authenticated user to modify or delete theme templates belonging to any other workspace and may expose Template IDs via shared typebots or network traffic. This issue has been fixed in version 3.16.0. | 2026-06-17 | 7.1 | CVE-2026-48759 |
| Barn2 Media Ltd–WooCommerce Product Filters | Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions. | 2026-06-17 | 9.8 | CVE-2026-40725 |
| bbsetheme–BBS e-Franchise | BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin’s shortcode with UNION-based SQL injection in the uid parameter to extract sensitive data from the WordPress database including user information and taxonomy terms. | 2026-06-15 | 8.2 | CVE-2016-20072 |
| BdThemes–Element Pack Pro | Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions. | 2026-06-17 | 7.5 | CVE-2026-40721 |
| BDthemes–SigmaForms Pro AI Generated Forms | Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions. | 2026-06-17 | 9 | CVE-2026-52705 |
| BerriAI–litellm | A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | 2026-06-21 | 7.3 | CVE-2026-12773 |
| BerriAI–litellm | A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2026-06-21 | 7.3 | CVE-2026-12795 |
| betterdocs–BetterDocs Pro | The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-06-19 | 9.8 | CVE-2026-7515 |
| bgermann–CformsII | Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions. | 2026-06-15 | 7.1 | CVE-2026-39435 |
| Bhavin Thummar–Product Filter Widget for Elementor | Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions. | 2026-06-15 | 7.1 | CVE-2026-45437 |
| Binisoft–Windows Firewall Control | Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Attackers can place executable files in unquoted path directories that the wfcs.exe service will execute with LocalSystem privileges upon service restart or system reboot. | 2026-06-19 | 7.8 | CVE-2016-20091 |
| Bitnami–bitnami/cassandra | Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path. Affected versions – Container image: 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3. | 2026-06-18 | 9.8 | CVE-2026-47846 |
| Blubrry Podcasting–PowerPress Podcasting | Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions. | 2026-06-15 | 8.5 | CVE-2026-24637 |
| BoldThemes–Nifty | Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions. | 2026-06-16 | 9.8 | CVE-2026-27429 |
| Bookly–Bookly | Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions. | 2026-06-15 | 7.5 | CVE-2026-42667 |
| bPlugins–B Blocks | Contributor Privilege Escalation in B Blocks <= 2.0.31 versions. | 2026-06-15 | 8.8 | CVE-2026-39579 |
| Brainstorm Force–OttoKit | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. | 2026-06-15 | 9.8 | CVE-2026-49781 |
| Brainstorm Force–SureDash | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Brainstorm Force SureDash allows Blind SQL Injection. This issue affects SureDash: from n/a through 1.8.0. | 2026-06-17 | 8.5 | CVE-2026-54813 |
| Brainstorm Force–WooCommerce Cart Abandonment Recovery | Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions. | 2026-06-15 | 7.2 | CVE-2026-39470 |
| Bricksforge–Bricksforge | Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions. | 2026-06-17 | 7.5 | CVE-2026-34888 |
| Brother–SAPSprint | Brother SAPSprint 7.60 contains an unquoted service path vulnerability in the SAPSprint service binary that allows local attackers to escalate privileges. Attackers can place a malicious executable in the Program Files directory path to be executed with LocalSystem privileges when the service starts automatically. | 2026-06-19 | 7.8 | CVE-2021-47985 |
| browserstack–browserstack-cypress-cli | The browserstack-cypress-cli is BrowserStack’s CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically ” and 😉 allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6. | 2026-06-15 | 7.8 | CVE-2026-48723 |
| bytecodealliance–wasmtime | Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967-969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project’s wasmtime-cli’s use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2. | 2026-06-15 | 7.5 | CVE-2026-47261 |
| CactusThemes–Truemag | Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions. | 2026-06-16 | 8.1 | CVE-2025-69178 |
| Cap-go–capgo | Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover. | 2026-06-19 | 9.4 | CVE-2026-56073 |
| Cap-go–capgo | Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim’s email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim’s identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email. | 2026-06-19 | 9.1 | CVE-2026-56081 |
| Cap-go–capgo | Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time. | 2026-06-19 | 7.5 | CVE-2026-56082 |
| Capgo–Capgo | Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim’s corporate SSO email, causing the provision-user endpoint to merge the victim’s SSO identity into the attacker-controlled account. | 2026-06-20 | 8.3 | CVE-2026-56215 |
| Capgo–Capgo | Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints. | 2026-06-20 | 8.8 | CVE-2026-56216 |
| Capgo–Capgo | Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key. Attackers can invoke these endpoints to determine organization existence via distinguishable return values and identify paying customers for targeted profiling. | 2026-06-20 | 7.5 | CVE-2026-56214 |
| Capgo–Capgo | Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks (no validation of auth.uid(), org membership, or check_min_rights). Because the function runs with the owner’s privileges, it bypasses Row Level Security. If EXECUTE permission is available to the authenticated or anon roles (explicitly or via default privileges), an authenticated user could invoke it via Supabase RPC to manipulate billing data for arbitrary organizations, including unauthorized credit depletion and fraudulent overage event insertion. | 2026-06-21 | 7.6 | CVE-2026-56239 |
| Capgo–Capgo | Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII. | 2026-06-21 | 7.5 | CVE-2026-56242 |
| Capgo–Capgo | Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations. | 2026-06-21 | 7.5 | CVE-2026-56253 |
| Cargo RD–Cargo Shipping Location for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6. | 2026-06-17 | 9.3 | CVE-2026-54815 |
| Chatway Live Chat–Chatway Live Chat “ AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons | Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions. | 2026-06-15 | 7.4 | CVE-2026-49082 |
| Cherryframework–Cherry Framework Themes | WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents. | 2026-06-15 | 7.5 | CVE-2018-25437 |
| ChrisHurst–Simple Backup | WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access wp-config.php, database dumps, and other sensitive files, or delete critical files .htaccess to expose backup directories. | 2026-06-15 | 7.5 | CVE-2016-20076 |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-06-17 | 9.1 | CVE-2026-20181 |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and ISE-PIC could allow an unauthenticated, remote attacker to view sensitive information on an affected device. This vulnerability is due to improper authorization checks when a resource is accessed. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain access to sensitive information, including hashed credentials that could be used in future attacks. | 2026-06-17 | 7.5 | CVE-2026-20190 |
| claudiopizzillo–PIAF-HMS | claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET[‘ID’], unquoted numeric context), checkuser.php (WHERE Ext = ‘$_GET[“Ext”]’), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements. | 2026-06-18 | 9.8 | CVE-2026-54419 |
| CMSJunkie WordPress Business Directory Plugins–WP-BusinessDirectory | Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions. | 2026-06-15 | 9.9 | CVE-2026-39591 |
| Cmsjunkie–ClassifiedsManager | Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the categorySearch, adType, and citySearch parameters to the displayads component to extract sensitive database information including usernames, databases, and version details. | 2026-06-19 | 8.2 | CVE-2019-25751 |
| Cmsjunkie–J-BusinessDirectory | Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the type parameter. Attackers can send GET requests to index.php with the option=com_jbusinessdirectory&task=categories.getCategories parameters and inject UNION-based SQL statements in the type parameter to extract database information including schema names and sensitive data. | 2026-06-19 | 8.2 | CVE-2019-25752 |
| Cmsjunkie–J-CruisePortal | Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guest_adult parameter to extract sensitive database information or manipulate database records. | 2026-06-19 | 7.1 | CVE-2019-25749 |
| Cmsjunkie–JHotelReservation | Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL payloads in the rooms parameter to extract sensitive database information including version details. | 2026-06-19 | 8.2 | CVE-2019-25748 |
| Cmsjunkie–MultipleHotelReservation | Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hotel_id parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL UNION SELECT statements to extract sensitive database information including table names and column data. | 2026-06-19 | 8.2 | CVE-2019-25750 |
| codepeople–WP Time Slots Booking Form | Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions. | 2026-06-15 | 8.5 | CVE-2026-48882 |
| codepeople–WP Time Slots Booking Form | Unauthenticated Cross Site Scripting (XSS) in WP Time Slots Booking Form <= 1.2.46 versions. | 2026-06-15 | 7.1 | CVE-2026-40791 |
| codesupplyco–Uppercase | Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions. | 2026-06-17 | 8.1 | CVE-2026-39559 |
| collectchat–collectchat | Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions. | 2026-06-17 | 7.1 | CVE-2026-40765 |
| cometd–cometd | CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension. | 2026-06-18 | 7.5 | CVE-2025-53114 |
| Comodo–Chromodo Browser | Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot. | 2026-06-19 | 7.8 | CVE-2016-20088 |
| Comodo–Dragon Browser | Comodo Dragon Browser versions up to 52.15.25.663 contain a privilege escalation vulnerability in the DragonUpdater service due to an unquoted service path running with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot. | 2026-06-19 | 7.8 | CVE-2016-20090 |
| conda-forge–conda-smithy | conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.61.0, a vulnerability in the conda-forge automated webservices allowed unintended write access to feedstock repositories through GitHub username takeover. The root cause is the use of mutable GitHub usernames as identifiers for repository invitation routing, rather than stable, immutable GitHub user IDs. Version 3.61.0 fixes the issue. | 2026-06-18 | 7.6 | CVE-2026-46699 |
| Conekta Group–Conekta Payment Gateway | Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions. | 2026-06-15 | 7.5 | CVE-2026-49066 |
| contest-gallery–Contest Gallery Upload & Vote Photos, Media, Sell with PayPal & Stripe | The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin’s admin menu being registered at the `edit_posts` capability level – granting Contributor-level users access to the plugin’s admin pages and a valid `cg_admin` nonce – while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer(‘cg_admin’)`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin’s stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator. | 2026-06-17 | 8.8 | CVE-2026-12165 |
| Cotonti–Cotonti | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action (‘a=update’) modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution. | 2026-06-18 | 9.6 | CVE-2026-55742 |
| Cotonti–Cotonti | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action (‘a=update’) processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the ‘x’ parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise. | 2026-06-18 | 8.8 | CVE-2026-55741 |
| Cotonti–Cotonti | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action (‘a=upload’) processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as ‘delete’ (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim’s PFS storage. | 2026-06-18 | 8.1 | CVE-2026-55744 |
| Cotonti–Cotonti | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the ‘TXT’ filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim’s browser. | 2026-06-18 | 7.6 | CVE-2026-55746 |
| coturn–coturn | Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer, may corrupt adjacent stack data, including control-flow data depending on compiler, ABI, and mitigations. Requires –oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and –oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0. | 2026-06-18 | 8.1 | CVE-2026-43994 |
| Cozmoslabs–Paid Member Subscriptions | Unauthenticated Cross Site Scripting (XSS) in Paid Member Subscriptions <= 2.17.3 versions. | 2026-06-15 | 7.1 | CVE-2026-39514 |
| Cozmoslabs–Profile Builder Pro | Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. | 2026-06-17 | 7.1 | CVE-2026-42385 |
| Cozy Vision Technologies Pvt. Ltd.–SMS Alert Order Notifications | Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions. | 2026-06-17 | 9.8 | CVE-2026-54803 |
| Cozy Vision Technologies Pvt. Ltd.–SMS Alert Order Notifications | Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. | 2026-06-17 | 7.5 | CVE-2026-54802 |
| craftcms–cms | Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., ‘on init’ keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14. | 2026-06-21 | 7.2 | CVE-2026-56382 |
| Crawl4AI–Crawl4AI | Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality. | 2026-06-21 | 9.8 | CVE-2026-56265 |
| Creative Themes–Blocksy Companion Pro | Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions. | 2026-06-17 | 9.3 | CVE-2026-39596 |
| Creative Themes–Blocksy Companion Pro | Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions. | 2026-06-17 | 9.9 | CVE-2026-40783 |
| CRM Perks–Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms | Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. | 2026-06-15 | 9.8 | CVE-2026-9691 |
| CRM Perks–Integration for Contact Form 7 and Constant Contact | Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. | 2026-06-15 | 9.8 | CVE-2026-49106 |
| CRM Perks–Integration for Contact Form 7 HubSpot | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. | 2026-06-15 | 9.8 | CVE-2026-49763 |
| CRM Perks–Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions. | 2026-06-15 | 9.8 | CVE-2026-49104 |
| CRM Perks–Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. | 2026-06-15 | 9.8 | CVE-2026-49765 |
| crm perks–Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. | 2026-06-15 | 9.8 | CVE-2026-49109 |
| CRM Perks–WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | 2026-06-15 | 9.8 | CVE-2026-49085 |
| CRM Perks–WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | 2026-06-15 | 9.8 | CVE-2026-49105 |
| crmperks–Database for Contact Form 7, WPforms, Elementor forms | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP’s bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file. | 2026-06-20 | 8.1 | CVE-2026-9843 |
| Crocoblock–JetEngine | The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page. | 2026-06-17 | 7.5 | CVE-2026-12360 |
| CurlyThemes–Events Schedule – WordPress Events Calendar Plugin | Subscriber SQL Injection in Events Schedule – WordPress Events Calendar Plugin <= 2.7.2 versions. | 2026-06-17 | 8.5 | CVE-2025-69135 |
| Dassault Systmes–SOLIDWORKS Visualize | A Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 could allow an attacker to write arbitrary files on the server. | 2026-06-17 | 9.8 | CVE-2026-10094 |
| Datalogics–Datalogics Ecommerce Delivery | Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions. | 2026-06-15 | 9.8 | CVE-2026-39583 |
| David Lingren–Media LIbrary Assistant | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.35. | 2026-06-18 | 8.5 | CVE-2026-56012 |
| David Lingren–Media LIbrary Assistant | Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions. | 2026-06-16 | 7.1 | CVE-2026-54198 |
| dbgate–dbgate | DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate’s storage, and compromise the host system – in Docker deployments, this typically means root access within the container. | 2026-06-15 | 8.8 | CVE-2026-48017 |
| deepstreamIO–deepstream.io | deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5. | 2026-06-18 | 9.9 | CVE-2026-49252 |
| Dell–AIOps | Dell AIOps Collector versions prior to 1.18.3 contain a “Use of Default Credentials” vulnerability. A low privileged attacker with console access could potentially exploit this vulnerability to gain Filesystem access. This vulnerability only affects fresh installations of Collector versions earlier than 1.18.3. Systems that have been upgraded (either manually or automatically) to version 1.18.3 or later are not impacted, even if they were originally installed on an earlier version. | 2026-06-17 | 7.8 | CVE-2026-32652 |
| Dell–Dell EMC VxRail Appliance | update_disk_psu_baseline.sh requires password in plain text | 2026-06-16 | 7.4 | CVE-2024-39575 |
| Dell–EMC VxRail Appliance | api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions. | 2026-06-16 | 7 | CVE-2024-38487 |
| Dell–OpenManage | Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. A remote authenticated user could potentially exploit this vulnerability to escalate privileges. The malicious user may gain the ability to run arbitrary code remotely. This is a high severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity. | 2026-06-16 | 8.8 | CVE-2024-24909 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access. | 2026-06-17 | 8.1 | CVE-2026-32804 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access. | 2026-06-17 | 8.8 | CVE-2026-35065 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) Version prior to 4.8, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2026-06-17 | 7.5 | CVE-2026-22283 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 2026-06-17 | 7.1 | CVE-2026-35066 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access. | 2026-06-17 | 7.4 | CVE-2026-49502 |
| Dell–Server Hardware Manager | Dell Server Hardware Manager, versions prior to 3.2.2, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-06-19 | 7.8 | CVE-2026-46461 |
| Dev4Press–GD Rating System | Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions. | 2026-06-15 | 9.3 | CVE-2026-42639 |
| Dimitri Grassi–Salon booking system | Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions. | 2026-06-17 | 7.3 | CVE-2026-40768 |
| Dimitri Grassi–Salon booking system | Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions. | 2026-06-15 | 7.5 | CVE-2026-42666 |
| Discuz!–Discuz! X5.0 | Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users. | 2026-06-15 | 9.1 | CVE-2026-49952 |
| Discuz!–Discuz! X5.0 | Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user. | 2026-06-15 | 7.2 | CVE-2026-49954 |
| Dokan, Inc.–Dokan | Customer Privilege Escalation in Dokan <= 5.0.2 versions. | 2026-06-15 | 8.8 | CVE-2026-49780 |
| doobidoo–mcp-memory-service | mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at `/mcp` requires only OAuth `read` scope for all requests, then dispatches `tools/call` directly to handlers that include mutating tools. A read-only OAuth client can call `store_memory` and `delete_memory` through MCP even though the corresponding REST endpoints require `write` scope. Version 10.65.3 patches the issue. | 2026-06-19 | 8.1 | CVE-2026-49291 |
| DVDFab–Virtual Drive | A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 7.8 | CVE-2026-12217 |
| dwbooster–Booking Calendar Contact | WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the ‘ict’ and ‘ics’ options or the calendar ‘name’ parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface. | 2026-06-15 | 7.2 | CVE-2016-20084 |
| dwbooster–Booking Calendar Contact Form | WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to ‘dex_bccf_calendar_ajaxevent’ and supply crafted SQL commands in the ‘id’ parameter to extract sensitive database information. | 2026-06-15 | 8.2 | CVE-2016-20068 |
| dwbooster–Booking Calendar Contact Form | WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information. | 2026-06-15 | 8.2 | CVE-2016-20069 |
| dwbooster–CP Polls | WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content. | 2026-06-15 | 7.2 | CVE-2016-20066 |
| Dylan Kuhn–Geo Mashup | Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions. | 2026-06-17 | 8.5 | CVE-2026-48967 |
| e107inc–e107 | e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is escaped with escapeshellarg(), but the destination path is inserted inside raw double quotes in the convert command; in the submit-news upload flow, that destination filename includes the first six characters of user-controlled news title input. Because the title filter removes literal spaces but not tab characters, and shell expansions such as $(…) and backticks can survive into the quoted destination argument, /bin/sh -c may evaluate attacker-controlled input. Exploitation is possible only when all of the following non-default settings are enabled: resize_method=ImageMagick, subnews_attach=1, upload_enabled=1, subnews_resize is numeric between 30 and 5000, and the attacker is a non-admin in classes permitted by both subnews_class and upload_class. This issue has been fixed in version 2.3.6. | 2026-06-17 | 7.1 | CVE-2026-48997 |
| e4jvikwp–VikRentCar | Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions. | 2026-06-15 | 7.5 | CVE-2026-52699 |
| EaseUS–Partition Master | A vulnerability was identified in EaseUS Partition Master up to 14.5. The affected element is an unknown function in the library epmntdrv.sys of the component Kernel Driver. The manipulation leads to improper access controls. The attack needs to be performed locally. The exploit is publicly available and might be used. You should upgrade the affected component. The vendor explains: “We have confirmed that this issue was present only in older versions of the product. Our product has since been updated, and the issue has been resolved in the latest version, so it no longer exists.” | 2026-06-21 | 7.8 | CVE-2026-12781 |
| EaseUS–Partition Master | A security flaw has been discovered in EaseUS Partition Master up to 14.5. The impacted element is an unknown function in the library EUEDKEPM.sys of the component Kernel Driver. The manipulation results in improper access controls. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The affected component should be upgraded. The vendor explains: “We have confirmed that this issue was present only in older versions of the product. Our product has since been updated, and the issue has been resolved in the latest version, so it no longer exists.” | 2026-06-21 | 7.8 | CVE-2026-12782 |
| Easy Appointments–Easy Appointments | Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions. | 2026-06-15 | 7.5 | CVE-2026-39513 |
| Eclipse Foundation–Eclipse ThreadX – NetX Duo | The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption. | 2026-06-19 | 7.5 | CVE-2026-11576 |
| Edgar Rojas–WooCommerce PDF Invoice Builder | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8. | 2026-06-15 | 10 | CVE-2026-52704 |
| Edge-Themes–Alloggio – Hotel Booking | Unauthenticated PHP Object Injection in Alloggio – Hotel Booking <= 2.1.2 versions. | 2026-06-16 | 8.1 | CVE-2026-39539 |
| Edge-Themes–Behold | Unauthenticated PHP Object Injection in Behold <= 1.5 versions. | 2026-06-16 | 8.1 | CVE-2026-40760 |
| Edge-Themes–Eldon | Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions. | 2026-06-17 | 8.1 | CVE-2026-40738 |
| Edge-Themes–Laurits | Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions. | 2026-06-16 | 8.1 | CVE-2026-40736 |
| Edge-Themes–Reina | Unauthenticated PHP Object Injection in Reina <= 2.1 versions. | 2026-06-17 | 8.1 | CVE-2026-40735 |
| Edge-Themes–Valeska | Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions. | 2026-06-16 | 8.1 | CVE-2026-40761 |
| Edimax–BR-6478AC V2 | A vulnerability has been found in Edimax BR-6478AC V2 1.23. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 8.8 | CVE-2026-12806 |
| eemitch–Simple File List | The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint. | 2026-06-20 | 7.5 | CVE-2026-11911 |
| eemitch–Simple File List | The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated. | 2026-06-20 | 7.5 | CVE-2026-11912 |
| Elated-Themes–Aperitif | Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions. | 2026-06-16 | 8.1 | CVE-2026-39549 |
| Elated-Themes–Fidalgo | Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions. | 2026-06-16 | 8.1 | CVE-2026-39554 |
| Elated-Themes–Konsept | Unauthenticated PHP Object Injection in Konsept <= 1.9 versions. | 2026-06-17 | 8.1 | CVE-2026-39556 |
| Elated-Themes–Lonie | Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions. | 2026-06-16 | 8.1 | CVE-2026-40758 |
| Elated-Themes–Malm | Unauthenticated Local File Inclusion in Malmö <= 2.2 versions. | 2026-06-17 | 8.1 | CVE-2026-39558 |
| Elated-Themes–Mr. SEO | Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions. | 2026-06-16 | 8.1 | CVE-2026-39568 |
| Elated-Themes–NeoBeat | Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions. | 2026-06-16 | 8.1 | CVE-2026-39557 |
| Elated-Themes–Playroom | Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions. | 2026-06-16 | 8.1 | CVE-2026-39577 |
| Elated-Themes–Roisin | Unauthenticated PHP Object Injection in Roisin <= 1.4 versions. | 2026-06-16 | 8.1 | CVE-2026-40754 |
| Elated-Themes–SingleMalt | Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions. | 2026-06-17 | 8.1 | CVE-2026-39576 |
| Elated-Themes–Solene | Unauthenticated Local File Inclusion in Solene <= 3.4 versions. | 2026-06-16 | 8.1 | CVE-2026-39522 |
| Elated-Themes–Solene Core | Unauthenticated Local File Inclusion in Solene Core <= 2.3.2 versions. | 2026-06-17 | 8.1 | CVE-2026-39523 |
| Elated-Themes–Valiance | Unauthenticated PHP Object Injection in Valiance <= 1.2 versions. | 2026-06-16 | 8.1 | CVE-2026-39578 |
| ELEXtensions–ELEX WordPress HelpDesk & Customer Ticketing System | Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions. | 2026-06-15 | 8.5 | CVE-2026-48964 |
| Eli Scheetz–Anti-Malware Security and Brute-Force Firewall | Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. | 2026-06-15 | 8.8 | CVE-2026-39478 |
| Eli–Eli’s WordCents adSense Widget with Analytics | Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. | 2026-06-15 | 7.1 | CVE-2025-68872 |
| Emraan Cheema–ListingPro | Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions. | 2026-06-16 | 9.3 | CVE-2026-39438 |
| EMV–Creatify | Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5. | 2026-06-17 | 9.8 | CVE-2025-60236 |
| EMV–JobBank | Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3. | 2026-06-17 | 7.3 | CVE-2025-69189 |
| EMV–JobCareer | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3. | 2026-06-17 | 8.6 | CVE-2025-69128 |
| EMV–The Hospital | Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1. | 2026-06-17 | 9.8 | CVE-2025-60231 |
| envoyproxy–envoy | Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy’s HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. | 2026-06-17 | 7.5 | CVE-2026-47774 |
| error311–FileRise | FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename. | 2026-06-19 | 9.8 | CVE-2026-54414 |
| Etoilewebdesign–Ultimate Product Catalog | WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server. | 2026-06-15 | 8.8 | CVE-2016-20075 |
| EventPrime–EventPrime | Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions. | 2026-06-15 | 8.1 | CVE-2026-42687 |
| EventPrime–EventPrime | Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions. | 2026-06-15 | 7.1 | CVE-2026-39518 |
| EventPrime–EventPrime | Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions. | 2026-06-15 | 7.1 | CVE-2026-42686 |
| ExpressTech–Quiz And Survey Master | Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.0.0 versions. | 2026-06-15 | 7.1 | CVE-2026-40787 |
| ExpressTech–Quiz And Survey Master | Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions. | 2026-06-15 | 7.1 | CVE-2026-48867 |
| Extendons–WordPress & WooCommerce Scraper Plugin, Import Data from Any Site | Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions. | 2026-06-17 | 10 | CVE-2025-69129 |
| extendons–WordPress & WooCommerce Scraper Plugin, Import Data from Any Site | Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions. | 2026-06-16 | 7.5 | CVE-2025-69131 |
| Extensions–Joomla Payage | Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Attackers can send GET requests to index.php with malicious aid values in the make_payment task to extract sensitive database information using boolean-based blind or time-based blind techniques. | 2026-06-19 | 8.2 | CVE-2017-20279 |
| Extro–RPC | Joomla! Component RPC Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_pofos&view=pofo&id=[SQL] to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20258 |
| Eyal Fitoussi–GEO my WordPress | Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions. | 2026-06-16 | 9.3 | CVE-2026-52715 |
| EyeCix Technologies–JobSearch | Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions. | 2026-06-16 | 7.5 | CVE-2026-49057 |
| eyecix–JobSearch | Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions. | 2026-06-17 | 9.3 | CVE-2026-54186 |
| Ezbsystems–UltraISO Premium Edition | A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to 9.76. Affected by this issue is some unknown functionality in the library bootpt64.sys of the component Kernel Driver. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 7.8 | CVE-2026-12786 |
| F5–NGINX Gateway Fabric | When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-06-17 | 8.1 | CVE-2026-11311 |
| F5–NGINX Gateway Fabric | When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-06-17 | 8.1 | CVE-2026-50107 |
| F5–NGINX Open Source | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-06-17 | 8.1 | CVE-2026-42055 |
| F5–NGINX Open Source | NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-06-17 | 8.1 | CVE-2026-42530 |
| Faboba–Ultimate Property Listing | Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the sf_selectuser_id parameter. Attackers can send GET requests to index.php with the option=com_upl and view=propertylisting parameters to extract sensitive database information including table names and column structures. | 2026-06-19 | 8.2 | CVE-2017-20272 |
| FFmpeg–FFmpeg | An out-of-bounds write vulnerability in FFmpeg’s libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2. | 2026-06-18 | 8.8 | CVE-2026-8461 |
| fgmacedo–python-statemachine | Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr=”…”>` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python’s built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process. | 2026-06-17 | 9.8 | CVE-2026-47103 |
| Filipe Nasc–RD Station | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0. | 2026-06-16 | 9.9 | CVE-2026-49774 |
| Flipper Code WordPress Development Company–WP Maps | Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions. | 2026-06-15 | 9.3 | CVE-2026-39492 |
| Flowise–Flowise | Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users. | 2026-06-20 | 9.8 | CVE-2024-58351 |
| Focalpointx–FocalPoint Pro / Free | Joomla! Component FocalPoint Pro/Free 1.2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_focalpoint, view=location, and a crafted id parameter containing SQL commands to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20263 |
| forem–forem | Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of `a2ab6d4`. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses. | 2026-06-16 | 8.2 | CVE-2026-48780 |
| Fortra–Core Privileged Access Manager (BoKS) | Fortra’s Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing. | 2026-06-15 | 9.8 | CVE-2026-9862 |
| Fortra–Core Privileged Access Manager (BoKS) | Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling. | 2026-06-15 | 7.5 | CVE-2026-9863 |
| Foxit Software Inc.–Foxit AI | When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution. | 2026-06-15 | 8.6 | CVE-2026-12057 |
| fs-code–Booknetic | Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions. | 2026-06-17 | 8.1 | CVE-2026-25439 |
| FunnelKit–Funnel Builder by FunnelKit | Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. | 2026-06-15 | 9.3 | CVE-2026-42381 |
| FunnelKit–Funnel Builder by FunnelKit | Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions. | 2026-06-15 | 7.1 | CVE-2026-48966 |
| Gegabyte–My Projects | Joomla! Component My Projects 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the VerAyari parameter. Attackers can craft requests to the component endpoint with SQL injection payloads to extract sensitive database information including credentials and system data. | 2026-06-19 | 8.2 | CVE-2017-20253 |
| Gegabyte–User Bench | Joomla! Component User Bench 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the userid parameter. Attackers can send GET requests to index.php with the option=com_userbench&view=detail&userid parameter containing SQL injection payloads to extract sensitive database information including credentials and configuration data. | 2026-06-19 | 8.2 | CVE-2017-20254 |
| geoserver–org.geoserver.extension:gs-db2 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue. | 2026-06-18 | 7.2 | CVE-2025-27511 |
| geoserver–org.geoserver.web:gs-web-app | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer’s security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages. | 2026-06-18 | 7.2 | CVE-2025-52465 |
| gitroomhq–postiz-app | Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application’s JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim’s social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8. | 2026-06-16 | 9.9 | CVE-2026-48781 |
| Glen Don Mongaya–Drag and Drop Multiple File Upload Contact Form 7 | Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions. | 2026-06-15 | 7.1 | CVE-2026-49055 |
| Government Accountability Office–Electronic Protest Docketing System (EPDS) | The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the ‘/update-profile/N’ API endpoint. A remote, unauthenticated attacker could change an arbitrary user’s password. | 2026-06-18 | 9.8 | CVE-2026-54103 |
| Government Accountability Office–Electronic Protest Docketing System (EPDS) | The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the ‘epds_role_id’ parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges. | 2026-06-18 | 8.8 | CVE-2026-54104 |
| Groundhogg–Groundhogg | Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions. | 2026-06-15 | 7.7 | CVE-2026-40727 |
| Groundhogg–HollerBox | Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions. | 2026-06-15 | 7.1 | CVE-2026-48885 |
| Hakan Ozevin–WP BASE Booking | Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions. | 2026-06-15 | 8.1 | CVE-2026-39587 |
| Happyforms–Happyforms | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. | 2026-06-15 | 9.8 | CVE-2026-49768 |
| haproxy–haproxy | HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure’s drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues. | 2026-06-18 | 7.5 | CVE-2026-55203 |
| haproxy–haproxy | HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service. | 2026-06-18 | 7.5 | CVE-2026-55204 |
| harttle–liquidjs | LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter’s strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad()/padStart(), leading to memory and render limit bypass. In src/util/underscore.ts, the pad loop performs unbounded string concatenation without consulting the Context’s memoryLimit or renderLimit, so a single small template ({{ x | date: ‘%5000000d’ }}) produces megabytes of output and unbounded CPU. The memoryLimit and renderLimit options the docs (src/liquid-options.ts:87-92) advertise as DoS controls – and which the docstring explicitly mentions for strftime – are entirely bypassed. Exploitation can cause large memory allocations, high CPU usage, or OOM crashes per render. This issue has been fixed in version 10.26.0. | 2026-06-17 | 7.5 | CVE-2026-45357 |
| harttle–liquidjs | LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!– opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request (‘<script’.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit – the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0. | 2026-06-17 | 7.5 | CVE-2026-45617 |
| Henryschorradt–Bridge | Joomla! Component PHP-Bridge 1.2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_phpbridge&view=phpview parameters and inject SQL code in the id parameter to extract database information including table and column names. | 2026-06-19 | 8.2 | CVE-2017-20275 |
| hermes-webui–hermes-webui | Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register endpoints are accessible without authentication, allowing attackers to claim the first passkey and gain permanent administrative control. | 2026-06-17 | 9.1 | CVE-2026-55196 |
| hippooo–Hippoo Mobile App for WooCommerce | Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions. | 2026-06-15 | 8.2 | CVE-2026-49065 |
| Hitachi–Hitachi Virtual Storage Platform E990, E1090, E1090H | DoS Vulnerability in 10G iSCSI Interface of Hitachi Virtual Storage Platform. This issue affects Hitachi Virtual Storage Platform E990, E1090, E1090H: before DKCMAIN Ver.93-07-21-80/00-05, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-07-01-80/00-07, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-06-82-80/00-06, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-06-63-80/00-04, CHB(iSCSI) Ver.88-01-02-04; Hitachi Virtual Storage Platform E390, E590, E790, E390H, E590H, E790H: before DKCMAIN Ver.93-07-21-x0/00-05, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-07-01-x0/00-07, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-06-82-x0/00-06, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-06-63-x0/00-04, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-07-24-x0/00-02, CHB(iSCSI) Ver.88-01-02-04, before DKCMAIN Ver.93-07-02-x0/00-02, CHB(iSCSI) Ver.88-01-02-04; Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900: before DKCMAIN Ver.88-08-10-x0/00-05, CHB(iSCSI) Ver.88-01-02-04; Hitachi Virtual Storage Platform G100, G200, G400, G600, G800, F400, F600, F800: before DKCMAIN Ver.83-06-20-x0/00-05, CHB(iSCSI) Ver.83-01-01-29; Hitachi Virtual Storage Platform VX8, 5100, 5500, 5100H, 5500H, 5200, 5600, 5200H, 5600H: before DKCMAIN Ver.90-09-01-00/01-01, CHB(iSCSI) Ver.90-01-01-07, before DKCMAIN Ver.90-08-83-00/01-01, CHB(iSCSI) Ver.90-01-01-07, before DKCMAIN Ver.90-08-63-00/01-01, CHB(iSCSI) Ver.90-01-01-07; Hitachi Virtual Storage Platform VX7, G1000, G1500, F1500: before DKCMAIN Ver.80-06-93-00/00-04, ISFC Ver.80-01-17. | 2026-06-19 | 8.6 | CVE-2025-7737 |
| HKUDS–nanobot | nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes them to disk using a filename derived from the sender’s message via documentMessage.fileName, which is concatenated with a prefix and its raw value is passed directly to path.join(mediaDir, outFilename). Node.js path.join resolves .. components, allowing an attacker to escape the intended media/ directory by sending a document with a crafted fileName such as ../../../.ssh/authorized_keys. Because the attacker also controls the file content (the downloaded buffer), this is a write-anywhere primitive – both path and content are attacker-controlled. A fix for this issue is planned for version 0.1.5.post4. | 2026-06-18 | 8.7 | CVE-2026-48716 |
| https://wpreviewslider.com/–WP Review Slider Pro | The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidereview_ajax() function, which uses strpos() to check that a stored media URL starts with the expected prefix but fails to sanitize path traversal sequences in the remaining relative path before passing it to unlink(). This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-06-16 | 8.1 | CVE-2026-8442 |
| https://wpreviewslider[.]com/–WP Review Slider Pro | The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the ‘stypes’ and ‘slocations’ parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress’s wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation. | 2026-06-16 | 8.8 | CVE-2026-8443 |
| https://wpreviewslider[.]com/–WP Review Slider Pro | The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the ‘curselrevs[]’ parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST[‘curselrevs’] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( … )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-16 | 8.8 | CVE-2026-8444 |
| Husain–HB Audio Gallery Lite | WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal sequences to access sensitive files like wp-config.php outside the intended gallery directory. | 2026-06-15 | 7.5 | CVE-2016-20081 |
| i18next–i18next-fs-backend | Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware’s missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like “__proto__.polluted” was split into [“__proto__”, “polluted”] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(…, { … }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware’s missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys). | 2026-06-15 | 9.1 | CVE-2026-48713 |
| i18next–i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as “__proto__.polluted”. Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input. | 2026-06-15 | 9.1 | CVE-2026-48714 |
| iba–ibaPDA | A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems. | 2026-06-18 | 9.8 | CVE-2026-8024 |
| IDPay–IDPay Payment Gateway for Woocommerce | Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions. | 2026-06-15 | 7.5 | CVE-2026-34891 |
| IM-Magic–Partition Resizer | A weakness has been identified in IM-Magic Partition Resizer up to 7.9.0. This affects an unknown function in the library MDA_NTDRV.sys of the component Kernel Driver. This manipulation causes improper access controls. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 7.8 | CVE-2026-12784 |
| impleCode–eCommerce Product Catalog | Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions. | 2026-06-15 | 9.3 | CVE-2026-52693 |
| Inisev–Backup Migration | Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions. | 2026-06-15 | 7.5 | CVE-2026-39480 |
| Iperiusremote–Iperius Remote | Iperius Remote 1.7.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation path. When installed from directories containing spaces, attackers can place malicious executables in the path to be executed with elevated privileges during service startup or system reboot. | 2026-06-19 | 7.8 | CVE-2016-20089 |
| IT Path Solutions–Contact Form to Any API | Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions. | 2026-06-15 | 7.1 | CVE-2026-39449 |
| Jacob N. Breetvelt–WP Photo Album Plus | Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. | 2026-06-15 | 9.3 | CVE-2026-39511 |
| JetBrains–GoLand | In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration | 2026-06-19 | 7.1 | CVE-2026-53915 |
| JetBrains–Hub | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible | 2026-06-19 | 10 | CVE-2026-50242 |
| JetBrains–Hub | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible | 2026-06-19 | 9.8 | CVE-2026-56141 |
| JetBrains–Hub | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible | 2026-06-19 | 9.6 | CVE-2026-56142 |
| Jetimpex Inc.–JetBlog | Unauthenticated Sensitive Data Exposure in JetBlog <= 2.4.8 versions. | 2026-06-17 | 7.5 | CVE-2026-52696 |
| Jetimpex Inc.–JetEngine | Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions. | 2026-06-17 | 9.8 | CVE-2026-49075 |
| Jetimpex Inc.–JetEngine | Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions. | 2026-06-17 | 9.3 | CVE-2026-49076 |
| Jetimpex Inc.–JetEngine | Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions. | 2026-06-17 | 9.3 | CVE-2026-49084 |
| Jetimpex Inc.–JetEngine | Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions. | 2026-06-17 | 9.8 | CVE-2026-52706 |
| Jetimpex Inc.–JetEngine | Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions. | 2026-06-17 | 9.3 | CVE-2026-54187 |
| Jetimpex Inc.–JetEngine | Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions. | 2026-06-17 | 7.1 | CVE-2026-49074 |
| Jetimpex Inc.–JetEngine | Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. | 2026-06-17 | 7.1 | CVE-2026-54188 |
| Jetimpex Inc.–JetEngine | Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. | 2026-06-17 | 7.1 | CVE-2026-54189 |
| Jetimpex Inc.–JetSearch | Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions. | 2026-06-17 | 9.3 | CVE-2026-49079 |
| Jetimpex Inc.–JetSmartFilters | Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions. | 2026-06-17 | 9.3 | CVE-2026-48875 |
| Jetmonsters–JetFormBuilder | Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder <= 3.6.0.1 versions. | 2026-06-17 | 7.1 | CVE-2026-54195 |
| JExtensions Store–GPTranslate Multilingual AI Translation for WordPress: Automatically Translate Websites | Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions. | 2026-06-15 | 9.3 | CVE-2026-49776 |
| jkdevstudio–Qreatix | Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions. | 2026-06-16 | 7.1 | CVE-2025-69104 |
| Jobster Marketplace–WPJobster | Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions. | 2026-06-17 | 9.3 | CVE-2026-22340 |
| Jobster Marketplace–WPJobster | Unauthenticated Cross Site Scripting (XSS) in WPJobster <= 6.3.5 versions. | 2026-06-17 | 7.1 | CVE-2026-22339 |
| Joombooking–JB Visa | Joomla! Component JB Visa 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the visatype parameter. Attackers can send GET requests to index.php with the option=com_bookpro and view=popup parameters, injecting SQL commands in the visatype parameter to extract sensitive database information including credentials and table contents. | 2026-06-19 | 8.2 | CVE-2017-20255 |
| Joomboost–JoomCRM | Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the deal_id parameter. Attackers can send GET requests to index.php with option=com_joomcrm&view=contacts and inject SQL code in the deal_id parameter to extract sensitive database information including table names and schemas. | 2026-06-19 | 7.1 | CVE-2019-25761 |
| Joomboost–Joomla JoomRecipe | Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Attackers can inject SQL code through POST requests to the search endpoint to extract database information using boolean-based blind SQL injection techniques. | 2026-06-19 | 8.2 | CVE-2017-20277 |
| Joomboost–JoomProject | Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format. | 2026-06-19 | 7.5 | CVE-2019-25762 |
| Joomboost–JoomRecipe | Joomla Component JoomRecipe 1.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the category parameter. Attackers can send GET requests to the all-recipes endpoint with malicious SQL payloads in the category path segment to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20278 |
| Joomlaboat–Extra Search | Joomla! Component Extra Search 2.2.8 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the establename parameter. Attackers can send GET requests to index.php with the option=com_extrasearch parameter and malicious SQL in the establename field to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20281 |
| Joomlashack–OSDownloads | Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_osdownloads&view=item&id=[SQL] to extract sensitive database information including credentials and configuration data. | 2026-06-19 | 8.2 | CVE-2017-20259 |
| Joomlashowroom–Event Registration Pro Calendar | Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category&id parameter containing SQL injection payloads to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20273 |
| Joomlathat–Calendar Planner | Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20267 |
| Joomplace–Quiz Deluxe | Joomla! Component Quiz Deluxe 3.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the ajaxaction.flag_question task. Attackers can inject malicious SQL code via the stu_quiz_id or flag_quest parameters to manipulate database queries and extract sensitive information. | 2026-06-19 | 8.2 | CVE-2017-20257 |
| Joomplace–Survey Force Deluxe | Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite parameter to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20256 |
| Joomshaper–SP Movie Database | Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword parameter. Attackers can send GET requests to the searchresults view with crafted SQL payloads in the searchword parameter to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20266 |
| Joomunited–WP Media folder Addon | Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions. | 2026-06-17 | 7.5 | CVE-2026-9690 |
| Jose Conti–Redsys for WooCommerce Light | Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions. | 2026-06-15 | 7.5 | CVE-2026-40741 |
| Jovancoding–Network-AI | Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing the CORS flaw (with Access-Control-Allow-Origin now set only for localhost origins), but the empty-default-secret flaw described in the title remained: the SSE MCP server still defaulted to an empty secret, _isAuthorized() still returned true when the secret was empty, and a non-loopback bind only produced a warning. As a result, the server still ran fully unauthenticated by default. Any non-browser caller (for example, curl, SSRF, or a 0.0.0.0 bind) could invoke all 22 MCP tools (config_set, agent_spawn, blackboard_write, token_*) with no credentials. This issue was fixed in version 5.7.2. | 2026-06-17 | 9.1 | CVE-2026-48814 |
| Jthemes–Genemy | Subscriber Privilege Escalation in Genemy <= 1.6.6 versions. | 2026-06-17 | 8.8 | CVE-2025-69138 |
| JTL Software–JTL Shop | JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user. | 2026-06-18 | 9.8 | CVE-2026-54390 |
| jwsthemes–AI Lab | Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions. | 2026-06-17 | 9.8 | CVE-2026-42380 |
| kilbot–WooCommerce POS | Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. | 2026-06-16 | 7.5 | CVE-2026-52711 |
| King-products–LMS King Professional | Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Attackers can send GET requests to index.php with the option=com_lmsking, view=lmsking, layout=learningpath, and task=learningPath parameters to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20274 |
| Kludex–starlette | Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \attacker.comshare can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0. | 2026-06-17 | 7.5 | CVE-2026-48818 |
| Knit Pay–Knit Pay | Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. | 2026-06-15 | 7.5 | CVE-2026-49070 |
| Kodezen LLC–Academy LMS Pro | Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2. | 2026-06-16 | 8 | CVE-2026-39598 |
| Kriesi–Enfold | Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions. | 2026-06-16 | 7.1 | CVE-2026-48869 |
| LatePoint–LatePoint | Contributor Privilege Escalation in LatePoint <= 5.5.1 versions. | 2026-06-15 | 7.5 | CVE-2026-49083 |
| latepoint–LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator’s password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator. | 2026-06-16 | 7.5 | CVE-2026-8176 |
| leejet–stable-diffusion.cpp | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by only loading .ckpt checkpoint files from trusted sources and preferring trusted model sources and safer formats such as .safetensors where possible. | 2026-06-16 | 7.8 | CVE-2026-47747 |
| leejet–stable-diffusion.cpp | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the SHORT_BINUNICODE opcode handler. The issue was caused by sign confusion on the opcode length field. A crafted .ckpt file could trigger memcpy with a very large length derived from a negative signed value, causing immediate heap corruption. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. A malicious checkpoint file could cause heap corruption through memcpy with an attacker-controlled length. This may lead to process crash and could potentially be leveraged for code execution depending on heap layout. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by not loading .ckpt checkpoint files from untrusted sources, and referring to trusted model sources and safer formats such as .safetensors where possible. | 2026-06-16 | 7.8 | CVE-2026-47749 |
| leejet–stable-diffusion.cpp | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in the GLOBAL opcode handler. The issue was caused by missing validation when searching for newline-delimited fields. A crafted .ckpt file without the expected newline could cause the parser to use -1 as a copy length, resulting in immediate heap corruption. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. The issue has been resolved in version master-584-0a7ae07. If developers are unable to immediately update their applications they can work around this issue by following these instructions: do not load .ckpt checkpoint files from untrusted sources, and prefer trusted model sources and safer formats such as .safetensors where possible. | 2026-06-16 | 7.8 | CVE-2026-47750 |
| libssh2–libssh2 | libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution. | 2026-06-17 | 8.1 | CVE-2026-55200 |
| Liquid Web / StellarWP–GiveWP | Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions. | 2026-06-15 | 7.1 | CVE-2026-34900 |
| Liquid Web / StellarWP–The Events Calendar | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2. | 2026-06-16 | 9.3 | CVE-2026-49772 |
| LoginPress–LoginPress Pro | Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions. | 2026-06-17 | 9.8 | CVE-2026-49058 |
| Magepeople inc.–WpEvently | Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions. | 2026-06-15 | 7.5 | CVE-2026-45441 |
| Magepeople inc.–WpTravelly | Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions. | 2026-06-15 | 7.5 | CVE-2026-27089 |
| Malwarebytes–Malwarebytes | Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root path. Attackers can place executable files in unquoted path directories that execute with LocalSystem privileges during service startup or system reboot. | 2026-06-19 | 7.8 | CVE-2022-50971 |
| Mamunur Rashid–Classified Listing | Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions. | 2026-06-15 | 7.1 | CVE-2026-42658 |
| ManageWP–ManageWP Worker | Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions. | 2026-06-15 | 7.1 | CVE-2026-39463 |
| MantraBrain–Easy Invoice | Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions. | 2026-06-15 | 10 | CVE-2026-48836 |
| mariovalney–CF7 to Webhook | The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible. | 2026-06-18 | 7.2 | CVE-2026-11395 |
| markbeljaars–iRobots.txt SEO | Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. | 2026-06-15 | 7.1 | CVE-2025-68840 |
| mastodon–mastodon | Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental “Collections” feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1. | 2026-06-15 | 7.5 | CVE-2026-47777 |
| Matrix42–Matrix42 Remote Control Host | Matrix42 Remote Control Host 3.20.0031 contains an unquoted service path vulnerability in the FastViewerRemoteService and FastViewerRemoteProxy services that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can place a malicious executable in the Program Files directory with a crafted name to be executed by the service during startup, gaining elevated privileges. | 2026-06-19 | 7.8 | CVE-2016-20095 |
| mattkaye–Answer My Question | Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ POST parameter. Attackers can submit crafted SQL statements to the modal.php endpoint to extract sensitive database information including WordPress terms and configuration data. | 2026-06-15 | 8.2 | CVE-2016-20073 |
| Melapress–WP Activity Log | Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions. | 2026-06-17 | 9.8 | CVE-2026-54806 |
| melhorenvio–Melhor Envio | Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions. | 2026-06-17 | 7.6 | CVE-2026-54804 |
| Meow Apps–AI Engine | Editor Privilege Escalation in AI Engine <= 3.4.9 versions. | 2026-06-15 | 7.2 | CVE-2026-27407 |
| Metagauss–RegistrationMagic | Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. | 2026-06-15 | 9.8 | CVE-2026-49764 |
| metaphorcreations–Post Duplicator | Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions. | 2026-06-15 | 8.8 | CVE-2026-39474 |
| MetaSlider–Responsive Slider by MetaSlider | Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. | 2026-06-15 | 9.1 | CVE-2026-39465 |
| MIA Technology Inc.–Pizzy Library | Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. | 2026-06-15 | 8.8 | CVE-2026-5242 |
| MIA Technology Inc.–Pizzy Library | Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. | 2026-06-15 | 7.1 | CVE-2026-5230 |
| MIA Technology Inc.–Pizzy Library | Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. | 2026-06-15 | 7.1 | CVE-2026-5233 |
| Microsoft–Azure Active Directory | Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. | 2026-06-19 | 10 | CVE-2026-45480 |
| Microsoft–Azure AI Bot Service | Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network. | 2026-06-18 | 7.7 | CVE-2026-32174 |
| Microsoft–Azure Synapse | Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network. | 2026-06-19 | 9.9 | CVE-2026-48584 |
| Microsoft–Microsoft 365 Copilot | Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-06-18 | 9.8 | CVE-2026-54130 |
| Microsoft–Microsoft 365 Copilot | Url redirection to untrusted site (‘open redirect’) in Microsoft 365 Copilot’s Business Chat allows an unauthorized attacker to elevate privileges over a network. | 2026-06-19 | 8.8 | CVE-2026-47645 |
| Microsoft–Microsoft Cost Management | Exposure of sensitive information to an unauthorized actor in Cost Management Interactive Experiences allows an unauthorized attacker to disclose information over a network. | 2026-06-18 | 7.5 | CVE-2026-47633 |
| Microsoft–Microsoft Dynamics 365 | Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network. | 2026-06-18 | 9.9 | CVE-2026-47647 |
| Microsoft–Microsoft Edge (Chromium-based) | Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network. | 2026-06-19 | 8.8 | CVE-2026-32208 |
| Microsoft–Microsoft Exchange Online | Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. | 2026-06-19 | 9.6 | CVE-2026-48582 |
| Microsoft–Microsoft Malware Protection Engine | Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available. | 2026-06-16 | 7.8 | CVE-2026-50656 |
| Microweber–Microweber | A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 7.3 | CVE-2026-12198 |
| Mikado-Themes–Ashtanga | Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions. | 2026-06-16 | 8.1 | CVE-2026-40751 |
| Mikado-Themes–ChapterOne | Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions. | 2026-06-17 | 8.1 | CVE-2026-40731 |
| Mikado-Themes–Chteau | Unauthenticated PHP Object Injection in Château <= 1.2.1 versions. | 2026-06-17 | 8.1 | CVE-2026-40757 |
| Mikado-Themes–EasyMeals | Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions. | 2026-06-17 | 8.1 | CVE-2026-40753 |
| Mikado-Themes–Esme | Unauthenticated PHP Object Injection in Esmée <= 1.4 versions. | 2026-06-16 | 8.1 | CVE-2026-40759 |
| Mikado-Themes–Kastell | Unauthenticated Local File Inclusion in Kastell <= 2.0 versions. | 2026-06-17 | 8.1 | CVE-2026-52707 |
| Mikado-Themes–LuxeDrive | Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions. | 2026-06-16 | 8.1 | CVE-2026-40739 |
| Mikado-Themes–Mikado Core | Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions. | 2026-06-17 | 8.1 | CVE-2026-39537 |
| Mikado-Themes–ShiftUp | Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions. | 2026-06-17 | 8.1 | CVE-2026-40733 |
| Mikado-Themes–TechLink | Unauthenticated PHP Object Injection in TechLink <= 1.3 versions. | 2026-06-16 | 8.1 | CVE-2026-40755 |
| Mikado-Themes–Zoya | Unauthenticated PHP Object Injection in Zoya <= 1.4 versions. | 2026-06-17 | 8.1 | CVE-2026-40756 |
| Monetizemore–Advanced Ads | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Monetizemore Advanced Ads allows Remote Code Inclusion. This issue affects Advanced Ads: from n/a through 2.0.21. | 2026-06-17 | 7.5 | CVE-2026-54816 |
| Montodel–House-Rental-Management | A vulnerability was detected in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 7.3 | CVE-2026-12775 |
| Montonio–Montonio for WooCommerce | Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions. | 2026-06-15 | 7.5 | CVE-2026-48873 |
| Motive Commerce Search–AI Product Search for WooCommerce Motive Commerce Search | Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. | 2026-06-15 | 8.2 | CVE-2026-42664 |
| mra13 / Team Tips and Tricks HQ–Simple Shopping Cart | Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. | 2026-06-15 | 7.5 | CVE-2026-48868 |
| multer–multer | Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires. Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact. | 2026-06-15 | 7.5 | CVE-2026-5079 |
| Myportfolio–Myportfolio | Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Attackers can send GET requests to index.php with malicious pid values in the task=project&view=grid endpoint to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20280 |
| Mythemes–my flatonica | Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. | 2026-06-17 | 7.1 | CVE-2024-49269 |
| Naked Cat Plugins (by Webdados)–Feed KuantoKusta for WooCommerce Free | Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. | 2026-06-15 | 9.3 | CVE-2026-39441 |
| NCEAS–metacat | Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0. | 2026-06-15 | 9.8 | CVE-2026-48114 |
| nesquena–hermes-webui | Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles. | 2026-06-17 | 8.1 | CVE-2026-53871 |
| Netdrive–NetDrive | NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that will be executed during service startup or system reboot, resulting in privilege escalation. | 2026-06-19 | 7.8 | CVE-2016-20092 |
| Network-Inventory-Advisor–Network Inventory Advisor | Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate directories. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with LocalSystem privileges when the service starts or restarts. | 2026-06-19 | 7.8 | CVE-2019-25747 |
| Networkdls–Fortitude HTTP | Fortitude HTTP 1.0.4.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated privileges by exploiting the service binary path. Attackers can insert malicious executables in the system root path that execute with SYSTEM privileges during service startup or system reboot. | 2026-06-19 | 7.8 | CVE-2016-20087 |
| Nexi Payments–Nexi XPay | Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1. | 2026-06-17 | 7.5 | CVE-2026-54810 |
| nextgeneditor–NextGen Editor | Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Attackers can send GET requests to index.php with option=com_nge&view=config and inject malicious SQL code in the plname parameter to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20252 |
| NI–grpc-device | There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 9.1 | CVE-2026-48137 |
| NI–grpc-device | There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback. This may allow an unauthenticated user access to the server on the local network. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 9.1 | CVE-2026-9142 |
| NI–grpc-device | There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 7.5 | CVE-2026-48138 |
| NI–grpc-device | There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash. Successful exploitation requires an attacker to provide an unknown value to the data moniker service. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 7.5 | CVE-2026-48139 |
| Ninja Team–FastDup | Unauthenticated Path Traversal in FastDup <= 2.7.2 versions. | 2026-06-15 | 9.6 | CVE-2026-52703 |
| Nordmograph–StreetGuessr Game | Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information including version and database names. | 2026-06-19 | 8.2 | CVE-2017-20271 |
| NousResearch–hermes-agent | Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling attackers to exploit DNS rebinding and inject malicious commands or read terminal output. | 2026-06-17 | 7.5 | CVE-2026-53869 |
| NSquared–Simply Schedule Appointments | Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. | 2026-06-15 | 9.3 | CVE-2026-39493 |
| NSquared–Simply Schedule Appointments | Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions. | 2026-06-15 | 7.1 | CVE-2026-39447 |
| NSquared–Simply Schedule Appointments | Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions. | 2026-06-15 | 7.5 | CVE-2026-42384 |
| Nur-Alam39–bus-ticket | Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL – for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 – to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements. | 2026-06-18 | 9.8 | CVE-2026-55740 |
| nv-tlabs–GEN3C | NVIDIA Spatial Intelligence Lab’s (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python’s pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process. | 2026-06-17 | 9.8 | CVE-2026-53805 |
| NVIDIA–NeMo Framework | NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2026-06-16 | 7.8 | CVE-2026-24155 |
| NVIDIA–NeMo Framework | NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure. | 2026-06-16 | 7.8 | CVE-2026-24228 |
| oleksandrz–E2Pdf Export Pdf Tool for WordPress | The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification – when invoked via the ?action=screen routing path the controller’s index_action() nonce gate is bypassed entirely – while reading an attacker-controlled option name and value from $_POST[‘wp_screen_options’] and passing them directly to update_option() with no allowlist, relying solely on the page-level e2pdf_templates capability which the plugin’s own Permissions UI allows administrators to grant to any role including Subscriber, Contributor, Author, or Editor. This makes it possible for authenticated attackers, with a custom role that has been granted the e2pdf_templates capability, to overwrite arbitrary WordPress options such as default_role and thereby escalate their privileges to administrator. | 2026-06-18 | 8.8 | CVE-2026-12407 |
| OliveTin–OliveTin | OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case – each ExecRequest spawns a goroutine), a race condition occurs: one goroutine’s Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0. | 2026-06-15 | 7.5 | CVE-2026-48708 |
| Omnisend–Email Marketing for WooCommerce by Omnisend | Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions. | 2026-06-15 | 7.5 | CVE-2026-42668 |
| open-webui–open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft `path` values containing encoded `../` traversal sequences that escape the intended path (or policy) scope on that server, reaching unintended endpoints and files on the terminal-server host. Where the terminal server fans requests out to internal services, this also gives SSRF-style reach into those services. This is a separate code path from the `/api/v1/retrieval/process/web` SSRF (GHSA-c6xv-rcvw-v685), with its own input. Two distinct vectors are consolidated here: first, raw path forwarding / single-encoded traversal (original report); and second, a bypass of the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`). The attacker-controlled input is the request `path`, supplied by the non-admin user, not anything an administrator configures, so this is not an admin-trust / Rule-9 situation. Version 0.9.6 fixes the issue. | 2026-06-18 | 7.7 | CVE-2026-54017 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended. | 2026-06-16 | 8.8 | CVE-2026-53843 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity. | 2026-06-16 | 8.1 | CVE-2026-53849 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution. | 2026-06-16 | 8.3 | CVE-2026-53853 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content. | 2026-06-16 | 8.1 | CVE-2026-53855 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled. | 2026-06-16 | 8.1 | CVE-2026-53857 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths. | 2026-06-16 | 8.1 | CVE-2026-53864 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts. | 2026-06-16 | 8.1 | CVE-2026-53866 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins. | 2026-06-16 | 7.1 | CVE-2026-53840 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution. | 2026-06-16 | 7.1 | CVE-2026-53842 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment. | 2026-06-16 | 7.1 | CVE-2026-53846 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution. | 2026-06-16 | 7.1 | CVE-2026-53858 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls. | 2026-06-16 | 7.1 | CVE-2026-53863 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths. | 2026-06-16 | 7.1 | CVE-2026-53865 |
| Oracle Corporation–APM – Application Performance Management | Vulnerability in the APM – Application Performance Management product of Oracle Enterprise Manager (component: JADM, JVM Diagnostics). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise APM – Application Performance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all APM – Application Performance Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of APM – Application Performance Management. CVSS 3.1 Base Score 9.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-46858 |
| Oracle Corporation–Identity Manager | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Identity Manager. While the vulnerability is in Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35268 |
| Oracle Corporation–Identity Manager | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46807 |
| Oracle Corporation–Identity Manager | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35265 |
| Oracle Corporation–Identity Manager | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35267 |
| Oracle Corporation–Identity Manager | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Identity Manager accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). | 2026-06-16 | 7.5 | CVE-2026-35269 |
| Oracle Corporation–Identity Manager Connector | Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Mainframe Connectors). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager Connector. While the vulnerability is in Identity Manager Connector, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager Connector. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35294 |
| Oracle Corporation–Identity Manager Connector | Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Generic Unix Connector). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager Connector. While the vulnerability is in Identity Manager Connector, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager Connector. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46792 |
| Oracle Corporation–Identity Manager Connector | Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Database User). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager Connector. While the vulnerability is in Identity Manager Connector, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager Connector. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46793 |
| Oracle Corporation–Identity Manager Connector | Vulnerability in the Identity Manager Connector product of Oracle Fusion Middleware (component: Generic Unix Connector). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via SSH to compromise Identity Manager Connector. While the vulnerability is in Identity Manager Connector, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager Connector. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46794 |
| Oracle Corporation–JD Edwards EnterpriseOne Accounts Payable | Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. While the vulnerability is in JD Edwards EnterpriseOne Accounts Payable, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Accounts Payable. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46908 |
| Oracle Corporation–JD Edwards EnterpriseOne Accounts Payable | Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Accounts Payable accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Accounts Payable accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 8.1 | CVE-2026-46891 |
| Oracle Corporation–JD Edwards EnterpriseOne General Ledger | Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46893 |
| Oracle Corporation–JD Edwards EnterpriseOne Human Resources Management | Vulnerability in the JD Edwards EnterpriseOne Human Resources Management product of Oracle JD Edwards (component: Human Resources). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Management accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 9.1 | CVE-2026-46892 |
| Oracle Corporation–JD Edwards EnterpriseOne Order Promising | Vulnerability in the JD Edwards EnterpriseOne Order Promising product of Oracle JD Edwards (component: Order Promising Integration). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Order Promising. While the vulnerability is in JD Edwards EnterpriseOne Order Promising, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Order Promising. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46907 |
| Oracle Corporation–JD Edwards EnterpriseOne Project Costing | Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.6 | CVE-2026-46911 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46878 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46879 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46880 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46881 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46882 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46883 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46904 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46905 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.6 | CVE-2026-46906 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46909 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). | 2026-06-16 | 9.1 | CVE-2026-46910 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). | 2026-06-16 | 9.3 | CVE-2026-46912 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Installation Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where JD Edwards EnterpriseOne Tools executes to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.3 | CVE-2026-46913 |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46903 |
| Oracle Corporation–MySQL NDB Cluster | Vulnerability in the MySQL NDB Cluster product of Oracle MySQL (component: Cluster: NDB Operator). Supported versions that are affected are 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL NDB Cluster. While the vulnerability is in MySQL NDB Cluster, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL NDB Cluster accessible data as well as unauthorized access to critical data or complete access to all MySQL NDB Cluster accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.6 | CVE-2026-46861 |
| Oracle Corporation–MySQL Router | Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MySQL Router. Successful attacks of this vulnerability can result in takeover of MySQL Router. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46860 |
| Oracle Corporation–MySQL Router | Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Router. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Router. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-06-16 | 7.5 | CVE-2026-46862 |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are MySQL Server: 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Cluster: 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server, MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server, MySQL Cluster. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-06-16 | 7.5 | CVE-2026-46863 |
| Oracle Corporation–MySQL Shell | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46850 |
| Oracle Corporation–MySQL Shell | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.5 | CVE-2026-46870 |
| Oracle Corporation–Oracle Access Manager | Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35313 |
| Oracle Corporation–Oracle Access Manager | Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). | 2026-06-16 | 7.3 | CVE-2026-35314 |
| Oracle Corporation–Oracle Advanced Outbound Telephony | Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Outbound Telephony accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 9.1 | CVE-2026-46949 |
| Oracle Corporation–Oracle Advanced Outbound Telephony | Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46947 |
| Oracle Corporation–Oracle Advanced Outbound Telephony | Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46950 |
| Oracle Corporation–Oracle Agile PLM | Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Security). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46859 |
| Oracle Corporation–Oracle Application Development Framework (ADF) | Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46769 |
| Oracle Corporation–Oracle Applications Manager | Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. While the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46933 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-35307 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-35308 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35304 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). | 2026-06-16 | 9.3 | CVE-2026-35305 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). | 2026-06-16 | 9.3 | CVE-2026-35306 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35309 |
| Oracle Corporation–Oracle Coherence | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35310 |
| Oracle Corporation–Oracle Complex Maintenance, Repair and Overhaul | Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Production). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. While the vulnerability is in Oracle Complex Maintenance, Repair and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.5 | CVE-2026-46915 |
| Oracle Corporation–Oracle Complex Maintenance, Repair and Overhaul | Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46934 |
| Oracle Corporation–Oracle Complex Maintenance, Repair and Overhaul | Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46935 |
| Oracle Corporation–Oracle Configure to Order | Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 8.1 | CVE-2026-46939 |
| Oracle Corporation–Oracle Cost Management | Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46929 |
| Oracle Corporation–Oracle Cost Management | Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46940 |
| Oracle Corporation–Oracle Cost Management | Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46938 |
| Oracle Corporation–Oracle Data Integrator | Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Data Integrator accessible data as well as unauthorized access to critical data or complete access to all Oracle Data Integrator accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Data Integrator. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). | 2026-06-16 | 8.3 | CVE-2026-35262 |
| Oracle Corporation–Oracle Enterprise Asset Management | Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46931 |
| Oracle Corporation–Oracle Enterprise Asset Management | Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L). | 2026-06-16 | 7.1 | CVE-2026-46932 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46895 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-46896 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). | 2026-06-16 | 9.9 | CVE-2026-46897 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.6 | CVE-2026-46899 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46900 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). | 2026-06-16 | 9.9 | CVE-2026-46901 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46902 |
| Oracle Corporation–Oracle Enterprise Command Center Framework | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). | 2026-06-16 | 8.1 | CVE-2026-46898 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Discovery Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46832 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46852 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.6 | CVE-2026-46853 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Target Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46854 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46855 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.6 | CVE-2026-46856 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46857 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Install). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H). | 2026-06-16 | 9 | CVE-2026-46872 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Deployment Library). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-46875 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via SSH to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46864 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Enterprise Manager Base Platform executes to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.2 | CVE-2026-46865 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). | 2026-06-16 | 8.2 | CVE-2026-46866 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46867 |
| Oracle Corporation–Oracle Enterprise Manager Base Platform | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46868 |
| Oracle Corporation–Oracle Financials for EMEA | Vulnerability in the Oracle Financials for EMEA product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Financials for EMEA. Successful attacks of this vulnerability can result in takeover of Oracle Financials for EMEA. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46969 |
| Oracle Corporation–Oracle HR Intelligence | Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46922 |
| Oracle Corporation–Oracle HR Intelligence | Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46970 |
| Oracle Corporation–Oracle HR Intelligence | Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46971 |
| Oracle Corporation–Oracle HRMS (UK) | Vulnerability in the Oracle HRMS (UK) product of Oracle E-Business Suite (component: UK Payroll). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HRMS (UK). Successful attacks of this vulnerability can result in takeover of Oracle HRMS (UK). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46953 |
| Oracle Corporation–Oracle Human Resources | Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46955 |
| Oracle Corporation–Oracle In-Memory Cost Management for Discrete Industries | Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.12-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle In-Memory Cost Management for Discrete Industries. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle In-Memory Cost Management for Discrete Industries accessible data as well as unauthorized access to critical data or complete access to all Oracle In-Memory Cost Management for Discrete Industries accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 9.1 | CVE-2026-46930 |
| Oracle Corporation–Oracle iSetup | Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in takeover of Oracle iSetup. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46937 |
| Oracle Corporation–Oracle iSupplier Portal | Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle iSupplier Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). | 2026-06-16 | 8 | CVE-2026-46894 |
| Oracle Corporation–Oracle iSupplier Portal | Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSupplier Portal. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46957 |
| Oracle Corporation–Oracle iSupport | Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-46944 |
| Oracle Corporation–Oracle iSupport | Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-46945 |
| Oracle Corporation–Oracle iSupport | Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-46946 |
| Oracle Corporation–Oracle Outsourced Mfg for Discrete Industries | Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46972 |
| Oracle Corporation–Oracle Outsourced Mfg for Discrete Industries | Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46973 |
| Oracle Corporation–Oracle Process Manufacturing Process Planning | Vulnerability in the Oracle Process Manufacturing Process Planning product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Process Planning. Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Process Planning. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46942 |
| Oracle Corporation–Oracle Process Manufacturing Product Development | Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. While the vulnerability is in Oracle Process Manufacturing Product Development, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Product Development. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46918 |
| Oracle Corporation–Oracle Process Manufacturing Product Development | Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Product Development. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46916 |
| Oracle Corporation–Oracle Project Portfolio Analysis | Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46961 |
| Oracle Corporation–Oracle Project Portfolio Analysis | Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46962 |
| Oracle Corporation–Oracle Project Portfolio Analysis | Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46960 |
| Oracle Corporation–Oracle Property Manager | Vulnerability in the Oracle Property Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Property Manager. Successful attacks of this vulnerability can result in takeover of Oracle Property Manager. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46956 |
| Oracle Corporation–Oracle Public Sector Financials (International) | Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Public Sector Financials (International). Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Financials (International). CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46967 |
| Oracle Corporation–Oracle Public Sector Payroll | Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Public Sector Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Payroll. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-46976 |
| Oracle Corporation–Oracle Quality | Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46951 |
| Oracle Corporation–Oracle Quality | Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46952 |
| Oracle Corporation–Oracle Receivables | Vulnerability in the Oracle Receivables product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SOAP to compromise Oracle Receivables. Successful attacks of this vulnerability can result in takeover of Oracle Receivables. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.1 | CVE-2026-46927 |
| Oracle Corporation–Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The supported version that is affected is 11.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 10 | CVE-2026-46978 |
| Oracle Corporation–Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). | 2026-06-16 | 7.1 | CVE-2026-46914 |
| Oracle Corporation–Oracle Spares Management | Vulnerability in the Oracle Spares Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Spares Management. Successful attacks of this vulnerability can result in takeover of Oracle Spares Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46928 |
| Oracle Corporation–Oracle Subledger Accounting | Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46958 |
| Oracle Corporation–Oracle Subledger Accounting | Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46959 |
| Oracle Corporation–Oracle Unified Directory | Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46773 |
| Oracle Corporation–Oracle Unified Directory | Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46774 |
| Oracle Corporation–Oracle Unified Directory | Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data as well as unauthorized read access to a subset of Oracle Unified Directory accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Unified Directory. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L). | 2026-06-16 | 8.6 | CVE-2026-46776 |
| Oracle Corporation–Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46963 |
| Oracle Corporation–Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46964 |
| Oracle Corporation–Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46965 |
| Oracle Corporation–Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46966 |
| Oracle Corporation–Oracle Virtual Directory | Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Virtual Directory. Successful attacks of this vulnerability can result in takeover of Oracle Virtual Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35312 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Shared Folders). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 7.5 | CVE-2026-35275 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46873 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-46974 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-35270 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35286 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35316 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35319 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9 | CVE-2026-35320 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35321 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35323 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46766 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 9.1 | CVE-2026-46777 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.3 | CVE-2026-46785 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.6 | CVE-2026-46786 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.6 | CVE-2026-46789 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.3 | CVE-2026-46795 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 9.3 | CVE-2026-46805 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46813 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35315 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35317 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35322 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35324 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35325 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 8.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 8 | CVE-2026-46787 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.4 | CVE-2026-46788 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 8.7 | CVE-2026-46804 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). | 2026-06-16 | 8.2 | CVE-2026-46806 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 8.7 | CVE-2026-46808 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.2 | CVE-2026-35326 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). | 2026-06-16 | 7.6 | CVE-2026-35327 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | 2026-06-16 | 7.5 | CVE-2026-46791 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-46778 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-46781 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35280 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35281 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35282 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35283 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35284 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35285 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3 to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46779 |
| Oracle Corporation–Oracle WebCenter Enterprise Capture | Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46782 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-46803 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-46846 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46765 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46767 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46802 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46814 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46838 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46844 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46845 |
| Oracle Corporation–Oracle WebCenter Portal | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Runtime Tools). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-46847 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-46798 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-46800 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35293 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35296 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46797 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46799 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46801 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 9.1 | CVE-2026-46809 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35318 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). | 2026-06-16 | 8 | CVE-2026-46796 |
| Oracle Corporation–Oracle WebCenter Sites | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.5 | CVE-2026-35295 |
| Oracle Corporation–PeopleSoft Enterprise CS Campus Community | Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2.38. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise CS Campus Community. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.1 | CVE-2026-46851 |
| Oracle Corporation–PeopleSoft Enterprise CS Student Financials | Vulnerability in the PeopleSoft Enterprise CS Student Financials product of Oracle PeopleSoft (component: Other). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Student Financials accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Financials accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 8.1 | CVE-2026-46849 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35278 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Weblogic). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PT PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PT PeopleTools accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). | 2026-06-16 | 8.7 | CVE-2026-35271 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where PeopleSoft Enterprise PT PeopleTools executes to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.4 | CVE-2026-35272 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PT PeopleTools accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise PT PeopleTools accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). | 2026-06-16 | 8.2 | CVE-2026-35274 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.1 | CVE-2026-35276 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.1 | CVE-2026-35279 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where PeopleSoft Enterprise PT PeopleTools executes to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.2 | CVE-2026-35288 |
| Oracle Corporation–PeopleSoft Enterprise PT PeopleTools | Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.1 | CVE-2026-35289 |
| Oracle Corporation–Siebel Apps – Marketing | Vulnerability in the Siebel Apps – Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps – Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46884 |
| Oracle Corporation–Siebel Apps – Marketing | Vulnerability in the Siebel Apps – Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps – Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46887 |
| Oracle Corporation–Siebel Apps – Marketing | Vulnerability in the Siebel Apps – Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps – Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46889 |
| Oracle Corporation–Siebel Apps – Marketing | Vulnerability in the Siebel Apps – Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps – Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46890 |
| Oracle Corporation–Siebel Apps – Marketing | Vulnerability in the Siebel Apps – Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel Apps – Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Marketing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46886 |
| Oracle Corporation–Siebel CRM Cloud Applications | Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46919 |
| Oracle Corporation–Siebel CRM Cloud Applications | Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.1 | CVE-2026-46920 |
| Oracle Corporation–Siebel CRM Cloud Applications | Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46921 |
| Oracle Corporation–Siebel CRM Cloud Applications | Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Siebel CRM Cloud Applications executes to compromise Siebel CRM Cloud Applications. While the vulnerability is in Siebel CRM Cloud Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.3 | CVE-2026-46925 |
| Oracle Corporation–Siebel CRM Cloud Applications | Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Cloud Applications executes to compromise Siebel CRM Cloud Applications. While the vulnerability is in Siebel CRM Cloud Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46926 |
| Oracle Corporation–Siebel CRM Deployment | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 7.8 | CVE-2026-46888 |
| Oracle Corporation–Siebel CRM Integration | Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46885 |
| Oracle Corporation–WebCenter Content: Imaging | Vulnerability in the WebCenter Content: Imaging product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebCenter Content: Imaging. Successful attacks of this vulnerability can result in takeover of WebCenter Content: Imaging. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-46783 |
| Oracle Corporation–WebCenter Content: Imaging | Vulnerability in the WebCenter Content: Imaging product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebCenter Content: Imaging. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebCenter Content: Imaging accessible data as well as unauthorized access to critical data or complete access to all WebCenter Content: Imaging accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 9.1 | CVE-2026-46784 |
| Oracle Corporation–WebCenter Content: Imaging | Vulnerability in the WebCenter Content: Imaging product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebCenter Content: Imaging. Successful attacks of this vulnerability can result in takeover of WebCenter Content: Imaging. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-46780 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-35292 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 10 | CVE-2026-35301 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.9 | CVE-2026-35263 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-06-16 | 9.1 | CVE-2026-35298 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 9.8 | CVE-2026-35300 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all WebLogic Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 8.7 | CVE-2026-35258 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35259 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35299 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | 2026-06-16 | 8.3 | CVE-2026-35302 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35303 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 8.8 | CVE-2026-35311 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where WebLogic Server executes to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all WebLogic Server accessible data. CVSS 3.1 Base Score 7.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). | 2026-06-16 | 7.9 | CVE-2026-46848 |
| Ovatheme–BookPro | Unauthenticated Arbitrary File Deletion in BookPro <= 1.1.0 versions. | 2026-06-17 | 8.6 | CVE-2026-27400 |
| Paolo–GeoDirectory | Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions. | 2026-06-15 | 9.3 | CVE-2026-39512 |
| park_of_ideas–Moderno | Unauthenticated PHP Object Injection in Moderno < 1.43 versions. | 2026-06-17 | 9.8 | CVE-2026-49108 |
| Passionate Programmer Peter–WP Data Access | Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions. | 2026-06-15 | 9.3 | CVE-2026-42665 |
| Paul–iControlWP | Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions. | 2026-06-15 | 9.8 | CVE-2026-34901 |
| PerryTS–perry | Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation. | 2026-06-16 | 9.1 | CVE-2026-53776 |
| Personifyinc–Chromacam | Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C: or subdirectories like C:Program Files (x86)Personify can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot. | 2026-06-19 | 7.8 | CVE-2023-54353 |
| pgadmin.org–pgAdmin 4 | Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user’s database role. The AI Assistant’s execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect. Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user’s role the attacker can perform unauthorised data modification. When the pgAdmin user’s role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY … TO PROGRAM. Fix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL’s READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects. This issue affects pgAdmin 4: from 9.13 before 9.16. | 2026-06-18 | 9 | CVE-2026-12045 |
| pgadmin.org–pgAdmin 4 | Two state-mutating endpoints in pgAdmin 4’s SQL Editor blueprint — DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> — were the only routes in the module missing the @pga_login_required decorator. Both reach a pickle.loads sink on session[‘gridData’][<trans_id>][‘command_obj’]: the close endpoint via close_sqleditor_session(), and update_sqleditor_connection via check_transaction_status(). In server mode these endpoints were reachable without any authenticated pgAdmin session. The defect is a missing-authentication-on-critical-function (CWE-306) wrapper around a deserialization-of-untrusted-data sink (CWE-502). Exploiting it for remote code execution requires the attacker to also forge a server-side session file whose gridData entry contains a malicious pickle payload, which in turn requires both (a) knowledge of pgAdmin’s Flask SECRET_KEY (no chain to leak it is described here — the attacker must already possess it) and (b) write access to pgAdmin’s sessions/ directory on the host. Neither precondition is granted by this defect on its own. When those preconditions are met from another channel (misconfigured deployment, prior compromise, leaked configuration), the missing auth gate is the final hop that turns an existing partial compromise into unauthenticated code execution in the pgAdmin process — and, by extension, on the host under whatever account runs pgAdmin. Fix is a one-line @pga_login_required decorator on each of the two endpoints, matching the convention used by every other route in the module. The is_authenticated / MFA chain now runs before the trans_id is dereferenced, so an unauthenticated request is rejected before reaching the deserialization path. The defect is server-mode only. In DESKTOP mode pgAdmin’s before_request hook re-authenticates DESKTOP_USER on every request, so no endpoint can be exercised in an unauthenticated state and no auth decorator (or its absence) is meaningful. The accompanying regression test mirrors the attacker’s path — harvests an X-pgA-CSRFToken from GET /login and replays it against both endpoints — and self-skips outside server mode for that reason; it is wired into the existing server-mode CI workflow alongside the data-isolation tests. This issue affects pgAdmin 4: from 6.9 before 9.16. | 2026-06-18 | 9 | CVE-2026-12046 |
| pgadmin.org–pgAdmin 4 | Stored cross-site scripting in pgAdmin 4’s error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed verbatim through html-react-parser at every user-facing sink – the notifier toasts, FormFooterMessage / FormInput help and error areas, FormNote, ModalProvider AlertContent and confirmDelete, ToolErrorView, the Explain visualiser’s NodeText panel, the SQL editor confirm dialogs, ConfirmSaveContent, PreferencesHelper modal alerts, and SelectThemes helper text. A PostgreSQL server an attacker controls – or any server returning attacker-influenced text such as a table or column name a low-privilege database user can create – could inject arbitrary HTML (including <iframe>) into the pgAdmin DOM the moment the victim’s pgAdmin connected to that server or viewed an Explain plan that referenced the crafted object. The injected iframe’s srcdoc could fetch attacker-served JavaScript and, by writing to parent.location, redirect the victim’s top-level pgAdmin browser tab to an attacker-controlled URL. Because the injection originates from inside pgAdmin’s own interface, standard anti-clickjacking controls (X-Frame-Options, Content-Security-Policy: frame-ancestors) do not mitigate it. A phishing page rendered inside the legitimate pgAdmin window is indistinguishable from a genuine pgAdmin dialog. Fix combines three complementary layers. (1) DOMPurify sanitisation is wrapped around every html-react-parser call site reachable from notifier, alert, form-error, Explain, and SQL-editor flows. (2) A new plain-text rendering contract – SafeMessage / SafeHtmlMessage components plus Notifier.errorText / alertText / warningText / infoText / successText helpers – is introduced; around fifty callers across browser, tools, dashboard, debugger, misc, llm, preferences, schema diff, and the SQL editor that previously interpolated backend-derived strings are migrated to the plain-text variants. (3) Backend HTML-escape is applied at the post-connection-SQL handler (execute_post_connection_sql) via a new sanitize_external_text helper, so third-party JSON consumers (audit logs, API clients) never receive raw markup either; the Explain plan-info renderer is also patched to _.escape Recheck Cond and Exact Heap Blocks at construction (matching every sibling field), giving defence in depth even before DOMPurify runs. This issue affects pgAdmin 4: from 6.0 before 9.16. | 2026-06-18 | 9.3 | CVE-2026-12048 |
| pgadmin.org–pgAdmin 4 | SQL injection in pgAdmin 4 across every dialog template that renders “COMMENT ON … IS ‘<description>’“ for a user-supplied description field. The Jinja templates for Domains (and their constraints), Foreign Tables, Languages, and Event Triggers, plus the Views OID-lookup query, interpolated the description directly inside a single-quoted SQL literal — “'{{ data.description }}’“ — instead of passing it through the “qtLiteral“ escape filter. An authenticated pgAdmin user with permission to create or alter the affected object types could submit a description containing an apostrophe, break out of the literal and chain arbitrary SQL. The injected SQL runs under the PostgreSQL role the user is already authenticated as; for a connected role with “COPY … TO/FROM PROGRAM“ (typically PostgreSQL superuser), this chains to OS command execution on the PostgreSQL host. The defect does not cross a privilege boundary — the user already has direct SQL access to that role through pgAdmin’s Query Tool — so the attacker gains no capability beyond what their database role already grants. The marginal impact captures bypass of any application-layer Query Tool gating an operator may have configured. The defect was originally reported against the Domain Dialog “description“ field; a code-wide audit identified sixteen sites of the same pattern across the templates listed above. The same review also surfaced ten related sinks in the pgstattuple/pgstatindex stats templates — “pgstattuple(‘{{schema}}.{{table}}’)“ and the matching pgstatindex shape — where “qtIdent“ escapes embedded double quotes inside the identifier but not apostrophes, so a user with CREATE privilege on a schema could plant a table or index named “foo’bar“ and a later stats viewer would render an unbalanced literal. Fix is layered: 1. Sites: replace every “'{{ x.description }}’“ with “{{ x.description|qtLiteral(conn) }}“ (no surrounding quotes — the filter wraps the value in escaped quotes itself). Plumb “conn=self.conn“ through every “render_template“ call that loads one of these templates. Also corrects a “{ % elif“ Jinja typo in the foreign-table schema diff (dead branch). Rewrite the ten pgstattuple/pgstatindex stats sites to address the relation via OID + “::oid::regclass“ cast (e.g. “pgstattuple({{ tid }}::oid::regclass)“), eliminating the embedded literal-call form entirely so that bug-class can no longer recur there. 2. Driver hardening: “qtLiteral“ (in “utils/driver/psycopg3/__init__.py“) used to silently return the raw unescaped value when its “conn“ argument was falsy. It now raises “ValueError“ — surfacing the entire bug class going forward. The change immediately uncovered eight latent plumbing bugs (in “schemas/__init__.py“, “schemas/functions/__init__.py“, “schemas/tables/utils.py“, “foreign_servers/__init__.py“, and seven sites in “roles/__init__.py“) — all fixed as part of this patch. The inner “except“ block that swallowed adapter-level failures and returned the raw value is also removed, so unadaptable inputs raise instead of leaking unescaped values. 3. Regression tests: a per-template behavioural test renders each previously-vulnerable template with an apostrophe-injection payload and asserts the escaped fragment is present and the vulnerable fragment absent; a lint test walks every “*.sql“ template flagging any “'{{ … }}’“ single-quote-wrapped interpolation against an explicit allowlist; unit tests cover the new qtLiteral fail-fast and inner-except raise paths. This issue affects pgAdmin 4: from 1.0 before 9.16. | 2026-06-18 | 8.8 | CVE-2026-12044 |
| php-standard-library–php-standard-library | PHP Standard Library (PSL) is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the PslH2ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 §8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level size limits and send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using PslH2ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1. | 2026-06-17 | 7.5 | CVE-2026-48979 |
| phpMyFAQ–phpMyFAQ | phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access. | 2026-06-21 | 8.8 | CVE-2026-56396 |
| PickleScan–PickleScan | PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan. | 2026-06-17 | 8.8 | CVE-2025-71322 |
| picklescan–picklescan | picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution. | 2026-06-17 | 10 | CVE-2026-3490 |
| picklescan–picklescan | picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized. | 2026-06-17 | 9.8 | CVE-2025-71320 |
| picklescan–picklescan | picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code execution. | 2026-06-17 | 9.8 | CVE-2025-71321 |
| picklescan–picklescan | picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection. | 2026-06-17 | 9.8 | CVE-2025-71323 |
| picklescan–picklescan | picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning. | 2026-06-17 | 9.8 | CVE-2025-71325 |
| picklescan–picklescan | picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues. | 2026-06-17 | 9.8 | CVE-2026-53873 |
| picklescan–picklescan | picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources. | 2026-06-17 | 9.8 | CVE-2026-53874 |
| picklescan–picklescan | picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply chain attacks. | 2026-06-21 | 8.1 | CVE-2025-71348 |
| picklescan–picklescan | picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims. | 2026-06-21 | 8.1 | CVE-2025-71357 |
| picklescan–picklescan | picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load(). | 2026-06-21 | 8.1 | CVE-2025-71378 |
| picklescan–picklescan | picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers. | 2026-06-17 | 7.5 | CVE-2026-53872 |
| Pimcore GmbH–Pimcore CMS/DXP | Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition LayoutText component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions. | 2026-06-17 | 7.2 | CVE-2026-11407 |
| Pods Framework–Pods | Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions. | 2026-06-16 | 7.1 | CVE-2026-54191 |
| pontedilana–php-weasyprint | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg(‘/usr/local/bin/weasyprint’)` returns `’/usr/local/bin/weasyprint’` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the “safe” branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `SymfonyComponentProcessProcess::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue. | 2026-06-19 | 8.2 | CVE-2026-49260 |
| pontedilana–php-weasyprint | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports – PHP 7.4+), this triggers deserialization of a crafted PHAR archive’s metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue. | 2026-06-19 | 8.1 | CVE-2026-49286 |
| Powerpackelements–PowerPack Pro for Elementor | Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions. | 2026-06-17 | 8.8 | CVE-2026-42629 |
| PraisonAI–PraisonAI | PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approval_mode to auto, overriding administrator configuration from PRAISON_APPROVAL_MODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary shell commands via subprocess.run with shell=True, bypassing the manual approval gate and insufficient command sanitization blocklists. | 2026-06-18 | 8.8 | CVE-2026-56075 |
| PraisonAI–PraisonAI | PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette’s Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data. | 2026-06-18 | 8.1 | CVE-2026-56076 |
| PraisonAI–PraisonAI | PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent IDs when building file paths. Attackers can include traversal sequences like ../ in agent IDs to read, write, or overwrite arbitrary files, enabling sensitive disclosure, denial of service, or code execution. | 2026-06-18 | 8.8 | CVE-2026-56078 |
| PremiumPress Limited.–WordPress Dating Theme | Unauthenticated Cross Site Request Forgery (CSRF) in WordPress Dating Theme <= 11.2.0 versions. | 2026-06-17 | 8.8 | CVE-2026-22342 |
| PremiumPress Limited.–WordPress Dating Theme | Unauthenticated Broken Access Control in WordPress Dating Theme <= 11.2.0 versions. | 2026-06-17 | 8.6 | CVE-2026-22343 |
| premmerce–Premmerce Dev Tools | The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the ‘generatePluginHandler’ function lacking any authorization check before processing user-supplied POST data, combined with the ‘createFromStub’ function performing unsanitized string substitution of the ‘premmerce_plugin_namespace’ parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution. | 2026-06-16 | 8.8 | CVE-2026-6933 |
| PressLayouts–Alukas | Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions. | 2026-06-17 | 8.1 | CVE-2026-39445 |
| PressLayouts–EmallShop | Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions. | 2026-06-16 | 8.1 | CVE-2026-39443 |
| PressLayouts–Kapee | Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions. | 2026-06-16 | 8.1 | CVE-2026-39446 |
| PressLayouts–Kapee | Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions. | 2026-06-17 | 7.1 | CVE-2026-41557 |
| PressLayouts–PressMart | Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions. | 2026-06-17 | 8.1 | CVE-2026-39442 |
| Prince–Integrate Google Drive | Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.3.8. | 2026-06-17 | 8.3 | CVE-2024-32949 |
| Projectopia–Projectopia | Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions. | 2026-06-15 | 7.5 | CVE-2025-59133 |
| Pulseextensions–Flip Wall | Joomla! Component Flip Wall 8.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wallid parameter. Attackers can send GET requests to index.php with the option=com_flipwall&task=click&wallid parameter containing SQL injection payloads to extract sensitive database information. | 2026-06-19 | 7.1 | CVE-2017-20265 |
| Pulseextensions–Sponsor Wall | Joomla! Component Sponsor Wall 8.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wallid parameter. Attackers can send GET requests to index.php with the option=com_sponsorwall&task=click&wallid parameter containing SQL injection payloads to extract sensitive database information including credentials and configuration data. | 2026-06-19 | 7.1 | CVE-2017-20264 |
| Qihoo–360 Total Security | A security flaw has been discovered in Qihoo 360 Total Security 6.0. This vulnerability affects the function RpcStringBindingComposeW of the component Nucleus Engine Monitoring Logic. Performing a manipulation of the argument NetworkAddr results in protection mechanism failure. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 7.8 | CVE-2026-12214 |
| QuantumCloud–ChatBot | Subscriber Broken Access Control in ChatBot <= 7.9.7 versions. | 2026-06-15 | 7.1 | CVE-2026-40788 |
| QuantumCloud–Conversational Forms for ChatBot | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal. This issue affects Conversational Forms for ChatBot: from n/a through 1.1.8. | 2026-06-17 | 7.5 | CVE-2024-32729 |
| QuantumCloud–WPBot Pro WordPress Chatbot | Subscriber Arbitrary File Deletion in WPBot Pro WordPress Chatbot <= 13.6.5 versions. | 2026-06-17 | 7.7 | CVE-2025-60223 |
| quarkusio–quarkus | Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch. | 2026-06-19 | 7.5 | CVE-2026-50559 |
| Radiflow–iSAP Smart Collector | The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system. | 2026-06-16 | 9.1 | CVE-2026-22313 |
| Radiflow–iSAP Smart Collector | The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot). | 2026-06-16 | 8.6 | CVE-2026-22312 |
| rainafarai–Notification for Telegram | Unauthenticated Cross Site Scripting (XSS) in Notification for Telegram <= 3.5 versions. | 2026-06-15 | 7.1 | CVE-2026-40732 |
| Raindropsinfotech–Twitch Tv | Joomla! Component Twitch Tv 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username and id parameters. Attackers can send GET requests to index.php with option=com_twitchtv and view parameters containing SQL injection payloads to extract sensitive database information including credentials and configuration data. | 2026-06-19 | 8.2 | CVE-2017-20270 |
| Real–RealTimes Desktop Service | RealTimes Desktop Service 18.1.4 contains an unquoted service path vulnerability in the rpdsvc.exe binary that allows local attackers to escalate privileges. Attackers can place malicious executables in unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup or system reboot. | 2026-06-19 | 7.8 | CVE-2020-37251 |
| Really Simple Plugins–Really Simple SSL | Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions. | 2026-06-15 | 8.1 | CVE-2026-48970 |
| RealMag777–InPost Gallery | Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions. | 2026-06-16 | 9.3 | CVE-2026-39574 |
| Realtek–Realtek Audio Service | Realtek Audio Service 1.0.0.55 contains an unquoted service path vulnerability in RtkAudioService64.exe that allows local attackers to escalate privileges by injecting malicious code. Attackers can place executable files in the unquoted service path directory to execute arbitrary code with LocalSystem privileges during service startup or system reboot. | 2026-06-19 | 7.8 | CVE-2020-37252 |
| Realtek–Realtek High Definition Audio Driver | Realtek High Definition Audio Driver 6.0.1.6730 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by placing a malicious executable in the service path. Attackers can insert an executable file in the unquoted path and restart the service to execute code with LocalSystem privileges. | 2026-06-19 | 7.8 | CVE-2016-20085 |
| Realtyna–Realtyna Organic IDX plugin | Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. | 2026-06-15 | 9.3 | CVE-2026-45439 |
| Red Hat–Red Hat Ansible Automation Platform 2 | A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration. | 2026-06-16 | 7.5 | CVE-2026-12398 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing. | 2026-06-16 | 8.6 | CVE-2026-10649 |
| Red Hat–Red Hat Enterprise Linux 10 | A heap buffer overflow vulnerability was found in GStreamer’s librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash. | 2026-06-15 | 8.8 | CVE-2026-52720 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted request_key payload to trick the root-owned helper into entering a custom environment (namespace) containing a malicious NSS module. This forces the system to load the attacker’s controlled NSS Module and configuration, allowing them to execute arbitrary commands as the root user, elevating their privileges and fully compromising the system. | 2026-06-18 | 7.8 | CVE-2026-12505 |
| Red Hat–Red Hat Enterprise Linux 10 | An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer’s gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure. | 2026-06-15 | 7.1 | CVE-2026-52719 |
| Red Hat–Red Hat Enterprise Linux 10 | A signed integer overflow vulnerability was found in GStreamer’s VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure. | 2026-06-15 | 7.1 | CVE-2026-52722 |
| Red Hat–Red Hat Enterprise Linux 10 | A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure. | 2026-06-15 | 7.1 | CVE-2026-53703 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in GStreamer’s RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents. | 2026-06-15 | 7.1 | CVE-2026-53704 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in GStreamer’s WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file. | 2026-06-15 | 7.6 | CVE-2026-53705 |
| Red Hat–Red Hat Enterprise Linux 10 | A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder’s Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution. | 2026-06-19 | 7.6 | CVE-2026-56208 |
| Red Hat–Red Hat Enterprise Linux 10 | An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution. | 2026-06-19 | 7.1 | CVE-2026-56209 |
| Red Hat–Red Hat Enterprise Linux 10 | A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory). | 2026-06-19 | 7.1 | CVE-2026-56210 |
| Red Hat–Red Hat Enterprise Linux 10 | A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder’s SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames. | 2026-06-19 | 7.1 | CVE-2026-56211 |
| Redhat–QEMU | A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the `virtio_snd_pcm_in_cb` function did not check whether the iov could fit the data buffer, potentially leading to a heap out-of-bounds write. This issue exists due to an incomplete fix for CVE-2024-7730. | 2026-06-19 | 7.4 | CVE-2026-3195 |
| RelyWP–Coupon Affiliates | Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions. | 2026-06-15 | 7.1 | CVE-2026-40770 |
| RelyWP–Coupon Affiliates | Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions. | 2026-06-15 | 7.5 | CVE-2026-49068 |
| ReviewX–ReviewX | Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions. | 2026-06-15 | 7.5 | CVE-2026-40781 |
| Ritlabs–TinyWeb Server | A security vulnerability has been detected in Ritlabs TinyWeb Server up to 1.94 on Win32. This impacts an unknown function in the library libeay32.dll.html of the component Header Handler. The manipulation of the argument Authorization leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 7.3 | CVE-2026-12200 |
| Royal Elementor Addons–Royal Elementor Addons Pro | Unauthenticated Cross Site Scripting (XSS) in Royal Elementor Addons Pro < 1.7.1041 versions. | 2026-06-17 | 7.1 | CVE-2026-40720 |
| Royal Plugins–Royal MCP | Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. | 2026-06-15 | 7.3 | CVE-2026-40775 |
| Ruben Garcia–AutomatorWP | Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions. | 2026-06-15 | 7.1 | CVE-2026-40785 |
| Ruben Garcia–AutomatorWP | Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions. | 2026-06-15 | 7.2 | CVE-2026-42650 |
| Ruben Garcia–AutomatorWP | Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions. | 2026-06-15 | 7.1 | CVE-2026-42775 |
| Ruben Garcia–GamiPress | Subscriber SQL Injection in GamiPress <= 7.8.7 versions. | 2026-06-15 | 8.5 | CVE-2026-48874 |
| rxi–microtar | A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112. | 2026-06-17 | 8.8 | CVE-2026-55738 |
| rxi–microtar | An integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery. | 2026-06-17 | 7.5 | CVE-2026-54417 |
| SaasProject–Booking Package | Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions. | 2026-06-15 | 7.5 | CVE-2026-40774 |
| Satinder Singh–Contact Form Extender for Divi Save Entries, File Upload & Country Code Field | Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field <= 1.0.6 versions. | 2026-06-15 | 8.6 | CVE-2026-40769 |
| sbouey–Falang multilanguage | Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions. | 2026-06-17 | 8.8 | CVE-2026-54805 |
| Schiocco–Support Board | Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions. | 2026-06-16 | 9.8 | CVE-2026-27395 |
| Select-Themes–Getaway | Unauthenticated Local File Inclusion in Getaway < 1.8 versions. | 2026-06-16 | 8.1 | CVE-2026-39547 |
| Select-Themes–Hiroshi | Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions. | 2026-06-17 | 8.1 | CVE-2026-39560 |
| Select-Themes–Manufaktur Solutions | Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions. | 2026-06-17 | 8.1 | CVE-2026-40752 |
| Select-Themes–Micdrop | Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions. | 2026-06-16 | 8.1 | CVE-2026-39580 |
| Select-Themes–Mildhill | Unauthenticated PHP Object Injection in Mildhill <= 1.5 versions. | 2026-06-17 | 8.1 | CVE-2026-39573 |
| Select-Themes–Sant | Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions. | 2026-06-16 | 8.1 | CVE-2026-39567 |
| Select-Themes–Zermatt | Unauthenticated PHP Object Injection in Zermatt <= 1.6.1 versions. | 2026-06-17 | 8.1 | CVE-2026-39545 |
| sentriz–gonic | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with `0o777` permissions. The bug is independent of CVE-2026-49338 and CVE-2026-49339. It is an unreachable guard clause combined with no path containment in `Store.Write`. Version 0.21.0 patches the issue. | 2026-06-19 | 8.1 | CVE-2026-49340 |
| sentriz–gonic | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including admin) by passing its `id` and read the full contents (name, comment, song list) of any other user’s **private** (non-public) playlist by passing its `id`. The Subsonic playlist `id` is `base64url(“<userID>/<filename>.m3u”)`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator’s curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0. | 2026-06-19 | 7.1 | CVE-2026-49338 |
| sentriz–gonic | gonic is a music streaming server / free-software subsonic server API implementation. The maintainer’s fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment of the attacker-controlled playlist ID, with no path containment on the resolved file path. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user’s playlist, delete any other user’s playlist, and probe arbitrary file paths on the host for existence/readability. This is a bypass of the boundary the `6dd71e6` fix is trying to enforce; it is closely related to the original GONIC-1 IDOR but uses a different primitive (path traversal in the `id` parameter rather than direct cross-user access). Commit 0824bed88f6bbc490ba28bf09d28e5dfeb07b445 in version 0.21.0 fixes the issue. | 2026-06-19 | 7.1 | CVE-2026-49339 |
| SEO Squirrly–SEO Plugin by Squirrly SEO | Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions. | 2026-06-16 | 7.5 | CVE-2026-52714 |
| ServerCo–getssl | In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, “External control of file name or path.” Other ACME shell script handlers may be affected by similar issues. | 2026-06-16 | 7.4 | CVE-2026-10303 |
| SeventhQueen–SweetDate Core | Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions. | 2026-06-17 | 7.1 | CVE-2025-69140 |
| Shipster–Baggage Freight Shipping Australia | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution. | 2026-06-15 | 9.8 | CVE-2018-25436 |
| ShopXO–ShopXO | A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 7.3 | CVE-2026-12204 |
| ShortPixel–ShortPixel Image Optimizer | Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions. | 2026-06-15 | 7.2 | CVE-2026-39471 |
| Significant-Gravitas–AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT’s signup page. The application improperly trusts a URL parameter (`next`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 0.6.62 patches the issue. | 2026-06-18 | 8.8 | CVE-2026-55237 |
| Simbunch–SIMGenealogy | Joomla! Component SIMGenealogy 2.1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the type parameter. Attackers can send GET requests to index.php with the option=com_simgenealogy, view=latest parameters and inject malicious SQL in the type parameter to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20276 |
| SiYuan–SiYuan | SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron’s nodeIntegration setting to execute OS commands. | 2026-06-21 | 9.6 | CVE-2026-56395 |
| SiYuan–SiYuan | SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron’s nodeIntegration setting to execute OS commands. | 2026-06-21 | 9.6 | CVE-2026-56397 |
| SlicedInvoices–Sliced Invoices | WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the ‘post’ parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious ‘post’ values to extract sensitive database information or modify data. | 2026-06-15 | 7.1 | CVE-2019-25746 |
| Sneeit–MagOne | Unauthenticated Cross Site Scripting (XSS) in MagOne <= 9.0 versions. | 2026-06-16 | 7.1 | CVE-2026-39548 |
| Soft-Php–jCart for OpenCart | Joomla! Component jCart for OpenCart 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the product_id parameter. Attackers can send GET requests to index.php with the option=com_jcart&route=product/product parameters and malicious product_id values to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20282 |
| SONAAR MUSIC–Sonaar | Subscriber Privilege Escalation in Sonaar <= 4.27.4 versions. | 2026-06-17 | 8.8 | CVE-2025-59563 |
| SONAAR MUSIC–Sonaar | Unauthenticated Cross Site Scripting (XSS) in Sonaar <= 4.27.4 versions. | 2026-06-17 | 7.1 | CVE-2025-59560 |
| SourceCodester–CET Automated Grading System with AI Predictive Analytics | A security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. Affected is an unknown function of the file /index.php of the component Student Self-Registration Endpoint. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. | 2026-06-17 | 7.3 | CVE-2026-12529 |
| SpeakOut!–SpeakOut! Email Petitions | Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions. | 2026-06-15 | 9.3 | CVE-2026-39530 |
| Splunk–Splunk AI Toolkit | In Splunk AI Toolkit versions below 5.7.4, a user who holds the “admin” Splunk role could execute arbitrary OS commands on the host running the Splunk Enterprise instance. The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation. | 2026-06-17 | 9.1 | CVE-2026-20266 |
| Spring–Spring AI | In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8). | 2026-06-15 | 8.6 | CVE-2026-47835 |
| Spring–Spring Cloud Gateway | Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2). | 2026-06-15 | 8.6 | CVE-2026-47825 |
| Spring–Spring Cloud Sleuth | In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13. | 2026-06-15 | 7.5 | CVE-2026-41708 |
| startreedata–mcp-pinot | mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0 | 2026-06-18 | 10 | CVE-2026-49257 |
| statamic–cms | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag’s sort parameter. It is not exploitable by default – a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0. | 2026-06-19 | 7.4 | CVE-2026-49287 |
| SteeltoeOSS–Steeltoe.Discovery.Eureka | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `”MyOwn”` or `”Amazon”`, despite the Java Eureka specification defining a third valid value: `”Netflix”`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients. | 2026-06-17 | 7.5 | CVE-2026-50196 |
| SteeltoeOSS–Steeltoe.Management.Endpoint | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port. | 2026-06-17 | 8.2 | CVE-2026-50194 |
| SteeltoeOSS–Steeltoe.Management.Endpoint | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors’ `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints. | 2026-06-17 | 7.5 | CVE-2026-50200 |
| Stiofan–Events Calendar for GeoDirectory | Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions. | 2026-06-15 | 8.8 | CVE-2026-39532 |
| Stiofan–GetPaid | Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49. | 2026-06-15 | 7.5 | CVE-2026-49064 |
| strukturag–libde265 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue. | 2026-06-19 | 7.1 | CVE-2026-49295 |
| strukturag–libde265 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue. | 2026-06-19 | 7.1 | CVE-2026-49346 |
| Studio Keren Aga LTD.–Unlimited Elements for Elementor (Premium) | Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions. | 2026-06-17 | 9.9 | CVE-2026-27041 |
| StylemixThemes–MasterStudy LMS | Subscriber SQL Injection in MasterStudy LMS <= 3.7.25 versions. | 2026-06-15 | 8.5 | CVE-2026-40766 |
| StylemixThemes–Motors | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in StylemixThemes Motors allows Blind SQL Injection. This issue affects Motors: from n/a through 1.4.109. | 2026-06-17 | 9.3 | CVE-2026-54812 |
| StylemixThemes–Motors | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109. | 2026-06-17 | 8.1 | CVE-2026-54814 |
| sunnyadn–js-toml | js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue. | 2026-06-19 | 7.5 | CVE-2026-49293 |
| SUSE–Harvester | An attacker with network-level access between the SUSE Virtualization and Rancher Manager in SUSE Harvester before 1.8.0 could interfere with the TLS handshake and abuse it to bypass TLS as a security control. | 2026-06-16 | 8.6 | CVE-2025-71261 |
| SUSE–wicked | Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine. | 2026-06-16 | 8.8 | CVE-2026-44932 |
| Syed Balkhi–PushEngage Web Push Notifications, eCommerce Automation & Chat Widget | Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions. | 2026-06-17 | 7.4 | CVE-2026-52698 |
| Sync-in–server | Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue. | 2026-06-16 | 7.7 | CVE-2026-47684 |
| sysown–proxysql | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>rn` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session’s `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = ‘*’` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue. | 2026-06-19 | 10 | CVE-2026-48772 |
| sysown–proxysql | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue. | 2026-06-19 | 9.8 | CVE-2026-48773 |
| sysown–proxysql | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL’s GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with `CLIENT_MULTI_STATEMENTS`. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as `SELECT 1; RENAME TABLE …`. The validator accepts the payload because it starts with `SELECT` and because side-effecting MySQL statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, and `KILL` are not rejected by the blacklist. In a live MCP runtime test, the `/mcp/query` endpoint accepted a `run_sql_readonly` request. The MCP response reported success for the first `SELECT`, and direct backend verification showed that the table had actually been renamed. This violates the endpoint’s read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account’s database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty `mcp-query_endpoint_auth` token before exposing `/mcp/query`; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns. | 2026-06-19 | 7.5 | CVE-2026-48774 |
| szTheory–relyra | Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. The XMLDSig trust boundary was incomplete as :public_key.verify over the exclusive-C14N canonicalized SignedInfo was not performed against the configured IdP certificate’s public key, DigestValue was not recomputed over the canonicalized referenced element, and canonicalize/2 remained an unused passthrough in the signature-verification path. The result was a structure-only acceptance path where document shape and trust-source rejection could succeed without proving the signature bytes. A forged SignatureValue carrying an attacker-controlled NameID could be accepted as {:ok}. This issue has been fixed in version 1.2.0. | 2026-06-18 | 9.1 | CVE-2026-49454 |
| Takashi Kitajima–MW WP Form | Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions. | 2026-06-15 | 7.1 | CVE-2026-48871 |
| Tammersoft–Shared Files | Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions. | 2026-06-15 | 7.5 | CVE-2026-49112 |
| Taskbuilder–Taskbuilder | Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions. | 2026-06-15 | 8.5 | CVE-2026-52697 |
| Techspawn–MultiLoca | Subscriber Privilege Escalation in MultiLoca <= 4.2.15 versions. | 2026-06-17 | 7.6 | CVE-2026-39546 |
| Terrywcarter–KissGallery | Joomla! Component KissGallery 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the component URL path. Attackers can supply malicious SQL code in the kissgallery endpoint to execute arbitrary database queries and extract sensitive information. | 2026-06-19 | 8.2 | CVE-2017-20269 |
| The Browser Company of New York`–Arc Search | Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing. | 2026-06-16 | 7.4 | CVE-2026-12348 |
| themagnifico52–Charity Zone | Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions. | 2026-06-17 | 9.9 | CVE-2026-40749 |
| themagnifico52–Ecommerce Zone | Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions. | 2026-06-17 | 9.9 | CVE-2026-40747 |
| themagnifico52–Kids Gift Shop | Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions. | 2026-06-17 | 9.9 | CVE-2026-40748 |
| themagnifico52–Kids Online Store | Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9. | 2026-06-16 | 9.9 | CVE-2026-40750 |
| themagnifico52–Restaurant Zone | Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions. | 2026-06-17 | 9.9 | CVE-2026-40746 |
| Theme passion–Support Ticket Management System | Unauthenticated Privilege Escalation in Support Ticket Management System <= 1.9 versions. | 2026-06-17 | 9.8 | CVE-2025-69179 |
| THEMECO–Cornerstone | Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions. | 2026-06-16 | 8.5 | CVE-2026-49113 |
| THEMECO–Cornerstone | Subscriber SQL Injection in Cornerstone < 7.8.8 versions. | 2026-06-17 | 8.5 | CVE-2026-54185 |
| ThemeFusion–Avada | Contributor PHP Object Injection in Avada <= 3.15.3 versions. | 2026-06-16 | 8.8 | CVE-2026-12256 |
| themefusion–Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate ‘delete’ cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction. | 2026-06-19 | 9.1 | CVE-2026-8713 |
| ThemeFusion–Fusion Builder | Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions. | 2026-06-16 | 9.8 | CVE-2026-54194 |
| ThemeFusion–Fusion Builder | Contributor Arbitrary File Deletion in Fusion Builder <= 3.15.4 versions. | 2026-06-17 | 7.7 | CVE-2026-54193 |
| ThemeGoods–Avante | Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions. | 2026-06-17 | 7.1 | CVE-2025-68524 |
| ThemeGoods–Grand Car Rental | Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions. | 2026-06-16 | 7.1 | CVE-2025-69151 |
| ThemeGrill–Masteriyo – LMS | Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo – LMS allows Privilege Escalation. This issue affects Masteriyo – LMS: from n/a through 2.2.0. | 2026-06-15 | 8.8 | CVE-2026-49111 |
| ThemeGrill–Masteriyo – LMS | Unauthenticated Broken Access Control in Masteriyo – LMS <= 2.1.5 versions. | 2026-06-15 | 7.5 | CVE-2026-39524 |
| ThemeGrill–Registration Form for WooCommerce | Unauthenticated Privilege Escalation in Registration Form for WooCommerce <= 1.0.9 versions. | 2026-06-17 | 9.8 | CVE-2026-54807 |
| ThemeGrill–User Registration | Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. | 2026-06-15 | 7.5 | CVE-2026-25425 |
| ThemeGrill–User Registration Stripe | Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.14 versions. | 2026-06-17 | 8.2 | CVE-2026-40726 |
| ThemeGrill–User Registration Stripe | Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions. | 2026-06-17 | 8.2 | CVE-2026-49081 |
| Themeisle–Redirection for Contact Form 7 | Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions. | 2026-06-15 | 7.1 | CVE-2026-23970 |
| Themeisle–Social Slider Feed | Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions. | 2026-06-15 | 7.1 | CVE-2026-39507 |
| THEMELOGI–Roneous | Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions. | 2026-06-16 | 8.1 | CVE-2025-69177 |
| THEMELOGI–Wanium | Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions. | 2026-06-16 | 8.1 | CVE-2025-69136 |
| ThemeMove–Atomlab | Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions. | 2026-06-17 | 8.1 | CVE-2026-39590 |
| ThemeREX Group–Elementra | Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions. | 2026-06-16 | 9.8 | CVE-2026-39529 |
| ThemeREX Group–Geya | Unauthenticated Local File Inclusion in Geya <= 1.15 versions. | 2026-06-16 | 8.1 | CVE-2025-58924 |
| ThemeREX Group–Learnify | Unauthenticated Local File Inclusion in Learnify <= 1.15.0 versions. | 2026-06-16 | 8.1 | CVE-2025-60085 |
| ThemeREX–Abelle | Unauthenticated Local File Inclusion in Abelle <= 1.22 versions. | 2026-06-16 | 8.1 | CVE-2025-69142 |
| ThemeREX–AirSupply | Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions. | 2026-06-17 | 8.1 | CVE-2025-69110 |
| ThemeREX–AutoParts | Unauthenticated Local File Inclusion in AutoParts <= 1.5.8 versions. | 2026-06-17 | 8.1 | CVE-2026-22331 |
| ThemeREX–Choreo | Unauthenticated Local File Inclusion in Choreo <= 1.6 versions. | 2026-06-16 | 8.1 | CVE-2025-69165 |
| ThemeREX–CopyPress | Unauthenticated Local File Inclusion in CopyPress <= 1.4.5 versions. | 2026-06-16 | 8.1 | CVE-2025-69118 |
| ThemeREX–Corbesier | Unauthenticated Local File Inclusion in Corbesier <= 1.15.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69119 |
| ThemeREX–Dazzle | Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions. | 2026-06-17 | 8.1 | CVE-2025-69120 |
| ThemeREX–Deliciosa | Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69121 |
| ThemeREX–Dom | Unauthenticated Local File Inclusion in Dom <= 1.24 versions. | 2026-06-16 | 8.1 | CVE-2025-69146 |
| ThemeREX–EcoBlue | Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions. | 2026-06-17 | 8.1 | CVE-2026-22338 |
| ThemeREX–Eros | Unauthenticated Local File Inclusion in Eros <= 1.3 versions. | 2026-06-16 | 8.1 | CVE-2025-69167 |
| ThemeREX–Especio | Unauthenticated Local File Inclusion in Especio <= 1.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69124 |
| ThemeREX–Etude | Unauthenticated Local File Inclusion in Etude <= 1.6 versions. | 2026-06-17 | 8.1 | CVE-2025-69174 |
| ThemeREX–Eventicity | Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions. | 2026-06-17 | 8.1 | CVE-2025-69170 |
| ThemeREX–Food Drop | Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions. | 2026-06-16 | 8.1 | CVE-2025-69125 |
| ThemeREX–Fortius | Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions. | 2026-06-17 | 8.1 | CVE-2025-69126 |
| ThemeREX–Gamic | Unauthenticated Local File Inclusion in Gamic <= 1.15 versions. | 2026-06-17 | 8.1 | CVE-2025-69157 |
| ThemeREX–Gat | Unauthenticated Local File Inclusion in Gat <= 1.16 versions. | 2026-06-17 | 8.1 | CVE-2025-69145 |
| ThemeREX–Gita | Unauthenticated Local File Inclusion in Gita <= 1.11 versions. | 2026-06-16 | 8.1 | CVE-2025-69160 |
| ThemeREX–Granola | Unauthenticated Local File Inclusion in Granola <= 1.13 versions. | 2026-06-17 | 8.1 | CVE-2025-69158 |
| ThemeREX–Grecko | Unauthenticated Local File Inclusion in Grecko <= 5.17 versions. | 2026-06-16 | 8.1 | CVE-2025-69162 |
| ThemeREX–Gunslinger | Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions. | 2026-06-17 | 8.1 | CVE-2025-69166 |
| ThemeREX–HomeRoofer | Unauthenticated Local File Inclusion in HomeRoofer <= 2.11.0 versions. | 2026-06-17 | 8.1 | CVE-2025-58954 |
| ThemeREX–Hot Coffee | Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions. | 2026-06-16 | 9.8 | CVE-2025-69108 |
| ThemeREX–Imba | Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions. | 2026-06-17 | 8.1 | CVE-2025-69106 |
| ThemeREX–Ingenioso | Unauthenticated Local File Inclusion in Ingenioso <= 1.14.0 versions. | 2026-06-17 | 8.1 | CVE-2025-69117 |
| ThemeREX–Iona | Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions. | 2026-06-16 | 8.1 | CVE-2025-69116 |
| ThemeREX–ITactics | Unauthenticated Local File Inclusion in ITactics <= 1.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69176 |
| ThemeREX–Joly | Unauthenticated Local File Inclusion in Joly <= 1.22.0 versions. | 2026-06-17 | 8.1 | CVE-2025-58953 |
| ThemeREX–Kelly Young | Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69141 |
| ThemeREX–Line Agency | Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions. | 2026-06-17 | 8.1 | CVE-2025-69175 |
| ThemeREX–LuxMed | Medicine & Healthcare Doctor WordPress Theme | Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions. | 2026-06-17 | 8.1 | CVE-2025-69115 |
| ThemeREX–MaxiNet | Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions. | 2026-06-16 | 8.1 | CVE-2025-69114 |
| ThemeREX–Medeus | Unauthenticated Local File Inclusion in Medeus <= 1.14 versions. | 2026-06-16 | 8.1 | CVE-2025-69150 |
| ThemeREX–Mission | Unauthenticated Local File Inclusion in Mission <= 1.22 versions. | 2026-06-16 | 8.1 | CVE-2025-69143 |
| ThemeREX–Modernee | Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69105 |
| ThemeREX–Neuronet | Unauthenticated Local File Inclusion in Neuronet < 1.14.0 versions. | 2026-06-17 | 8.1 | CVE-2025-58952 |
| ThemeREX–Nexio | Unauthenticated Local File Inclusion in Nexio <= 1.10.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69113 |
| ThemeREX–Orpheus | Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions. | 2026-06-17 | 8.1 | CVE-2025-69171 |
| ThemeREX–Planty | Unauthenticated Local File Inclusion in Planty <= 1.14.0 versions. | 2026-06-16 | 8.1 | CVE-2025-69112 |
| ThemeREX–Plumbing | Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions. | 2026-06-17 | 9.8 | CVE-2025-69127 |
| ThemeREX–Preservation | Unauthenticated Local File Inclusion in Preservation <= 1.10 versions. | 2026-06-17 | 8.1 | CVE-2025-69144 |
| ThemeREX–Printo | Unauthenticated Local File Inclusion in Printo <= 1.11 versions. | 2026-06-16 | 8.1 | CVE-2025-69159 |
| ThemeREX–Putter | Unauthenticated Local File Inclusion in Putter <= 1.17 versions. | 2026-06-16 | 8.1 | CVE-2025-69147 |
| ThemeREX–Quirky | Unauthenticated Local File Inclusion in Quirky <= 1.23 versions. | 2026-06-17 | 8.1 | CVE-2025-69148 |
| ThemeREX–Raider Spirit | Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions. | 2026-06-16 | 8.1 | CVE-2025-69109 |
| ThemeREX–Reisen | Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions. | 2026-06-17 | 9.8 | CVE-2025-69111 |
| ThemeREX–Resurs | Unauthenticated Local File Inclusion in Resurs <= 1.3 versions. | 2026-06-17 | 8.1 | CVE-2025-69172 |
| ThemeREX–Rosaleen | Unauthenticated Local File Inclusion in Rosaleen <= 2.8 versions. | 2026-06-16 | 8.1 | CVE-2025-69107 |
| ThemeREX–SeaFood Company | Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions. | 2026-06-16 | 9.8 | CVE-2025-69122 |
| ThemeREX–Skyward | Unauthenticated Local File Inclusion in Skyward <= 1.10 versions. | 2026-06-17 | 8.1 | CVE-2025-69164 |
| ThemeREX–Snow Club | Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions. | 2026-06-17 | 8.1 | CVE-2025-69123 |
| ThemeREX–Snowy | Unauthenticated Local File Inclusion in Snowy <= 1.13 versions. | 2026-06-17 | 8.1 | CVE-2025-69161 |
| ThemeREX–Spike | Unauthenticated Local File Inclusion in Spike <= 1.2 versions. | 2026-06-16 | 8.1 | CVE-2025-69168 |
| ThemeREX–ThemeREX Addons | Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions. | 2026-06-17 | 9.8 | CVE-2025-60205 |
| ThemeREX–Tipsy | Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions. | 2026-06-17 | 8.1 | CVE-2025-69173 |
| ThemeREX–Top Dog | Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions. | 2026-06-16 | 8.1 | CVE-2025-69149 |
| ThemeREX–WineShop | Unauthenticated Local File Inclusion in WineShop <= 3.17 versions. | 2026-06-16 | 8.1 | CVE-2025-69163 |
| themetechmount–TrueBooker | Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions. | 2026-06-15 | 9.1 | CVE-2026-48881 |
| Themeton–Lagom | Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0. | 2026-06-17 | 9.8 | CVE-2025-60229 |
| Themeton–The Barber Shop | Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9. | 2026-06-17 | 9.8 | CVE-2025-60230 |
| Themeum–Right Way | Unauthenticated Local File Inclusion in Right Way <= 4.0 versions. | 2026-06-17 | 8.1 | CVE-2026-22330 |
| Themeum–Skillate | Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions. | 2026-06-17 | 7.1 | CVE-2026-22329 |
| Themeum–Tutor LMS Pro | Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions. | 2026-06-17 | 9.3 | CVE-2026-22332 |
| Themify–Themify Folo | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themify Folo allows Reflected XSS. This issue affects Themify Folo: from n/a through 1.9.6. | 2026-06-17 | 7.1 | CVE-2025-31013 |
| Themovation–Entrepreneur – Booking for Small Businesses WordPress Theme | Subscriber PHP Object Injection in Entrepreneur – Booking for Small Businesses WordPress Theme <= 3.1.3 versions. | 2026-06-17 | 8.8 | CVE-2025-69130 |
| Thrive Themes–Thrive Apprentice | Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions. | 2026-06-17 | 9.8 | CVE-2026-49107 |
| tinyhumansai–OpenHuman | The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git’s environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user’s machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find. | 2026-06-17 | 9.6 | CVE-2026-55743 |
| tinyproxy–tinyproxy | Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking. | 2026-06-17 | 9.1 | CVE-2026-54387 |
| tinyproxy–tinyproxy | Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking. | 2026-06-17 | 9.1 | CVE-2026-54388 |
| tinyproxy–tinyproxy | Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls. | 2026-06-17 | 8.2 | CVE-2026-55202 |
| Tips and Tricks HQ–WP eMember | Unauthenticated SQL Injection in WP eMember < v10.9.4 versions. | 2026-06-17 | 9.3 | CVE-2026-54811 |
| TMS–Amelia | Subscriber Privilege Escalation in Amelia <= 2.3 versions. | 2026-06-15 | 8.8 | CVE-2026-48889 |
| TMS–Amelia | Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions. | 2026-06-15 | 7.5 | CVE-2026-40789 |
| TMS–wpDataTables | Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions. | 2026-06-16 | 9.3 | CVE-2026-49080 |
| tnomi–Attendance Manager | Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions. | 2026-06-16 | 7.6 | CVE-2026-52712 |
| Tomdever–wpForo Forum | Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions. | 2026-06-15 | 9.3 | CVE-2026-40798 |
| Tomdever–wpForo Forum | Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions. | 2026-06-17 | 9.8 | CVE-2026-49767 |
| Tomdever–wpForo Forum | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | 2026-06-15 | 9.8 | CVE-2026-49769 |
| Tomdever–wpForo Forum | Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions. | 2026-06-15 | 7.5 | CVE-2026-40767 |
| traccar–traccar-client | Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app’s persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim’s GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim’s location. This issue has been fixed in version 9.7.20. | 2026-06-16 | 9.3 | CVE-2026-48745 |
| truelockmc–streambert | Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert’s subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application’s current write permissions. This issue has been fixed in version 2.5.0. | 2026-06-16 | 10 | CVE-2026-48055 |
| TURCK–TBEN-LL-SE-M2 | Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise. | 2026-06-16 | 8.8 | CVE-2026-5416 |
| tychesoftwares–Order Delivery Date for WooCommerce | Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions. | 2026-06-15 | 9.3 | CVE-2026-42386 |
| Ultimatebeaver–Ultimate Addons for Beaver Builder | WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user. | 2026-06-20 | 9.8 | CVE-2019-25763 |
| undici–undici | Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(…)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting at undici 6.17.0 are affected. Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade. | 2026-06-17 | 7.5 | CVE-2026-12151 |
| undici–undici | Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool’s origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP. Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin. This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0. Patches: Upgrade to undici v7.26.0 or v8.2.0. Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins. | 2026-06-17 | 7.5 | CVE-2026-6734 |
| undici–undici | Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(…)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected. Patches: Upgrade to undici >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade. | 2026-06-17 | 7.5 | CVE-2026-9675 |
| undici–undici | Impact: undici’s ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node’s default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici’s ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly. | 2026-06-17 | 7.4 | CVE-2026-9697 |
| Utillz–Brikk | Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions. | 2026-06-16 | 7.5 | CVE-2025-69103 |
| VamTam–Auto Repair | Unauthenticated Cross Site Scripting (XSS) in Auto Repair <= 22.6 versions. | 2026-06-17 | 7.1 | CVE-2026-22328 |
| vanyukov–Offload, AI & Optimize with Cloudflare Images | The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the ‘account-id’ parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping – sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing – allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the ‘cf-images-nonce’ nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path. | 2026-06-18 | 8.8 | CVE-2026-9860 |
| Vembu–Vembu StoreGrid | Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and restart the service to execute code with LocalSystem privileges. | 2026-06-19 | 7.8 | CVE-2016-20086 |
| VeronaLabs–Slimstat Analytics | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in VeronaLabs Slimstat Analytics allows Blind SQL Injection. This issue affects Slimstat Analytics: from n/a through 5.4.11. | 2026-06-17 | 8.5 | CVE-2026-54818 |
| VideoWhisper.com–Broadcast Live Video | Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions. | 2026-06-15 | 9.8 | CVE-2026-27053 |
| VideoWhisper.com–Paid Videochat Turnkey Site | Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions. | 2026-06-15 | 8.1 | CVE-2026-27333 |
| VillaTheme–GIFT4U | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10. | 2026-06-17 | 9.3 | CVE-2026-54809 |
| vLLM–vLLM | vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause. | 2026-06-20 | 8.8 | CVE-2026-56340 |
| Wasiliy Strecker–Contest Gallery | Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. | 2026-06-15 | 9.3 | CVE-2026-40771 |
| WC Lovers.–WooCommerce Frontend Manager Ultimate | Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions. | 2026-06-17 | 8.5 | CVE-2026-22335 |
| WC Product Table–WooCommerce Product Table Lite | Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions. | 2026-06-15 | 7.1 | CVE-2026-34902 |
| WcMultishipping Mondial Relay & Chronopost for Wooommerce–WCMultiShipping | Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions. | 2026-06-15 | 8.5 | CVE-2026-52700 |
| Wdmtech–vAccount | Joomla! Component vAccount 2.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vid parameter. Attackers can send GET requests to the vaccount-dashboard/expense endpoint with crafted SQL payloads in the vid parameter to extract sensitive database information including version and database names. | 2026-06-19 | 8.2 | CVE-2019-25756 |
| Wdmtech–vBizz | Joomla! Component vBizz 1.0.7 contains an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary PHP files by submitting malicious files through the profile_pic parameter. Attackers can upload PHP files via POST requests to the employee view endpoint and execute them from the uploads directory to achieve remote code execution. | 2026-06-19 | 8.8 | CVE-2019-25758 |
| Wdmtech–vBizz | Joomla! Component vBizz 1.0.7 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the payid parameter. Attackers can submit POST requests to the employee management interface with crafted payid array values containing SQL commands to extract sensitive database information including version and database names. | 2026-06-19 | 7.1 | CVE-2019-25759 |
| Wdmtech–VMap | Joomla! Component VMap 1.9.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the latlngbound parameter. Attackers can send GET requests to index.php with the option=com_vmap&task=loadmarker parameters containing SQL injection payloads to manipulate database queries and extract sensitive information. | 2026-06-19 | 8.2 | CVE-2019-25753 |
| Wdmtech–vRestaurant | Joomla Component vRestaurant 1.9.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keysearch parameter. Attackers can send POST requests to the menu-listing-layout endpoint with crafted SQL payloads in the keysearch parameter to extract database table names and sensitive information from the database. | 2026-06-19 | 8.2 | CVE-2019-25754 |
| Wdmtech–vReview | Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION statements in the cmId parameter to extract database information including usernames, passwords, and database versions. | 2026-06-19 | 8.2 | CVE-2019-25755 |
| Wdmtech–vWishlist | Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these parameters to extract sensitive database information including version and database names. | 2026-06-19 | 7.1 | CVE-2019-25757 |
| Web Guy–Stop Spammers | Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. | 2026-06-15 | 7.1 | CVE-2026-48876 |
| WebAppick–CTX Feed | Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions. | 2026-06-15 | 7.2 | CVE-2026-39434 |
| WebGeniusLab–Integrio Core | Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions. | 2026-06-16 | 8.1 | CVE-2026-34894 |
| WebGeniusLab–Softlab Core | Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions. | 2026-06-16 | 8.1 | CVE-2026-34895 |
| WebGeniusLab–Thegov Core | Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions. | 2026-06-16 | 8.1 | CVE-2026-34893 |
| Webilia Inc.–Listdom | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0. | 2026-06-17 | 9.3 | CVE-2026-54819 |
| Webilia Inc.–Listdom | Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions. | 2026-06-15 | 7.3 | CVE-2026-49063 |
| Webkul–Ajax Quiz | Joomla! Component Ajax Quiz 1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cid parameter. Attackers can send GET requests to index.php with the option=com_ajaxquiz and view=ajaxquiz parameters to extract sensitive database information including table names and column structures. | 2026-06-19 | 8.2 | CVE-2017-20262 |
| Webmin–Webmin | The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641. | 2026-06-18 | 8.1 | CVE-2026-56020 |
| Weborange–Bargain Product VM3 | Joomla! Component Bargain Product VM3 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can supply crafted SQL statements in GET requests to the brainy and alice views to extract sensitive database information. | 2026-06-19 | 8.2 | CVE-2017-20261 |
| Weborange–Price Alert | Joomla! Component Price Alert 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can send requests to the subscribeajax view with crafted SQL payloads in the product_id parameter to extract sensitive database information including credentials and configuration data. | 2026-06-19 | 8.2 | CVE-2017-20260 |
| websockets–ws | ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0. | 2026-06-16 | 7.5 | CVE-2026-48779 |
| WebToffee–WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions. | 2026-06-15 | 7.5 | CVE-2026-49056 |
| Weird-Solutions–TFTP Broadband | TFTP Broadband 4.3.0.1465 contains an unquoted service path vulnerability in the tftpt.exe service binary that allows local attackers to execute arbitrary code with system privileges. Attackers can place a malicious executable in the Program Files directory path that will be executed during service startup or system reboot with LocalSystem privileges. | 2026-06-19 | 7.8 | CVE-2020-37250 |
| Winstep–Winstep | Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Attackers can place malicious executables in the Program Files directory to be executed with LocalSystem privileges when the service starts. | 2026-06-19 | 7.8 | CVE-2020-37253 |
| Wise–Wisecleaner | Wise Care 365 4.27 and Wise Disk Cleaner 9.29 contain unquoted service path vulnerabilities in the WiseBootAssistant and SpyHunter 4 Service respectively, allowing local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that execute during service startup or system reboot with elevated privileges. | 2026-06-19 | 7.8 | CVE-2016-20093 |
| WishList Products, LLC.–WishList Member X | Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions. | 2026-06-17 | 9.9 | CVE-2026-25446 |
| Wombat Plugins–Advanced Product Fields (Product Addons) for WooCommerce | Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions. | 2026-06-15 | 7.2 | CVE-2026-39499 |
| Wondershare–PDFelement | Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Local attackers can place a malicious executable in the service path and execute code with LocalSystem privileges upon service restart or system reboot. | 2026-06-19 | 7.8 | CVE-2020-37254 |
| WooCommerce–WooCommerce | WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root. | 2026-06-20 | 9.8 | CVE-2022-50972 |
| WP Chill–Modula Image Gallery | Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions. | 2026-06-15 | 7.2 | CVE-2026-39481 |
| Wp Directory Kit–WP Directory Kit | Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions. | 2026-06-15 | 7.5 | CVE-2026-39534 |
| WP E-Signature–Signature Add-On for WooCommerce | Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions. | 2026-06-15 | 7.5 | CVE-2026-52694 |
| WP Engine–Faust.js | Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7. | 2026-06-15 | 8.8 | CVE-2026-49062 |
| WP Overnight–WooCommerce PDF Invoices & Packing Slips | Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions. | 2026-06-15 | 7.2 | CVE-2026-39472 |
| WP Swings–Event Tickets Manager for WooCommerce | Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. | 2026-06-15 | 7.5 | CVE-2026-34898 |
| WP Swings–Upsell Order Bump Offer for WooCommerce | Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions. | 2026-06-15 | 7.5 | CVE-2026-49110 |
| WP Travel Engine–WP Travel Engine | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. | 2026-06-15 | 9.8 | CVE-2026-49770 |
| WP Travel Engine–WP Travel Engine | Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions. | 2026-06-15 | 7.5 | CVE-2026-49078 |
| WP Travel–WP Travel Gutenberg Blocks | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4. | 2026-06-17 | 9.3 | CVE-2026-54808 |
| WP User Manager–WP User Manager | Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. | 2026-06-15 | 9.9 | CVE-2026-49766 |
| wp-buy–SEO Redirection | Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. | 2026-06-15 | 7.1 | CVE-2026-52702 |
| wp.insider–Affiliates Manager | Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions. | 2026-06-15 | 7.5 | CVE-2026-52692 |
| wp.insider–Simple Membership | Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions. | 2026-06-15 | 7.5 | CVE-2026-34886 |
| WPClever–WPC Product Bundles for WooCommerce | Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions. | 2026-06-15 | 7.5 | CVE-2026-48883 |
| WPClever–WPC Product Options for WooCommerce | Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions. | 2026-06-15 | 7.5 | CVE-2026-49061 |
| WPDeveloper–EmbedPress | Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions. | 2026-06-15 | 7.5 | CVE-2026-48872 |
| WPExperts–Post SMTP | Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions. | 2026-06-15 | 7.1 | CVE-2026-48838 |
| WPFactory–Min Max Step Quantity Limits Manager for WooCommerce | Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions. | 2026-06-16 | 7.1 | CVE-2026-39437 |
| WPFunnels–WPFunnels Pro | Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. | 2026-06-17 | 7.1 | CVE-2026-49778 |
| WPGraphQL–WPGraphQL | Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions. | 2026-06-15 | 7.5 | CVE-2026-40762 |
| WPLocker–PT Luxa Addons | Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions. | 2026-06-17 | 9.9 | CVE-2025-60218 |
| WPManageNinja–Best Payments Plugin for WP | Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions. | 2026-06-15 | 7.5 | CVE-2026-42655 |
| WPMet–MetForm Pro | Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions. | 2026-06-17 | 9.1 | CVE-2026-24611 |
| wpmudev–Branda White Label & Branding, Free Login Page Customizer | The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user’s passwords, including administrators, and leverage that to gain access to their account. | 2026-06-19 | 9.8 | CVE-2026-11551 |
| WPos–Woocommerce Book Price | Subscriber Arbitrary File Download in Woocommerce Book Price <= 1.3 versions. | 2026-06-17 | 7.5 | CVE-2026-22334 |
| WPTasty–AWP Classifieds | Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. | 2026-06-15 | 7.5 | CVE-2026-39533 |
| Wptimecapsule–Time Capsule Plugin | WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials. | 2026-06-20 | 7.5 | CVE-2020-37255 |
| wpWax–Directorist Booking | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3. | 2026-06-16 | 8.5 | CVE-2026-49073 |
| WPZOOM–WPZOOM Addons for Elementor | Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons for Elementor <= 1.3.4 versions. | 2026-06-17 | 7.1 | CVE-2026-39597 |
| XServer–CloudSecure WP Security | Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions. | 2026-06-15 | 8.1 | CVE-2026-42411 |
| xtemos–Hitek | Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions. | 2026-06-17 | 8.1 | CVE-2026-39582 |
| Yandex–Punto Switcher | Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application’s call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Attackers can place a malicious executable earlier in the search order to achieve arbitrary code execution in the context of the affected user. | 2026-06-18 | 7.8 | CVE-2026-25865 |
| Yannick Lefebvre–Link Library | Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions. | 2026-06-15 | 7.7 | CVE-2026-40779 |
| Yealink–SIP-T46U | A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 8 | CVE-2026-12218 |
| Yealink–SIP-T46U | A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 8 | CVE-2026-12220 |
| Yealink–SIP-T46U | A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 8 | CVE-2026-12221 |
| Yealink–SIP-T46U | A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Executing a manipulation of the argument btMac/pin/reserved can lead to stack-based buffer overflow. The attack needs to be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 8 | CVE-2026-12222 |
| Yeeaddons–YayMail | Shop manager PHP Object Injection in YayMail <= 4.3.3 versions. | 2026-06-15 | 7.2 | CVE-2026-39498 |
| yeoman–environment | Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0. | 2026-06-16 | 8.6 | CVE-2026-42089 |
| yydevelopment–Advanced 301 and 302 Redirect | Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions. | 2026-06-15 | 9.3 | CVE-2026-49067 |
| Zcontent–Zap Calendar Lite | Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘eid’ parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads to extract sensitive database information including database names and table structures. | 2026-06-19 | 8.2 | CVE-2017-20268 |
| zephyrproject–zephyr | Zephyr’s Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG’s +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index = ARRAY_SIZE(hf-ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0. | 2026-06-17 | 7.1 | CVE-2026-10641 |
| Zidithemes–Grip | Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. | 2026-06-17 | 9.9 | CVE-2024-52488 |
| Zozothemes–Restaurt | Subscriber Arbitrary File Upload in Restaurt <= 1.0.4 versions. | 2026-06-17 | 9.9 | CVE-2026-22327 |
| Zyxel–GS1900-48HPv2 firmware | A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request. | 2026-06-16 | 8.8 | CVE-2026-7273 |
Medium Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 10web–Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the ‘groupids’ parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-18 | 4.9 | CVE-2026-11776 |
| 10web–Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the ‘name’ parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-18 | 4.9 | CVE-2026-11777 |
| 2download–2Download Connector for 2DL Hosted Checkout | The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to view arbitrary customers’ subscription data including subscription status, product names, order IDs, purchase dates, and expiry dates. | 2026-06-19 | 5.3 | CVE-2026-6798 |
| abtest–Abtest | WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code. | 2026-06-15 | 6.2 | CVE-2016-20082 |
| AcademySoftwareFoundation–openexr | OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32_t) is multiplied by bytes_per_element in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12. | 2026-06-18 | 6.1 | CVE-2026-44663 |
| activepieces–activepieces | A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12813 |
| adamsilverstein–User Admin Simplifier | The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user’s stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-19 | 4.3 | CVE-2026-11775 |
| addonspress–Advanced Import | The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The ‘demo_file’ parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when ‘demo_file_type’ is set to ‘url’. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints. | 2026-06-19 | 6.4 | CVE-2026-4328 |
| Adobe–DNG SDK | DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-16 | 5.5 | CVE-2026-47927 |
| Adobe–DNG SDK | DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-16 | 5.5 | CVE-2026-47934 |
| Adobe–DNG SDK | DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-16 | 5.5 | CVE-2026-47963 |
| Ahmad–JS Help Desk | Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. | 2026-06-15 | 6.5 | CVE-2026-48887 |
| Ahmad–WP Job Portal | Subscriber Cross Site Scripting (XSS) in WP Job Portal <= 2.5.2 versions. | 2026-06-15 | 6.5 | CVE-2026-48880 |
| algolplus–Advanced Order Export For WooCommerce | The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the ‘sort_direction’ parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The endpoint requires a valid woe_nonce and Shop Manager-level capabilities (view_woocommerce_reports or export_woocommerce_orders), and wp_magic_quotes protection is stripped via stripslashes_deep() before processing, allowing quote and backslash characters to survive intact into the SQL context. | 2026-06-18 | 4.9 | CVE-2026-11360 |
| ali2woo–AliNext | Missing Authorization vulnerability in ali2woo AliNext allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AliNext: from n/a through 3.3.5. | 2026-06-17 | 6.5 | CVE-2024-37210 |
| Amit Mittal–Shipment Tracker for Woocommerce | Subscriber Cross Site Scripting (XSS) in Shipment Tracker for Woocommerce <= 1.5.3.2 versions. | 2026-06-15 | 6.5 | CVE-2026-39540 |
| Andy Moyle–Emergency Password Reset | Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0. | 2026-06-17 | 4.3 | CVE-2024-35648 |
| Apollo Pharmacy–Blood Glucose Monitoring System (Model No. APG-01 BT) | An attacker within BLE communication range can passively intercept wireless traffic and obtain sensitive health-related information, including glucose measurement values. | 2026-06-18 | 6.5 | CVE-2026-50034 |
| Apollo Pharmacy–Blood Glucose Monitoring System (Model No. APG-01 BT) | An attacker within BLE communication range can monopolize the device’s only available BLE connection slot, preventing legitimate users or applications from establishing a connection. | 2026-06-18 | 6.5 | CVE-2026-52866 |
| artbees–JupiterX Core | Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions. | 2026-06-15 | 6.5 | CVE-2026-39491 |
| authlib–joserfc | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7. | 2026-06-17 | 5.3 | CVE-2026-48990 |
| Autodesk–Revit | A maliciously crafted RFA file, when converted to FormIt via “Convert RFA to FormIt” in Autodesk Revit, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition. | 2026-06-17 | 5.5 | CVE-2026-1288 |
| AVideo–AVideo | AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details. | 2026-06-20 | 6.8 | CVE-2026-56342 |
| AVideo–AVideo | AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks. | 2026-06-20 | 6.5 | CVE-2026-56346 |
| Avirtum–iPages Flipbook | Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iPages Flipbook: from n/a through 1.5.1. | 2026-06-17 | 5.3 | CVE-2024-33909 |
| Awesomemotive–Envira Photo Gallery | Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions. | 2026-06-16 | 6.5 | CVE-2026-54190 |
| AWS–Kiro IDE | Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating. | 2026-06-15 | 5.5 | CVE-2026-11931 |
| BerriAI–litellm | A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | 2026-06-21 | 6.3 | CVE-2026-12772 |
| BerriAI–litellm | A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | 2026-06-21 | 6.3 | CVE-2026-12774 |
| BerriAI–litellm | A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function get_redirect_response_from_openid of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2026-06-21 | 6.3 | CVE-2026-12796 |
| BerriAI–litellm | A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | 2026-06-21 | 6.3 | CVE-2026-12797 |
| BerriAI–litellm | A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | 2026-06-21 | 6.3 | CVE-2026-12798 |
| BerriAI–litellm | A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 23781. It is recommended to apply a patch to fix this issue. The vendor was contacted early about this disclosure. | 2026-06-21 | 5.4 | CVE-2026-12770 |
| BerriAI–litellm | A vulnerability was identified in BerriAI litellm up to 1.82.2. This affects an unknown function of the file litellm/proxy/auth/user_api_key_auth.py of the component M2M JWT Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2026-06-21 | 5 | CVE-2026-12771 |
| BerriAI–litellm | A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function ui_view_users of the file litellm/proxy/management_endpoints/internal_user_endpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | 2026-06-21 | 4.3 | CVE-2026-12799 |
| Bitnami–bitnami/mariadb-galera | Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD environment variables defaulted to monitor and monitor respectively. This user is granted REPLICATION CLIENT privileges from any host (‘%’). The Bitnami Helm chart for MariaDB Galera did not expose parameters to configure this user’s credentials, resulting in all chart deployments using this publicly known credential by default. Affected versions – Container image: 10.6.x prior to 10.6.27-photon-5-r0; 10.11.x prior to 10.11.17-photon-5-r1; 11.4.x prior to 11.4.12-photon-5-r0; 11.8.x prior to 11.8.7-photon-5-r1; 12.3.x prior to 12.3.2-photon-5-r0 / 12.3.2-debian-12-r0. Helm chart: prior to 18.3.0. | 2026-06-18 | 5.3 | CVE-2026-47847 |
| bitpressadmin–Bit integrations Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation | The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations. | 2026-06-19 | 6.5 | CVE-2026-11989 |
| Black Lantern Security–BBOT | The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user’s system. | 2026-06-17 | 6.5 | CVE-2026-12568 |
| Black Lantern Security–BBOT | The unarchive internal module’s archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory. | 2026-06-17 | 5.3 | CVE-2026-12565 |
| blubrry–PowerPress Podcasting plugin by Blubrry | The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ’embed’ Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core’s post content pipeline, meaning kses-on-save filtering is never applied – even for Author-role users who would otherwise lack unfiltered_html – making this path unprotected by WordPress’s standard role-based XSS mitigations. | 2026-06-18 | 6.4 | CVE-2026-12098 |
| BoldGrid–W3 Total Cache | Author Broken Access Control in W3 Total Cache <= 2.9.1 versions. | 2026-06-17 | 4.7 | CVE-2026-39595 |
| Booking Activities Team–Booking Activities | Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions. | 2026-06-15 | 6.5 | CVE-2026-39525 |
| Bootstrapped Ventures–Visual Link Preview | Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions. | 2026-06-15 | 6.5 | CVE-2026-48878 |
| bplugins–Services Section Block Showcase Service Details in Grid or Columns | The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘link’ Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The payload persists inside HTML comments in post_content, bypassing wp_kses_post sanitization at save time, and executes via both the primary service link anchor and a secondary title-wrapped anchor when the linkIn option is set to ‘title’. | 2026-06-18 | 6.4 | CVE-2026-11402 |
| Brandfolder–Brandfolder | WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code. | 2026-06-15 | 6.2 | CVE-2016-20080 |
| Bricks–Bricks Builder | Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions. | 2026-06-17 | 4.3 | CVE-2026-40723 |
| Bricksable–Bricksable for Bricks Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Bricksable for Bricks Builder allows Stored XSS. This issue affects Bricksable for Bricks Builder: from n/a through 1.6.83. | 2026-06-18 | 5.9 | CVE-2026-56009 |
| bunny.net–bunny.net | Subscriber Broken Access Control in bunny.net <= 2.3.6 versions. | 2026-06-15 | 6.3 | CVE-2025-68049 |
| Canon Inc.–EOS Network Setting Tool for Windows | Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier | 2026-06-15 | 6.5 | CVE-2026-9258 |
| Canon Inc.–EOS Network Setting Tool for Windows | Improper validation of server certificates in Canon EOS Network Setting Tool Version 1.5.0 or earlier | 2026-06-15 | 6.5 | CVE-2026-9259 |
| Canon Inc.–EOS Network Setting Tool for Windows | Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier | 2026-06-15 | 6.2 | CVE-2026-9260 |
| Canon Inc.–EOS Network Setting Tool for Windows | Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier | 2026-06-15 | 6.8 | CVE-2026-9261 |
| Canon Inc.–EOS Network Setting Tool for Windows | Use of a non-secure protocol as the default FTP configuration in Canon EOS Network Setting Tool Version 1.5.0 or earlier | 2026-06-15 | 6.5 | CVE-2026-9262 |
| Cap-go–capgo | Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []). | 2026-06-20 | 5.3 | CVE-2026-56235 |
| Cap-go–capgo | Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption. | 2026-06-21 | 5.3 | CVE-2026-56316 |
| Cap-go–capgo | Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication. | 2026-06-19 | 4.9 | CVE-2026-56080 |
| Cap-go–capgo | Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows. | 2026-06-20 | 4.3 | CVE-2026-56307 |
| capacitor-native-biometric–capacitor-native-biometric | capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials. | 2026-06-20 | 4.8 | CVE-2026-56294 |
| Capgo–Capgo | Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants’ webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations. | 2026-06-19 | 6.5 | CVE-2026-56079 |
| Capgo–Capgo | Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id combination. Limited API keys restricted to a single app can retrieve build status and logs from other apps by providing an authorized app_id while using a job_id from an unauthorized app, exposing sensitive build information including logs, metadata, and potentially credentials. | 2026-06-21 | 6.5 | CVE-2026-56229 |
| Capgo–Capgo | Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authenticated users to elevate privileges from admin to super_admin. Attackers can exploit the insufficient RLS enforcement to gain unauthorized super_admin access and compromise system security. | 2026-06-21 | 6.5 | CVE-2026-56251 |
| Capgo–Capgo | Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks despite explicit organizational policy requiring key expiration. | 2026-06-20 | 6.3 | CVE-2026-56295 |
| Capgo–Capgo | Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications. | 2026-06-20 | 5.3 | CVE-2026-56213 |
| Capgo–Capgo | Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time. | 2026-06-20 | 5.3 | CVE-2026-56218 |
| Capgo–Capgo | Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users. | 2026-06-20 | 5.4 | CVE-2026-56227 |
| Capgo–Capgo | Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN positions. Attackers can access this endpoint without authentication to retrieve sensitive infrastructure details such as replication slot names, confirmed_flush_lsn, restart_lsn values, and database error messages for reconnaissance purposes. | 2026-06-20 | 5.3 | CVE-2026-56282 |
| Capgo–Capgo | Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service. | 2026-06-21 | 5.3 | CVE-2026-56299 |
| Capgo–Capgo | Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service. | 2026-06-20 | 4.9 | CVE-2026-56228 |
| Capgo–Capgo | Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation. | 2026-06-20 | 4.3 | CVE-2026-56319 |
| Capgo–Capgo | Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks. | 2026-06-20 | 4.7 | CVE-2026-56332 |
| capgo–cli | Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions when developers run the CLI. | 2026-06-21 | 6.1 | CVE-2026-56236 |
| carrierwaveuploader–carrierwave | CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a A anchor. Other content types containing regex metacharacters, such as application/xhtml+xml, are affected as well. As a result, any application that relies on content_type_denylist to block image/svg+xml, most commonly to prevent stored XSS, is silently unprotected. An attacker can upload an SVG file containing arbitrary JavaScript; if the application serves that SVG inline from its own origin, the script executes in the victim’s browser, resulting in stored XSS. This issue has been fixed in versions 2.2.7 and 3.1.3. | 2026-06-16 | 4.7 | CVE-2026-44587 |
| Cisco–Cisco Catalyst SD-WAN Manager | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account. | 2026-06-15 | 6.5 | CVE-2026-20262 |
| Cisco–Cisco Crosswork Network Change Automation | A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system in limited areas of the file system. This vulnerability affects only areas of the operating system for which the template user has write permissions. To exploit this vulnerability, the attacker must have valid template user credentials with write permissions. Template users with read permissions cannot exploit this vulnerability. | 2026-06-17 | 6.3 | CVE-2026-20220 |
| Cisco–Cisco Umbrella Insights Virtual Appliance | A vulnerability in the vmadmin CLI of Cisco Umbrella Virtual Appliance could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied commands. An attacker with vmadmin privileges could exploit this vulnerability by using certain commands at the CLI. A successful exploit could allow the attacker to elevate privileges to root. | 2026-06-17 | 6 | CVE-2026-20246 |
| Cisco–Cisco Webex App | A vulnerability in the browser-based version of Cisco Webex App could have allowed an unauthenticated, remote attacker to redirect users to a malicious webpage. Cisco has addressed this vulnerability in the Cisco Webex App, and no customer action is needed. This vulnerability existed due to improper input validation of URL parameters in an HTTP request. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to click a crafted URL. A successful exploit could have allowed the attacker to redirect a user to a malicious website. | 2026-06-17 | 4.3 | CVE-2026-20178 |
| Client Portal Ltd.–Client Portal (Pro) | CP Client Arbitrary File Download in Client Portal (Pro) <= 5.6.2 versions. | 2026-06-17 | 6.5 | CVE-2026-40724 |
| Cloud Foundry Foundation–bpm-release | setupBpmLogs follows symlink for bpm.log open and chown – container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job. Affected versions: bpm-release, all versions prior to v1.4.30. | 2026-06-18 | 6.1 | CVE-2026-47833 |
| Cloudflare–Quiche | Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions would return a pointer to a “ConnectionId” to the applications via function arguments, but the owned “ConnectionId” would be dropped at the end of those functions’ scope. Only applications using those FFI functions are affected. The FFI API is disabled by default by a build-time feature flag. Impact If unpatched, an application calling the affected FFI functions will dereference freed memory. The most likely outcome is undefined behavior leading to a process crash (denial of service). Depending on allocator state, the read may also return adjacent heap contents, resulting in limited information disclosure or incorrect connection identifier handling. Mitigation Users are requested to upgrade to quiche 0.29.2 which is the earliest version containing the fix for this issue. | 2026-06-19 | 5.6 | CVE-2026-11941 |
| codepeople–Appointment Booking Calendar | The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can(‘edit_posts’), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin. | 2026-06-18 | 4.3 | CVE-2026-12111 |
| Comfast–CF-WR631AX V3 | A flaw has been found in Comfast CF-WR631AX V3 up to 2.7.0.8. This issue affects the function system of the file /cgi-bin/mbox-config?section=ping_config of the component API Endpoint. This manipulation of the argument destination causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12814 |
| contrid–Slideshow Gallery LITE | The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alwaysauto’ shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-18 | 6.4 | CVE-2026-2021 |
| coollabsio–coolify | A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions “[i]mproved image, branch, proxy, and deployment input validation”. | 2026-06-21 | 6.3 | CVE-2026-12815 |
| Cotonti–Cotonti | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action (‘a=update’) updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim’s folder metadata, including making a private folder public. | 2026-06-18 | 5.4 | CVE-2026-55745 |
| coturn–coturn | Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (–no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0. | 2026-06-18 | 5.4 | CVE-2026-43915 |
| craftcms–cms | Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access. | 2026-06-21 | 6.5 | CVE-2026-56394 |
| craftcms–cms | Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions. | 2026-06-21 | 4.8 | CVE-2026-56381 |
| craftcms–cms | Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the ‘Row Heading’ column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23. | 2026-06-21 | 4.8 | CVE-2026-56383 |
| craftcms–cms | Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14. | 2026-06-21 | 4.3 | CVE-2026-56384 |
| craftcms–cms | Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8. | 2026-06-21 | 4.3 | CVE-2026-56385 |
| craftcms–cms | Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users’ control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1. | 2026-06-21 | 4.8 | CVE-2026-56393 |
| creativethemeshq–Blocksy Companion | The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-06-19 | 4.4 | CVE-2026-12430 |
| creavi–Creavi Appointment Booking Calendar | The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-19 | 6.4 | CVE-2026-1856 |
| deepakkite–Secure Client Portal and Private File Sharing Plugin User Private Files | The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fldr_ttl’ parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-16 | 6.4 | CVE-2026-10093 |
| Dell–Peripheral Manager | Dell Peripheral Manager, versions prior to 1.7.3, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious dll., leading to arbitrary code execution. | 2026-06-16 | 6.7 | CVE-2024-22447 |
| Dell–Peripheral Manager | Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious executable, leading to arbitrary code execution. | 2026-06-16 | 6.7 | CVE-2024-22451 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access. | 2026-06-17 | 5.7 | CVE-2026-35067 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 2026-06-17 | 5.7 | CVE-2026-35069 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 2026-06-17 | 4.3 | CVE-2026-35162 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) 4.6.0.1, contain(s) an Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 2026-06-17 | 4.8 | CVE-2026-40641 |
| Dell–PowerFlex Manager | Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning. | 2026-06-17 | 6.5 | CVE-2024-47477 |
| Dell–PowerFlex rack | Dell PowerFlex rack, version(s) RCM 3.7/3.7, contain(s) a Host Header Injection vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to trigger redirections. | 2026-06-17 | 4.3 | CVE-2025-32748 |
| Dell–PowerStore | PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, it could lead to script execution in the client browser. | 2026-06-16 | 5.4 | CVE-2024-30476 |
| dijitul–Fancy Testimonials | The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author’ shortcode attribute in the ‘testimonial’ shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-18 | 6.4 | CVE-2026-8039 |
| Discuz!–Discuz! X5.0 | Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse. | 2026-06-15 | 6.5 | CVE-2026-49953 |
| dokaninc–Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor’s own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID – the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that ‘users cannot generate valid nonces on command’: vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1. | 2026-06-18 | 4.3 | CVE-2026-10023 |
| dwbooster–Booking Calendar Contact Form | WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers. | 2026-06-15 | 6.4 | CVE-2016-20070 |
| dwbooster–CP Polls | WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in. | 2026-06-15 | 4.3 | CVE-2016-20067 |
| Edimax–BR-6478AC V2 | A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12807 |
| Edimax–BR-6478AC V2 | A vulnerability was determined in Edimax BR-6478AC V2 1.23. This impacts the function stainfo of the file /goform/stainfo of the component POST Request Handler. This manipulation of the argument interface causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12808 |
| Edimax–BR-6478AC V2 | A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12809 |
| Edimax–BR-6478AC V2 | A security flaw has been discovered in Edimax BR-6478AC V2 1.23. Affected by this vulnerability is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12810 |
| eemitch–Simple File List | The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the ‘frontmanage’ shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the ‘eeSFL’ shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php. | 2026-06-20 | 6.5 | CVE-2026-12119 |
| eLightUp–Meta Box WordPress Custom Fields Framework | Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions. | 2026-06-15 | 6.8 | CVE-2026-39468 |
| equalizedigital–Equalize Digital Accessibility Checker WCAG, ADA, EAA and Section 508 compliance | The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post’s issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same ‘object’ value – including those belonging to administrator-owned posts. | 2026-06-18 | 4.3 | CVE-2026-9199 |
| eventkoi–Event Koi Lite Events Calendar, Event Management, RSVP, and Tickets | The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs. | 2026-06-18 | 5.3 | CVE-2026-10029 |
| Extend Themes–Skyline WP | Cross-Site request forgery (CSRF) vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery. This issue affects Skyline WP: from n/a through 1.0.10. | 2026-06-17 | 4.3 | CVE-2024-34810 |
| F5–NGINX Gateway Fabric | When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-06-17 | 6.5 | CVE-2026-32682 |
| F5–NGINX Open Source | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-06-17 | 4.8 | CVE-2026-48142 |
| fduflyer–DroneAware-Node-Releases | DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim’s email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable. | 2026-06-17 | 6.8 | CVE-2026-48117 |
| fireplugins–FireBox Popups Increase Sales and Grow Your Email List | The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the ‘form_id’ parameter. This makes it possible for unauthenticated attackers to extract download a full CSV export of all form submissions – including any personally identifiable information submitted by users – for any arbitrary form_id. | 2026-06-18 | 5.3 | CVE-2026-12120 |
| Flowise–Flowise | Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe src=”javascript:alert(document.cookie)”>) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim’s browser, enabling theft of cookies and session data. | 2026-06-20 | 6.1 | CVE-2025-71331 |
| FlowiseAI–Flowise | A vulnerability was determined in FlowiseAI Flowise up to 3.1.2. The impacted element is an unknown function of the file packages/components/nodes/documentloaders/S3/S3.ts of the component S3 Document Loader. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12821 |
| FluxBuilder–MStore API | Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4. | 2026-06-17 | 6.5 | CVE-2026-54817 |
| FolioVision–FV Flowplayer Video Player | Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions. | 2026-06-15 | 6.5 | CVE-2026-49773 |
| geoserver–org.geoserver.web:gs-web-app | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability. | 2026-06-18 | 6.5 | CVE-2025-58175 |
| gitroomhq–postiz-app | Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token’s claims, without verifying the token’s intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller’s own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan’s limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker’s own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8. | 2026-06-16 | 4.8 | CVE-2026-48783 |
| GNOME–Evolution Data Server | A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files. | 2026-06-16 | 5.6 | CVE-2026-2604 |
| Government Accountability Office–Electronic Protest Docketing System (EPDS) | The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the ‘update-profile/’ API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary ‘user_id’ parameter and receive a JSON response containing account-specific information, including the associated email address. | 2026-06-18 | 5.3 | CVE-2026-54105 |
| Government Accountability Office–Electronic Protest Docketing System (EPDS) | The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in. | 2026-06-18 | 4.7 | CVE-2026-54106 |
| Grafana–Enterprise Traces (GET) | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service. | 2026-06-19 | 6.5 | CVE-2026-27878 |
| Greg Winiarski–WPAdverts | Unauthenticated Broken Access Control in WPAdverts <= 2.3.0 versions. | 2026-06-15 | 6.5 | CVE-2026-40782 |
| Grit42–Grit | A vulnerability was identified in Grit42 Grit up to 0.11.0. This issue affects the function Grit::Assays::DataTableEntity of the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 6.3 | CVE-2026-12206 |
| Groundhogg–Groundhogg | Subscriber Broken Access Control in Groundhogg < 4.4.1 versions. | 2026-06-15 | 6.5 | CVE-2026-40793 |
| Hackplayers–evil-winrm | Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem command output that are passed unsanitized to File.join(). Attackers controlling the remote server can exploit this to overwrite sensitive client-side files such as SSH authorized_keys or shell configuration files, achieving persistent access or privilege escalation on the client machine. | 2026-06-17 | 6.8 | CVE-2026-55201 |
| harttle–liquidjs | LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a n or r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <imgnsrc=xnonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. Exploitation is possible for applications that both render attacker-controlled strings via {{ x | strip_html }} to defend against HTML injection and do not separately HTML-escape that output (default behavior – outputEscape is unset by default). This issue has been fixed in version 10.26.0. | 2026-06-17 | 6.1 | CVE-2026-44644 |
| harttle–liquidjs | LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that “mitigates this by limiting the time consumed by each render() call.” The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0. | 2026-06-17 | 6.5 | CVE-2026-44645 |
| harttle–liquidjs | LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a child Context for the {% render %} tag but does not propagate the parent context’s resolved ownPropertyOnly value, resulting in a silent bypass. The new context re-derives ownPropertyOnly from opts.ownPropertyOnly (the instance-level option), silently discarding any RenderOptions.ownPropertyOnly override that was supplied to parseAndRender(). As a result, a developer who runs a Liquid instance with the backwards-compatible ownPropertyOnly:false and then locks down an untrusted render with parseAndRender(…, { ownPropertyOnly: true }) still leaks prototype-chain properties from inside any {% render %} partial. This is a distinct exploit surface from the previously identified array-filter variants (where, reject, group_by, find, find_index, has) – the underlying root cause in Context.spawn() is shared, but {% render %} is a separately reachable sink that needs no filter usage. This issue has been fixed in version 10.26.0. | 2026-06-17 | 5.3 | CVE-2026-44646 |
| hashgraph–guardian | Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load. | 2026-06-18 | 4.8 | CVE-2026-22674 |
| hcengineering–Huly Platform | A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 4.3 | CVE-2026-12212 |
| hcengineering–Huly Platform | A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 4.3 | CVE-2026-12213 |
| HCL Software–ZIE | HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code | 2026-06-17 | 4.3 | CVE-2025-59872 |
| HCLSoftware–Verse for Android | The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android’s rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations. | 2026-06-19 | 6.3 | CVE-2026-21768 |
| henrikmelin–More Fields | WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint. | 2026-06-15 | 5.3 | CVE-2016-20083 |
| Henrique Dias–IMDb Profile Widget | WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data. | 2026-06-15 | 6.2 | CVE-2016-20078 |
| HKUDS–AI-Trader | A vulnerability was found in HKUDS AI-Trader up to 74caf996f78dcc0c657df8365c8544678a16e215. This affects an unknown part of the file /api/research/agents.csv of the component Research Export. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65. Applying a patch is the recommended action to fix this issue. The vendor confirms: “Research export endpoints now require an authenticated agent with the research_exports capability”. | 2026-06-15 | 5.3 | CVE-2026-12203 |
| ILIAS–Learning Management System | A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument troup_table_nav leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 4.7 | CVE-2026-12789 |
| info@welcart–Welcart e-Commerce | Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions. | 2026-06-15 | 6.5 | CVE-2026-49775 |
| Inisev–Social Media & Share Icons | : Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6. | 2026-06-17 | 4.3 | CVE-2024-31435 |
| IObit–Malware Fighter | A flaw has been found in IObit Malware Fighter up to 13.2.0. Affected by this vulnerability is an unknown functionality of the component DLL Handler. This manipulation causes permission issues. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 5.3 | CVE-2026-12201 |
| Iqonic Design–KiviCare | Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions. | 2026-06-15 | 6.3 | CVE-2026-40792 |
| j_3rk–Video Conferencing with Zoom | The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site’s Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation. | 2026-06-16 | 5.3 | CVE-2026-6964 |
| jamie–Dharma Booking | WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files. | 2026-06-15 | 6.2 | CVE-2016-20079 |
| Jegstudio–Startupzy | Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Startupzy: from n/a through 1.1.1. | 2026-06-17 | 4.3 | CVE-2024-33685 |
| Jetmonsters–JetFormBuilder | Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 versions. | 2026-06-17 | 6.8 | CVE-2026-54196 |
| jgwhite33–WP Google Review Slider | Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions. | 2026-06-15 | 6.3 | CVE-2026-39451 |
| Joomtech–Easy Shop | Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files. | 2026-06-19 | 6.2 | CVE-2019-25760 |
| jsonata-js–jsonata | A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 5.3 | CVE-2026-12208 |
| Jthemes–Genemy | Subscriber Broken Access Control in Genemy <= 1.6.6 versions. | 2026-06-16 | 6.5 | CVE-2025-69137 |
| juice-shop–multi-juicer | MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because that content type does not trigger a CORS preflight, an attacker could host a cross-site HTML form that auto-submits to the endpoint and forces a victim’s browser to log in as the attacker’s team. A successful, undetected attacker can cause victims to unwittingly solve Juice Shop challenges under the attacker’s team identity. In a CTF context this lets the attacker inflate their team’s score using other players’ activity, and any sensitive data the victim enters into “their” Juice Shop ends up in the attacker’s instance. The vulnerability is exploitable without any prior authentication; the victim only needs to visit a page the attacker controls while having network access to the MultiJuicer deployment. SameSite=Strict on the session cookie does not mitigate this, because the attack plants a new cookie rather than relying on an existing one. This issue was fixed in version 10.0.1. | 2026-06-15 | 4.3 | CVE-2026-48518 |
| KaymeePhotography–Photocart Link | WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the ‘id’ parameter to the decode.php endpoint to retrieve sensitive files like wp-config.php containing database credentials and configuration data. | 2026-06-15 | 6.2 | CVE-2016-20077 |
| kestra-io–kestra | Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue. | 2026-06-19 | 6.5 | CVE-2026-48129 |
| King Addons–King Addons for Elementor | Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions. | 2026-06-15 | 6.5 | CVE-2026-48870 |
| Kludex–starlette | Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(…) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(…) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0. | 2026-06-17 | 5.3 | CVE-2026-48817 |
| kortix-ai–suna | A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file apps/frontend/src/app/auth/page.tsx of the component Auth Endpoint. Executing a manipulation of the argument returnURL can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.8.39 can resolve this issue. This patch is called f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c. It is advisable to upgrade the affected component. The researcher explains: “The issue was fixed in v0.8.39 without notifying the wider user base via a security disclosure.” | 2026-06-21 | 4.3 | CVE-2026-12811 |
| langchain-ai–langchain-ai | LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to address a different resource (and potentially a different resource type) than the SDK method’s call site indicates. In deployments where the SDK receives identifier values that originate from untrusted sources, this could result in unintended access, modification, or deletion of resources beyond the calling user’s authorization scope. This issue is most consequential in deployments that forward end-user-supplied values directly into SDK identifier parameters without first validating them against an expected format (such as a UUID), and rely on URL-prefix-based authorization at an upstream layer (reverse proxy, edge gateway, WAF), where the authorization decision is made on the SDK call’s intended path rather than on the final delivered request path. The issue has been fixed in version 0.3.15. | 2026-06-16 | 4.2 | CVE-2026-48776 |
| langchain-ai–langgraph | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning “checkpoint-store write access” into code execution in the application runtime. This issue has been fixed in version 4.1.1. | 2026-06-16 | 6.8 | CVE-2026-48775 |
| langflow-ai–langflow | A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 5.3 | CVE-2026-12822 |
| leejet–stable-diffusion.cpp | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds reads error through PyTorch checkpoint pickle opcode parsing. The pickle .ckpt parser in src/model.cpp did not consistently check that enough input remained before reading opcode arguments or advancing the parser buffer with a crafted or truncated .ckpt file. Throughout the pickle parser, opcode handlers advanced the parser position with expressions such as buffer += N without first checking that buffer + N <= buffer_end. A truncated file could therefore cause reads past the end of the metadata buffer. LibFuzzer found crashes in under one second using malformed checkpoint inputs. Any application using affected stable-diffusion.cpp releases to load untrusted .ckpt model files could be vulnerable. The attack requires the victim or application to load a .ckpt file from an untrusted source, such as a downloaded model from a model sharing site. This issue has been fixed in version master-584-0a7ae07. If developers are unable to immediately update their applications, they can work around this issue by ensuring they do not load .ckpt checkpoint files from untrusted sources. They should prefer trusted model sources and safer formats such as .safetensors where possible. | 2026-06-16 | 5.5 | CVE-2026-47748 |
| leethompson–Lazy Content Slider Plugin | WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count. | 2026-06-15 | 4.3 | CVE-2016-20074 |
| legalweb–WP DSGVO Tools (GDPR) | The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an arbitrary victim email address and trigger immediate SAR processing via the process_now and is_ajax parameters, receiving tokenized download links (zip_link, pdf_link) in the HTTP response that expose the victim’s personal data – including WordPress account details, comment author names, email addresses, IP addresses, and comment content – without any proof of ownership. The nonce used for the CSRF check is publicly rendered by the SAR shortcode form and is shared across all anonymous visitors, meaning any unauthenticated attacker can trivially obtain a valid nonce and bypass this gate entirely. | 2026-06-19 | 5.3 | CVE-2026-10034 |
| lemonldap-ng–lemonldap-ng | A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 4.3 | CVE-2026-12804 |
| libexpat project–libexpat | In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers. | 2026-06-19 | 6.9 | CVE-2026-56132 |
| libexpat project–libexpat | libexpat before 2.8.2 has an integer overflow in storeAtts. | 2026-06-21 | 6.9 | CVE-2026-56403 |
| libexpat project–libexpat | libexpat before 2.8.2 has an integer overflow in addBinding. | 2026-06-21 | 6.9 | CVE-2026-56404 |
| libexpat project–libexpat | libexpat before 2.8.2 has an integer overflow in getAttributeId. | 2026-06-21 | 6.9 | CVE-2026-56405 |
| libexpat project–libexpat | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. | 2026-06-21 | 6.9 | CVE-2026-56406 |
| libexpat project–libexpat | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. | 2026-06-21 | 6.9 | CVE-2026-56407 |
| libexpat project–libexpat | libexpat before 2.8.2 has an integer overflow in copyString. | 2026-06-21 | 6.9 | CVE-2026-56408 |
| libexpat project–libexpat | xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. | 2026-06-21 | 6.5 | CVE-2026-56409 |
| libexpat project–libexpat | xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. | 2026-06-21 | 6.9 | CVE-2026-56410 |
| libexpat project–libexpat | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. | 2026-06-21 | 6.9 | CVE-2026-56411 |
| libexpat project–libexpat | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation). | 2026-06-19 | 4.9 | CVE-2026-56131 |
| libexpat project–libexpat | libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219. | 2026-06-21 | 4.9 | CVE-2026-56412 |
| libssh2–libssh2 | libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation. | 2026-06-18 | 6.5 | CVE-2025-15661 |
| libssh2–libssh2 | libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops. | 2026-06-17 | 5.9 | CVE-2026-55199 |
| Liquid Web / StellarWP–Event Tickets | Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions. | 2026-06-15 | 6.5 | CVE-2026-42662 |
| liseperu–Elizaibots | Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions. | 2026-06-15 | 6.5 | CVE-2025-15659 |
| lsegal–yard | YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD’s static cache lookup reads a request path before the router’s path cleanup runs. When a server is configured with a document root, a traversal path such as `/../yard-cache-secret.html` is joined against that root and can return a readable sibling `.html` file outside the intended static tree. Version 0.9.44 patches the issue. | 2026-06-19 | 5.3 | CVE-2026-49342 |
| Mamunur Rashid–Classified Listing | Unauthenticated Broken Access Control in Classified Listing <= 5.3.8 versions. | 2026-06-15 | 6.5 | CVE-2026-42640 |
| Mamunur Rashid–Classified Listing | Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions. | 2026-06-15 | 6.3 | CVE-2026-42651 |
| marimo-team–marimo | marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim’s marimo server. | 2026-06-17 | 6.1 | CVE-2026-54386 |
| markdown-it–markdown-it | markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0. | 2026-06-17 | 5.3 | CVE-2026-48988 |
| MarketingFire–Widget Options | Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data. This issue affects Widget Options: from n/a through 4.0.1. | 2026-06-17 | 6.5 | CVE-2024-35690 |
| Mattermost–Mattermost | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651 | 2026-06-15 | 6.3 | CVE-2026-6517 |
| Mattermost–Mattermost | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652 | 2026-06-15 | 6.5 | CVE-2026-8683 |
| mbis–Permalink Manager Lite | The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page. | 2026-06-17 | 6.4 | CVE-2026-8494 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, getenv() environment variables XRDP_SESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or remote, and a PAM module that runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2. | 2026-06-18 | 6.3 | CVE-2026-48980 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE), potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Since pam_usb.conf is root-owned, direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts (sudo, su). This issue has been fixed in version 0.9.2. | 2026-06-18 | 6.7 | CVE-2026-48981 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, when updating a one-time pad file, a temporary file is created using open() without the O_EXCL flag. Without O_EXCL, the create operation is not atomic: two concurrent processes racing to update the same pad may both succeed in opening the file, with the second write silently overwriting the first. The one-time pad is the core replay-prevention mechanism of pam_usb. A successful race could result in the stored pad value diverging from what either process expected, potentially causing authentication failures or, in a precisely timed attack, creating a window for pad reuse. This issue has been fixed in version 0.9.2. | 2026-06-18 | 5.8 | CVE-2026-48982 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it calls lstat() to test for existence and then calls mkdir() separately to create the directory. A local attacker can win the race between these calls by replacing the target path with a symlink to a directory they control. If successful, one-time pad files may be written to an attacker-controlled location, potentially exposing future pad values before use or disrupting authentication. This issue has been fixed in version 0.9.2. | 2026-06-18 | 5.8 | CVE-2026-48983 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, “n”, &saveptr) returns NULL. A subsequent strcmp(is_remote, “no”) then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2. | 2026-06-18 | 5.5 | CVE-2026-48985 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data – including one-time pad bytes read from disk – without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper). | 2026-06-18 | 4.7 | CVE-2026-48984 |
| mcdope–pam_usb | pam_usb provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, usb_get_process_parent_id() can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused as input and output in a process-tree while loop; if /proc/<pid>/stat cannot be read (for example, when an ancestor process exits during authentication), the PID is not updated and the loop does not terminate. This hangs the authenticating process (such as sudo, sshd, or login) until it is forcibly terminated. This issue has been fixed in version 0.9.2. | 2026-06-18 | 4.7 | CVE-2026-48986 |
| medkey-org–medkey | A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file appmodulesmedicalportrestcontrollersPatientController.php of the component HTTP REST API. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 4.3 | CVE-2026-12207 |
| Microsoft–GitHub Copilot Chat | Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network. | 2026-06-19 | 6.5 | CVE-2026-50519 |
| Microsoft–Microsoft 365 Copilot | Improper neutralization of special elements used in a command (‘command injection’) in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. | 2026-06-19 | 6.5 | CVE-2026-42895 |
| mohammadtanzilurrahman–Static Block | The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied ‘id’ attribute and outputting its post_content without verifying the post’s status (private, draft, pending) or the requesting user’s capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id=”X”] shortcode in their own content and previewing it. | 2026-06-16 | 4.3 | CVE-2026-10780 |
| Mojoomla–School Management | Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions. | 2026-06-17 | 5.3 | CVE-2025-15657 |
| mojoomla–WPAMS | Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions. | 2026-06-16 | 6.5 | CVE-2026-39433 |
| Montodel–House-Rental-Management | A flaw has been found in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. This affects an unknown part of the file /index.php?page=houses. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12776 |
| mra13 / Team Tips and Tricks HQ–Stripe Payments | Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions. | 2026-06-15 | 6.5 | CVE-2026-42752 |
| multer–multer | Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path. Workarounds: None. | 2026-06-15 | 5.3 | CVE-2026-5038 |
| myCred–Bookify | Subscriber Broken Access Control in Bookify <= 1.1.1 versions. | 2026-06-15 | 6.5 | CVE-2025-69332 |
| myCred–myCred | Subscriber Broken Access Control in myCred <= 3.0.3 versions. | 2026-06-15 | 6.5 | CVE-2026-40794 |
| Nasir Ahmed–Advanced Form Integration | Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions. | 2026-06-15 | 6.5 | CVE-2026-42659 |
| nesquena–hermes-webui | Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET /api/session?session_id=<foreign_id>&messages=1 to retrieve unauthorized conversation transcripts and metadata. | 2026-06-17 | 6.5 | CVE-2026-55197 |
| nesquena–hermes-webui | Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, enabling attackers to exfiltrate foreign session transcripts by guessing or knowing session identifiers. | 2026-06-17 | 6.5 | CVE-2026-55198 |
| nesquena–hermes-webui | Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and thread resources, potentially triggering repeated outbound device-code requests to upstream OAuth providers. | 2026-06-18 | 5.3 | CVE-2026-55205 |
| NI–grpc-device | There is an unchecked enum cast vulnerability in NI grpc-device BeginSidebandStream that may allow an attacker to trigger invalid enum states and undefined behavior, potentially resulting in a denial of service. Successful exploitation requires an attacker to supply a specially crafted message containing an out-of-range value. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 6.5 | CVE-2026-48140 |
| NI–grpc-device | There is a memory leak in NI grpc-device BeginSidebandStream that may result in denial of service due to memory exhaustion. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 5.3 | CVE-2026-48141 |
| nilfs-dev–nilfs-utils | NILFS utilities through 2.3.0, fixed in commit 26efb5d, nilfs_sb_is_valid() function fails to validate s_log_block_size field in NILFS2 superblock before bit-shift operations. Attackers supplying crafted NILFS2 images trigger undefined behavior through oversized shifts or out-of-memory conditions, crashing tools like nilfs-tune and dumpseg. | 2026-06-18 | 5.5 | CVE-2026-55392 |
| NousResearch–hermes-agent | Hermes Agent before 0.16.0 creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644), exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including conversation history, tool payloads, prompts, and per-route HMAC secrets. | 2026-06-17 | 5.5 | CVE-2026-53870 |
| OceanWP–Ocean Product Sharing | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in OceanWP Ocean Product Sharing allows Stored XSS. This issue affects Ocean Product Sharing: from n/a through 2.2.2. | 2026-06-18 | 5.9 | CVE-2026-56007 |
| OFFIS–DCMTK | A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-06-21 | 6.3 | CVE-2026-12805 |
| ollybach–WPPizza | Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions. | 2026-06-15 | 6.5 | CVE-2026-40796 |
| OpenBSD–OpenBSD | sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths. | 2026-06-17 | 5.8 | CVE-2026-55706 |
| openbsd–src | OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set. | 2026-06-18 | 5.3 | CVE-2026-56099 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link. | 2026-06-16 | 6.1 | CVE-2026-53841 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session. | 2026-06-16 | 6.5 | CVE-2026-53844 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls. | 2026-06-16 | 6.5 | CVE-2026-53854 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies. | 2026-06-16 | 6.5 | CVE-2026-53859 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration. | 2026-06-16 | 6.6 | CVE-2026-53861 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope. | 2026-06-16 | 5.4 | CVE-2026-53847 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels. | 2026-06-16 | 5.5 | CVE-2026-53850 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input. | 2026-06-16 | 5.3 | CVE-2026-53851 |
| OpenClaw–OpenClaw | OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access. | 2026-06-16 | 5.4 | CVE-2026-53852 |
| OpenClaw–OpenClaw | OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file. | 2026-06-16 | 5.5 | CVE-2026-53856 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms. | 2026-06-16 | 4.3 | CVE-2026-53845 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations. | 2026-06-16 | 4.3 | CVE-2026-53848 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls. | 2026-06-16 | 4.2 | CVE-2026-53860 |
| OpenClaw–OpenClaw | OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits. | 2026-06-16 | 4.2 | CVE-2026-53862 |
| OpenStack–Horizon | OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability. | 2026-06-17 | 6 | CVE-2026-55748 |
| OpenStack–Nova | In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation. | 2026-06-16 | 5.4 | CVE-2026-46448 |
| OPMC–WooCommerce Anti-Fraud | Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions. | 2026-06-17 | 6.5 | CVE-2026-49072 |
| OPMC–WooCommerce Dropshipping | Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions. | 2026-06-17 | 6.5 | CVE-2026-49071 |
| optimole–Optimole Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization | The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file function. This makes it possible for unauthenticated attackers to overwrite existing media attachments with attacker-supplied file content by supplying a forged multipart POST request targeting any attachment the victim has edit_post capability over via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The forged request requires a victim with at least Author-level privileges, as the handler enforces a current_user_can(‘edit_post’, $id) check; tricking an Author-level or higher user into clicking a crafted link is sufficient to trigger the overwrite against attachments that user can edit. | 2026-06-18 | 4.3 | CVE-2026-11784 |
| Oracle Corporation–Identity Manager | Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: End User Self Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Identity Manager accessible data as well as unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-06-16 | 6.5 | CVE-2026-46810 |
| Oracle Corporation–MySQL Shell | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Dump and Load). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). | 2026-06-16 | 6.5 | CVE-2026-46869 |
| Oracle Corporation–MySQL Shell | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Shell. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-06-16 | 6.5 | CVE-2026-46871 |
| Oracle Corporation–Oracle Access Manager | Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-06-16 | 6.5 | CVE-2026-35261 |
| Oracle Corporation–Oracle Access Manager | Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-06-16 | 6.1 | CVE-2026-46812 |
| Oracle Corporation–Oracle Application Development Framework (ADF) | Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Development Framework (ADF), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data as well as unauthorized read access to a subset of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-06-16 | 6.1 | CVE-2026-46770 |
| Oracle Corporation–Oracle Application Development Framework (ADF) | Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Java Business Objects). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N). | 2026-06-16 | 4.1 | CVE-2026-46771 |
| Oracle Corporation–Oracle Application Development Framework (ADF) | Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N). | 2026-06-16 | 4.7 | CVE-2026-46772 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H). | 2026-06-16 | 6 | CVE-2026-46768 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N). | 2026-06-16 | 6 | CVE-2026-46825 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-06-16 | 6 | CVE-2026-46877 |
| Oracle Corporation–Oracle WebCenter Content | Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-06-16 | 5.3 | CVE-2026-46790 |
| Oracle Corporation–PeopleSoft Enterprise CS Campus Community | Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Integration and Interfaces). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Campus Community accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Campus Community accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). | 2026-06-16 | 6.5 | CVE-2026-46979 |
| Oracle Corporation–WebLogic Server | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2026-06-16 | 6.6 | CVE-2026-35291 |
| pgadmin.org–pgAdmin 4 | Open redirect in pgAdmin 4’s multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied ‘next’ query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> — a link typically delivered by phishing — would be sent to an attacker-controlled host directly out of the trusted auth flow. The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim’s database, but the redirect launders the attacker’s destination through pgAdmin’s URL, which raises the success rate of credential-phishing follow-on against the victim. Fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied ‘next’ values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC. This issue affects pgAdmin 4: from 6.0 before 9.16. | 2026-06-18 | 4.3 | CVE-2026-12049 |
| pgadmin.org–pgAdmin 4 | SQL injection in pgAdmin 4’s named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied ‘value’ field was interpolated directly into the SQL string with str.format() instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected PostgreSQL session to inject additional statements through that endpoint. The injected SQL executes under the database role the user is already authenticated as. The defect does not cross a privilege boundary — the user already has direct SQL access to that role through the Query Tool — so the attacker gains no capability beyond what their database role already grants them. The marginal impact accounts for the fact that the injection path is not the documented SQL-execution interface, so a deployment that gates the Query Tool at the application layer could see SQL executed through a path it did not anticipate. Fix passes the restore point name as a bound parameter and schema-qualifies the function call as pg_catalog.pg_create_restore_point so a non-default search_path on the connection cannot redirect the call to a shadow definition. A regression test asserts the value arrives as a bound parameter and not spliced into the SQL string. This issue affects pgAdmin 4: from 1.0 before 9.16. | 2026-06-18 | 4.3 | CVE-2026-12050 |
| phppoet–SysBasics Customize My Account for WooCommerce Dashboard, Endpoints, Avatar & Menu Manager | The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sysbasics_user_avatar’ shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-18 | 6.4 | CVE-2026-12136 |
| phppoet–SysBasics Customize My Account for WooCommerce Dashboard, Endpoints, Avatar & Menu Manager | The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher. | 2026-06-18 | 6.1 | CVE-2026-12137 |
| picklescan–picklescan | picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption. | 2026-06-20 | 6.5 | CVE-2026-56304 |
| pontedilana–php-weasyprint | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(…, FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/…`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue. | 2026-06-19 | 6.5 | CVE-2026-49359 |
| PraisonAI–PraisonAI | PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger instances and expose system prompts and conversation history between agents. | 2026-06-18 | 6.5 | CVE-2026-56077 |
| PraisonAI–PraisonAI | PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent. | 2026-06-18 | 5.5 | CVE-2026-56074 |
| pressprimer–PressPrimer Quiz AI Quiz Maker, Exam Builder & LMS Assessment Plugin | The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the ‘rule_id’ parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with custom-level access and above, to modify or delete quiz rules belonging to other teachers, resulting in unauthorized tampering of another user’s quiz structure. | 2026-06-18 | 4.3 | CVE-2026-10623 |
| properfraction–ProfilePress | Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions. | 2026-06-15 | 6.5 | CVE-2026-41556 |
| purethemes–WorkScout-Core | Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 1.7.11 versions. | 2026-06-17 | 6.5 | CVE-2026-52716 |
| pydantic–pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download=’allow-local’ (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3. | 2026-06-16 | 6.8 | CVE-2026-48782 |
| Rain-Task Ltd.–WPBakery Page Builder | Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions. | 2026-06-17 | 6.5 | CVE-2026-45436 |
| Rank Math SEO–Rank Math SEO | Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions. | 2026-06-15 | 6.5 | CVE-2026-34892 |
| Rara Themes–Metro Magazine | Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1. | 2026-06-16 | 6.5 | CVE-2026-40809 |
| Rara Themes–Metro Magazine | Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7. | 2026-06-17 | 4.3 | CVE-2024-37496 |
| Really Simple Plugins B.V.–Really Simple SSL | Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. | 2026-06-15 | 6.5 | CVE-2026-48969 |
| Red Hat–Red Hat AI Inference Server | A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data. | 2026-06-17 | 4.8 | CVE-2026-12491 |
| Red Hat–Red Hat Ansible Automation Platform 2 | A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template’s webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT. | 2026-06-19 | 6.3 | CVE-2026-12726 |
| Red Hat–Red Hat Ansible Automation Platform 2.7 | A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data. | 2026-06-15 | 5.3 | CVE-2026-44188 |
| Red Hat–Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash). | 2026-06-18 | 5 | CVE-2026-11791 |
| Red Hat–Red Hat Directory Server 11 | A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process. | 2026-06-17 | 5.4 | CVE-2026-12528 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path. | 2026-06-16 | 6.6 | CVE-2026-42014 |
| Red Hat–Red Hat Enterprise Linux 10 | A denial of service vulnerability was found in GStreamer’s AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash. | 2026-06-15 | 6.5 | CVE-2026-52718 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a read of unmapped memory. In some cases, it could also lead to information disclosure by reading visible heap data. | 2026-06-16 | 5.6 | CVE-2026-1764 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners). This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3 file, leading to a Denial of Service (DoS) where the application crashes. It may also potentially expose sensitive information from the system’s memory. | 2026-06-16 | 5.6 | CVE-2026-1765 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory. | 2026-06-16 | 5.6 | CVE-2026-1766 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This incorrect length calculation during the parsing of performer tags can lead to a read beyond the allocated buffer, potentially causing a Denial of Service (DoS) due to a crash or enabling information disclosure. | 2026-06-16 | 5.6 | CVE-2026-1767 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file’s end, leading to application crashes and Denial of Service conditions. | 2026-06-16 | 5.5 | CVE-2026-4367 |
| Red Hat–Red Hat Enterprise Linux 10 | Multiple out-of-bounds read vulnerabilities were found in GStreamer’s pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure. | 2026-06-15 | 5.3 | CVE-2026-52721 |
| Red Hat–Red Hat Enterprise Linux AI (RHEL AI) 3 | A use-after-free vulnerability was found in FFmpeg’s RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash). | 2026-06-19 | 6.5 | CVE-2026-12706 |
| Red Hat–Red Hat Hardened Images | A flaw was found in Katello’s of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content. | 2026-06-17 | 4.3 | CVE-2026-12515 |
| RelyWP–Simple Cloudflare Turnstile | Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions. | 2026-06-15 | 5.8 | CVE-2026-40799 |
| rewish–WP Emmet | Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions. | 2026-06-15 | 5.9 | CVE-2025-15658 |
| rocklobsterinc–Bogo | The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site’s default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content. | 2026-06-19 | 4.3 | CVE-2026-9013 |
| rometheme–RTMKit | The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter. | 2026-06-16 | 6.5 | CVE-2026-5149 |
| rtCamp Inc.–rtMedia for WordPress, BuddyPress and bbPress | Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress <= 4.7.9 versions. | 2026-06-15 | 6.5 | CVE-2026-40773 |
| RubyLouvre–avalon | A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 5.3 | CVE-2026-12209 |
| runtipi–runtipi | Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0. | 2026-06-16 | 6.5 | CVE-2026-47277 |
| Saad Iqbal–WP EasyPay | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery. This issue affects WP EasyPay: from n/a through 4.4.0. | 2026-06-18 | 6.5 | CVE-2026-56024 |
| saadiqbal–Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program myCred | The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘wrap’ Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-17 | 6.4 | CVE-2026-8607 |
| sc Internet Vivoo–WpStream | Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions. | 2026-06-15 | 5.4 | CVE-2026-39527 |
| shaarli–Shaarli | Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted into the DOM using innerHTML without proper sanitization. The issue originates from the interaction between the backend thumbnail update endpoint and the frontend JavaScript responsible for rendering update progress. On the backend, the ThumbnailsController::ajaxUpdate method returns bookmark data formatted using the ‘raw’ formatter. This includes the unescaped bookmark title in the JSON response. On the client side, the script thumbnails-update.js processes this AJAX response and dynamically updates the progress interface. Administrators using the thumbnail synchronization feature are affected and exploitation could lead to session hijacking, privilege escalation, backdoor injection and full compromise. This issue has been fixed in version 0.16.2. | 2026-06-17 | 5.8 | CVE-2026-48821 |
| shaarli–Shaarli | Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used in the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php.This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]((.*?))#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references and as a result, an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2. | 2026-06-17 | 5.8 | CVE-2026-48822 |
| shaarli–Shaarli | Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the tag filtering functionality of Shaarli. An authenticated user can inject arbitrary JavaScript into the tags field when creating a bookmark (Shaare). The malicious payload is stored and later executed when users interact with the “Filter by tag” search feature on the homepage. User-supplied input in the tags field is not properly sanitized or output-escaped before being rendered in the tag filtering interface. When a bookmark is created with a malicious payload inside the tag field, the payload is stored in the database. Later, when a user searches using the “Filter by tag” functionality on the homepage, the application renders matching tags dynamically. If the tag value contains HTML with JavaScript event handlers, it is injected into the DOM. This impacts anyone interacting with the “Filter by tag” search functionality, administrators and privileged users. This issue has been fixed in version 0.16.2. | 2026-06-17 | 4.8 | CVE-2026-48823 |
| Shareaholic–Shareaholic | Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shareaholic: from n/a through 9.7.11. | 2026-06-17 | 4.3 | CVE-2024-24709 |
| slimphp–Slim | Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. “No products found matching ‘{$query}’.”), an attacker could inject arbitrary HTML/JavaScript that executes in the victim’s browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type. | 2026-06-15 | 6.1 | CVE-2026-48157 |
| Splunk–Splunk AI Toolkit | In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the “admin” or “power” Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration. The vulnerability exists because of an insecure default domain allowlist in the Splunk AI Toolkit, which does not restrict outbound AI agent requests to approved external domains. | 2026-06-17 | 4.3 | CVE-2026-20265 |
| statamic–cms | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don’t have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0. | 2026-06-19 | 4.3 | CVE-2026-49288 |
| SteeltoeOSS–Steeltoe.Configuration.Abstractions | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode `0400` in `/proc/<pid>/environ`. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to `/tmp`. | 2026-06-17 | 4.7 | CVE-2026-50267 |
| SteeltoeOSS–Steeltoe.Management.Endpoint | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mappeds to Cloud Foundry’s `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to `EndpointPermissions.Full`, so CF’s `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot’s equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible, explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`; and/or if heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`. | 2026-06-17 | 6.5 | CVE-2026-50201 |
| SteeltoeOSS–Steeltoe.Security.Authentication.CloudFoundryBase | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect prior to version 4.2.0, the JWT signing key cache in `TokenKeyResolver` uses `kid` as the sole cache key without namespacing by authority. In applications with multiple `JwtBearer` schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally, cached keys have no expiration, so rotated or revoked keys remain trusted until the application process restarts. Steeltoe.Security.Authentication.CloudFoundryBase version 3.4.0, Steeltoe.Security.Authentication.JwtBearer version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect version 4.2.0 patch the issue. If an immediate upgrade is not possible: In multi-scheme deployments, configure only one `JwtBearer` scheme per application when different identity providers are required; and/or restart the application process after an identity provider signing key rotation to clear stale cached keys. | 2026-06-17 | 5.9 | CVE-2026-50202 |
| stellarwp–Kadence Blocks Page Builder Toolkit for Gutenberg Editor | The Kadence Blocks – Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site’s connected Kadence account license key, license owner email, api_key, api_email, and license domain from the browser console by inspecting window.kadence_blocks_params.proData. Exploitation requires only that an administrator has previously connected a valid Kadence license; the full credential bundle is then readable by any Contributor-level user from the block editor client context without any server-side request manipulation. | 2026-06-18 | 4.3 | CVE-2026-11357 |
| strablengineering–STRABL A checkout solution | The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees – all without making a legitimate payment or having any valid credentials. | 2026-06-19 | 5.3 | CVE-2026-3640 |
| strukturag–libde265 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue. | 2026-06-19 | 4.3 | CVE-2026-49337 |
| strukturag–libheif | libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue. | 2026-06-19 | 6.5 | CVE-2026-49271 |
| StylemixThemes–MasterStudy LMS Pro | Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16. | 2026-06-15 | 6.5 | CVE-2025-64215 |
| StylemixThemes–Motors | Subscriber Broken Access Control in Motors < 1.4.107 versions. | 2026-06-15 | 6.5 | CVE-2026-39515 |
| SUSE–libzypp | A path traversal in handling the “path” component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19 could be used by attackers to fill directories on the system outside of the zypp cache with content. | 2026-06-18 | 6.5 | CVE-2026-44942 |
| svaarala–duktape | A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 5.3 | CVE-2026-12216 |
| teamwsa–Woosa Marktplaats for WooCommerce | The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the render_logs_ui() function, which accepts a base64-encoded file name from the ‘log_file’ GET parameter and concatenates it directly with the plugin’s log directory path without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers, with Administrator-level access, to read the contents of arbitrary files on the server, including wp-config. | 2026-06-19 | 4.9 | CVE-2026-7547 |
| techlabpro1–Classified Listing AI-Powered Classified ads & Business Directory | The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own. | 2026-06-19 | 4.3 | CVE-2026-10779 |
| Themefic–Ultra Addons for WPForms | Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. | 2026-06-15 | 6.4 | CVE-2026-39594 |
| ThemeGrill–Masteriyo – LMS | Unauthenticated Broken Authentication in Masteriyo – LMS <= 2.1.8 versions. | 2026-06-15 | 6.5 | CVE-2026-42743 |
| themeisle–Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-06-18 | 4.4 | CVE-2026-11358 |
| Themeisle–WP Full Stripe Free | Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions. | 2026-06-15 | 6.5 | CVE-2026-42378 |
| Themeum–Tutor LMS | Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. | 2026-06-15 | 6.5 | CVE-2026-40743 |
| themeum–Tutor LMS eLearning and online course solution | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the ‘data’ parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-18 | 4.9 | CVE-2026-10736 |
| thorsten–phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() – which checks a shared API key header, rather than the individual user’s role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4. | 2026-06-18 | 6.5 | CVE-2026-49205 |
| TMS–Amelia | Subscriber Broken Access Control in Amelia <= 2.2 versions. | 2026-06-15 | 6.5 | CVE-2026-40795 |
| ts-deepmerge–ts-deepmerge | Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken – any string context operation throws a TypeError, crashing the application. | 2026-06-19 | 5.3 | CVE-2026-12644 |
| typemill–typemill | Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile() with an empty folder argument. Attackers can bypass traversal-prevention controls in Storage::getFolderPath() to access sensitive files. | 2026-06-17 | 6.5 | CVE-2026-49133 |
| undici–undici | Impact: Undici’s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=” authorization” or no-cache=”tauthorization”. The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored. In shared-cache mode, this allows a response containing one user’s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key. Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream. | 2026-06-17 | 5.9 | CVE-2026-9678 |
| undici–undici | Impact: undici’s cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application’s downstream response, enabling session fixation, open redirect, or cache poisoning. Affected applications are those that use undici’s cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header. This was introduced in undici 7.0.0 via PR #3789. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes. | 2026-06-17 | 5.9 | CVE-2026-9679 |
| universal-tool-calling-protocol–python-utcp | A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0. This affects an unknown function of the component utcp-gql/utcp-websocket. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 6.3 | CVE-2026-12210 |
| valhalla–valhalla | Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src=”…”> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication. | 2026-06-15 | 6.1 | CVE-2026-49294 |
| VeronaLabs–Slimstat Analytics | Unauthenticated Deserialization of untrusted data in Slimstat Analytics < 5.4.0 versions. | 2026-06-17 | 6.5 | CVE-2026-27410 |
| VeronaLabs–WP SMS | Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions. | 2026-06-15 | 6.5 | CVE-2026-40790 |
| virtio-snd device–virtio-snd device | An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition. | 2026-06-19 | 5.5 | CVE-2026-3196 |
| vllm–vllm | vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns – in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint – are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service. | 2026-06-20 | 4.3 | CVE-2025-71379 |
| vynnus–PopAd | Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions. | 2026-06-15 | 4.4 | CVE-2025-60175 |
| Wasiliy Strecker–Contest Gallery | Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions. | 2026-06-15 | 6.5 | CVE-2026-42656 |
| Wasiliy Strecker–Contest Gallery | Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions. | 2026-06-15 | 6.5 | CVE-2026-42657 |
| Wasiliy Strecker–Contest Gallery | Subscriber Sensitive Data Exposure in Contest Gallery <= 28.1.7 versions. | 2026-06-15 | 6.5 | CVE-2026-42660 |
| watchful–XCloner | Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions. | 2026-06-15 | 6.5 | CVE-2026-48965 |
| Webful Creations–RepairBuddy | Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions. | 2026-06-15 | 6.5 | CVE-2026-39584 |
| Webmin–Webmin | Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern. | 2026-06-18 | 5.3 | CVE-2026-56021 |
| Webmin–Webmin | Webmin accepts basic authentication without session cookies when an attacker provides the ‘User-Agent: webmin’ header, allowing bypass of additional MFA requirements. Fixed in 2.641. | 2026-06-18 | 5.3 | CVE-2026-56022 |
| webpack-dev-server–webpack-dev-server | Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server’s own HMR WebSocket and forwards it to the proxy target. This leaks the browser’s cookies and Origin header to the backend, bypasses the dev server’s Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required. | 2026-06-15 | 5.3 | CVE-2026-9595 |
| WishList Member–WishList Member X | Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions. | 2026-06-17 | 4.3 | CVE-2026-24575 |
| woocommerce–WooCommerce Stripe Payment Gateway | The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to “failed” via sequential order ID enumeration. | 2026-06-16 | 6.5 | CVE-2026-2381 |
| WP Chill–Download Monitor | Author Arbitrary File Download in Download Monitor <= 5.1.9 versions. | 2026-06-15 | 4.4 | CVE-2026-39489 |
| WP Chill–Modula Image Gallery | Subscriber Cross Site Scripting (XSS) in Modula Image Gallery <= 2.14.23 versions. | 2026-06-15 | 6.5 | CVE-2026-42688 |
| WP Engine–WP Migrate Lite | Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions. | 2026-06-15 | 4.7 | CVE-2026-49043 |
| wp.insider–Simple Membership | Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions. | 2026-06-15 | 6.5 | CVE-2026-42663 |
| wpcalc–Counter Box Add Countdowns, Timers & Dynamic Counters to WordPress | The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization is triggered automatically upon the post-import redirect that renders the list table, and again when any item is opened for editing, requiring no additional navigation beyond the import action itself. | 2026-06-17 | 6.6 | CVE-2026-12115 |
| WPDeveloper–Essential Addons for Elementor | Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions. | 2026-06-15 | 5.3 | CVE-2026-25440 |
| wpdevteam–BetterDocs AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot | The BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient input sanitization and output escaping in the CategorySlateLayout::render() method, which echoes the blockId block attribute directly into an HTML class attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-19 | 6.4 | CVE-2026-12157 |
| wpgmaps–WP Go Maps Google Map, OpenStreetMap, Leaflet Map | The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the ‘WPGMZA’ prefix) does not prevent exploitation because classes such as WPGMZAMap and WPGMZAMarker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request. | 2026-06-19 | 5.3 | CVE-2026-12238 |
| wpinsider-1–Simple Membership | The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim’s subscription ID, setting the target member’s account_state to ‘inactive’ and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected. | 2026-06-18 | 5.3 | CVE-2026-12093 |
| Wpmet–GetGenie | Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions. | 2026-06-16 | 6.5 | CVE-2026-54197 |
| WPMet–MetForm Pro | Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions. | 2026-06-17 | 4.3 | CVE-2026-24610 |
| wproyal–Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, ‘r’) on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes it possible for authenticated attackers, with Contributor-level access and above, to save a crafted wpr-data-table widget through Elementor’s save_builder endpoint and have the rendered preview return the line-by-line contents of any file readable by the PHP process, including wp-config.php. | 2026-06-19 | 6.5 | CVE-2026-8118 |
| WWBN–AVideo | AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions. | 2026-06-20 | 6.1 | CVE-2026-56347 |
| XianYuLauncher–XianYuLauncher | XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5. | 2026-06-17 | 5.5 | CVE-2026-48991 |
| Yealink–SIP-T46U | A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 6.3 | CVE-2026-12219 |
| Yealink–SIP-T46U | A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 5.5 | CVE-2026-12223 |
| Yoast BV–Yoast SEO Premium | Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6. | 2026-06-17 | 5.5 | CVE-2026-40722 |
| zealopensource–Abandoned Contact Form 7 | The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin’s own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. | 2026-06-16 | 5.3 | CVE-2026-9187 |
| zephyrproject–zephyr | On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() – arch_mem_domain_deinit(), the page tables are torn down and domain-arch.ptables is set to NULL, but the domain’s node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused. Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain-ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[…] and l2_table[…], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely. Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected. | 2026-06-16 | 6.3 | CVE-2026-10635 |
| zephyrproject–zephyr | subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack’s ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 ‘do not use pkt after that call’), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() – mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern. | 2026-06-16 | 5.9 | CVE-2026-10637 |
| zephyrproject–zephyr | subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data – net_if_tx) unreferences and may free the packet back to its memory slab before returning – synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface-stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c (“do not use pkt after that call”) and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4. | 2026-06-16 | 5.9 | CVE-2026-10638 |
| zephyrproject–zephyr | Zephyr’s native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection’s reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory – a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the ‘net conn’ network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0. | 2026-06-15 | 4.8 | CVE-2026-10634 |
| zephyrproject–zephyr | In Zephyr’s native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx – net_if_tx – L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref – k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract (‘the pkt might contain garbage already … do not use pkt after that call’). The post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer. The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input – net_icmp_call_ipv4_handlers – icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS). The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates. | 2026-06-16 | 4.8 | CVE-2026-10639 |
| zephyrproject–zephyr | Zephyr’s IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet’s reference (the L2/driver send unrefs it, e.g. ethernet_send – net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise). The subsequent net_pkt_iface(pkt) reads pkt-iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface-stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption. The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input – net_ipv6_send_na). Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect. | 2026-06-16 | 4.2 | CVE-2026-10640 |
| zhilink ()–ADP Application Developer Platform | A vulnerability was found in zhilink 智互è”(深圳)科技有é™å…¬å¸ ADP Application Developer Platform 应用开å‘è€…å¹³å° 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12787 |
| zhilink ()–ADP Application Developer Platform | A vulnerability was determined in zhilink 智互è”(深圳)科技有é™å…¬å¸ ADP Application Developer Platform 应用开å‘è€…å¹³å° 1.0.0. This vulnerability affects unknown code of the file /adpweb/a/base/barcodeDetail/import of the component XML Parser. This manipulation causes xml external entity reference. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 6.3 | CVE-2026-12788 |
Low Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Black Lantern Security–BBOT | The docker_pull module uses the realm parameter from a Docker registry’s WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens. | 2026-06-17 | 3.1 | CVE-2026-12566 |
| Black Lantern Security–BBOT | The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location. | 2026-06-17 | 2.2 | CVE-2026-12567 |
| Browerbase–Browserbase | A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifact Handler. The manipulation results in incorrect default permissions. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 3.3 | CVE-2026-12823 |
| Capgo–Capgo | Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator’s 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members. | 2026-06-20 | 3.8 | CVE-2026-56212 |
| Capgo–Capgo | Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion. | 2026-06-20 | 3.1 | CVE-2026-56325 |
| Capgo–Capgo | Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting. | 2026-06-20 | 3.5 | CVE-2026-56330 |
| Dell–PowerFlex | Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | 2026-06-17 | 3.5 | CVE-2026-35068 |
| GNU–Savane | GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization. | 2026-06-20 | 3.7 | CVE-2026-56355 |
| HCL Software–iControl | HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity | 2026-06-17 | 3.1 | CVE-2025-62340 |
| ImageMagick–ImageMagick | ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash. | 2026-06-21 | 3.7 | CVE-2026-56367 |
| ImageMagick–ImageMagick | ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder’s DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte. | 2026-06-21 | 3.7 | CVE-2026-56378 |
| Intelbras–iNVU 7016 FT | A flaw has been found in Intelbras iNVU 7016 FT 3.004.00IB000.0.T Build 2025-09-26. This impacts an unknown function of the file /RPC2_Loadfile/syslog/ of the component Web Interface. Executing a manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-06-15 | 2.7 | CVE-2026-12211 |
| Intelliants–Subrion CMS | A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3. Affected by this issue is some unknown functionality of the component Blocks Endpoint. Such manipulation of the argument CSS class name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-15 | 2.4 | CVE-2026-12202 |
| NI–grpc-device | There is an incorrect conversion between numeric types vulnerability in NI grpc-device due to missing range checks in CodeGen. This may silently discard high bits if a size value exceeded the target type’s range. This affects NI grpc-device 2.17.0 and prior versions. | 2026-06-19 | 3.7 | CVE-2026-9143 |
| OliveTin–OliveTin | OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0. | 2026-06-15 | 3.7 | CVE-2026-48709 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N). | 2026-06-16 | 3.2 | CVE-2026-46815 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N). | 2026-06-16 | 3.2 | CVE-2026-46816 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N). | 2026-06-16 | 3.2 | CVE-2026-46874 |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N). | 2026-06-16 | 3.2 | CVE-2026-46977 |
| pgadmin.org–pgAdmin 4 | HTML injection in pgAdmin 4’s cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text – and the related file-resolution and database-commit exception text – into the JSON response body (the info and errormsg fields) without HTML-encoding. The Cloud Wizard frontend rendered these strings through html-react-parser, so an attacker-influenced exception message embedded structural HTML directly into the wizard’s DOM. The reported entry point is /rds/verify_credentials/. An authenticated pgAdmin user submits a crafted access_key whose value contains an <iframe/src=…> payload; AWS STS rejects the credential with an IncompleteSignature exception whose text quotes the access_key verbatim; the pgAdmin backend forwards that text into the JSON info field; the Cloud Wizard’s FormFooterMessage parses it as HTML. The browser fetches the iframe’s src from an attacker-controlled host, and JavaScript executing inside the cross-origin iframe writes to parent.location, redirecting the victim’s pgAdmin tab. Because the injection renders inside pgAdmin’s own interface, X-Frame-Options and Content-Security-Policy frame-ancestors do not mitigate it. Baseline impact is self-targeted (the same user who supplied the payload sees the injection); escalation against other authenticated users requires an additional cross-site request-forgery primitive capable of submitting the malformed credential request with a valid X-pgA-CSRFToken in the victim’s browser context. The same unsanitised-error-into-JSON pattern was present across multiple sibling endpoints – Azure’s check_cluster_name_availability, every Google endpoint that surfaces SDK errors (verification_ack, projects, regions, instance_types, database_versions, the verify_credentials path-resolution branches), the central /deploy endpoint that bubbles str(e) from deploy_on_rds / deploy_on_azure / deploy_on_google, and update_cloud_server which surfaces the str(e) from a failing db.session.commit – all of which are now covered. Fix HTML-escapes every external/SDK exception string at the endpoint sink via a new shared sanitize_external_text helper (HTML escape with control-character strip), promoted out of the psycopg3 driver into web/pgadmin/utils/text_sanitize.py. The Cloud Wizard frontend additionally renders its FormFooterMessage in plain-text mode for backend-derived strings, so the value is never parsed as HTML even if a future sink forgets the escape. This issue affects pgAdmin 4: from 6.6 before 9.16. | 2026-06-18 | 3.5 | CVE-2026-12047 |
| pontedilana–php-weasyprint | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` – invoked from `__destruct()` and from a registered shutdown function – calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue. | 2026-06-19 | 3 | CVE-2026-49358 |
| Radware–Cyber Controller | A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-21 | 3.5 | CVE-2026-12812 |
| Snes9X team–Snes9X | snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file. | 2026-06-17 | 2.9 | CVE-2026-39199 |
| SteeltoeOSS–Steeltoe.Configuration.Encryption | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue. | 2026-06-17 | 1.9 | CVE-2026-50268 |
| stiofansisland–UsersWP Front-end login form, User Registration, User Profile & Members Directory plugin for WP | The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the ‘user_id’ parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table. | 2026-06-18 | 2.7 | CVE-2026-12102 |
| undici–undici | Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict). Affected applications are those that consume Set-Cookie headers from server responses (for example via undici’s fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer’s view of a cookie’s SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide. This was introduced in undici 5.15.0 when the cookies feature was added. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of ‘Strict’, ‘Lax’, or ‘None’ (exact, case-insensitive) before forwarding or relying on it. | 2026-06-17 | 3.7 | CVE-2026-11525 |
| undici–undici | Impact: Undici’s HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool. | 2026-06-17 | 3.7 | CVE-2026-6733 |
| zephyrproject–zephyr | In Zephyr’s IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet’s last reference may already have been released by the L2 driver or by the network stack’s TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input – send_igmp_report/send_igmp_v3_report – igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern. | 2026-06-16 | 3.7 | CVE-2026-10636 |
Severity Not Yet Assigned
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| AcademySoftwareFoundation–openexr | OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, the HTJ2K (High-Throughput JPEG 2000) decoder, ht_undo_impl() in OpenEXRCore is vulnerable to a heap-buffer-overflow READ. The ht_undo_imp function copies decoded pixels out of a per-line OpenJPH buffer using the EXR channel’s declared width as the iteration count. The codestream embedded in the EXR chunk can declare different (smaller) tile/line dimensions than the EXR header advertises, but ht_undo_impl() does not validate this – it pulls width 32-bit samples from cur_line->i32[] without checking the OpenJPH line buffer’s actual length. A crafted EXR file produces a 4-byte heap-buffer-overflow READ immediately after a buffer allocated by ojph::local::codestream::finalize_alloc(). The bug is reachable through the standard scanline-decode entry point used by every consumer of exr_decoding_run/Imf::checkOpenEXRFile, including thumbnailers, asset pipelines, and the exrcheck utility – i.e. any application that opens untrusted EXR files. The result is a deterministic crash (DoS) and potential adjacent-heap leak. This issue has been fixed in version 3.4.12. | 2026-06-18 | not yet calculated | CVE-2026-45696 |
| ail-project–ail-framework | AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects. An authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format. The issue was fixed by validating that both requested items exist before their contents are accessed. | 2026-06-19 | not yet calculated | CVE-2026-56138 |
| Andrei Marcu–Andrei Marcu linx-server v2.3.8 | An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | 2026-06-15 | not yet calculated | CVE-2026-50879 |
| Android–Android | In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-28576 |
| anna-is-cute–paste v0.1.1 | An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | 2026-06-15 | not yet calculated | CVE-2026-50882 |
| ANSSI–DFIR-ORC | Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:WindowsTemp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine. | 2026-06-18 | not yet calculated | CVE-2026-11958 |
| Apache Software Foundation–Apache Airflow SFTP provider | A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required – the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later. | 2026-06-17 | not yet calculated | CVE-2026-50203 |
| Apache Software Foundation–Apache APISIX | Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-39998 |
| Apache Software Foundation–Apache APISIX | Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-39999 |
| Apache Software Foundation–Apache APISIX | Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-44046 |
| Apache Software Foundation–Apache APISIX | Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-44087 |
| Apache Software Foundation–Apache APISIX | URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-44915 |
| Apache Software Foundation–Apache APISIX | Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-47339 |
| Apache Software Foundation–Apache APISIX | Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-47341 |
| Apache Software Foundation–Apache APISIX | URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-48895 |
| Apache Software Foundation–Apache APISIX | Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-49230 |
| Apache Software Foundation–Apache APISIX | Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-49231 |
| Apache Software Foundation–Apache APISIX | Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim’s browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-49871 |
| Apache Software Foundation–Apache APISIX | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-49872 |
| Apache Software Foundation–Apache DolphinScheduler | DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | 2026-06-17 | not yet calculated | CVE-2026-32966 |
| Apache Software Foundation–Apache DolphinScheduler | Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | 2026-06-17 | not yet calculated | CVE-2026-32967 |
| Apache Software Foundation–Apache DolphinScheduler | Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. | 2026-06-17 | not yet calculated | CVE-2026-41280 |
| Apache Software Foundation–Apache DolphinScheduler | Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. | 2026-06-17 | not yet calculated | CVE-2026-42357 |
| Apache Software Foundation–Apache DolphinScheduler | Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | 2026-06-17 | not yet calculated | CVE-2026-47340 |
| Apache Software Foundation–Apache Shiro | A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue. | 2026-06-17 | not yet calculated | CVE-2026-49268 |
| authelia–authelia | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e via the `Authorization` header with the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case insensitively : `john`, `John`, and `JOHN` all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism. | 2026-06-19 | not yet calculated | CVE-2026-47203 |
| authelia–authelia | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for vulnerability are: 1. The specific target resource of the attack must be using the forwarded authorization integration; 2. The requested domain must have two additional segments compared to a session domain i.e. `a.b.example.com` is requested, but the session domain is `example.com`; 3. There access control rules must specify two separate rules which both contain inexact domain matches such as `*.b.example.com` and `*.example.com` i.e. wildcards, username matches, group matches; 4. The rules must be in order of most specific domain to least specific domain; 5. The second rule must be more permissive than the first rule; 6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters i.e. `https://a.B.example.com` and no other segment with capitalized letters; 7. The integration used must not be the Envoy ExtAuthz integration; and 8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint. The kind of configuration used to produce this issue and result in a `bypass` rule being matched has long been highly discouraged. Essentially hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch. | 2026-06-19 | not yet calculated | CVE-2026-48794 |
| AzeoTech–DAQFactory | In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution. | 2026-06-18 | not yet calculated | CVE-2026-12390 |
| Ben Busby–whoogle-search v1.2.3 | An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request. | 2026-06-15 | not yet calculated | CVE-2026-50870 |
| Benjamin Jonard Koillection–Benjamin Jonard Koillection v1.8.0 | An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL. | 2026-06-15 | not yet calculated | CVE-2026-50888 |
| Bernd Bestel–grocy v4.6.0 | Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement. | 2026-06-15 | not yet calculated | CVE-2026-50890 |
| BIAFRA–Dancer2::Plugin::Auth::OAuth | Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable. | 2026-06-15 | not yet calculated | CVE-2026-11832 |
| Bludit–Bludit CMS | Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server. | 2026-06-15 | not yet calculated | CVE-2026-38329 |
| Bludit–Bludit v3.19.0 | An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request. | 2026-06-15 | not yet calculated | CVE-2026-50869 |
| Bonsai–Bonsai v6.0 | Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes. | 2026-06-15 | not yet calculated | CVE-2026-50881 |
| Boyleep–Boyleep K11 | An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature. | 2026-06-15 | not yet calculated | CVE-2026-36933 |
| byrongamatos–slopsmith | Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith’s archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` – PSARC TOC filenames; `lib/patcher.py::unpack_psarc` – duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` – bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module’s default `extractall()` is documented as not preventing traversal when callers don’t supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published. | 2026-06-19 | not yet calculated | CVE-2026-49290 |
| cakephp–cakephp | CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11. | 2026-06-17 | not yet calculated | CVE-2026-48820 |
| Canonical–Microceph | Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate (such as enrolled cluster members) or join token can manipulate files in an imported remote cluster within the /var/snap/microceph confinement. This would allow daemon disruption and pollution of the cluster state. | 2026-06-19 | not yet calculated | CVE-2026-10720 |
| Citrix–Citrix Cloud | In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account. | 2026-06-17 | not yet calculated | CVE-2025-66391 |
| cursor–cursor | Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user’s context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0. | 2026-06-15 | not yet calculated | CVE-2026-48124 |
| CursorTouch–Windows-MCP | Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildcard CORS (allow_origins=*, allow_methods=*, allow_headers=*). Because the same server also exposed a PowerShell tool that executes caller-controlled commands as the Windows user running Windows-MCP, attackers could reach the control plane from arbitrary origins or non-browser clients and achieve arbitrary PowerShell execution. This issue was fixed in version 0.7.5. | 2026-06-17 | not yet calculated | CVE-2026-48989 |
| Datadog, Inc–Vector v.0.54.0 | Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements. | 2026-06-15 | not yet calculated | CVE-2026-39196 |
| Datadog, Inc–Vector v.0.54.0 | An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload. | 2026-06-15 | not yet calculated | CVE-2026-39197 |
| Deck9–Deck9 Input v2.0.1 | Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant’s webhook via a crafted request. | 2026-06-15 | not yet calculated | CVE-2026-50875 |
| Deck9–Deck9 Intput v2.0.1 | A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-06-15 | not yet calculated | CVE-2026-50876 |
| Devolutions–Devolutions Server | Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results. | 2026-06-16 | not yet calculated | CVE-2026-11890 |
| Devolutions–Devolutions Server | Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions. | 2026-06-16 | not yet calculated | CVE-2026-12105 |
| Devolutions–Devolutions Server | Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request. | 2026-06-16 | not yet calculated | CVE-2026-12117 |
| Devolutions–Remote Desktop Manager | Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action. | 2026-06-15 | not yet calculated | CVE-2026-12161 |
| Devolutions–Remote Desktop Manager | Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain. | 2026-06-15 | not yet calculated | CVE-2026-12162 |
| Devolutions–UniGetUI | Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update. | 2026-06-17 | not yet calculated | CVE-2026-10696 |
| Docker–Docker Sandboxes | Docker Sandboxes (sbx) enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which the threat model treats as untrusted, can therefore encode data into DNS labels for an attacker-controlled domain and exfiltrate it through a DNS covert channel, bypassing the configured allowlist. | 2026-06-18 | not yet calculated | CVE-2026-12039 |
| Docker–Docker Sandboxes | Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist. | 2026-06-18 | not yet calculated | CVE-2026-12539 |
| dtwang–line-desktop-mcp | Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `–http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Prior to version 1.1.2, any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application. Version 1.1.2 fixes the issue. | 2026-06-19 | not yet calculated | CVE-2026-49357 |
| Eclipse Foundation–Eclipse 4diac | In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free). | 2026-06-18 | not yet calculated | CVE-2026-9158 |
| Eclipse Foundation–Eclipse Theia | In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces. | 2026-06-18 | not yet calculated | CVE-2026-22551 |
| Eclipse Foundation–Eclipse Theia | In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. | 2026-06-18 | not yet calculated | CVE-2026-44688 |
| Eclipse Foundation–Eclipse Theia | In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user’s privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat. | 2026-06-18 | not yet calculated | CVE-2026-44691 |
| Eclipse Foundation–Eclipse Theia | In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent’s system prompts. An attacker could craft a malicious repository containing prompt template files that, when the workspace was opened in Theia, replaced the AI’s system instructions with attacker-controlled content (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. | 2026-06-18 | not yet calculated | CVE-2026-46580 |
| elixir-grpc–grpc | Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In ‘Elixir.GRPC.Server.Transcode’:map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {“user_id”: “victim”} when body: “*”) yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0. | 2026-06-15 | not yet calculated | CVE-2026-48599 |
| elixir-grpc–grpc | Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. ‘Elixir.GRPC.Codec.Erlpack’:decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0. | 2026-06-15 | not yet calculated | CVE-2026-48853 |
| elixir-grpc–grpc | Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM’s memory and crash the server by streaming a large or slow-trickle unary request body. ‘Elixir.GRPC.Server.Adapters.Cowboy.Handler’:read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0. | 2026-06-15 | not yet calculated | CVE-2026-48854 |
| elixir-grpc–grpc | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines ‘Elixir.GRPC.Compressor.Gzip’:decompress/1, ‘Elixir.GRPC.Message’:from_data/2. ‘Elixir.GRPC.Compressor.Gzip’:decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node’s heap and trigger an out-of-memory kill. This issue affects grpc: from 0.4.0 before 1.0.0. | 2026-06-15 | not yet calculated | CVE-2026-53430 |
| Enhancesoft–osTicket | A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login. The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated. | 2026-06-16 | not yet calculated | CVE-2026-9507 |
| Feuerhamster–MailForm v1.1.0 | An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-06-15 | not yet calculated | CVE-2026-50878 |
| Filestash–Filestash v0.4.0 | Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request. | 2026-06-15 | not yet calculated | CVE-2026-50891 |
| flatnotes–flatnotes v5.5.4 | An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file. | 2026-06-15 | not yet calculated | CVE-2026-50873 |
| Flexera–FlexNet Manager Suite | A security vulnerability has been identified in FlexNet Manager Suite 2025 R1 that could allow an authenticated user with read-only access to account settings to escalate their privileges to Administrator level. | 2026-06-19 | not yet calculated | CVE-2026-4026 |
| Flexera–FlexNet Manager Suite | A security vulnerability has been identified in FlexNet Manager Suite 2025 R1 and R2 that could allow unauthorized access to attachment files due to insufficient access control. | 2026-06-19 | not yet calculated | CVE-2026-4027 |
| flipped-aurora–gin-vue-admin | gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code through POST /autoCode/addFunc, and then invoking POST /autoCode/mcpStart to trigger a rebuild and restart of the standalone MCP service. This allows arbitrary operating system commands to be executed on the server with the privileges of the application process. Successful exploitation may lead to remote code execution (RCE), modification of backend source code or runtime logic, deployment of persistent backdoors, access to or manipulation of application data and configuration, and further impact on local resources running under the same service account or privilege context. The risk is highest in deployments that retain the source tree, allow writes to source files, and support local build or startup of standalone MCP components. In environments using binary-only releases, read-only filesystems, or with local build capabilities removed, the exploitability of the full attack chain is significantly reduced. However, once the online code-generation capability and MCP-hosted startup workflow are enabled, the overall security impact may reach high to critical severity. As of time of publication, it is unknown if a patched version is available. As a workaround, enforce strict allowlist validation on path- and identifier-related fields such as `humpPackageName`, `packageName`, `FuncName`, and `Router`, and only permit safe identifier formats. | 2026-06-19 | not yet calculated | CVE-2026-48787 |
| Flowise–Flowise | Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses. | 2026-06-20 | not yet calculated | CVE-2026-56267 |
| Flowise–Flowise | Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise. | 2026-06-20 | not yet calculated | CVE-2026-56276 |
| fossar–selfoss v2.20 | An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request. | 2026-06-15 | not yet calculated | CVE-2026-50872 |
| FuseSource–jansi | A heap buffer overflow vulnerability exists in the Jansi JNI “ioctl()” wrapper due to a lack of size verification for the argument array before the system call. This can lead to heap corruption and application crashes (DoS). All versions are believed to be vulnerable. This project is unmaintained at the time of CVE assignment. | 2026-06-16 | not yet calculated | CVE-2026-8484 |
| Google–Android | In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2025-48571 |
| Google–Android | In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2025-48617 |
| Google–Android | In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2025-48640 |
| Google–Android | In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2025-48643 |
| Google–Android | In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0019 |
| Google–Android | In Contacts Provider, there is a possible way to access an incoming call’s phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0057 |
| Google–Android | In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0063 |
| Google–Android | In multiple places, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0064 |
| Google–Android | In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0068 |
| Google–Android | In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0071 |
| Google–Android | In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0081 |
| Google–Android | In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0082 |
| Google–Android | In Nfc::eventCallback() of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0083 |
| Google–Android | In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-0092 |
| Google–Android | In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0125 |
| Google–Android | In WC-Radio, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0126 |
| Google–Android | In NrmmMsgCodec::DecodeUPUTransparentContext of cn_NrmmDecoder.cpp, there is a possible out-of-bounds read due to memory corruption. This could lead to remote denial of service causing a communication processor crash with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0127 |
| Google–Android | In RtcpFbPacket::decodeRtcpFbPacket, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0128 |
| Google–Android | In RtcpByePacket::decodeByePacket, there is a possible due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0129 |
| Google–Android | In RtcpChunk::decodeRtcpChunk, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0130 |
| Google–Android | In RtpPacket::decodePacket, there is a possible out of bounds access due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0131 |
| Google–Android | In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0132 |
| Google–Android | In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0133 |
| Google–Android | In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0134 |
| Google–Android | In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0135 |
| Google–Android | In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0136 |
| Google–Android | In edgetpu_sync_fence_group_shutdown() of edgetpu-dmabuf.c, there is a possible elevation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0137 |
| Google–Android | In lwis_io_buffer_write of lwis_io_buffer.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0138 |
| Google–Android | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0139 |
| Google–Android | In RtpPacket::decodePacket, there is a possible out-of-bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0140 |
| Google–Android | In decodeAppPacket of RtcpAppPacket.cpp, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0141 |
| Google–Android | In iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0142 |
| Google–Android | In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0143 |
| Google–Android | In writeAocCommand of AocAudioCodec.cpp, there is a possible memory safety issue due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0144 |
| Google–Android | In keymint, there is a possible Permission Bypass due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0145 |
| Google–Android | In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0146 |
| Google–Android | In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0147 |
| Google–Android | In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0148 |
| Google–Android | In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0149 |
| Google–Android | In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0150 |
| Google–Android | In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0151 |
| Google–Android | In OSMMapPMRGeneric of pmr_os.c, there is a possible way to leverage a system call to system call to maliciously expand the VMA out of bounds due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0152 |
| Google–Android | In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0153 |
| Google–Android | In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0154 |
| Google–Android | In ImsMediaBitReader::ReadByteBuffer, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0155 |
| Google–Android | In checkSsrcCollisionOnRcv of RtpSession.cpp, there is a possible memory safety issue due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0156 |
| Google–Android | In RtcpHeader::decodeRtcpHeader, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0157 |
| Google–Android | In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0158 |
| Google–Android | In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0160 |
| Google–Android | In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0161 |
| Google–Android | In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0162 |
| Google–Android | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0164 |
| Google–Android | In several functions of the RTCP packet decoder, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-16 | not yet calculated | CVE-2026-0165 |
| Google–Android | In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-18 | not yet calculated | CVE-2026-28573 |
| Google–Android | In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-28575 |
| Google–Android | In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-28587 |
| Google–Android | In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-17 | not yet calculated | CVE-2026-28615 |
| Google–Chrome | Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12437 |
| Google–Chrome | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12438 |
| Google–Chrome | Use after free in Digital Credentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12439 |
| Google–Chrome | Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12440 |
| Google–Chrome | Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12441 |
| Google–Chrome | Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12442 |
| Google–Chrome | Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-17 | not yet calculated | CVE-2026-12443 |
| Google–Chrome | Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12444 |
| Google–Chrome | Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12445 |
| Google–Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12446 |
| Google–Chrome | Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12447 |
| Google–Chrome | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12448 |
| Google–Chrome | Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12449 |
| Google–Chrome | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12450 |
| Google–Chrome | Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12451 |
| Google–Chrome | Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12452 |
| Google–Chrome | Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12453 |
| Google–Chrome | Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12454 |
| Google–Chrome | Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12455 |
| Google–Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12456 |
| Google–Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12457 |
| Google–Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12458 |
| Google–Chrome | Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12459 |
| Google–Chrome | Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12460 |
| Google–Chrome | Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12461 |
| Google–Chrome | Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12462 |
| Google–Chrome | Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12463 |
| Google–Chrome | Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12464 |
| Google–Chrome | Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12465 |
| Google–Chrome | Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12466 |
| Google–Chrome | Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12467 |
| Google–Chrome | Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12468 |
| Google–Chrome | Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-17 | not yet calculated | CVE-2026-12469 |
| Google–MCP Toolbox for Databases (googleapis/mcp-toolbox) | An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the “active” field, granting access to protected tools and underlying data sources. | 2026-06-18 | not yet calculated | CVE-2026-11717 |
| Google–MCP Toolbox for Databases (googleapis/mcp-toolbox) | An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != “” && iss != “”. If the external OAuth provider’s introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers. | 2026-06-18 | not yet calculated | CVE-2026-11718 |
| Google–MCP Toolbox for Databases (googleapis/mcp-toolbox) | An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler). | 2026-06-18 | not yet calculated | CVE-2026-11719 |
| GPAC–MP4Box v.2.4 | A NULL pointer dereference in the gf_isom_copy_sample_info function (isomedia/isom_write.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55641 |
| GPAC–MP4Box v.2.4 | GPAC MP4Box v2.4 was discovered to contain a floating point exception in the avidmx_process function (isomedia/isom_write.c). | 2026-06-15 | not yet calculated | CVE-2025-55642 |
| GPAC–MP4Box v.2.4 | A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55643 |
| GPAC–MP4Box v.2.4 | A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55644 |
| GPAC–MP4Box v.2.4 | A heap buffer overflow in the gf_cenc_set_pssh function (isomedia/drm_sample.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55645 |
| GPAC–MP4Box v.2.4 | An Out-of-Memory in the mp4_mux_cenc_insert_pssh function (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55647 |
| GPAC–MP4Box v.2.4 | A heap buffer overflow in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55648 |
| GPAC–MP4Box v.2.4 | A NULL pointer dereference in the gf_media_map_esd function (media_tools/isom_tools.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55649 |
| GPAC–MP4Box v.2.4 | A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55650 |
| GPAC–MP4Box v.2.4 | A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55652 |
| GPAC–MP4Box v.2.4 | A stack overflow in the gf_opus_read_length function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55660 |
| GPAC–MP4Box v.2.4 | A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55661 |
| GPAC–MP4Box v.2.4 | A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-15 | not yet calculated | CVE-2025-55663 |
| Grav–grav-plugin-api | Grav 2.0.0-rc.9 with Admin2 2.0.0-rc.14 contains a stored cross-site scripting (XSS) vulnerability in the Admin2 Pages API save flow. | 2026-06-18 | not yet calculated | CVE-2026-11982 |
| gtsteffaniak–filebrowser | FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner’s source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta. | 2026-06-16 | not yet calculated | CVE-2026-48777 |
| HAYAJO–Mojolicious::Sessions::Storable | Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes. | 2026-06-18 | not yet calculated | CVE-2026-9692 |
| HP Inc.–HP One Agent Software | Potential security vulnerabilities have been identified in the HP One Agent for certain HP PC products, which might allow for escalation of privilege and/or denial of service. HP is releasing software updates to mitigate these potential vulnerabilities. | 2026-06-15 | not yet calculated | CVE-2026-5064 |
| icagenda.com–iCagenda extension for Joomla | A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution. | 2026-06-20 | not yet calculated | CVE-2026-48939 |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an error path leading to UAF of GPU page tables. The vulnerability allows physical memory allocated for MMU page tables to be used after being freed. This was caused by an error path that would not cleanup properly before freeing the physical allocation. | 2026-06-19 | not yet calculated | CVE-2026-34192 |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources creating a write use after free scenario. A shared resource (memory page) managed by a CPU thread of control (driver) and accessed by a GPU thread of control (Firmware) can cause a write UAF when the CPU thread frees the resource before the GPU FW has finished accessing it. | 2026-06-19 | not yet calculated | CVE-2026-41156 |
| InHand Networks–IR912 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | 2026-06-18 | not yet calculated | CVE-2026-38714 |
| InHand Networks–IR912 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | 2026-06-18 | not yet calculated | CVE-2026-38715 |
| InHand Networks–IR912 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | 2026-06-18 | not yet calculated | CVE-2026-38716 |
| InHand Networks–IR912 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | 2026-06-18 | not yet calculated | CVE-2026-38717 |
| InHand Networks–IR912 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerability could allow an attacker to cause a denial of service attack on the remote target device. | 2026-06-18 | not yet calculated | CVE-2026-38718 |
| Iru, Inc–Kandi Agent | An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent functionality. | 2026-06-15 | not yet calculated | CVE-2026-39118 |
| JazzCore–python-pdfkit | In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files. | 2026-06-17 | not yet calculated | CVE-2025-26240 |
| JimuReport–JimuReport | JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code. | 2026-06-17 | not yet calculated | CVE-2026-36418 |
| JONASBN–Crypt::OpenSSL::PKCS12 | Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar. | 2026-06-20 | not yet calculated | CVE-2026-9265 |
| joomshaper.net–SP LMS extension for Joomla | SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server. | 2026-06-20 | not yet calculated | CVE-2026-48909 |
| joomshaper.net–SP Page Builder extension for Joomla | A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. | 2026-06-20 | not yet calculated | CVE-2026-48908 |
| kan-ishka–linux Reminiscene v0.3.0 | An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input. | 2026-06-15 | not yet calculated | CVE-2026-50871 |
| kanishka–linux Reminiscence v0.3.0 | An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input. | 2026-06-15 | not yet calculated | CVE-2026-50874 |
| l3montree-dev–devguard | DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user – including users from a different organization with no membership or role in the affected org/project – can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2`contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed. | 2026-06-19 | not yet calculated | CVE-2026-48089 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW’d. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined. | 2026-06-16 | not yet calculated | CVE-2026-46331 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA: During rereg_mr ensure that REREG_ACCESS is compatible If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be re-evaluated to ensure it is properly pinned as RW. Since the umem is hidden inside each driver’s mr struct add a ib_umem_check_rereg() function that each driver has to call before processing IB_MR_REREG_ACCESS. mlx4 has to retain its duplicate ib_access_writable check because it implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items in place sequentially while the MR is live, so it will continue to not support this combination. | 2026-06-19 | not yet calculated | CVE-2026-52908 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_vti: set netns_immutable on the fallback device. john1988 and Noam Rathaus reported that vti6_init_net() does not set the netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0). Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel) correctly set this flag during their fallback device initialization to prevent them from being moved to another network namespace. | 2026-06-19 | not yet calculated | CVE-2026-52909 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Free reuseport cBPF prog after RCU grace period. Eulgyu Kim reported the splat below with a repro. [0] The repro sets up a UDP reuseport group with a cBPF prog and replaces it with a new one while another thread is sending a UDP packet to the group. The reuseport prog is freed by sk_reuseport_prog_free(). bpf_prog_put() is called for “e”BPF prog to destruct through multiple stages while cBPF prog is freed immediately by bpf_release_orig_filter() and bpf_prog_free(). If a reuseport prog is detached from the setsockopt() path (reuseport_attach_prog() or reuseport_detach_prog()), sk_reuseport_prog_free() is called without waiting for RCU readers to complete, resulting in various bugs. Let’s defer freeing the reuseport cBPF prog after one RCU grace period. Note “e”BPF prog is safe as is unless the fast path starts to touch fields destroyed in bpf_prog_put_deferred() and __bpf_prog_put_noref(). [0]: BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 Read of size 4 at addr ffffc9000051e004 by task slowme/10208 CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full) Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495 __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723 __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752 __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752 ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6181 [inline] __netif_receive_skb net/core/dev.c:6294 [inline] process_backlog+0xaa4/0x1960 net/core/dev.c:6645 __napi_poll+0xae/0x340 net/core/dev.c:7709 napi_poll net/core/dev.c:7772 [inline] net_rx_action+0x5d7/0xf50 net/core/dev.c:7929 handle_softirqs+0x22b/0x870 kernel/softirq.c:622 do_softirq+0x76/0xd0 kernel/softirq.c:523 </IRQ> <TASK> __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890 neigh_output include/net/neighbour.h:556 [inline] ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip_output+0x29f/0x450 net/ipv4/ip_output.c:438 ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508 udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195 udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] __sys_sendto+0x554/0x680 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x415a2d Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003 RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010 R10: 0000000000000000 R11: —truncated— | 2026-06-19 | not yet calculated | CVE-2026-52910 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn->binding slowpath to bound sessions only When the binding SESSION_SETUP sets conn->binding = true, the flag stays set after the call so that the global session lookup in ksmbd_session_lookup_all() can find the session, which was not added to conn->sessions. Because the flag is connection-wide, the global lookup path will also resolve any other session by id if asked. Tighten the global lookup so that the returned session must have this connection registered in its channel xarray (sess->ksmbd_chann_list). The channel entry is installed by the existing binding_session path in ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes successfully, so this condition is a strict equivalent of “this connection has been accepted as a channel of this session”. Connections that have not bound to a given session cannot reach it via the global table. The existing conn->binding gate for entering the slowpath is preserved so that non-binding connections keep the fast-path-only behavior, and the session->state check is unchanged. | 2026-06-21 | not yet calculated | CVE-2026-52911 |
| liquidfiles–liquidfiles | Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary (non-default) group. | 2026-06-20 | not yet calculated | CVE-2026-12673 |
| LLDAP–LLDAP v0.6.2 | An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header. | 2026-06-15 | not yet calculated | CVE-2026-50889 |
| LMS–LMS | An SQL Injection vulnerability exists in LMS (LAN Management System) before commit 4cb30a7 within the “tarifflist.php” module due to insufficient sanitization of the POST “tg[]” parameter. The application directly concatenates user-supplied array values into an SQL query using “implode()”, allowing authenticated attackers to perform Error-Based SQL injection and extract sensitive database information. | 2026-06-18 | not yet calculated | CVE-2026-40455 |
| LMS–LMS | An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the “exec()” function without proper validation, allowing attackers to execute arbitrary operating system commands. | 2026-06-18 | not yet calculated | CVE-2026-40456 |
| LMS–LMS | A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the “dbrecover.php” and “netremap.php” modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met. | 2026-06-18 | not yet calculated | CVE-2026-40457 |
| LY Corporation–Armeria | A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host. | 2026-06-19 | not yet calculated | CVE-2026-11752 |
| matze–wastebin v3.4.1 | An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload. | 2026-06-15 | not yet calculated | CVE-2026-50883 |
| mcp-tool-shop-org–backpropagate | Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: –auth user:pass – documented as “require HTTP Basic authentication on every request to the UI.” and–share – documented as “expose the UI on a public address; requires –auth.” When –auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port – local or remote, depending on whether –share is used – has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: “For Phase 1 the variable is exported but Reflex doesn’t read it yet.” This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced. An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models as well as read their paths, trigger HuggingFace Hub pushes and cause disk-fill DoS. This issue has been fixed in version 1.2.0. If developers cannot immediately upgrade to 1.2.0 run backprop ui with no flags so it binds to localhost, use SSH port-forwarding (ssh -L 7860:localhost:7860 <training-host>) instead of –share for remote access, and audit any host previously launched with –share, re-issuing any HF tokens used during those sessions. | 2026-06-16 | not yet calculated | CVE-2026-48797 |
| Micro-Star International Co., Ltd.–RadiX AX6600 WiFi 6 Tri-Band Gaming Router | RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator. | 2026-06-17 | not yet calculated | CVE-2026-53876 |
| Microchip–GridTime 3000 | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Microchip GridTime 3000 allows Cross-Site Scripting (XSS). This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0. | 2026-06-19 | not yet calculated | CVE-2026-12619 |
| Microchip–GridTime 3000 | The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0. | 2026-06-19 | not yet calculated | CVE-2026-12620 |
| Microchip–GridTime 3000 | Improper neutralization of input during web page generation XSS vulnerability in the GridTime 3000 (password reset form) allows XSS. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0. | 2026-06-19 | not yet calculated | CVE-2026-12621 |
| Microchip–GridTime 3000 | The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0. | 2026-06-19 | not yet calculated | CVE-2026-12622 |
| Microsoft–HEIF Image Extensions | Microsoft HEIF Image Extensions 1.2.22.0 has an out-of-bounds read because CHEIFItemInfoEntry_GetDataSize can return success while leaving the reported data size as 0. This causes a caller to make a 1-byte allocation. Later, CopyPixels computes copy_size = stride * abs(roi_height) but does not check the source buffer length before a memmove call. | 2026-06-19 | not yet calculated | CVE-2025-62821 |
| microsoft–kiota-typescript | @microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`’s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect targets, but the default `scrubSensitiveHeaders` callback in `RedirectHandlerOptions` uses case-sensitive property deletion (`delete headers.Authorization`, `delete headers.Cookie`) on a headers object that `FetchRequestAdapter.getRequestFromRequestInformation` has already lower-cased. The delete therefore targets keys that do not exist, the scrub is a no-op, and any Bearer token or Cookie attached by a kiota-generated SDK is forwarded to an attacker-controlled host across a 30x redirect. This is reachable in the default middleware chain (`MiddlewareFactory.getDefaultMiddlewares`) with no custom configuration, and applies to every kiota-generated TypeScript SDK that uses `BaseBearerTokenAuthenticationProvider` or any other authentication provider that sets the `Authorization` request header. Version 1.0.0-preview.102 patches the issue. | 2026-06-19 | not yet calculated | CVE-2026-49336 |
| Microvert–MEmu Android Emulator 9.2.7.0 | An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component. | 2026-06-15 | not yet calculated | CVE-2026-36213 |
| Mitsubishi Electric Corporation–Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP | Integer Overflow or Wraparound vulnerability in the EtherNet/IP function of Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by rapidly establishing a large number of TCP connections to it, resulting in an inconsistency in the product’s internal connection management process and triggering improper memory access. | 2026-06-19 | not yet calculated | CVE-2026-8805 |
| Mitsubishi Electric Corporation–Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP | Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop. | 2026-06-19 | not yet calculated | CVE-2026-8806 |
| Mitsubishi Electric Corporation–Room Air Conditioners (for Japan) MSZ-BKR2223-W | Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition. | 2026-06-17 | not yet calculated | CVE-2026-5667 |
| Moxa–NPort 6000 Series | A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network access can send crafted requests to disrupt serial communication for an active user session. | 2026-06-16 | not yet calculated | CVE-2026-10831 |
| Moxa–NPort 6000-G2 Series | A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot. | 2026-06-16 | not yet calculated | CVE-2026-10825 |
| Moxa–NPort W2150A-W4/W2250A-W4 Series | A format string vulnerability has been found in the “alias” parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections. | 2026-06-16 | not yet calculated | CVE-2026-10828 |
| Moxa–NPort W2150A-W4/W2250A-W4 Series | A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the “Server location” parameter on the Basic settings page. An attacker could exploit this vulnerability by sending crafted input to the web service, resulting in memory corruption. Successful exploitation of this vulnerability could allow remote code execution on the target system with root privileges. | 2026-06-16 | not yet calculated | CVE-2026-10829 |
| Mozilla–Firefox | Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12289 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12290 |
| Mozilla–Firefox | Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12291 |
| Mozilla–Firefox | Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12292 |
| Mozilla–Firefox | Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12293 |
| Mozilla–Firefox | Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12294 |
| Mozilla–Firefox | Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12295 |
| Mozilla–Firefox | Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12296 |
| Mozilla–Firefox | Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12297 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12298 |
| Mozilla–Firefox | JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12299 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12300 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12301 |
| Mozilla–Firefox | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12302 |
| Mozilla–Firefox | Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12303 |
| Mozilla–Firefox | Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12304 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12305 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12306 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12307 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12308 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12309 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12310 |
| Mozilla–Firefox | Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12311 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12312 |
| Mozilla–Firefox | Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12313 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12314 |
| Mozilla–Firefox | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12315 |
| Mozilla–Firefox | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12316 |
| Mozilla–Firefox | Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12317 |
| Mozilla–Firefox | Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12318 |
| Mozilla–Firefox | Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12319 |
| Mozilla–Firefox | Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12320 |
| Mozilla–Firefox | JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12321 |
| Mozilla–Firefox | Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12322 |
| Mozilla–Firefox | Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12323 |
| Mozilla–Firefox | Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12324 |
| Mozilla–Firefox | Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12325 |
| Mozilla–Firefox | Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 2026-06-16 | not yet calculated | CVE-2026-12326 |
| Mozilla–Firefox | Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12327 |
| Mozilla–Firefox | Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12328 |
| Mozilla–Firefox | Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12329 |
| Mozilla–Firefox | Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12. | 2026-06-16 | not yet calculated | CVE-2026-12330 |
| Mozilla–Firefox for iOS | Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0. | 2026-06-16 | not yet calculated | CVE-2026-53899 |
| Mozilla–Firefox for iOS | Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0. | 2026-06-16 | not yet calculated | CVE-2026-53900 |
| Netskope–Netskope Client | Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with administrative privileges can potentially tamper with the customer IOCTL by sending crafted IOCTL requests to the driver. A successful exploit can result in the bypassing of all anti-tampering protections for the NSClient.Affected Product(s) and Version(s) * Product Name: Netskope Client * Affected Platform: Windows * Affected Version: All version below R138 | 2026-06-17 | not yet calculated | CVE-2025-15641 |
| Netskope–Netskope Client | Netskope is notified about a potential gap in its Netskoped Client for Windows systems where a malicious insider with admin privileges can lead to bypassing the NSClient Tamper Protections due to weak Discretionary Access Control List (DACLs) on the service object and related registry keys,. * Product Name: Netskope Client * Affected Platform: Windows * Affected Version: All version below R138 | 2026-06-17 | not yet calculated | CVE-2025-15642 |
| Nginx–Nginx Proxy Manager v2.14.0 | Incorrect access control in the “Let’s Encrypt” certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request. | 2026-06-15 | not yet calculated | CVE-2026-50892 |
| nltk–nltk/nltk | A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately via `os._exit(0)`. This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions. | 2026-06-17 | not yet calculated | CVE-2026-12199 |
| nodejs–node | A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | 2026-06-18 | not yet calculated | CVE-2026-48617 |
| nodejs–node | A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**. | 2026-06-18 | not yet calculated | CVE-2026-48937 |
| Nokia–Nokia SR Linux | Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege. | 2026-06-16 | not yet calculated | CVE-2025-9912 |
| Nokia–SR Linux | Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges. | 2026-06-16 | not yet calculated | CVE-2025-10262 |
| Nuxt–Nuxt | Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags. | 2026-06-20 | not yet calculated | CVE-2026-56317 |
| Observeinc–Observeinc’s Observe | An issue in Observeinc’s Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component. | 2026-06-15 | not yet calculated | CVE-2026-39007 |
| OCaml–OCaml-tar | In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint). | 2026-06-15 | not yet calculated | CVE-2026-45390 |
| OCaml–OCaml-TLS | In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage). | 2026-06-15 | not yet calculated | CVE-2026-45388 |
| OCaml–OCaml-TLS | In OCaml-TLS before 2.1.0, the server implementation does insufficient checks of the certificate provided by the client (when doing client authentication), which allows impersonation with certificates that are not meant for client authentication (because of KeyUsage and ExtendedKeyUsage). | 2026-06-15 | not yet calculated | CVE-2026-45389 |
| Octopus Deploy–Octopus Server | In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts. | 2026-06-19 | not yet calculated | CVE-2026-8296 |
| OpenCPN–OpenCPN | A code injection vulnerability in the wxExecute() function of OpenCPN v5.12.0 allows attackers to execute arbitrary code via embedding shell metacharacters. | 2026-06-15 | not yet calculated | CVE-2025-56814 |
| OpenSIPS–OpenSIPS Control Panel | A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the ‘table’ GET parameter in alias_management.php. | 2026-06-15 | not yet calculated | CVE-2026-36670 |
| OpenSolution–Quick.CMS | Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable. | 2026-06-15 | not yet calculated | CVE-2026-11860 |
| Password Manager–Password Manager | Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising the integrity of dependent services. | 2026-06-17 | not yet calculated | CVE-2026-10836 |
| Password Manager–Password Manager | Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited impact on confidentiality and integrity. | 2026-06-17 | not yet calculated | CVE-2026-10837 |
| Password Manager–Password Manager | Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity. | 2026-06-17 | not yet calculated | CVE-2026-10839 |
| PEVANS–Socket | Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure. | 2026-06-15 | not yet calculated | CVE-2026-12087 |
| picklescan–picklescan | picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called. | 2026-06-21 | not yet calculated | CVE-2025-71351 |
| picklescan–picklescan | picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load(). | 2026-06-17 | not yet calculated | CVE-2026-53875 |
| Plane–Plane | Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint. | 2026-06-17 | not yet calculated | CVE-2026-10850 |
| PowerSchool–Employee Access Center | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()’d in the page and execute in the context of the user. | 2026-06-16 | not yet calculated | CVE-2026-12425 |
| pragdave–earmark | Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. ‘Elixir.Earmark.Transform’:_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal ” bytes: [” “, name, “=””, value, “””]. Text nodes are routed through the existing escape function which encodes ” as ", but attribute values never visit that path. A markdown link whose URL or title contains a bare ” closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x” onerror=”alert(1)) renders as <a href=”http://example.com/?a=x” onerror=”alert(1)”>click</a>, executing arbitrary JavaScript in the victim’s browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward. | 2026-06-17 | not yet calculated | CVE-2026-48591 |
| prefecthq–prefecthq/prefect | Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `–` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `–upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments. | 2026-06-20 | not yet calculated | CVE-2026-5366 |
| Progress Chef–Chef360 | Impact A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass standard access controls gaining additional privileges, potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on specific deployment configuration and access controls in place. Resolution The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks. Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later. | 2026-06-18 | not yet calculated | CVE-2026-8100 |
| Progress Chef–Chef360 | A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues. Queue messages contained tenant-specific identifiers. The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely. | 2026-06-18 | not yet calculated | CVE-2026-8668 |
| Project Firefly III–Project Firefly III v6.5.9 | Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request. | 2026-06-15 | not yet calculated | CVE-2026-50886 |
| PTC–Windchill PDMLink | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030 | 2026-06-18 | not yet calculated | CVE-2026-12569 |
| PublicCMS–PublicCMS | PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module. | 2026-06-15 | not yet calculated | CVE-2026-36521 |
| Python Software Foundation–CPython | To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks – specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to ‘PCbuild/’, the value of VPATH is set to ‘….’, which results in a landmark of ‘….Modulessetup.local’. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers – earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don’t usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark – .pybuilddir.txt – is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer. | 2026-06-16 | not yet calculated | CVE-2026-12003 |
| Quanos Solutions GmbH–SCHEMA ST4 | Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITYSYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required. | 2026-06-17 | not yet calculated | CVE-2026-11857 |
| Quanos Solutions GmbH–SCHEMA ST4 | Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITYSYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation. | 2026-06-17 | not yet calculated | CVE-2026-11858 |
| radvd-project–radvdump | radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the `radvdump` utility shipped with radvd contains a stack buffer overflow in the Route Information option parser. When processing a crafted ICMPv6 Router Advertisement, `print_ff()` copies up to 2032 bytes from attacker-controlled packet data into a 16-byte `struct in6_addr` on the stack, overflowing by up to 2016 bytes. Note that the main `radvd` daemon is not affected by the vulnerability. Version 2.21 patches the issue. | 2026-06-19 | not yet calculated | CVE-2026-48715 |
| Rakuten–Send Anywhere | An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app’s scoped storage. The resulting files appear in the application’s trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers. | 2026-06-15 | not yet calculated | CVE-2025-68713 |
| remotion-dev remotion–remotion-dev remotion v4.0.409 | remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability. | 2026-06-15 | not yet calculated | CVE-2026-30120 |
| remotion-dev remotion–remotion-dev remotion v4.0.409 | remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability. | 2026-06-15 | not yet calculated | CVE-2026-30121 |
| Ricoh Company, Ltd.–Multiple printer drivers | Multiple printer drivers provided by Ricoh Company, Ltd. and KONICA MINOLTA JAPAN, INC. contain a privilege escalation vulnerability. If this vulnerability is exploited, an attacker who can log in to a computer running an affected printer driver could elevate privileges by using a specially crafted driver. | 2026-06-15 | not yet calculated | CVE-2026-50100 |
| Rocket.Chat–Rocket.Chat | Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file’s rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files. | 2026-06-16 | not yet calculated | CVE-2026-48616 |
| Rocket.Chat–Rocket.Chat | Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore(‘Uploads’).deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs. | 2026-06-16 | not yet calculated | CVE-2026-48929 |
| Rockwell Automation–CompactLogix 5370 | A security issue exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows attacker to abuse the exposed Connection ID’s visible on the web interface to perform denial-of-service attacks, resulting in a minor fault. | 2026-06-16 | not yet calculated | CVE-2025-11694 |
| Rockwell Automation–CompactLogix 5370 | A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller’s web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can be leveraged by an attacker to construct malicious packets, leading to Denial-of-Service. | 2026-06-16 | not yet calculated | CVE-2026-9307 |
| Rockwell Automation–CompactLogix, ControlLogix | A denial of service security issue exists in the affected product. The security issue stems from a fault occurring when a crafted CIP message is sent. Devices with less memory are more likely to be affected. This can result in a major nonrecoverable fault (MNRF). A program download is required to recover. | 2026-06-16 | not yet calculated | CVE-2026-11317 |
| Rockwell Automation–FactoryTalk Analytics PavilionX | A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions. | 2026-06-16 | not yet calculated | CVE-2025-14272 |
| Rockwell Automation–FactoryTalk Historian SE | An authentication bypass security issue exists within FactoryTalk Historian Site Edition. By continually sending requests to the login endpoint, an attacker may obtain a valid authentication token. | 2026-06-16 | not yet calculated | CVE-2025-13036 |
| Rockwell Automation–FLEX I/O EtherNet/IP Adapters | A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover. | 2026-06-16 | not yet calculated | CVE-2026-0646 |
| Rockwell Automation–FLEX I/O EtherNet/IP Adapters | An improper authentication security issue exists within the 1794-AENTR adapter’s embedded web server. The vulnerability allows an unauthenticated attacker to change the device’s web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being required. If exploited, this could lead to unauthorized access, account takeover, and loss of the device’s embedded web server’s availability. | 2026-06-16 | not yet calculated | CVE-2026-0647 |
| Roy Marples–NetworkConfiguartion/dhcpcd | A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options. In parse_option() (src/if-options.c:1886), the code performs a member access on a NULL pointer of type ‘struct dhcp_opt’ when an unexpected/invalid option token or parsing state causes the lookup to yield NULL. The instrumented fuzzing build reports ‘runtime error: member access within null pointer of type struct dhcp_opt’ and aborts. | 2026-06-15 | not yet calculated | CVE-2025-70102 |
| RTI–Connext Micro | Out-of-bounds Read vulnerability in RTI Connext Micro (Core Libraries) allows Overread Buffers.This issue affects Connext Micro: from 4.0.0 before 4.3.0. | 2026-06-17 | not yet calculated | CVE-2026-30802 |
| RTI–Connext Micro | Integer Underflow (Wrap or Wraparound) vulnerability in RTI Connext Micro (Core Libraries) allows Overread Buffers.This issue affects Connext Micro: from 4.0.0 before 4.3.0. | 2026-06-17 | not yet calculated | CVE-2026-30803 |
| RTI–Connext Professional | Heap-based Buffer Overflow vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*. | 2026-06-17 | not yet calculated | CVE-2026-2467 |
| RTI–Connext Professional | Out-of-bounds Write, Out-of-bounds Write, Out-of-bounds Write vulnerability in RTI Connext Professional (Queueing Service,Core Libraries,Persistence Service) allows Overflow Buffers, Overflow Buffers, Overflow Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*. | 2026-06-17 | not yet calculated | CVE-2026-2674 |
| RTI–Connext Professional | Missing Authentication for Critical Function vulnerability in RTI Connext Professional (Security Plugins) allows Fake the Source of Data.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*. | 2026-06-17 | not yet calculated | CVE-2026-2675 |
| RTI–Connext Professional | Missing Authentication for Critical Function vulnerability in RTI Connext Professional (Security Plugins) allows Identity Spoofing.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.*, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*. | 2026-06-17 | not yet calculated | CVE-2026-30799 |
| RTI–Connext Professional | Out-of-bounds Read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*. | 2026-06-17 | not yet calculated | CVE-2026-3894 |
| RTI–Connext Professional | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in RTI Connext Professional (Web Integration Service) allows Filter Failure through Buffer Overflow.This issue affects Connext Professional: from 7.4.0 before 7.*, from 7.0.0 before 7.3.1.3, from 6.1.2 before 6.1.*. | 2026-06-17 | not yet calculated | CVE-2026-7300 |
| rui314–8cc | 8cc is vulnerable to an Out of Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash. Maintainer of this project was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable. | 2026-06-18 | not yet calculated | CVE-2026-50643 |
| Ruoyi–Ruoyi 4.8.2 | Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add. | 2026-06-15 | not yet calculated | CVE-2026-37216 |
| Ruoyi–Ruoyi v.4.8.2 | RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information. | 2026-06-15 | not yet calculated | CVE-2026-38812 |
| SEPPmail AG–Secure Email Gateway | SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations. | 2026-06-18 | not yet calculated | CVE-2026-8811 |
| Shenzhen Liandian Communication Technology LTD–V380 IP Camera / AppFHE1_V1.0.6.0 | A broken authorization boundary in the RTSP media delivery pipeline of Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1_V1.0.6.020230803 enables unauthenticated network actors to bypass the device’s credential-enforced live-view workflow and directly retrieve real-time video stream data. | 2026-06-18 | not yet calculated | CVE-2026-12527 |
| shlink–shlink v5.0.1 | A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl. | 2026-06-15 | not yet calculated | CVE-2026-50887 |
| SignalRGB–SignalRGB kernel driver | In SignalRGB versions prior to 1.3.7.0, the \.SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs. | 2026-06-17 | not yet calculated | CVE-2026-8049 |
| SignalRGB–SignalRGB kernel driver | In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash. | 2026-06-17 | not yet calculated | CVE-2026-8050 |
| Significant-Gravitas–AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, AutoGPT’s LoopVideoBLock allows users to input a video file and process the video, such as looping it 5 times or extending the time, and finally writing it to disk. However, there is no limit on the resources that can be allocated during execution. For example, the number of loops is user-controllable and unlimited. When a malicious attacker loops too many times, the generated video is too large, and after writing it to disk, the disk space is exhausted, eventually causing DoS. Version 0.6.63 patches the issue. | 2026-06-18 | not yet calculated | CVE-2025-32392 |
| Significant-Gravitas–AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, `StepThroughItemsBlock` can iterate all the contents in a list and send them to `FileStoreBlock` for downloading one by one. Although `FileStoreBlock` has access time limits for downloading files, `StepThroughItemsBlock` can be used to slowly iterate and download relatively small files (e.g., 100M) multiple times. `StepThroughItemsBlock` does not limit the number of loops. In addition, `FileStoreBlock` does not limit the amount of disk space consumed in the current working directory. When a malicious user chooses to download too many videos, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue. | 2026-06-18 | not yet calculated | CVE-2025-32422 |
| Significant-Gravitas–AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, ScreenshotWebPageBlock will store the captured screenshots in a temporary directory. `StepThroughItemsBlock` can be used to iterate `ScreenshotWebPageBlock` multiple times. `StepThroughItemsBlock` does not limit the number of loops. In addition, `ScreenshotWebPageBlock` does not limit the amount of disk space consumed in the current working directory. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue. | 2026-06-18 | not yet calculated | CVE-2025-32424 |
| Significant-Gravitas–AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, `AddAudioToVideoBlock` will download and store the video and audio in a temporary directory without deleting before all noded are done. `StepThroughItemsBlock` can be used to iterate `MediaDurationBlock` multiple times. `StepThroughItemsBlock` does not limit the number of loops. In addition, `AddAudioToVideoBlock` does not limit the amount of disk space consumed in the current working directory and does not delete the video after outputing the result. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue. | 2026-06-18 | not yet calculated | CVE-2025-32436 |
| Significant-Gravitas–AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, `MediaDurationBlock` will download and store the video in a temporary directory without deleting before all noded are done. `StepThroughItemsBlock` can be used to iterate `MediaDurationBlock` multiple times. `StepThroughItemsBlock` does not limit the number of loops. In addition, `MediaDurationBlock ` does not limit the amount of disk space consumed in the current working directory and does not delete the video after outputing the result. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue. | 2026-06-18 | not yet calculated | CVE-2025-32437 |
| Silver Leaf Technologies, Inc.–Worksnaps.net Worksnaps | Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources. | 2026-06-18 | not yet calculated | CVE-2025-10560 |
| SIMA GmbH–Bondix Server | OS command injection in the environment and tunnel configuration functionality in SIMA GmbH Bondix through version 1.25.7.5 on Linux allows an authenticated attacker with configuration write access to execute arbitrary operating-system commands via crafted configuration values passed to server-side scripts. | 2026-06-19 | not yet calculated | CVE-2026-12104 |
| simplcommerce–SimplCommerce | Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw() | 2026-06-17 | not yet calculated | CVE-2026-11975 |
| simplcommerce–SimplCommerce | Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection. | 2026-06-17 | not yet calculated | CVE-2026-9591 |
| Sismics–Sismics Docs v.1.11 | Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request. | 2026-06-15 | not yet calculated | CVE-2026-50885 |
| SNMP4J-Agent–SNMP4J-Agent 3.8.3 | An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component. | 2026-06-15 | not yet calculated | CVE-2026-39006 |
| Sonatype–Nexus Repository | An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0. | 2026-06-16 | not yet calculated | CVE-2026-10748 |
| Sonatype–Nexus Repository Manager | Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials. | 2026-06-17 | not yet calculated | CVE-2026-10741 |
| Sony Corporation–Optical Disc Archive Software for Windows | Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges. | 2026-06-16 | not yet calculated | CVE-2026-50255 |
| sourcentis–mercator | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator’s Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account – including the read-only Auditor role – can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue. | 2026-06-19 | not yet calculated | CVE-2026-49344 |
| sourcentis–mercator | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator’s CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue. | 2026-06-19 | not yet calculated | CVE-2026-49345 |
| statping-ng–statping-ng v0.93.0 | Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components. | 2026-06-15 | not yet calculated | CVE-2026-50884 |
| SUSE–Rancher | A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to break out of an image, and execute e.g. malicious containers. | 2026-06-19 | not yet calculated | CVE-2026-44939 |
| syracom AG–Secure Login (2FA) for Jira | syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0. | 2026-06-16 | not yet calculated | CVE-2026-12225 |
| team-alembic–ash_authentication | Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication’s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim’s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim’s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim’s email (or who benefits from provider-side email reuse or reclamation) obtains the victim’s full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider’s email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10. | 2026-06-15 | not yet calculated | CVE-2026-49757 |
| Tecrail–Responsive FileManager | Responsive FileManager’s allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0 | 2026-06-15 | not yet calculated | CVE-2026-5482 |
| Teldat–Regesta Smart HD-PLC – TLDPH16D2 | An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could obtain privilege information by using the command Version via the path: /upgrade/query.php?cmd=p+3&3Bversion resulting in a information disclosure. This issue affects Regesta Smart HD-PLC – TLDPH16D2: 11.02.05.10.02. | 2026-06-17 | not yet calculated | CVE-2026-27868 |
| Teldat–Regesta Smart HD-PLC – TLDPH16D2 | An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could, with a Slow Loris attack, cause Denial of Service (DoS) on the web interface of the device. This issue affects Regesta Smart HD-PLC – TLDPH16D2: 11.02.05.10.02. | 2026-06-17 | not yet calculated | CVE-2026-27869 |
| Teldat–Regesta Smart HD-PLC – TLDPH16D2 | An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, registration action IS required) who has the vulnerable software could, introduce arbitrary JavaScript by injecting a Cross-site Scripting (XSS) payload into the ‘Hostname’ field of the configuration file resulting in a XSS in the path /upgrade/query.php?cmd=p+3%3Bversion. This issue affects Regesta Smart HD-PLC – TLDPH16D2: 11.02.05.10.02. | 2026-06-17 | not yet calculated | CVE-2026-27870 |
| Tenda –AC7 v15.03.06.44 | Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerability in the /goform/AdvSetMacMtuWan interface via the wanMTU parameter. | 2026-06-19 | not yet calculated | CVE-2026-51843 |
| Tenda –AC7 v15.03.06.44 | Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerability in the /goform/AdvSetMacMtuWan interface via the cloneType parameter. | 2026-06-19 | not yet calculated | CVE-2026-51844 |
| Tenda –AC7 v15.03.06.44 | Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerability in the /goform/AdvSetMacMtuWan interface via the mac parameter. | 2026-06-19 | not yet calculated | CVE-2026-51845 |
| Tenda –AC7 v15.03.06.44 | In Tenda AC7 v15.03.06.44, the wanSpeed parameter of the route /goform/AdvSetMacMtuWan has a stack buffer overflow vulnerability that can lead to remote arbitrary code execution. | 2026-06-19 | not yet calculated | CVE-2026-51846 |
| Tenda–Tenda 5G03 | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter. | 2026-06-15 | not yet calculated | CVE-2026-38060 |
| Tenda–Tenda 5G03 | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter. | 2026-06-15 | not yet calculated | CVE-2026-38061 |
| Tenda–Tenda 5G03 | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter. | 2026-06-15 | not yet calculated | CVE-2026-38062 |
| Tenda–Tenda 5G03 | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter. | 2026-06-15 | not yet calculated | CVE-2026-38063 |
| Tenda–Tenda 5G03 | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter. | 2026-06-15 | not yet calculated | CVE-2026-38064 |
| Tenda–Tenda 5G03 | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter. | 2026-06-15 | not yet calculated | CVE-2026-38065 |
| The Document Foundation–LibreOffice | LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected. | 2026-06-15 | not yet calculated | CVE-2026-6039 |
| The Document Foundation–LibreOffice | A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use. | 2026-06-15 | not yet calculated | CVE-2026-6040 |
| The Document Foundation–LibreOffice | LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating. | 2026-06-15 | not yet calculated | CVE-2026-6045 |
| The Document Foundation–LibreOffice | LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type’s field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write. | 2026-06-15 | not yet calculated | CVE-2026-6047 |
| The Document Foundation–LibreOffice | LibreOffice can import presentations in the legacy binary PPT format. A stack buffer overflow existed when importing a colour-replacement record. Two fixed-size colour tables were filled from the file, but the write position was not reset between the two passes over the record, so a file whose combined colour counts exceeded the table size wrote past the end of the tables on the stack. In fixed versions the unused second pass is no longer read into those tables. | 2026-06-15 | not yet calculated | CVE-2026-8356 |
| The Document Foundation–LibreOffice | LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting. | 2026-06-15 | not yet calculated | CVE-2026-8357 |
| The Document Foundation–LibreOffice | LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected. | 2026-06-15 | not yet calculated | CVE-2026-8358 |
| theonedev–onedev | OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access – no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7. | 2026-06-18 | not yet calculated | CVE-2026-49248 |
| ThingsBoard–ThingsBoard | ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN). | 2026-06-17 | not yet calculated | CVE-2026-53676 |
| ThingsBoard–ThingsBoard v4.3.0.1 | ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user’s credentials. This results in a complete account takeover. | 2026-06-15 | not yet calculated | CVE-2026-36537 |
| TIMLEGGE–Crypt::DSA | Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical “r”. Keys used to sign more than once with an affected version should be considered compromised. | 2026-06-15 | not yet calculated | CVE-2026-12205 |
| TP-Link Systems Inc.–TL-WR940N v6 | An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges. | 2026-06-16 | not yet calculated | CVE-2026-11409 |
| TP-Link Systems Inc.–TL-WR940N v6 | An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges. | 2026-06-16 | not yet calculated | CVE-2026-11410 |
| UBB Systems–UBB.threads | UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim’s browser upon viewing. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. | 2026-06-18 | not yet calculated | CVE-2026-54219 |
| UBB Systems–UBB.threads | uBB.threads is vulnerable to a Cross-Site Request Forgery (CSRF) due to a lack of protective mechanisms. This allows an attacker to trick an authenticated user into executing unintended actions. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. | 2026-06-18 | not yet calculated | CVE-2026-54220 |
| UBB Systems–UBB.threads | UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim’s browser by tricking them into clicking a crafted link. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. | 2026-06-18 | not yet calculated | CVE-2026-54221 |
| UBB Systems–UBB.threads | UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members in Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries through time-based or boolean-based techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. | 2026-06-18 | not yet calculated | CVE-2026-54222 |
| UBB Systems–UBB.threads | UBB.threads is vulnerable to Path traversal, allowing attackers with privilege to edit templates to read and write any file on the application’s server that application has privileges to, what results in Remote Code Execution. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. | 2026-06-18 | not yet calculated | CVE-2026-54223 |
| UBB Systems–UBB.threads | UBB.threads is vulnerable to Denial of Service (DoS). By sending multiple concurrent requests to view any user profile on instances with many registered users, an authenticated attacker can easily exhaust database resources and completely deny access to the application for other users. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. | 2026-06-18 | not yet calculated | CVE-2026-54224 |
| umputun–remark42 | Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42’s own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42’s origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0. | 2026-06-16 | not yet calculated | CVE-2026-48788 |
| Unknown–Form Builder CP | The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network). | 2026-06-15 | not yet calculated | CVE-2026-9278 |
| Unknown–LearnPress | The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user’s roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request | 2026-06-17 | not yet calculated | CVE-2026-8383 |
| Unknown–MagicForm | The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form’s per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server. | 2026-06-18 | not yet calculated | CVE-2026-9815 |
| Unknown–Taskbuilder | The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user. | 2026-06-17 | not yet calculated | CVE-2026-9570 |
| Unknown–weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce | The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL. | 2026-06-17 | not yet calculated | CVE-2026-8089 |
| Unknown–WP Go Maps | The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields. | 2026-06-15 | not yet calculated | CVE-2026-8385 |
| Unknown–WP Go Maps | The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker’s geographic coordinates. | 2026-06-15 | not yet calculated | CVE-2026-8386 |
| Unknown–WP Hotel Booking | The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users’ booking line items, enumerate active coupons, and read pricing data. | 2026-06-19 | not yet calculated | CVE-2026-9822 |
| Unknown–WP Magnific Popup | The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user. | 2026-06-17 | not yet calculated | CVE-2026-7850 |
| Unknown–WP MAPS PRO | The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access. | 2026-06-15 | not yet calculated | CVE-2026-8935 |
| urllib3–urllib3/urllib3 | urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative `max_length` values can be produced due to buffer arithmetic in `read()`, `flush_decoder` unconditionally overrides `max_length` to `-1`, and `_flush_decoder()` passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using `requests` or `urllib3` to stream content from untrusted sources. | 2026-06-19 | not yet calculated | CVE-2026-9375 |
| vantage6–vantage6 | vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available. | 2026-06-17 | not yet calculated | CVE-2024-24769 |
| vantage6–vantage6 | vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user’s email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available. | 2026-06-17 | not yet calculated | CVE-2024-27928 |
| vantage6–vantage6 | vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the `root` user after it has been used to create other users. | 2026-06-17 | not yet calculated | CVE-2026-54445 |
| vantage6–vantage6 | vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms input and output files. Version 5.0.0 fixes the issue. As a workaround, verify and restrict the algorithm containers that are allowed to run on the node. | 2026-06-17 | not yet calculated | CVE-2026-54533 |
| Wertheim GmbH–Wertheim SafeController 5400 Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller) | The Wertheim SafeController 5400, Controller 5400 – AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485 messages and replay previously observed messages. This can be used, for example, to spoof a “quit alarm” message and continuously deactivate the safe alarm. | 2026-06-15 | not yet calculated | CVE-2026-34021 |
| Wertheim GmbH–Wertheim SafeController Family 65000 Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller) | The Wertheim SafeController Family 65000, Controller 65000 – AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment, it was possible to break the encryption/decryption routine and decrypt messages without knowledge of the encryption key. It was also possible to gain knowledge about the encryption key by intercepting enough messages. | 2026-06-15 | not yet calculated | CVE-2026-34022 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user’s authorized branch. | 2026-06-15 | not yet calculated | CVE-2026-34023 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user’s branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches. | 2026-06-15 | not yet calculated | CVE-2026-34024 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP X-Forwarded-For header when that header is present. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header during login to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location. | 2026-06-15 | not yet calculated | CVE-2026-34025 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries. | 2026-06-15 | not yet calculated | CVE-2026-34026 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content. | 2026-06-15 | not yet calculated | CVE-2026-34027 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/. | 2026-06-15 | not yet calculated | CVE-2026-34028 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files. | 2026-06-15 | not yet calculated | CVE-2026-34029 |
| Wertheim GmbH–Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and settings. An authenticated attacker with the settings_branches_manage privilege can include path traversal sequences in the branch code and influence the final filesystem location used by affected file operations. This can allow files to be stored in unintended locations, subject to service-account write permissions and branch-code length restrictions. | 2026-06-15 | not yet calculated | CVE-2026-34030 |
| woodpecker-ci–woodpecker | Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI’s gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones. | 2026-06-18 | not yet calculated | CVE-2026-50141 |
| Xen–Xen | HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs synchronizing with updates, which was missing so far. | 2026-06-18 | not yet calculated | CVE-2026-42487 |
| Xen–Xen | Some shadow paging errors paths will switch the page-tables without updating the currently running vCPU reference. This causes a mismatch between the loaded page-tables and the mapcache metadata which can lead to corruption of the mapcache. | 2026-06-18 | not yet calculated | CVE-2026-42488 |
| Xen–Xen | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490. | 2026-06-18 | not yet calculated | CVE-2026-42489 |
| Xen–Xen | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490. | 2026-06-18 | not yet calculated | CVE-2026-42490 |
| YouTransfer–YouTransfer v1.0.6 | An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request. | 2026-06-15 | not yet calculated | CVE-2026-50880 |
| Zhoros–SuperBin v1.0.0 | An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters. | 2026-06-15 | not yet calculated | CVE-2026-50877 |