|
5001
|
6.5 |
MEDIUM
Network
|
apache
|
apache-airflow-providers-samba
|
The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path …
|
CWE-22
Path Traversal
|
CVE-2026-49818
|
2026-06-13 00:51 |
2026-06-9 |
|
|
|
|
5002
|
9.8 |
CRITICAL
Network
|
qnap
|
qumagie
|
An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges.
We have …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44083
|
2026-06-13 00:47 |
2026-06-9 |
|
|
|
|
5003
|
6.5 |
MEDIUM
Network
|
qnap
|
qts, quts_hero
|
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to mod…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2025-62858
|
2026-06-13 00:44 |
2026-06-9 |
|
|
|
|
5004
|
5.4 |
MEDIUM
Network
|
microsoft
|
sharepoint_server
|
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
|
CWE-502, CWE-79
Deserialization of Untrusted Data; Cross-site Scripting
|
CVE-2026-48560
|
2026-06-13 00:41 |
2026-06-10 |
|
|
|
|
5005
|
4.6 |
MEDIUM
Network
|
microsoft
|
sharepoint_server
|
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
|
CWE-79
Cross-site Scripting
|
CVE-2026-48562
|
2026-06-13 00:38 |
2026-06-10 |
|
|
|
|
5006
|
6.1 |
MEDIUM
Network
|
qnap
|
qts, quts_hero
|
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41539
|
2026-06-13 00:37 |
2026-06-9 |
|
|
|
|
5007
|
7.5 |
HIGH
Network
|
qnap
|
qumagie
|
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We hav…
|
CWE-862
Missing Authorization
|
CVE-2026-26236
|
2026-06-13 00:35 |
2026-06-9 |
|
|
|
|
5008
|
7.8 |
HIGH
Local
|
siemens
|
sinec_ins
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with the cap_dac_override capability. This capability all…
|
CWE-250
Execution with Unnecessary Privileges
|
CVE-2026-46748
|
2026-06-13 00:33 |
2026-06-9 |
|
|
|
|
5009
|
- |
-
|
-
|
-
|
Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-priv…
|
CWE-22
Path Traversal
|
CVE-2026-45171
|
2026-06-13 00:30 |
2026-06-12 |
|
|
|
|
5010
|
- |
-
|
-
|
-
|
Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially exe…
|
CWE-78
OS Command
|
CVE-2026-45172
|
2026-06-13 00:30 |
2026-06-12 |
|
|
|
|
5011
|
- |
-
|
-
|
-
|
Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated …
|
CWE-346
Origin Validation Error
|
CVE-2026-45173
|
2026-06-13 00:30 |
2026-06-12 |
|
|
|
|
5012
|
- |
-
|
-
|
-
|
Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19
|
CWE-404
Improper Resource Shutdown or Release
|
CVE-2026-45174
|
2026-06-13 00:30 |
2026-06-12 |
|
|
|
|
5013
|
- |
-
|
-
|
-
|
In Idira Privilege Cloud Connector versions prior to 1.1.100504, under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26…
|
CWE-295
Improper Certificate Validation
|
CVE-2026-45170
|
2026-06-13 00:30 |
2026-06-12 |
|
|
|
|
5014
|
- |
-
|
-
|
-
|
Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnerability. Under specific circumstances and configuration scenari…
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-45169
|
2026-06-13 00:30 |
2026-06-12 |
|
|
|
|
5015
|
5.3 |
MEDIUM
Network
|
siemens
|
sinec_ins
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used fo…
|
CWE-26
Path Traversal: '/dir/../filename'
|
CVE-2026-46747
|
2026-06-13 00:28 |
2026-06-9 |
|
|
|
|
5016
|
7.8 |
HIGH
Local
|
adobe
|
format_plugins
|
Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of …
|
CWE-122
Heap-based Buffer Overflow
|
CVE-2026-48292
|
2026-06-13 00:19 |
2026-06-10 |
|
|
|
|
5017
|
7.4 |
HIGH
Network
|
-
|
-
|
A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTok…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-50631
|
2026-06-13 00:16 |
2026-06-12 |
|
|
|
|
5018
|
6.5 |
MEDIUM
Network
|
-
|
-
|
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage…
|
CWE-113
HTTP Response Splitting
|
CVE-2026-50630
|
2026-06-13 00:16 |
2026-06-12 |
|
|
|
|
5019
|
- |
-
|
-
|
-
|
Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user me…
|
CWE-116
Improper Encoding or Escaping of Output
|
CVE-2026-47173
|
2026-06-13 00:16 |
2026-06-12 |
|
|
|
|
5020
|
5.0 |
MEDIUM
Network
|
-
|
-
|
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2)…
|
CWE-191
Integer Underflow (Wrap or Wraparound)
|
CVE-2026-11850
|
2026-06-13 00:16 |
2026-06-11 |
|
|
|
|
5021
|
7.8 |
HIGH
Local
|
adobe
|
format_plugins
|
Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of …
|
CWE-122
Heap-based Buffer Overflow
|
CVE-2026-48291
|
2026-06-13 00:15 |
2026-06-10 |
|
|
|
|
5022
|
9.8 |
CRITICAL
Network
|
siemens
|
sinec_ins
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all us…
|
CWE-760
Use of a One-Way Hash with a Predictable Salt
|
CVE-2026-46749
|
2026-06-13 00:15 |
2026-06-9 |
|
|
|
|
5023
|
10.0 |
CRITICAL
Network
|
adobe
|
campaign
|
Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current…
|
CWE-863
Incorrect Authorization
|
CVE-2026-48303
|
2026-06-13 00:02 |
2026-06-10 |
|
|
|
|
5024
|
5.5 |
MEDIUM
Local
|
adobe
|
acrobat, acrobat_reader
|
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this v…
|
CWE-125
Out-of-bounds Read
|
CVE-2026-47961
|
2026-06-12 23:43 |
2026-06-10 |
|
|
|
|
5025
|
7.8 |
HIGH
Local
|
adobe
|
acrobat, acrobat_reader
|
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current …
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-47959
|
2026-06-12 23:41 |
2026-06-10 |
|
|
|
|
5026
|
- |
-
|
-
|
-
|
Rejected reason: Reserved but no longer needed.
|
-
|
CVE-2026-54102
|
2026-06-12 23:16 |
2026-06-12 |
|
|
|
|
5027
|
- |
-
|
-
|
-
|
Rejected reason: Reserved but no longer needed.
|
-
|
CVE-2026-54101
|
2026-06-12 23:16 |
2026-06-12 |
|
|
|
|
5028
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fissi…
|
CWE-250, CWE-269
Execution with Unnecessary Privileges; Improper Privilege Management
|
CVE-2026-50566
|
2026-06-12 23:16 |
2026-06-11 |
|
|
|
|
5029
|
8.8 |
HIGH
Network
|
-
|
-
|
A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges.
This issue affects Apache OFBiz: before 24.09.07.
Users are recommended…
|
CWE-285
Improper Authorization
|
CVE-2026-47342
|
2026-06-12 23:16 |
2026-06-11 |
|
|
|
|
5030
|
- |
-
|
-
|
-
|
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an att…
|
CWE-77, CWE-88, CWE-829
Command Injection; Argument Injection; Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-46529
|
2026-06-12 23:16 |
2026-06-11 |
|
|
|
|
5031
|
7.0 |
HIGH
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerab…
|
CWE-94, CWE-1321
Code Injection; Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-44495
|
2026-06-12 23:16 |
2026-06-12 |
|
|
|
|
5032
|
7.5 |
HIGH
Network
|
vmware
|
spring_for_graphql
|
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are …
|
CWE-284
Improper Access Control
|
CVE-2026-41856
|
2026-06-12 23:14 |
2026-06-11 |
|
|
|
|
5033
|
8.1 |
HIGH
Network
|
vmware
|
spring_for_graphql
|
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page,…
|
CWE-346
Origin Validation Error
|
CVE-2026-41700
|
2026-06-12 23:13 |
2026-06-11 |
|
|
|
|
5034
|
7.5 |
HIGH
Network
|
sqlfluff
|
sqlfluff
|
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be l…
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-46373
|
2026-06-12 23:10 |
2026-06-10 |
|
|
|
|
5035
|
7.5 |
HIGH
Network
|
sqlfluff
|
sqlfluff
|
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be l…
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-46374
|
2026-06-12 23:01 |
2026-06-10 |
|
|
|
|
5036
|
7.5 |
HIGH
Network
|
pipecat
|
pipecat
|
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pip…
|
CWE-22
Path Traversal
|
CVE-2026-44716
|
2026-06-12 23:00 |
2026-06-10 |
|
|
|
|
5037
|
6.5 |
MEDIUM
Network
|
qnap
|
file_station
|
A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (…
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-22899
|
2026-06-12 22:49 |
2026-06-10 |
|
|
|
|
5038
|
6.5 |
MEDIUM
Network
|
qnap
|
file_station
|
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-24720
|
2026-06-12 22:49 |
2026-06-10 |
|
|
|
|
5039
|
4.4 |
MEDIUM
Local
|
qnap
|
license_center
|
A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpect…
|
CWE-22
Path Traversal
|
CVE-2025-62851
|
2026-06-12 22:47 |
2026-06-10 |
|
|
|
|
5040
|
8.1 |
HIGH
Network
|
qnap
|
file_station
|
An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restr…
|
CWE-863
Incorrect Authorization
|
CVE-2026-24724
|
2026-06-12 22:47 |
2026-06-10 |
|
|
|
|
5041
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection.
This issue affects Product Filter …
|
CWE-89
SQL Injection
|
CVE-2026-39494
|
2026-06-12 22:13 |
2026-06-12 |
|
|
|
|
5042
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection.
This issue affects JoomSport: from n/a through 5.7…
|
CWE-89
SQL Injection
|
CVE-2026-42647
|
2026-06-12 22:13 |
2026-06-12 |
|
|
|
|
5043
|
7.1 |
HIGH
Network
|
-
|
-
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS.
This issue affects SliceWP: from n/a through 1.2.6.
|
CWE-79
Cross-site Scripting
|
CVE-2026-42653
|
2026-06-12 22:13 |
2026-06-12 |
|
|
|
|
5044
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation.
This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.
|
CWE-266
Incorrect Privilege Assignment
|
CVE-2026-49060
|
2026-06-12 22:13 |
2026-06-12 |
|
|
|
|
5045
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This …
|
CWE-79
Cross-site Scripting
|
CVE-2026-9125
|
2026-06-12 22:13 |
2026-06-12 |
|
|
|
|
5046
|
8.8 |
HIGH
Network
|
-
|
-
|
Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security sev…
|
CWE-269
Improper Privilege Management
|
CVE-2026-12018
|
2026-06-12 22:08 |
2026-06-12 |
|
|
|
|
5047
|
8.1 |
HIGH
Network
|
qnap
|
file_station
|
A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes.
We…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-26239
|
2026-06-12 21:53 |
2026-06-10 |
|
|
|
|
5048
|
9.1 |
CRITICAL
Network
|
qnap
|
file_station
|
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vul…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-26240
|
2026-06-12 21:52 |
2026-06-10 |
|
|
|
|
5049
|
9.1 |
CRITICAL
Network
|
qnap
|
file_station
|
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vul…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-26241
|
2026-06-12 21:51 |
2026-06-10 |
|
|
|
|
5050
|
10.0 |
CRITICAL
Network
|
ivanti
|
standalone_sentry
|
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.
|
CWE-78
OS Command
|
CVE-2026-10520
|
2026-06-12 21:42 |
2026-06-10 |
|
|
|