# | CVE | CVSS score and severity | attack vector | vendor / product | CWE | updated | published

5051 | CVE-2025-24268 | 5.5 MEDIUM | Local | apple / macos | CWE-22 Path Traversal | 2026-06-12 21:38 | 2026-06-12
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.

5052 | CVE-2025-24284 | 8.8 HIGH | Local | apple / macos | CWE-693 Protection Mechanism Failure | 2026-06-12 21:38 | 2026-06-12
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Sequoia 15.4. An app may be able to break out of its sandbox.

5053 | CVE-2025-30431 | 5.5 MEDIUM | Local | apple / macos | CWE-693 Protection Mechanism Failure | 2026-06-12 21:38 | 2026-06-12
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to access private information.

5054 | CVE-2025-30459 | 5.5 MEDIUM | Local | apple / macos | CWE-359 Exposure of Private Personal Information to an Unauthorized Actor | 2026-06-12 21:37 | 2026-06-12
A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.

5055 | CVE-2025-31272 | 7.8 HIGH | Local | apple / macos | CWE-269 Improper Privilege Management | 2026-06-12 21:37 | 2026-06-12
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges.

5056 | CVE-2025-43339 | 5.5 MEDIUM | Local | apple / macos | CWE-284 Improper Access Control | 2026-06-12 21:37 | 2026-06-12
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to access sensitive user data.

5057 | CVE-2025-46293 | 5.5 MEDIUM | Local | apple / macos | CWE-59 Link Following | 2026-06-12 21:36 | 2026-06-12
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.

5058 | CVE-2025-46308 | 5.3 MEDIUM | Network | apple / ipados, iphone_os, macos | CWE-284 Improper Access Control | 2026-06-12 21:36 | 2026-06-12
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.

5059 | CVE-2025-46315 | 7.5 HIGH | Network | apple / macos | CWE-284 Improper Access Control | 2026-06-12 21:35 | 2026-06-12
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data.

5060 | CVE-2026-46489 | 8.1 HIGH | Network | - / - | CWE-79 Cross-site Scripting; CWE-434 Unrestricted Upload of File with Dangerous Type | 2026-06-12 20:16 | 2026-06-12
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG …

5061 | CVE-2026-11561 | 9.8 CRITICAL | Network | - / - | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | 2026-06-12 19:16 | 2026-06-11
Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Ap…

5062 | CVE-2025-59382 | - | - | - / - | CWE-472 External Control of Assumed-Immutable Web Parameter | 2026-06-12 11:16 | 2026-06-10
QTS, QuTS hero, QuTScloud are not affected.
We have already fixed the vulnerability in the following version:

5063 | CVE-2026-49235 | 7.5 HIGH | Network | nlnetlabs / routinator | CWE-755 Improper Handling of Exceptional Conditions | 2026-06-12 10:37 | 2026-06-09
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.

5064 | CVE-2026-49233 | 7.5 HIGH | Network | nlnetlabs / routinator | CWE-22 Path Traversal | 2026-06-12 10:33 | 2026-06-09
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name …

5065 | CVE-2026-49234 | 7.5 HIGH | Network | nlnetlabs / routinator | CWE-20 Improper Input Validation; NVD-CWE-noinfo | 2026-06-12 10:28 | 2026-06-09
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted n…

5066 | CVE-2026-52756 | 6.5 MEDIUM | Network | nsa / ghidra | CWE-22 Path Traversal | 2026-06-12 10:18 | 2026-06-10
Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operation…

|
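The Routinator rsync-module entry (CVE-2026-49233) and the Ghidra IsfServer entry (CVE-2026-52756) above are the same defect pattern: a string chosen by a remote client becomes a component of a filesystem path without its `..` components being refused. The block below is an added Python illustration of the check a practitioner would want, not code from either project; the cache root, the rsync URI shapes and the function names are assumptions made for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical cache root; not either project's real layout.
CACHE_ROOT = "/var/cache/rpki/rsync"


def rsync_module(uri: str) -> str:
    """Return the module component of an rsync:// URI.

    rsync URIs look like rsync://host/module/path/in/module: the first path
    component after the host names the module. urlsplit() does not
    normalise '..', so whatever the remote side sent comes back unchanged.
    """
    u = urlsplit(uri)
    if u.scheme != "rsync" or not u.netloc:
        raise ValueError(f"not an rsync URI: {uri!r}")
    return u.path.lstrip("/").split("/", 1)[0]


def is_safe_name(name: str) -> bool:
    """A name is safe only if every '/'-separated component is a plain
    filename: not empty, not '.', not '..'. The check runs BEFORE any
    normalisation; normpath() would quietly turn 'a/../../b' into '../b'."""
    if not name:
        return False
    return all(part not in ("", ".", "..") for part in name.split("/"))


def cache_path(root: str, name: str) -> str:
    """Map a client-supplied module/namespace name under root, or raise."""
    if not is_safe_name(name):
        raise ValueError(f"rejected name {name!r}")
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, name))
    # Second, independent check: the result must still sit inside root.
    if posixpath.commonpath([root, joined]) != root:
        raise ValueError(f"{name!r} escapes {root}")
    return joined


def cache_path_for_uri(root: str, uri: str) -> str:
    """Cache location for an rsync URI, refusing a traversing module name."""
    return cache_path(root, rsync_module(uri))


if __name__ == "__main__":
    # Constructed URIs: one honest, one that smuggles '..' as the module.
    for uri in ("rsync://rpki.example.net/repo/ca.cer",
                "rsync://rpki.example.net/../../../etc/cron.d/x"):
        try:
            print(uri, "->", cache_path_for_uri(CACHE_ROOT, uri))
        except ValueError as err:
            print(uri, "-> REJECTED:", err)
```

The component check and the `commonpath` check are deliberately separate: the first rejects the input as sent, the second catches any join logic mistake. Neither resolves symlinks; if the cache directory can contain links planted by another process, `os.path.realpath` on the result is a further, separate check.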
5067 | CVE-2026-52757 | 4.4 MEDIUM | Local | nsa / ghidra | CWE-416 Use After Free | 2026-06-12 10:10 | 2026-06-10
Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafti…

5068 | CVE-2026-53440 | 4.3 MEDIUM | Network | jenkins / jenkins | CWE-601 Open Redirect | 2026-06-12 10:03 | 2026-06-10
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attacke…

|
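The Jenkins entry above (CVE-2026-53440) concerns a post-login `from` parameter that is redirected to without being checked. The following is an added Python example, not Jenkins code, of a validator for such a parameter: only a path on the application's own origin is accepted, and the inputs that commonly slip past a naive `startswith("/")` test are covered. The application root URL and the function names are assumptions.

```python
from urllib.parse import urlsplit, urljoin

APP_ROOT = "https://ci.example.internal/"   # hypothetical own origin
FALLBACK = "/"


def is_safe_redirect(target: str) -> bool:
    """True only if target is a path on this application.

    Rejected inputs and why:
      ''                       nothing to redirect to
      'https://evil/...'       absolute URL to another host
      '//evil/...'             protocol-relative: browser keeps the scheme
                               and goes to evil
      '/\\evil/...'            some browsers treat '\\' as '/', so this is
                               protocol-relative too
      '/x\\r\\nSet-Cookie: .'  control characters could split the header
      'javascript:...'         a scheme is present
    """
    if not target or len(target) > 2048:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    if target[0] != "/":
        return False                      # must be an absolute *path*
    if len(target) > 1 and target[1] in "/\\":
        return False                      # '//host' or '/\\host'
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def redirect_after_login(from_param) -> str:
    """Build the Location value: a validated path joined onto our own root,
    so even a mistake in the check cannot send the browser off-origin."""
    path = from_param if from_param and is_safe_redirect(from_param) else FALLBACK
    return urljoin(APP_ROOT, path)


if __name__ == "__main__":
    # Constructed candidates for the "from" parameter.
    for candidate in ("/job/build/", "//evil.example/", "/\\evil.example/",
                      "https://evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", redirect_after_login(candidate))
```

Joining the validated path onto a fixed root is the important half: it turns the problem from "reject every bad URL" into "only ever emit URLs under our origin", which stays correct even when a new browser quirk appears.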
5069 | CVE-2026-53442 | 5.3 MEDIUM | Network | jenkins / jenkins | CWE-311 Missing Encryption of Sensitive Data | 2026-06-12 09:59 | 2026-06-10
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenki…

5070 | CVE-2026-25700 | 7.2 HIGH | Network | apache / answer | CWE-1259 Improper Restriction of Security Token Assignment | 2026-06-12 09:50 | 2026-06-11
Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after…

5071 | CVE-2026-46558 | 8.3 HIGH | Network | plane / plane | CWE-639 Authorization Bypass Through User-Controlled Key; CWE-862 Missing Authorization | 2026-06-12 09:49 | 2026-06-11
Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in …

5072 | CVE-2026-48096 | 5.3 MEDIUM | Network | openfga / helm_charts, openfga | CWE-345 Insufficient Verification of Data Authenticity; CWE-668 Exposure of Resource to Wrong Sphere | 2026-06-12 09:46 | 2026-06-11
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to O…

5073 | CVE-2026-10676 | - | - | - / - | - | 2026-06-12 09:16 | 2026-06-12
Rejected reason: This CVE Record has been rejected by the Zephyr Project CNA. Subsequent analysis determined that the addressed defect is not reachable in any released version of Zephyr: on every sup…

5074 | CVE-2026-25089 | 9.8 CRITICAL | Network | fortinet / fortisandbox, fortisandbox_cloud, fortisandbox_paas | CWE-78 OS Command Injection | 2026-06-12 06:39 | 2026-06-10
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox…

5075 | CVE-2026-49938 | 6.5 MEDIUM | Network | fortinet / fortiportal | CWE-284 Improper Access Control | 2026-06-12 06:32 | 2026-06-10
An improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow an attacker to achieve improper access control via <i…

5076 | CVE-2025-67862 | 6.7 MEDIUM | Local | fortinet / fortios, fortiproxy | CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State | 2026-06-12 06:31 | 2026-06-10
An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.…

5077 | CVE-2026-47174 | - | - | - / - | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | 2026-06-12 06:16 | 2026-06-12
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with pac…

5078 | CVE-2026-46519 | 8.8 HIGH | Network | - / - | CWE-863 Incorrect Authorization | 2026-06-12 06:01 | 2026-06-12
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOL…

5079 | CVE-2026-47250 | 6.1 MEDIUM | Network | - / - | CWE-88 Argument Injection | 2026-06-12 06:01 | 2026-06-12
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags direct…

5080 | CVE-2026-47163 | - | - | - / - | CWE-862 Missing Authorization | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove…

5081 | CVE-2026-47169 | - | - | - / - | CWE-266 Incorrect Privilege Assignment | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, …

5082 | CVE-2026-47170 | 7.7 HIGH | Network | - / - | CWE-918 Server-Side Request Forgery (SSRF) | 2026-06-12 05:58 | 2026-06-12
Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the server to issue arbitrary H…

5083 | CVE-2026-47171 | - | - | - / - | CWE-116 Improper Encoding or Escaping of Output | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When …

5084 | CVE-2026-47172 | - | - | - / - | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged bui…

5085 | CVE-2026-47176 | - | - | - / - | CWE-200 Information Exposure | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channe…

5086 | CVE-2026-47177 | - | - | - / - | CWE-200 Information Exposure | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a cha…

5087 | CVE-2026-47189 | - | - | - / - | CWE-639 Authorization Bypass Through User-Controlled Key | 2026-06-12 05:58 | 2026-06-12
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without ver…

5088 | CVE-2026-45176 | - | - | - / - | CWE-269 Improper Privilege Management | 2026-06-12 05:56 | 2026-06-12
Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulat…

5089 | CVE-2026-45177 | - | - | - / - | CWE-284 Improper Access Control | 2026-06-12 05:56 | 2026-06-12
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submittin…

5090 | CVE-2026-45178 | - | - | - / - | CWE-284 Improper Access Control | 2026-06-12 05:56 | 2026-06-12
Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credenti…

5091 | CVE-2026-11774 | 7.6 HIGH | Network | - / - | CWE-190 Integer Overflow or Wraparound | 2026-06-12 05:56 | 2026-06-12
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC…

|
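The 389-ds entry above (CVE-2026-11774) names the exact arithmetic: a 32-bit length prefix of 0xFFFFFFFC plus sizeof(uint32_t) wraps to 0. The added Python example below is not 389-ds code; it reproduces that wraparound with explicit 32-bit arithmetic and shows the bounds-check ordering that cannot wrap. The packet cap and the helper names are assumptions made for the example.

```python
import struct

U32_MASK = 0xFFFFFFFF
PREFIX_LEN = 4                 # sizeof(uint32_t): the length prefix itself
MAX_PACKET = 1 << 20           # hypothetical cap on a whole SASL packet


def u32(x: int) -> int:
    """Emulate C unsigned 32-bit arithmetic: the value wraps instead of growing."""
    return x & U32_MASK


def prefix_value(header: bytes) -> int:
    """Decode the big-endian uint32 length prefix at the start of a SASL packet."""
    return struct.unpack(">I", header[:PREFIX_LEN])[0]


def vulnerable_total(prefix: int):
    """Flawed ordering: add first, compare second. With prefix 0xFFFFFFFC the
    sum wraps to 0, passes the cap check, and a caller would size a buffer
    for 0 bytes while still intending to read `prefix` bytes into it.
    Returns the total the code would act on, or None if rejected."""
    total = u32(prefix + PREFIX_LEN)
    return total if total <= MAX_PACKET else None


def hardened_total(prefix: int):
    """Compare before adding: `prefix > MAX_PACKET - PREFIX_LEN` cannot wrap
    because the right-hand side is a constant below the cap."""
    if prefix > MAX_PACKET - PREFIX_LEN:
        return None
    return prefix + PREFIX_LEN


if __name__ == "__main__":
    # Constructed on-the-wire header carrying the length prefix from the advisory.
    crafted = b"\xff\xff\xff\xfc"
    p = prefix_value(crafted)
    print(hex(p), "vulnerable ->", vulnerable_total(p), "| hardened ->", hardened_total(p))
```

The same rule applies to any `len + header <= cap` check in C: rewrite it as `len <= cap - header` (with `cap >= header` guaranteed) or compute in a wider type, so the attacker never gets to choose an operand that crosses the type's maximum.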
5092 | CVE-2026-53701 | 6.5 MEDIUM | Network | - / - | CWE-787 Out-of-bounds Write | 2026-06-12 05:56 | 2026-06-12
An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partiti…

5093 | CVE-2026-53702 | 6.5 MEDIUM | Network | - / - | CWE-787 Out-of-bounds Write | 2026-06-12 05:56 | 2026-06-12
A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from…

5094 | CVE-2026-45175 | - | - | - / - | CWE-295 Improper Certificate Validation | 2026-06-12 05:56 | 2026-06-12
Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security c…

5095 | CVE-2026-45802 | - | - | - / - | CWE-400 Uncontrolled Resource Consumption; CWE-770 Allocation of Resources Without Limits or Throttling | 2026-06-12 05:51 | 2026-06-12
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PD…

5096 | CVE-2026-49949 | 5.3 MEDIUM | Network | - / - | CWE-522 Insufficiently Protected Credentials | 2026-06-12 05:50 | 2026-06-12
CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to …

5097 | CVE-2026-53781 | 4.3 MEDIUM | Network | - / - | CWE-770 Allocation of Resources Without Limits or Throttling | 2026-06-12 05:50 | 2026-06-12
Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missi…

5098 | CVE-2026-53782 | 7.4 HIGH | Network | - / - | CWE-918 Server-Side Request Forgery (SSRF) | 2026-06-12 05:50 | 2026-06-12
Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresse…

5099 | CVE-2026-50638 | 9.1 CRITICAL | Network | - / - | CWE-93 CRLF Injection | 2026-06-12 05:16 | 2026-06-11
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by n…

5100 | CVE-2026-50637 | 8.2 HIGH | Network | - / - | CWE-93 CRLF Injection | 2026-06-12 05:16 | 2026-06-11
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injections. The statsd protocol (and extensions) allows multiple metrics, separated by newlines, to be sent p…

|
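The two Metrics::Any::Adapter entries above (CVE-2026-50638 and CVE-2026-50637) describe the same wire-format property: statsd and dogstatsd separate metrics with newlines, so a caller-controlled string that reaches the packet unescaped can append metrics of the attacker's choosing. The added Python example below illustrates the packet format, the injection and a validating encoder; it is not the Perl module's code, and the metric names, tags, type list and regular expression are constructed for the demonstration.

```python
import re

# statsd line:  <name>:<value>|<type>
# dogstatsd adds optional |@<sample rate> and |#tag:value,tag:value fields.
# A newline ends a metric; ':' '|' '@' '#' ',' delimit fields inside one.
_SEPARATORS = set("\n\r:|@#,")
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*$")
_TYPES = ("c", "g", "ms", "h", "s", "d")


def encode_unsafe(name, value, mtype, tags=None):
    """Naive encoder: concatenates whatever it is given (the flawed pattern)."""
    line = f"{name}:{value}|{mtype}"
    if tags:
        line += "|#" + ",".join(f"{k}:{v}" for k, v in tags.items())
    return line


def check_field(text, what):
    """Refuse a tag key or value that carries a separator or control character."""
    if not text or any(c in _SEPARATORS or ord(c) < 0x20 for c in text):
        raise ValueError(f"{what} contains a separator or control character: {text!r}")
    return text


def encode(name, value, mtype, tags=None):
    """Validating encoder: name from a strict alphabet, type from the known
    set, numeric value only, tag keys and values free of separators."""
    if not _NAME_RE.match(name):
        raise ValueError(f"bad metric name {name!r}")
    if mtype not in _TYPES:
        raise ValueError(f"bad metric type {mtype!r}")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("value must be numeric")
    line = f"{name}:{value}|{mtype}"
    if tags:
        line += "|#" + ",".join(
            f"{check_field(k, 'tag key')}:{check_field(str(v), 'tag value')}"
            for k, v in tags.items())
    return line


def metrics_in_packet(packet):
    """How a statsd server reads a datagram: one metric per line."""
    return [ln for ln in packet.split("\n") if ln]


if __name__ == "__main__":
    # Constructed attacker-controlled tag value, e.g. a label taken from user input.
    evil = "prod\nsecurity.alerts:0|g"
    pkt = encode_unsafe("logins.failed", 1, "c", {"env": evil})
    print(metrics_in_packet(pkt))          # two metrics; the second was never intended
    try:
        encode("logins.failed", 1, "c", {"env": evil})
    except ValueError as err:
        print("rejected:", err)
```

Rejecting rather than escaping is the right default here: the statsd family has no escape mechanism, so a name or tag containing a separator has no faithful encoding and the only safe outcome is an error at the call site.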