|
281
|
9.6 |
CRITICAL
Network
|
-
|
-
|
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an e…
New
|
CWE-862
Missing Authorization
|
CVE-2026-50084
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
282
|
9.1 |
CRITICAL
Network
|
-
|
-
|
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3…
New
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-50083
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
283
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Fun…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-50082
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
284
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` …
New
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-50020
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
285
|
4.3 |
MEDIUM
Network
|
-
|
-
|
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metada…
New
|
CWE-125
Out-of-bounds Read
|
CVE-2026-47224
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
286
|
9.8 |
CRITICAL
Network
|
-
|
-
|
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with a…
New
|
CWE-913
Improper Control of Dynamically-Managed Code Resources
|
CVE-2026-47210
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
287
|
10.0 |
CRITICAL
Network
|
-
|
-
|
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the …
New
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-47140
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
288
|
8.6 |
HIGH
Network
|
-
|
-
|
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to htt…
New
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-47139
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
289
|
5.8 |
MEDIUM
Local
|
-
|
-
|
unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of p…
New
|
CWE-125
CWE-415
CWE-704
CWE-787
Out-of-bounds Read
Double Free
Incorrect Type Conversion or Cast
Out-of-bounds Write
|
CVE-2026-46690
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
290
|
- |
|
-
|
-
|
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository a…
New
|
CWE-94
Code Injection
|
CVE-2026-45833
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
