VYPR

CVEs

345,217 total · page 102 of 6,905

  • CVE-2026-0269MedJun 10, 2026
    risk 0.30cvss epss 0.00

    A memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software allows an authenticated user to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter…

  • CVE-2026-0268MedJun 10, 2026
    risk 0.29cvss epss 0.00

    A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.

  • CVE-2026-0267MedJun 10, 2026
    risk 0.29cvss epss 0.00

    An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is known, the user can perform these actions…

  • CVE-2026-0266LowJun 10, 2026
    risk 0.07cvss epss 0.00

    A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on…

  • CVE-2022-48575LowJun 10, 2026
    risk 0.23cvss 3.5epss 0.00

    A person with access to a Mac may be able to bypass Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4.

  • CVE-2022-26758HigJun 10, 2026
    risk 0.46cvss 7.1epss 0.00

    A malicious application may cause unexpected changes in memory shared between processes. A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4.

  • CVE-2026-47768Jun 10, 2026
    risk 0.00cvss epss 0.00

    `internal/web/operators.go:251` — after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?new_key=&key_name= The raw API key ends up: - in the browser's URL history - in the…

  • CVE-2026-11908Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11909Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11913Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11914Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11915Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-47764higJun 10, 2026
    risk 0.38cvss epss 0.00

    InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path…

  • CVE-2026-47763Jun 10, 2026
    risk 0.00cvss epss 0.00

    ## Summary PDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operations can overwrite the symlink targets. This creates an arbitrary file clobber primitive relative to…

  • CVE-2026-6893HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.01

    A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are…

  • CVE-2026-50127MedJun 10, 2026
    risk 0.31cvss 5.9epss 0.00

    Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private…

  • CVE-2026-46683MedJun 10, 2026
    risk 0.38cvss epss 0.00

    Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0.

  • CVE-2026-46643HigJun 10, 2026
    risk 0.42cvss epss 0.00

    Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included.…

  • CVE-2026-46529HigJun 10, 2026
    risk 0.48cvss epss 0.01

    Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into…

  • CVE-2026-45106MedJun 10, 2026
    risk 0.23cvss 4.6epss 0.00

    Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every…

  • CVE-2026-1220HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-47751Jun 10, 2026
    risk 0.00cvss epss 0.00

    Due to the combination of checking out PR head branches (attacker-controlled), reading `.mcp.json` from the working directory via default setting sources, and unconditionally enabling all project MCP servers via `enableAllProjectMcpServers`, it was possible for an attacker who…

  • CVE-2026-48063criJun 10, 2026
    risk 0.52cvss epss 0.00

    ### Impact Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake `messages.upsert` event with a **fake message key and payload**. This allows anyone to spoof messages. The…

  • CVE-2026-50639MedJun 10, 2026
    risk 0.42cvss 6.5epss 0.00

    Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends…

  • CVE-2026-50638CriJun 10, 2026
    risk 0.59cvss 9.1epss 0.00

    Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends…

  • CVE-2026-50637HigJun 10, 2026
    risk 0.53cvss 8.2epss 0.00

    Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names…

  • CVE-2026-11626MedJun 10, 2026
    risk 0.35cvss epss 0.00

    CleanWipe Removal Tool (macOS), prior to 16.0.0.65, may be susceptible to an Local Privilege Escalation vulnerability, which is a type of issue whereby an attacker with limited privilege access on an affected system can escalate their privileges to gain administrative control.

  • CVE-2026-10740MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.00

    Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.

  • CVE-2026-48061Jun 10, 2026
    risk 0.00cvss epss 0.00

    ### Summary `AllowedHostsMiddleware` trusts the `X-Forwarded-Host` header as a fallback when the `Host` header is absent. Since `X-Forwarded-Host` is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the `Host` header and supplying an…

  • CVE-2026-48060higJun 10, 2026
    risk 0.38cvss epss 0.00

    # Overview Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine…

  • CVE-2026-48058Jun 10, 2026
    risk 0.00cvss epss 0.00

    `internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the…

  • CVE-2026-48025Jun 10, 2026
    risk 0.00cvss epss 0.00

    `internal/pki/resolver.go:36-64` constructs a `CAManager` with the plaintext `ed25519.PrivateKey` after unwrapping via the master key; `internal/pki/ca.go:13-16` stores it. Callers at `internal/api/enroll.go:116`, `internal/api/updates.go:297`, and…

  • CVE-2026-9151HigJun 10, 2026
    risk 0.55cvss epss 0.01

    An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN…

  • CVE-2026-50570HigJun 10, 2026
    risk 0.48cvss 8.5epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety /…

  • CVE-2026-50569MedJun 10, 2026
    risk 0.21cvss 4.3epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but…

  • CVE-2026-50568LowJun 10, 2026
    risk 0.16cvss 3.6epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling…

  • CVE-2026-50567HigJun 10, 2026
    risk 0.43cvss 7.7epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join…

  • CVE-2026-50566CriJun 10, 2026
    risk 0.57cvss 9.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation /…

  • CVE-2026-50565MedJun 10, 2026
    risk 0.25cvss 4.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken:…

  • CVE-2026-50564CriJun 10, 2026
    risk 0.57cvss 9.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the…

  • CVE-2026-50563CriJun 10, 2026
    risk 0.57cvss 9.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it…

  • CVE-2026-50545CriJun 10, 2026
    risk 0.57cvss 9.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec…

  • CVE-2026-49824HigJun 10, 2026
    risk 0.48cvss 8.5epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and…

  • CVE-2026-49823HigJun 10, 2026
    risk 0.43cvss 7.7epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were…

  • CVE-2026-49822HigJun 10, 2026
    risk 0.43cvss 7.7epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to…

  • CVE-2026-49821HigJun 10, 2026
    risk 0.43cvss 7.7epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace…

  • CVE-2026-48556Jun 10, 2026
    risk 0.00cvss epss

    Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

  • CVE-2026-46642MedJun 10, 2026
    risk 0.33cvss 6.1epss 0.00

    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the…

  • CVE-2026-46618MedJun 10, 2026
    risk 0.38cvss epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into…

  • CVE-2026-46617HigJun 10, 2026
    risk 0.50cvss epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher…