| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-52943 | — | imp | 0.39 | 7.0 | 0.00 | Jun 24, 2026 | kernel: net: skbuff: fix missing zerocopy reference in pskb_carve helpers | |
| CVE-2026-52944 | — | 0.00 | — | 0.00 | Jun 24, 2026 | kernel: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE | ||
| CVE-2026-53091 | imp | 0.38 | 7.0 | 0.00 | Jun 24, 2026 | kernel: net: pull headers in qdisc_pkt_len_segs_init() | ||
| CVE-2026-53100 | low | 0.29 | 5.5 | 0.00 | Jun 24, 2026 | kernel: wifi: mt76: fix deadlock in remain-on-channel | ||
| CVE-2026-53125 | low | 0.29 | 5.5 | 0.00 | Jun 24, 2026 | kernel: md: fix array_state=clear sysfs deadlock | ||
| CVE-2026-53126 | — | low | 0.29 | 5.5 | 0.00 | Jun 24, 2026 | kernel: blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() | |
| CVE-2026-53127 | low | 0.29 | 5.5 | 0.00 | Jun 24, 2026 | kernel: block: fix zones_cond memory leak on zone revalidation error paths | ||
| CVE-2026-53128 | 0.00 | — | 0.00 | Jun 24, 2026 | kernel: drbd: Balance RCU calls in drbd_adm_dump_devices() | |||
| CVE-2026-53129 | — | mod | 0.29 | 5.5 | 0.00 | Jun 24, 2026 | kernel: fs/mbcache: cancel shrink work before destroying the cache | |
| CVE-2026-53130 | — | 0.00 | — | 0.00 | Jun 24, 2026 | kernel: fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START | ||
| CVE-2026-7574 | 0.00 | — | 0.00 | Jun 23, 2026 | Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at… | |||
| CVE-2026-5818 | 0.00 | — | 0.00 | Jun 23, 2026 | Incorrect check of function return value in Caliptra Core Runtime Firmware (ActivateFirmwareCmd::activate_fw modules) allows bypass of Caliptra Core's verification of the MCU FW during a hitless update. This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0. | |||
| CVE-2026-6458 | 0.00 | — | 0.00 | Jun 23, 2026 | Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the… | |||
| CVE-2026-54329 | hig | 0.38 | — | 0.00 | Jun 23, 2026 | ### Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by… | ||
| CVE-2026-55542 | low | 0.00 | — | 0.00 | Jun 23, 2026 | ### Impact Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the… | ||
| CVE-2026-55519 | low | 0.00 | — | — | Jun 23, 2026 | ### Impact A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an… | ||
| CVE-2026-55483 | med | 0.19 | — | — | Jun 23, 2026 | ### Impact The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user… | ||
| CVE-2026-55482 | med | 0.19 | — | — | Jun 23, 2026 | ### Impact The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets… | ||
| CVE-2026-50550 | — | med | 0.26 | — | — | Jun 23, 2026 | ### Impact A user who can edit other users could reset a superadmin's 2FA. ### Patches Patched in 8.5.0 | |
| CVE-2026-49976 | — | med | 0.26 | — | — | Jun 23, 2026 | ### Impact The CSV user import in update mode bypasses user-edit authorization. A user with only the `import` permission can overwrite any non-admin user's email by uploading a CSV, then trigger a password reset to take over the account. `UserImporter.php` checks the… | |
| CVE-2026-49870 | med | 0.26 | — | — | Jun 23, 2026 | ### Impact `POST /two-factor` had no rate limiting, lockout, or attempt counter. An attacker with valid credentials can submit unlimited TOTP guesses. The TOTP implementation accepts the current code plus one step on either side (`config/google2fa.php window=1`), so at any… | ||
| CVE-2026-48496 | med | 0.19 | — | — | Jun 23, 2026 | ### Summary An unprivileged process can easily trigger the `processPIDEvents` goroutine to be blocked indefinitely, preventing the goroutine from analyzing any new ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler can no longer work… | ||
| CVE-2026-12164 | 0.00 | — | 0.00 | Jun 23, 2026 | Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles… | |||
| CVE-2026-48492 | med | 0.19 | — | 0.00 | Jun 23, 2026 | ### Impact The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated… | ||
| CVE-2026-48493 | 0.00 | — | 0.00 | Jun 23, 2026 | Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`,… | |||
| CVE-2026-56785 | 0.00 | — | 0.00 | Jun 23, 2026 | FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript… | |||
| CVE-2026-54588 | 0.00 | — | 0.00 | Jun 23, 2026 | Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any… | |||
| CVE-2026-12163 | 0.00 | — | 0.00 | Jun 23, 2026 | Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or… | |||
| CVE-2026-11972 | 0.00 | — | 0.00 | Jun 23, 2026 | When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop. | |||
| CVE-2026-54517 | — | med | 0.19 | — | 0.00 | Jun 23, 2026 | ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making… | |
| CVE-2026-54516 | — | med | 0.19 | — | 0.00 | Jun 23, 2026 | ## Summary `POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field… | |
| CVE-2026-54515 | med | 0.19 | — | 0.00 | Jun 23, 2026 | ## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property… | ||
| CVE-2026-54514 | med | 0.19 | — | 0.00 | Jun 23, 2026 | ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an… | ||
| CVE-2026-54513 | — | hig | 0.39 | — | 0.01 | Jun 23, 2026 | ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an… | |
| CVE-2026-54512 | hig | 0.39 | — | 0.01 | Jun 23, 2026 | `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`),… | ||
| CVE-2026-50193 | med | 0.19 | — | 0.01 | Jun 23, 2026 | ### Impact Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service: 1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (ObjectMapper.readTree()) 2. Writes out same (or modifided) node using `JsonNode.toString()` which can consume… | ||
| CVE-2026-54518 | — | med | 0.19 | — | 0.00 | Jun 23, 2026 | ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this… | |
| CVE-2026-41862 | 0.00 | — | 0.00 | Jun 23, 2026 | Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application… | |||
| CVE-2026-23513 | 0.00 | — | 0.00 | Jun 23, 2026 | FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In… | |||
| CVE-2026-11819 | 0.00 | — | 0.00 | Jun 23, 2026 | Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into… | |||
| CVE-2025-64105 | 0.00 | — | 0.00 | Jun 23, 2026 | FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when… | |||
| CVE-2026-54555 | 0.00 | — | 0.00 | Jun 23, 2026 | rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command… | |||
| CVE-2026-55863 | med | 0.26 | — | — | Jun 23, 2026 | ## Summary The `ActionHandler.post()` method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts (PTZ controls, alarm triggers, etc.). ##… | ||
| CVE-2026-55249 | 0.00 | — | 0.00 | Jun 23, 2026 | @rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe… | |||
| CVE-2026-55488 | hig | 0.39 | — | 0.01 | Jun 23, 2026 | ### Summary mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using… | ||
| CVE-2026-55448 | med | 0.19 | — | 0.00 | Jun 23, 2026 | ### Summary `mise` loads `github.credential_command` from local project config before any trust decision, then executes that value with `sh -c` when resolving a GitHub token. An attacker who can place a `.mise.toml` in a repository can execute arbitrary shell commands when the… | ||
| CVE-2026-55441 | hig | 0.39 | — | 0.00 | Jun 23, 2026 | ### Summary mise's trust feature gates config files (`mise.toml`, `.tool-versions`) through `trust_check`, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (`mise-tasks/`, `.mise/tasks/`, …) but no config file, mise… | ||
| CVE-2026-55736 | 0.00 | — | 0.00 | Jun 23, 2026 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with… | |||
| CVE-2026-54557 | med | 0.19 | — | 0.00 | Jun 23, 2026 | ## Summary The mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if… | ||
| CVE-2026-54320 | 0.00 | — | 0.00 | Jun 23, 2026 | Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had not been verified. Daytona authenticates… |
- risk 0.39cvss 7.0epss 0.00
kernel: net: skbuff: fix missing zerocopy reference in pskb_carve helpers
- CVE-2026-52944Jun 24, 2026risk 0.00cvss —epss 0.00
kernel: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
- risk 0.38cvss 7.0epss 0.00
kernel: net: pull headers in qdisc_pkt_len_segs_init()
- risk 0.29cvss 5.5epss 0.00
kernel: wifi: mt76: fix deadlock in remain-on-channel
- risk 0.29cvss 5.5epss 0.00
kernel: md: fix array_state=clear sysfs deadlock
- risk 0.29cvss 5.5epss 0.00
kernel: blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
- risk 0.29cvss 5.5epss 0.00
kernel: block: fix zones_cond memory leak on zone revalidation error paths
- CVE-2026-53128Jun 24, 2026risk 0.00cvss —epss 0.00
kernel: drbd: Balance RCU calls in drbd_adm_dump_devices()
- risk 0.29cvss 5.5epss 0.00
kernel: fs/mbcache: cancel shrink work before destroying the cache
- CVE-2026-53130Jun 24, 2026risk 0.00cvss —epss 0.00
kernel: fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
- CVE-2026-7574Jun 23, 2026risk 0.00cvss —epss 0.00
Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at…
- CVE-2026-5818Jun 23, 2026risk 0.00cvss —epss 0.00
Incorrect check of function return value in Caliptra Core Runtime Firmware (ActivateFirmwareCmd::activate_fw modules) allows bypass of Caliptra Core's verification of the MCU FW during a hitless update. This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
- CVE-2026-6458Jun 23, 2026risk 0.00cvss —epss 0.00
Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware GHASH accumulator state is not saved after the first update call, causing the…
- risk 0.38cvss —epss 0.00
### Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by…
- risk 0.00cvss —epss 0.00
### Impact Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the…
- risk 0.00cvss —epss —
### Impact A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an…
- risk 0.19cvss —epss —
### Impact The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user…
- risk 0.19cvss —epss —
### Impact The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets…
- risk 0.26cvss —epss —
### Impact A user who can edit other users could reset a superadmin's 2FA. ### Patches Patched in 8.5.0
- risk 0.26cvss —epss —
### Impact The CSV user import in update mode bypasses user-edit authorization. A user with only the `import` permission can overwrite any non-admin user's email by uploading a CSV, then trigger a password reset to take over the account. `UserImporter.php` checks the…
- risk 0.26cvss —epss —
### Impact `POST /two-factor` had no rate limiting, lockout, or attempt counter. An attacker with valid credentials can submit unlimited TOTP guesses. The TOTP implementation accepts the current code plus one step on either side (`config/google2fa.php window=1`), so at any…
- risk 0.19cvss —epss —
### Summary An unprivileged process can easily trigger the `processPIDEvents` goroutine to be blocked indefinitely, preventing the goroutine from analyzing any new ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler can no longer work…
- CVE-2026-12164Jun 23, 2026risk 0.00cvss —epss 0.00
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles…
- risk 0.19cvss —epss 0.00
### Impact The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated…
- CVE-2026-48493Jun 23, 2026risk 0.00cvss —epss 0.00
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`,…
- CVE-2026-56785Jun 23, 2026risk 0.00cvss —epss 0.00
FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript…
- CVE-2026-54588Jun 23, 2026risk 0.00cvss —epss 0.00
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any…
- CVE-2026-12163Jun 23, 2026risk 0.00cvss —epss 0.00
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or…
- CVE-2026-11972Jun 23, 2026risk 0.00cvss —epss 0.00
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.
- risk 0.19cvss —epss 0.00
## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making…
- risk 0.19cvss —epss 0.00
## Summary `POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field…
- risk 0.19cvss —epss 0.00
## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property…
- risk 0.19cvss —epss 0.00
## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an…
- risk 0.39cvss —epss 0.01
## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an…
- risk 0.39cvss —epss 0.01
`jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`),…
- risk 0.19cvss —epss 0.01
### Impact Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service: 1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (ObjectMapper.readTree()) 2. Writes out same (or modifided) node using `JsonNode.toString()` which can consume…
- risk 0.19cvss —epss 0.00
## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this…
- CVE-2026-41862Jun 23, 2026risk 0.00cvss —epss 0.00
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application…
- CVE-2026-23513Jun 23, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In…
- CVE-2026-11819Jun 23, 2026risk 0.00cvss —epss 0.00
Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into…
- CVE-2025-64105Jun 23, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when…
- CVE-2026-54555Jun 23, 2026risk 0.00cvss —epss 0.00
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command…
- risk 0.26cvss —epss —
## Summary The `ActionHandler.post()` method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts (PTZ controls, alarm triggers, etc.). ##…
- CVE-2026-55249Jun 23, 2026risk 0.00cvss —epss 0.00
@rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe…
- risk 0.39cvss —epss 0.01
### Summary mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using…
- risk 0.19cvss —epss 0.00
### Summary `mise` loads `github.credential_command` from local project config before any trust decision, then executes that value with `sh -c` when resolving a GitHub token. An attacker who can place a `.mise.toml` in a repository can execute arbitrary shell commands when the…
- risk 0.39cvss —epss 0.00
### Summary mise's trust feature gates config files (`mise.toml`, `.tool-versions`) through `trust_check`, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (`mise-tasks/`, `.mise/tasks/`, …) but no config file, mise…
- CVE-2026-55736Jun 23, 2026risk 0.00cvss —epss 0.00
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with…
- risk 0.19cvss —epss 0.00
## Summary The mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if…
- CVE-2026-54320Jun 23, 2026risk 0.00cvss —epss 0.00
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had not been verified. Daytona authenticates…