VYPR

CVEs

38,009 total · page 4 of 761

  • CVE-2026-49440 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: `node:crypto.checkPrime(candidate[, options][, callback])` and `crypto.checkPrimeSync(candidate[, options])` ran no Miller-Rabin rounds at all when the caller left `options.checks` at its default of `0`. In that mode, the only test applied to the candidate was trial…

  • CVE-2026-49402 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: Deno's `node:child_process` implementation provided an `escapeShellArg()` helper used when callers passed `shell: true` to `spawn` / `spawnSync` / `exec` and friends. On Windows, the helper failed to quote arguments that contained `cmd.exe` metacharacters such as…

  • CVE-2026-48491 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: There is a high severity vulnerability in Traefik's domain-fronting protection (`SNICheck`) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router `TLSOptions`. When a router uses a wildcard host rule such as…

  • CVE-2026-54301 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Impact: An authenticated user with workflow edit access could configure a `Respond to Webhook` node to serve binary content with an attacker-controlled `Content-Type`. The binary response path bypassed the central `Content-Security-Policy` sandbox header, allowing a public…

  • CVE-2026-49444 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Impact: An authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. ##…

  • CVE-2026-41523 · High · Jun 16, 2026
    risk 0.39 · cvss n/a · epss 0.00

    Summary: An `assert`-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (`python -O` or…

  • CVE-2026-33760 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: Langflow's `/api/v1/monitor` router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted…

  • CVE-2026-44932 · High · Jun 16, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.

  • CVE-2026-42089 · High · Jun 16, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream…

  • CVE-2026-24228 · High · Jun 16, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.

  • CVE-2026-24155 · High · Jun 16, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

  • CVE-2026-10649 · High · Jun 16, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption,…

  • CVE-2025-71261 · High · Jun 16, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    An attacker with network-level access between the SUSE Virtualization and Rancher Manager in SUSE Harvester before 1.8.0 could interfere with the TLS handshake and abuse it to bypass TLS as a security control.

  • CVE-2024-38487 · High · Jun 16, 2026
    risk 0.45 · cvss 7.0 · epss 0.00

    An api-gateway container running with root privilege would allow an attacker to escape the container and access the host system to perform unintended actions.

  • CVE-2024-24909 · High · Jun 16, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. A remote authenticated user could potentially exploit this vulnerability to escalate privileges. The malicious user may gain the ability to run…

  • CVE-2026-48780 · High · Jun 16, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of…

  • CVE-2026-47684 · High · Jun 16, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF…

  • CVE-2026-12398 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who…

  • CVE-2026-11317 · High · Jun 16, 2026
    risk 0.57 · cvss n/a · epss 0.00

    A denial of service security issue exists in the affected product. The security issue stems from a fault occurring when a crafted CIP message is sent. Devices with less memory are more likely to be affected. This can result in a major nonrecoverable fault (MNRF). A program…

  • CVE-2026-0647 · High · Jun 16, 2026
    risk 0.57 · cvss n/a · epss 0.00

    An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any…

  • CVE-2026-0646 · High · Jun 16, 2026
    risk 0.57 · cvss n/a · epss 0.00

    A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to…

  • CVE-2025-14272 · High · Jun 16, 2026
    risk 0.54 · cvss n/a · epss 0.00

    A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.

  • CVE-2025-11694 · High · Jun 16, 2026
    risk 0.57 · cvss n/a · epss 0.00

    A security issue exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows an attacker to abuse the exposed Connection IDs visible on the web interface to perform denial-of-service…

  • CVE-2026-54299 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Summary: Astro SSR apps with prerendered error pages (`/404` or `/500` using `export const prerender = true`) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from `request.url`, which in turn gets its origin from the incoming…

  • CVE-2026-54293 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Summary: nltk.data.load() in NLTK is vulnerable to path traversal via URL-encoded path separators and traversal segments when using the nltk: URL scheme. The unsafe-path regex check is performed before url2pathname() decodes the %xx sequences (a classic decode-after-check /…

  • CVE-2026-54290 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses,…

  • CVE-2026-50146 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Summary: When a component uses a `client:*` directive, Astro inserts named slot content into a `data-astro-template` attribute without HTML escaping the slot name, allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS…

  • CVE-2026-12328 · High · Jun 16, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary…

  • CVE-2026-12327 · High · Jun 16, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This…

  • CVE-2026-12326 · High · Jun 16, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and…

  • CVE-2026-12324 · High · Jun 16, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12318 · High · Jun 16, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12317 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12314 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12312 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12310 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12305 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12289 · High · Jun 16, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12225 · High · Jun 16, 2026
    risk 0.57 · cvss n/a · epss 0.00

    syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted…

  • CVE-2026-10829 · High · Jun 16, 2026
    risk 0.56 · cvss n/a · epss 0.00

    A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the "Server location" parameter on the Basic settings page. An…

  • CVE-2026-8442 · High · Jun 16, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation…

  • CVE-2026-8176 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent…

  • CVE-2026-5416 · High · Jun 16, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Due to the improper neutralization of special elements used in a name parameter, a low-privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise.

  • CVE-2026-54198 · High · Jun 16, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions.

  • CVE-2026-54191 · High · Jun 16, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.

  • CVE-2026-52712 · High · Jun 16, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.

  • CVE-2026-52711 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.

  • CVE-2026-39581 · High · Jun 16, 2026
    risk 0.55 · cvss 8.5 · epss 0.00

    Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.

  • CVE-2026-39490 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.

  • CVE-2026-39437 · High · Jun 16, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.