| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44089 | 0.00 | — | 0.00 | Jun 23, 2026 | Totolink EX1200L router is vulnerable to Buffer Overflow in the login functionality in cgi-bin/cstecgi.cgi endpoint. This vulnerability could be exploited to cause the program to crash and to execute code remotely. This allows the attacker to perform actions as root including… | |||
| CVE-2026-4983 | 0.00 | — | 0.00 | Jun 23, 2026 | Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an… | |||
| CVE-2026-10609 | mod | 0.44 | 6.8 | 0.00 | Jun 23, 2026 | openshift/cluster-logging-operator: Cluster Logging Operator creates and forwards ServiceAccount tokens without verifying CLF creator authorization | ||
| CVE-2026-11374 | 0.00 | — | 0.01 | Jun 23, 2026 | In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover. | |||
| CVE-2026-10521 | — | 0.00 | — | 0.00 | Jun 23, 2026 | An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability. | ||
| CVE-2026-9733 | 0.00 | — | 0.00 | Jun 23, 2026 | Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time… | |||
| CVE-2026-8379 | 0.00 | — | 0.00 | Jun 23, 2026 | The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6… | |||
| CVE-2026-8378 | 0.00 | — | 0.00 | Jun 23, 2026 | The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting… | |||
| CVE-2026-8172 | 0.00 | — | 0.00 | Jun 23, 2026 | The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit… | |||
| CVE-2026-8163 | 0.00 | — | 0.00 | Jun 23, 2026 | The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above. | |||
| CVE-2026-7842 | 0.00 | — | 0.00 | Jun 23, 2026 | The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated… | |||
| CVE-2026-1840 | hig | 0.49 | 7.5 | 0.01 | Jun 23, 2026 | The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system… | ||
| CVE-2026-12866 | 0.00 | — | 0.00 | Jun 23, 2026 | All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are… | |||
| CVE-2026-55654 | 0.00 | — | 0.00 | Jun 23, 2026 | A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker,… | |||
| CVE-2026-55655 | 0.00 | — | 0.00 | Jun 23, 2026 | A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A… | |||
| CVE-2026-55653 | 0.00 | — | 0.00 | Jun 23, 2026 | A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes… | |||
| CVE-2026-11833 | 0.00 | — | 0.00 | Jun 23, 2026 | Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: … | |||
| CVE-2026-52801 | hig | 0.38 | — | 0.01 | Jun 23, 2026 | ### Summary The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. ### Details Here is… | ||
| CVE-2026-52800 | hig | 0.38 | — | 0.00 | Jun 23, 2026 | ## Summary In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**. If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to… | ||
| CVE-2025-55639 | 0.00 | — | 0.00 | Jun 23, 2026 | GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | |||
| CVE-2025-61018 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61019 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61020 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61021 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61022 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61023 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61024 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61025 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61027 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61028 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2025-61029 | 0.00 | — | 0.00 | Jun 23, 2026 | An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||
| CVE-2026-12891 | mod | 0.28 | 4.3 | 0.00 | Jun 23, 2026 | gstreamer1-plugins-bad: gstreamer1-plugins-bad: global buffer overflow (OOB read) in H.266/VVC VUI parameter parser | ||
| CVE-2026-13083 | — | mod | 0.45 | 6.9 | 0.00 | Jun 23, 2026 | pen-drive: pen-drive: stored XSS via unescaped cluster data in HTML report | |
| CVE-2026-13757 | mod | 0.40 | 6.2 | 0.00 | Jun 23, 2026 | p11-kit: Stack exhaustion via unbounded recursion in RPC attribute parsing | ||
| CVE-2026-39253 | 0.00 | — | 0.01 | Jun 23, 2026 | An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components. | |||
| CVE-2026-52673 | 0.00 | — | 0.00 | Jun 23, 2026 | SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component | |||
| CVE-2026-52799 | hig | 0.38 | — | 0.00 | Jun 22, 2026 | ## Summary In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed… | ||
| CVE-2026-10658 | 0.00 | — | 0.00 | Jun 22, 2026 | A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header… | |||
| CVE-2026-52798 | hig | 0.38 | — | 0.00 | Jun 22, 2026 | # Summary Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links… | ||
| CVE-2026-52796 | — | low | 0.00 | — | 0.00 | Jun 22, 2026 | ### Summary Special template of issue index pattern may cause panic. ### Details in internal/markup/markup.go ```go link = fmt.Sprintf(`%s`, com.Expand(metas["format"], metas), m) ``` Issue index pattern is rendered to link with `com.Expand`. However,… | |
| CVE-2026-10651 | 0.00 | — | 0.00 | Jun 22, 2026 | A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then… | |||
| CVE-2026-50179 | med | 0.19 | — | 0.00 | Jun 22, 2026 | ## Summary `exportToCSV` and `exportQueryToCSV` in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` pass user-controlled `Payee`, `Notes`, `Account`, and `Category` strings to `csv-stringify` with no `cast` callback and no formula-prefix neutralization.… | ||
| CVE-2026-10645 | 0.00 | — | 0.00 | Jun 22, 2026 | Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then… | |||
| CVE-2026-54353 | hig | 0.39 | — | 0.00 | Jun 22, 2026 | Summary Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS… | ||
| CVE-2026-54352 | cri | 0.52 | — | 0.00 | Jun 22, 2026 | ## Summary `POST /api/pwa/process-zip` at `packages/server/src/api/routes/static.ts:24` accepts a builder-uploaded `.zip`, extracts it with `extract-zip@2.0.1` into a temp directory, then for each entry listed in `icons.json` validates the icon path, opens it, and streams the… | ||
| CVE-2026-54351 | hig | 0.39 | — | 0.00 | Jun 22, 2026 | ## Summary The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in `externalTrigger()` allows an attacker to overwrite the internal `appId` property by… | ||
| CVE-2026-49229 | hig | 0.39 | — | 0.00 | Jun 22, 2026 | ### Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the… | ||
| CVE-2026-50137 | hig | 0.45 | — | 0.00 | Jun 22, 2026 | ## Summary The Budibase server route `POST /api/attachments/:datasourceId/url` ([`packages/server/src/api/routes/static.ts`](https://github.com/Budibase/budibase/blob/56d2a984/packages/server/src/api/routes/static.ts)) is registered with **only** the `recaptcha` middleware.… | ||
| CVE-2026-50136 | hig | 0.38 | — | 0.00 | Jun 22, 2026 | The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource… | ||
| CVE-2026-50132 | hig | 0.38 | — | 0.00 | Jun 22, 2026 | ## Title **Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account** ## Severity **High** — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = **7.3** ## Affected Product - **Product:** Budibase -… |
- CVE-2026-44089Jun 23, 2026risk 0.00cvss —epss 0.00
Totolink EX1200L router is vulnerable to Buffer Overflow in the login functionality in cgi-bin/cstecgi.cgi endpoint. This vulnerability could be exploited to cause the program to crash and to execute code remotely. This allows the attacker to perform actions as root including…
- CVE-2026-4983Jun 23, 2026risk 0.00cvss —epss 0.00
Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an…
- risk 0.44cvss 6.8epss 0.00
openshift/cluster-logging-operator: Cluster Logging Operator creates and forwards ServiceAccount tokens without verifying CLF creator authorization
- CVE-2026-11374Jun 23, 2026risk 0.00cvss —epss 0.01
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
- CVE-2026-10521Jun 23, 2026risk 0.00cvss —epss 0.00
An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.
- CVE-2026-9733Jun 23, 2026risk 0.00cvss —epss 0.00
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time…
- CVE-2026-8379Jun 23, 2026risk 0.00cvss —epss 0.00
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6…
- CVE-2026-8378Jun 23, 2026risk 0.00cvss —epss 0.00
The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting…
- CVE-2026-8172Jun 23, 2026risk 0.00cvss —epss 0.00
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit…
- CVE-2026-8163Jun 23, 2026risk 0.00cvss —epss 0.00
The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.
- CVE-2026-7842Jun 23, 2026risk 0.00cvss —epss 0.00
The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated…
- risk 0.49cvss 7.5epss 0.01
The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system…
- CVE-2026-12866Jun 23, 2026risk 0.00cvss —epss 0.00
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are…
- CVE-2026-55654Jun 23, 2026risk 0.00cvss —epss 0.00
A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker,…
- CVE-2026-55655Jun 23, 2026risk 0.00cvss —epss 0.00
A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A…
- CVE-2026-55653Jun 23, 2026risk 0.00cvss —epss 0.00
A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes…
- CVE-2026-11833Jun 23, 2026risk 0.00cvss —epss 0.00
Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: …
- risk 0.38cvss —epss 0.01
### Summary The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. ### Details Here is…
- risk 0.38cvss —epss 0.00
## Summary In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**. If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to…
- CVE-2025-55639Jun 23, 2026risk 0.00cvss —epss 0.00
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
- CVE-2025-61018Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61019Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61020Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61021Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61022Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61023Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61024Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61025Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61027Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61028Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61029Jun 23, 2026risk 0.00cvss —epss 0.00
An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- risk 0.28cvss 4.3epss 0.00
gstreamer1-plugins-bad: gstreamer1-plugins-bad: global buffer overflow (OOB read) in H.266/VVC VUI parameter parser
- risk 0.45cvss 6.9epss 0.00
pen-drive: pen-drive: stored XSS via unescaped cluster data in HTML report
- risk 0.40cvss 6.2epss 0.00
p11-kit: Stack exhaustion via unbounded recursion in RPC attribute parsing
- CVE-2026-39253Jun 23, 2026risk 0.00cvss —epss 0.01
An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.
- CVE-2026-52673Jun 23, 2026risk 0.00cvss —epss 0.00
SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component
- risk 0.38cvss —epss 0.00
## Summary In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed…
- CVE-2026-10658Jun 22, 2026risk 0.00cvss —epss 0.00
A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header…
- risk 0.38cvss —epss 0.00
# Summary Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links…
- risk 0.00cvss —epss 0.00
### Summary Special template of issue index pattern may cause panic. ### Details in internal/markup/markup.go ```go link = fmt.Sprintf(`%s`, com.Expand(metas["format"], metas), m) ``` Issue index pattern is rendered to link with `com.Expand`. However,…
- CVE-2026-10651Jun 22, 2026risk 0.00cvss —epss 0.00
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then…
- risk 0.19cvss —epss 0.00
## Summary `exportToCSV` and `exportQueryToCSV` in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` pass user-controlled `Payee`, `Notes`, `Account`, and `Category` strings to `csv-stringify` with no `cast` callback and no formula-prefix neutralization.…
- CVE-2026-10645Jun 22, 2026risk 0.00cvss —epss 0.00
Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then…
- risk 0.39cvss —epss 0.00
Summary Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS…
- risk 0.52cvss —epss 0.00
## Summary `POST /api/pwa/process-zip` at `packages/server/src/api/routes/static.ts:24` accepts a builder-uploaded `.zip`, extracts it with `extract-zip@2.0.1` into a temp directory, then for each entry listed in `icons.json` validates the icon path, opens it, and streams the…
- risk 0.39cvss —epss 0.00
## Summary The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in `externalTrigger()` allows an attacker to overwrite the internal `appId` property by…
- risk 0.39cvss —epss 0.00
### Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the…
- risk 0.45cvss —epss 0.00
## Summary The Budibase server route `POST /api/attachments/:datasourceId/url` ([`packages/server/src/api/routes/static.ts`](https://github.com/Budibase/budibase/blob/56d2a984/packages/server/src/api/routes/static.ts)) is registered with **only** the `recaptcha` middleware.…
- risk 0.38cvss —epss 0.00
The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource…
- risk 0.38cvss —epss 0.00
## Title **Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account** ## Severity **High** — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = **7.3** ## Affected Product - **Product:** Budibase -…