| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42895 | 0.00 | — | 0.00 | Jun 19, 2026 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. | |||
| CVE-2026-45480 | 0.00 | — | 0.01 | Jun 19, 2026 | Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. | |||
| CVE-2026-32208 | 0.00 | — | 0.00 | Jun 19, 2026 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network. | |||
| CVE-2026-48794 | 0.00 | — | 0.00 | Jun 19, 2026 | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an… | |||
| CVE-2026-48129 | 0.00 | — | 0.00 | Jun 19, 2026 | Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an… | |||
| CVE-2026-49346 | 0.00 | — | 0.00 | Jun 19, 2026 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the… | |||
| CVE-2026-49295 | 0.00 | — | 0.00 | Jun 19, 2026 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate… | |||
| CVE-2026-49337 | 0.00 | — | 0.00 | Jun 19, 2026 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image… | |||
| CVE-2026-48787 | 0.00 | — | 0.00 | Jun 19, 2026 | gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code through POST… | |||
| CVE-2026-54898 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary `Oj::Parser#parse` is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw `const byte *` pointer into the Ruby string's internal buffer. If a callback (e.g. `hash_start`) resizes the… | ||
| CVE-2026-54897 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls `doc.close` or `d.close`, the document's heap memory is freed while the C iterator is still running. When control… | ||
| CVE-2026-54896 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary `Oj.dump` in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large `:indent` value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With… | ||
| CVE-2026-55778 | low | 0.00 | — | 0.00 | Jun 19, 2026 | ### Impact Parse Server's default `fileUpload.fileExtensions` blocklist is intended to prevent uploading files that browsers render as active content (such as HTML and SVG), which can be used to perform stored cross-site scripting (XSS) attacks against other users. The… | ||
| CVE-2026-54592 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary `Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. ### Details Two-step chain in `ext/oj/fast.c`: 1.… | ||
| CVE-2026-54528 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | ## Summary `jupyterlab-git` 0.53.0 (latest, 2026-04-30) uses `fnmatch.fnmatchcase()` in `GitHandler.prepare()` (`jupyterlab_git/handlers.py:91`) to enforce the admin-configured `excluded_paths` security control. Because `fnmatchcase` is unconditionally case-sensitive, an… | ||
| CVE-2026-54527 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | Overview Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method… | ||
| CVE-2026-54500 | 0.00 | — | 0.00 | Jun 19, 2026 | ### Summary `Oj.load` in `:object` mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. ### Details In… | |||
| CVE-2026-54499 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | ### Summary Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using `torch.load(..., weights_only=True)`, but automatically falls back to the fully unsafe `torch.load(..., weights_only=False)` when the safe load raises `pickle.UnpicklingError`. Because the… | ||
| CVE-2026-54317 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the… | ||
| CVE-2026-54297 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | # Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters ## Summary `Faraday::NestedParamsEncoder`, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum… | ||
| CVE-2026-53492 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | ### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations… | ||
| CVE-2026-53489 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the… | ||
| CVE-2026-53488 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels… | ||
| CVE-2026-54502 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary `Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating the size. When `opts->indent` is set to `INT_MAX`… | ||
| CVE-2026-50195 | 0.00 | — | 0.00 | Jun 19, 2026 | ## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd… | |||
| CVE-2026-49216 | 0.00 | — | — | Jun 19, 2026 | ### Description The Stimulus controller shipped with `symfony/ux-autocomplete` renders AJAX response items into the dropdown by interpolating the `text` field directly into HTML template literals (`${item[labelField]}`) inside `_createAutocompleteWithRemoteData()`.… | |||
| CVE-2026-49215 | low | 0.00 | — | — | Jun 19, 2026 | ### Description When using `symfony/ux-live-component`, methods annotated with `#[LiveAction]` are invokable from the browser and mutate server-side state via AJAX. `Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest()` gated these… | ||
| CVE-2026-49212 | low | 0.00 | — | — | Jun 19, 2026 | ### Description In `symfony/ux-live-component`, a component's server-side state is exposed to the browser as a set of props (`#[LiveProp]`-annotated properties). Props marked `writable: true` can be freely changed by the client. Read-only props are round-tripped to the browser… | ||
| CVE-2026-49211 | 0.00 | — | — | Jun 19, 2026 | ### Description `Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` builds the `LIKE` expression used by the autocomplete endpoint by wrapping the client-supplied query in `%...%` without escaping the SQL `LIKE` wildcards (`%`, `_`, `\`). The value is passed… | |||
| CVE-2026-49210 | 0.00 | — | — | Jun 19, 2026 | ### Description `Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml()` interpolates the `$childTag` argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (`children[id].tag`)… | |||
| CVE-2026-49209 | low | 0.00 | — | — | Jun 19, 2026 | ### Description `Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never… | ||
| CVE-2026-48774 | 0.00 | — | 0.00 | Jun 19, 2026 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring… | |||
| CVE-2026-47262 | 0.00 | — | 0.00 | Jun 19, 2026 | ### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the… | |||
| CVE-2026-54899 | hig | 0.45 | — | 0.00 | Jun 19, 2026 | ### Summary Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a heap use-after-free. When `symbol_keys` is toggled from `true` to `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next `parse` call… | ||
| CVE-2026-48772 | 0.00 | — | 0.00 | Jun 19, 2026 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN \r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1… | |||
| CVE-2026-48773 | 0.00 | — | 0.00 | Jun 19, 2026 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first… | |||
| CVE-2026-49208 | 0.00 | — | — | Jun 19, 2026 | ### Description When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()` falls back to `new $className($value)`. The `DateTime` / `DateTimeImmutable` constructors accept… | |||
| CVE-2026-49345 | 0.00 | — | 0.01 | Jun 19, 2026 | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in… | |||
| CVE-2026-23879 | hig | 0.38 | — | 0.00 | Jun 19, 2026 | ### Summary There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library… | ||
| CVE-2026-49344 | 0.00 | — | 0.00 | Jun 19, 2026 | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent… | |||
| CVE-2026-49342 | 0.00 | — | 0.00 | Jun 19, 2026 | YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as… | |||
| CVE-2026-49340 | 0.00 | — | 0.00 | Jun 19, 2026 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled… | |||
| CVE-2026-49338 | 0.00 | — | 0.00 | Jun 19, 2026 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or… | |||
| CVE-2026-27878 | 0.00 | — | 0.00 | Jun 19, 2026 | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service. | |||
| CVE-2026-9375 | 0.00 | — | 0.00 | Jun 19, 2026 | urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0… | |||
| CVE-2026-12238 | 0.00 | — | 0.00 | Jun 19, 2026 | The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for… | |||
| CVE-2026-49339 | 0.00 | — | 0.00 | Jun 19, 2026 | gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment… | |||
| CVE-2026-49336 | 0.00 | — | 0.01 | Jun 19, 2026 | @microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from… | |||
| CVE-2026-49293 | 0.00 | — | 0.00 | Jun 19, 2026 | js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input… | |||
| CVE-2026-49288 | 0.00 | — | 0.00 | Jun 19, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other… |
- CVE-2026-42895Jun 19, 2026risk 0.00cvss —epss 0.00
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
- CVE-2026-45480Jun 19, 2026risk 0.00cvss —epss 0.01
Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-32208Jun 19, 2026risk 0.00cvss —epss 0.00
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.
- CVE-2026-48794Jun 19, 2026risk 0.00cvss —epss 0.00
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an…
- CVE-2026-48129Jun 19, 2026risk 0.00cvss —epss 0.00
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an…
- CVE-2026-49346Jun 19, 2026risk 0.00cvss —epss 0.00
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the…
- CVE-2026-49295Jun 19, 2026risk 0.00cvss —epss 0.00
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate…
- CVE-2026-49337Jun 19, 2026risk 0.00cvss —epss 0.00
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image…
- CVE-2026-48787Jun 19, 2026risk 0.00cvss —epss 0.00
gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code through POST…
- risk 0.45cvss —epss 0.00
### Summary `Oj::Parser#parse` is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw `const byte *` pointer into the Ruby string's internal buffer. If a callback (e.g. `hash_start`) resizes the…
- risk 0.45cvss —epss 0.00
### Summary `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls `doc.close` or `d.close`, the document's heap memory is freed while the C iterator is still running. When control…
- risk 0.45cvss —epss 0.00
### Summary `Oj.dump` in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large `:indent` value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With…
- risk 0.00cvss —epss 0.00
### Impact Parse Server's default `fileUpload.fileExtensions` blocklist is intended to prevent uploading files that browsers render as active content (such as HTML and SVG), which can be used to perform stored cross-site scripting (XSS) attacks against other users. The…
- risk 0.45cvss —epss 0.00
### Summary `Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. ### Details Two-step chain in `ext/oj/fast.c`: 1.…
- risk 0.38cvss —epss 0.00
## Summary `jupyterlab-git` 0.53.0 (latest, 2026-04-30) uses `fnmatch.fnmatchcase()` in `GitHandler.prepare()` (`jupyterlab_git/handlers.py:91`) to enforce the admin-configured `excluded_paths` security control. Because `fnmatchcase` is unconditionally case-sensitive, an…
- risk 0.38cvss —epss 0.00
Overview Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method…
- CVE-2026-54500Jun 19, 2026risk 0.00cvss —epss 0.00
### Summary `Oj.load` in `:object` mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. ### Details In…
- risk 0.38cvss —epss 0.00
### Summary Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using `torch.load(..., weights_only=True)`, but automatically falls back to the fully unsafe `torch.load(..., weights_only=False)` when the safe load raises `pickle.UnpicklingError`. Because the…
- risk 0.45cvss —epss 0.00
### Summary The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the…
- risk 0.38cvss —epss 0.00
# Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters ## Summary `Faraday::NestedParamsEncoder`, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum…
- risk 0.38cvss —epss 0.00
### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations…
- risk 0.38cvss —epss 0.00
### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the…
- risk 0.38cvss —epss 0.00
### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels…
- risk 0.45cvss —epss 0.00
### Summary `Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating the size. When `opts->indent` is set to `INT_MAX`…
- CVE-2026-50195Jun 19, 2026risk 0.00cvss —epss 0.00
## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd…
- CVE-2026-49216Jun 19, 2026risk 0.00cvss —epss —
### Description The Stimulus controller shipped with `symfony/ux-autocomplete` renders AJAX response items into the dropdown by interpolating the `text` field directly into HTML template literals (`${item[labelField]}`) inside `_createAutocompleteWithRemoteData()`.…
- risk 0.00cvss —epss —
### Description When using `symfony/ux-live-component`, methods annotated with `#[LiveAction]` are invokable from the browser and mutate server-side state via AJAX. `Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest()` gated these…
- risk 0.00cvss —epss —
### Description In `symfony/ux-live-component`, a component's server-side state is exposed to the browser as a set of props (`#[LiveProp]`-annotated properties). Props marked `writable: true` can be freely changed by the client. Read-only props are round-tripped to the browser…
- CVE-2026-49211Jun 19, 2026risk 0.00cvss —epss —
### Description `Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` builds the `LIKE` expression used by the autocomplete endpoint by wrapping the client-supplied query in `%...%` without escaping the SQL `LIKE` wildcards (`%`, `_`, `\`). The value is passed…
- CVE-2026-49210Jun 19, 2026risk 0.00cvss —epss —
### Description `Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml()` interpolates the `$childTag` argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (`children[id].tag`)…
- risk 0.00cvss —epss —
### Description `Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never…
- CVE-2026-48774Jun 19, 2026risk 0.00cvss —epss 0.00
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring…
- CVE-2026-47262Jun 19, 2026risk 0.00cvss —epss 0.00
### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the…
- risk 0.45cvss —epss 0.00
### Summary Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a heap use-after-free. When `symbol_keys` is toggled from `true` to `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next `parse` call…
- CVE-2026-48772Jun 19, 2026risk 0.00cvss —epss 0.00
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN \r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1…
- CVE-2026-48773Jun 19, 2026risk 0.00cvss —epss 0.00
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first…
- CVE-2026-49208Jun 19, 2026risk 0.00cvss —epss —
### Description When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()` falls back to `new $className($value)`. The `DateTime` / `DateTimeImmutable` constructors accept…
- CVE-2026-49345Jun 19, 2026risk 0.00cvss —epss 0.01
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in…
- risk 0.38cvss —epss 0.00
### Summary There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library…
- CVE-2026-49344Jun 19, 2026risk 0.00cvss —epss 0.00
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent…
- CVE-2026-49342Jun 19, 2026risk 0.00cvss —epss 0.00
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as…
- CVE-2026-49340Jun 19, 2026risk 0.00cvss —epss 0.00
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled…
- CVE-2026-49338Jun 19, 2026risk 0.00cvss —epss 0.00
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or…
- CVE-2026-27878Jun 19, 2026risk 0.00cvss —epss 0.00
A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.
- CVE-2026-9375Jun 19, 2026risk 0.00cvss —epss 0.00
urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0…
- CVE-2026-12238Jun 19, 2026risk 0.00cvss —epss 0.00
The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for…
- CVE-2026-49339Jun 19, 2026risk 0.00cvss —epss 0.00
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from the first path segment…
- CVE-2026-49336Jun 19, 2026risk 0.00cvss —epss 0.01
@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from…
- CVE-2026-49293Jun 19, 2026risk 0.00cvss —epss 0.00
js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input…
- CVE-2026-49288Jun 19, 2026risk 0.00cvss —epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other…