| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-54309 | hig | 0.45 | — | 0.00 | Jun 16, 2026 | ## Impact When `@n8n/mcp-browser` is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke… | ||
| CVE-2026-54305 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing… | ||
| CVE-2026-48616 | 0.00 | — | 0.00 | Jun 16, 2026 | Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the… | |||
| CVE-2026-48929 | 0.00 | — | 0.01 | Jun 16, 2026 | Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an… | |||
| CVE-2026-54307 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances… | ||
| CVE-2026-54314 | 0.00 | — | 0.00 | Jun 16, 2026 | ## Impact The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing… | |||
| CVE-2026-48782 | 0.00 | — | 0.00 | Jun 16, 2026 | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous… | |||
| CVE-2026-54302 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious `webhookId`. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's… | ||
| CVE-2026-54303 | 0.00 | — | 0.00 | Jun 16, 2026 | ## Impact An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. ## Patches The… | |||
| CVE-2026-54312 | hig | 0.45 | — | 0.00 | Jun 16, 2026 | ## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server… | ||
| CVE-2026-48788 | 0.00 | — | 0.00 | Jun 16, 2026 | Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an… | |||
| CVE-2026-48745 | 0.00 | — | 0.00 | Jun 16, 2026 | Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an… | |||
| CVE-2026-47277 | 0.00 | — | 0.00 | Jun 16, 2026 | Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path… | |||
| CVE-2026-48783 | 0.00 | — | 0.00 | Jun 16, 2026 | Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's… | |||
| CVE-2026-48781 | 0.00 | — | 0.00 | Jun 16, 2026 | Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without… | |||
| CVE-2026-54322 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An… | ||
| CVE-2026-52846 | 0.00 | — | 0.00 | Jun 16, 2026 | ### Summary Caddy’s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `<<>img src=x onerror=alert()>`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later… | |||
| CVE-2026-52845 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary `forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`. … | ||
| CVE-2026-52844 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk. An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy… | ||
| CVE-2026-25470 | 0.00 | — | 0.00 | Jun 16, 2026 | Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47. | |||
| CVE-2026-39598 | 0.00 | — | 0.00 | Jun 16, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2. | |||
| CVE-2026-49073 | 0.00 | — | 0.00 | Jun 16, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3. | |||
| CVE-2026-48055 | — | 0.00 | — | 0.01 | Jun 16, 2026 | Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames… | ||
| CVE-2026-50574 | hig | 0.39 | — | 0.00 | Jun 16, 2026 | ### Summary If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to… | ||
| CVE-2026-54321 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. ### Impact When a sandbox… | ||
| CVE-2026-53622 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Summary There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS… | ||
| CVE-2026-11409 | 0.00 | — | 0.03 | Jun 16, 2026 | An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated… | |||
| CVE-2026-11410 | 0.00 | — | 0.03 | Jun 16, 2026 | An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with… | |||
| CVE-2026-53755 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and… | ||
| CVE-2026-53754 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary The Docker API server's SSRF protection (`validate_webhook_url` / `validate_url_destination` in `deploy/docker/utils.py`) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata… | ||
| CVE-2026-50023 | hig | 0.39 | — | 0.01 | Jun 16, 2026 | ### Summary A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. ### Details The fix for `CVE-2024-38519` enforced… | ||
| CVE-2026-49113 | 0.00 | — | 0.00 | Jun 16, 2026 | Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions. | |||
| CVE-2026-49080 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions. | |||
| CVE-2026-49057 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions. | |||
| CVE-2026-48869 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions. | |||
| CVE-2026-40761 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions. | |||
| CVE-2026-40760 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Behold <= 1.5 versions. | |||
| CVE-2026-40759 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Esmée <= 1.4 versions. | |||
| CVE-2026-40758 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions. | |||
| CVE-2026-40755 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in TechLink <= 1.3 versions. | |||
| CVE-2026-40754 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Roisin <= 1.4 versions. | |||
| CVE-2026-40751 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions. | |||
| CVE-2026-40739 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions. | |||
| CVE-2026-40736 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions. | |||
| CVE-2026-39580 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions. | |||
| CVE-2026-39578 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Valiance <= 1.2 versions. | |||
| CVE-2026-39577 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions. | |||
| CVE-2026-39568 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions. | |||
| CVE-2026-39567 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions. | |||
| CVE-2026-39557 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions. |
- risk 0.45cvss —epss 0.00
## Impact When `@n8n/mcp-browser` is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke…
- risk 0.38cvss —epss 0.00
## Impact Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing…
- CVE-2026-48616Jun 16, 2026risk 0.00cvss —epss 0.00
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the…
- CVE-2026-48929Jun 16, 2026risk 0.00cvss —epss 0.01
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an…
- risk 0.38cvss —epss 0.00
## Impact A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances…
- CVE-2026-54314Jun 16, 2026risk 0.00cvss —epss 0.00
## Impact The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing…
- CVE-2026-48782Jun 16, 2026risk 0.00cvss —epss 0.00
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous…
- risk 0.38cvss —epss 0.00
## Impact An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious `webhookId`. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's…
- CVE-2026-54303Jun 16, 2026risk 0.00cvss —epss 0.00
## Impact An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. ## Patches The…
- risk 0.45cvss —epss 0.00
## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server…
- CVE-2026-48788Jun 16, 2026risk 0.00cvss —epss 0.00
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an…
- CVE-2026-48745Jun 16, 2026risk 0.00cvss —epss 0.00
Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an…
- CVE-2026-47277Jun 16, 2026risk 0.00cvss —epss 0.00
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path…
- CVE-2026-48783Jun 16, 2026risk 0.00cvss —epss 0.00
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's…
- CVE-2026-48781Jun 16, 2026risk 0.00cvss —epss 0.00
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without…
- risk 0.38cvss —epss 0.00
### Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An…
- CVE-2026-52846Jun 16, 2026risk 0.00cvss —epss 0.00
### Summary Caddy’s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `<<>img src=x onerror=alert()>`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later…
- risk 0.38cvss —epss 0.00
### Summary `forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`. …
- risk 0.38cvss —epss 0.00
### Summary On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk. An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy…
- CVE-2026-25470Jun 16, 2026risk 0.00cvss —epss 0.00
Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47.
- CVE-2026-39598Jun 16, 2026risk 0.00cvss —epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2.
- CVE-2026-49073Jun 16, 2026risk 0.00cvss —epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
- CVE-2026-48055Jun 16, 2026risk 0.00cvss —epss 0.01
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames…
- risk 0.39cvss —epss 0.00
### Summary If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to…
- risk 0.38cvss —epss 0.00
### Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. ### Impact When a sandbox…
- risk 0.38cvss —epss 0.00
## Summary There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS…
- CVE-2026-11409Jun 16, 2026risk 0.00cvss —epss 0.03
An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated…
- CVE-2026-11410Jun 16, 2026risk 0.00cvss —epss 0.03
An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with…
- risk 0.38cvss —epss 0.00
### Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and…
- risk 0.38cvss —epss 0.00
### Summary The Docker API server's SSRF protection (`validate_webhook_url` / `validate_url_destination` in `deploy/docker/utils.py`) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata…
- risk 0.39cvss —epss 0.01
### Summary A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. ### Details The fix for `CVE-2024-38519` enforced…
- CVE-2026-49113Jun 16, 2026risk 0.00cvss —epss 0.00
Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
- CVE-2026-49080Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
- CVE-2026-49057Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
- CVE-2026-48869Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
- CVE-2026-40761Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
- CVE-2026-40760Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
- CVE-2026-40759Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
- CVE-2026-40758Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
- CVE-2026-40755Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
- CVE-2026-40754Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
- CVE-2026-40751Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
- CVE-2026-40739Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
- CVE-2026-40736Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
- CVE-2026-39580Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
- CVE-2026-39578Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Valiance <= 1.2 versions.
- CVE-2026-39577Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions.
- CVE-2026-39568Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions.
- CVE-2026-39567Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.
- CVE-2026-39557Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions.