| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-69150 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Medeus <= 1.14 versions. | |||
| CVE-2025-69149 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions. | |||
| CVE-2025-69147 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Putter <= 1.17 versions. | |||
| CVE-2025-69146 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Dom <= 1.24 versions. | |||
| CVE-2025-69143 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Mission <= 1.22 versions. | |||
| CVE-2025-69142 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Abelle <= 1.22 versions. | |||
| CVE-2025-69141 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions. | |||
| CVE-2025-69139 | 0.00 | — | 0.01 | Jun 16, 2026 | Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions. | |||
| CVE-2025-69137 | 0.00 | — | 0.00 | Jun 16, 2026 | Subscriber Broken Access Control in Genemy <= 1.6.6 versions. | |||
| CVE-2025-69136 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions. | |||
| CVE-2025-69131 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions. | |||
| CVE-2025-69125 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions. | |||
| CVE-2025-69124 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Especio <= 1.0 versions. | |||
| CVE-2025-69122 | 0.00 | — | 0.01 | Jun 16, 2026 | Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions. | |||
| CVE-2025-69121 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions. | |||
| CVE-2025-69119 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Corbesier <= 1.15.0 versions. | |||
| CVE-2025-69118 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in CopyPress <= 1.4.5 versions. | |||
| CVE-2025-69116 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions. | |||
| CVE-2025-69114 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions. | |||
| CVE-2025-69113 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Nexio <= 1.10.0 versions. | |||
| CVE-2025-69112 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Planty <= 1.14.0 versions. | |||
| CVE-2025-69109 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions. | |||
| CVE-2025-69108 | 0.00 | — | 0.01 | Jun 16, 2026 | Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions. | |||
| CVE-2025-69107 | — | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Rosaleen <= 2.8 versions. | ||
| CVE-2025-69105 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions. | |||
| CVE-2025-69104 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions. | |||
| CVE-2025-69103 | 0.00 | — | 0.00 | Jun 16, 2026 | Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions. | |||
| CVE-2025-60085 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Learnify <= 1.15.0 versions. | |||
| CVE-2025-58924 | 0.00 | — | 0.00 | Jun 16, 2026 | Unauthenticated Local File Inclusion in Geya <= 1.15 versions. | |||
| CVE-2026-54194 | 0.00 | — | 0.00 | Jun 16, 2026 | Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions. | |||
| CVE-2026-50019 | 0.00 | — | 0.00 | Jun 16, 2026 | ### Summary If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. This is the equivalent to [GHSA-v8mc-9377-rwjj](<https://github.com/yt-dlp/… | |||
| CVE-2026-48777 | Cri | 0.53 | — | 0.00 | Jun 16, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields… | ||
| CVE-2026-47750 | Hig | 0.44 | 7.8 | 0.00 | Jun 16, 2026 | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in… | ||
| CVE-2026-47747 | Hig | 0.44 | 7.8 | 0.00 | Jun 16, 2026 | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in… | ||
| CVE-2026-46448 | Med | 0.35 | 5.4 | 0.00 | Jun 16, 2026 | In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation. | ||
| CVE-2026-22313 | — | Cri | 0.59 | 9.1 | 0.01 | Jun 16, 2026 | The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by… | |
| CVE-2026-22312 | — | Hig | 0.56 | 8.6 | 0.00 | Jun 16, 2026 | The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot). | |
| CVE-2026-12425 | Med | 0.37 | — | 0.00 | Jun 16, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after… | ||
| CVE-2026-12117 | 0.00 | — | 0.00 | Jun 16, 2026 | Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request. | |||
| CVE-2026-12105 | 0.00 | — | 0.00 | Jun 16, 2026 | Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions. | |||
| CVE-2026-11890 | 0.00 | — | 0.00 | Jun 16, 2026 | Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results. | |||
| CVE-2026-10303 | Hig | 0.41 | 7.4 | 0.01 | Jun 16, 2026 | In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An… | ||
| CVE-2026-0165 | — | 0.00 | — | 0.00 | Jun 16, 2026 | In several functions of the RTCP packet decoder, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | ||
| CVE-2026-0164 | 0.00 | — | 0.00 | Jun 16, 2026 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | |||
| CVE-2026-0162 | — | 0.00 | — | 0.00 | Jun 16, 2026 | In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | ||
| CVE-2026-0161 | — | 0.00 | — | 0.00 | Jun 16, 2026 | In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||
| CVE-2026-0160 | — | 0.00 | — | 0.00 | Jun 16, 2026 | In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for… | ||
| CVE-2026-0158 | — | 0.00 | — | 0.00 | Jun 16, 2026 | In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||
| CVE-2026-0157 | — | 0.00 | — | 0.00 | Jun 16, 2026 | In RtcpHeader::decodeRtcpHeader, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||
| CVE-2026-0156 | 0.00 | — | 0.00 | Jun 16, 2026 | In checkSsrcCollisionOnRcv of RtpSession.cpp, there is a possible memory safety issue due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. |
- CVE-2025-69150Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Medeus <= 1.14 versions.
- CVE-2025-69149Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions.
- CVE-2025-69147Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Putter <= 1.17 versions.
- CVE-2025-69146Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Dom <= 1.24 versions.
- CVE-2025-69143Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Mission <= 1.22 versions.
- CVE-2025-69142Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Abelle <= 1.22 versions.
- CVE-2025-69141Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions.
- CVE-2025-69139Jun 16, 2026risk 0.00cvss —epss 0.01
Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions.
- CVE-2025-69137Jun 16, 2026risk 0.00cvss —epss 0.00
Subscriber Broken Access Control in Genemy <= 1.6.6 versions.
- CVE-2025-69136Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions.
- CVE-2025-69131Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
- CVE-2025-69125Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions.
- CVE-2025-69124Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Especio <= 1.0 versions.
- CVE-2025-69122Jun 16, 2026risk 0.00cvss —epss 0.01
Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.
- CVE-2025-69121Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions.
- CVE-2025-69119Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Corbesier <= 1.15.0 versions.
- CVE-2025-69118Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in CopyPress <= 1.4.5 versions.
- CVE-2025-69116Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions.
- CVE-2025-69114Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions.
- CVE-2025-69113Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Nexio <= 1.10.0 versions.
- CVE-2025-69112Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Planty <= 1.14.0 versions.
- CVE-2025-69109Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions.
- CVE-2025-69108Jun 16, 2026risk 0.00cvss —epss 0.01
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.
- CVE-2025-69107Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Rosaleen <= 2.8 versions.
- CVE-2025-69105Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions.
- CVE-2025-69104Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions.
- CVE-2025-69103Jun 16, 2026risk 0.00cvss —epss 0.00
Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions.
- CVE-2025-60085Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Learnify <= 1.15.0 versions.
- CVE-2025-58924Jun 16, 2026risk 0.00cvss —epss 0.00
Unauthenticated Local File Inclusion in Geya <= 1.15 versions.
- CVE-2026-54194Jun 16, 2026risk 0.00cvss —epss 0.00
Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.
- CVE-2026-50019Jun 16, 2026risk 0.00cvss —epss 0.00
### Summary If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. This is the equivalent to [GHSA-v8mc-9377-rwjj](<https://github.com/yt-dlp/…
- risk 0.53cvss —epss 0.00
FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields…
- risk 0.44cvss 7.8epss 0.00
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in…
- risk 0.44cvss 7.8epss 0.00
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in…
- risk 0.35cvss 5.4epss 0.00
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
- risk 0.59cvss 9.1epss 0.01
The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by…
- risk 0.56cvss 8.6epss 0.00
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
- risk 0.37cvss —epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after…
- CVE-2026-12117Jun 16, 2026risk 0.00cvss —epss 0.00
Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
- CVE-2026-12105Jun 16, 2026risk 0.00cvss —epss 0.00
Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
- CVE-2026-11890Jun 16, 2026risk 0.00cvss —epss 0.00
Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
- risk 0.41cvss 7.4epss 0.01
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An…
- CVE-2026-0165Jun 16, 2026risk 0.00cvss —epss 0.00
In several functions of the RTCP packet decoder, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
- CVE-2026-0164Jun 16, 2026risk 0.00cvss —epss 0.00
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2026-0162Jun 16, 2026risk 0.00cvss —epss 0.00
In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2026-0161Jun 16, 2026risk 0.00cvss —epss 0.00
In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2026-0160Jun 16, 2026risk 0.00cvss —epss 0.00
In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for…
- CVE-2026-0158Jun 16, 2026risk 0.00cvss —epss 0.00
In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2026-0157Jun 16, 2026risk 0.00cvss —epss 0.00
In RtcpHeader::decodeRtcpHeader, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2026-0156Jun 16, 2026risk 0.00cvss —epss 0.00
In checkSsrcCollisionOnRcv of RtpSession.cpp, there is a possible memory safety issue due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.