| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-39481 | High | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions. |
| CVE-2026-39480 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions. |
| CVE-2026-39478 | High | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. |
| CVE-2026-39474 | High | 0.50 | 8.8 | 0.00 | Jun 15, 2026 | Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions. |
| CVE-2026-39472 | High | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions. |
| CVE-2026-39471 | High | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions. |
| CVE-2026-39470 | High | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions. |
| CVE-2026-39463 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions. |
| CVE-2026-39450 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. |
| CVE-2026-39449 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions. |
| CVE-2026-39447 | High | 0.39 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions. |
| CVE-2026-39435 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions. |
| CVE-2026-39434 | High | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions. |
| CVE-2026-34902 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions. |
| CVE-2026-34900 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions. |
| CVE-2026-34898 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| CVE-2026-34891 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions. |
| CVE-2026-34886 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions. |
| CVE-2026-27407 | High | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Editor Privilege Escalation in AI Engine <= 3.4.9 versions. |
| CVE-2026-27333 | High | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions. |
| CVE-2026-27089 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions. |
| CVE-2026-25425 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. |
| CVE-2026-24637 | High | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions. |
| CVE-2026-23970 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions. |
| CVE-2025-68872 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. |
| CVE-2025-68851 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. |
| CVE-2025-68840 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. |
| CVE-2025-59133 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions. |
| CVE-2026-54283 | High | 0.38 | — | 0.00 | Jun 15, 2026 | Summary: `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can… |
| CVE-2026-54281 | High | 0.38 | — | 0.00 | Jun 15, 2026 | Impact: An authentication bypass vulnerability exists in `@nestjs/platform-fastify` (confirmed on version `11.1.24`, the latest available release at time of report). When middleware is registered through NestJS's `MiddlewareConsumer.forRoutes()` API on the Fastify adapter,… |
| CVE-2026-53539 | High | 0.38 | — | 0.00 | Jun 15, 2026 | Summary: When parsing `application/x-www-form-urlencoded` bodies, `QuerystringParser` located the field separator with a two-step lookup: it first scanned the entire remaining buffer for `&`, and only when no `&` existed anywhere ahead did it fall back to scanning for `;`.… |
| CVE-2026-49853 | High | 0.38 | — | — | Jun 15, 2026 | Summary: When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect… |
| CVE-2026-49855 | High | 0.38 | — | — | Jun 15, 2026 | Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (there has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively… |
| CVE-2026-53705 | High | 0.49 | 7.6 | 0.00 | Jun 15, 2026 | A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation.… |
| CVE-2026-53704 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without… |
| CVE-2026-53703 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec… |
| CVE-2026-52722 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a… |
| CVE-2026-52720 | High | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote… |
| CVE-2026-52719 | High | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially… |
| CVE-2026-50891 | High | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request. |
| CVE-2026-50889 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header. |
| CVE-2026-50888 | High | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL. |
| CVE-2026-50885 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allows unauthorized attackers to access sensitive endpoints via a crafted request. |
| CVE-2026-50884 | High | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components. |
| CVE-2026-50882 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. |
| CVE-2026-50881 | High | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Incorrect access control in impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes. |
| CVE-2026-50879 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. |
| CVE-2026-50878 | High | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request. |
| CVE-2026-50877 | High | 0.49 | 7.5 | 0.01 | Jun 15, 2026 | An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters. |
| CVE-2026-50875 | High | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request. |
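Two of the GStreamer entries above (the WavPack decoder's `4 * block_samples * channels` allocation size, and the librfb rectangle check that validates area instead of per-axis extent) describe bounds-check mistakes that recur across media parsers. The following C is an added illustration, not GStreamer's code: it reproduces each flawed check in a self-contained form and pairs it with an overflow-aware replacement. The quantities (block samples, channels, rectangle and framebuffer geometry) come from the CVE text; the function names, integer widths and sample values are assumptions made for this example.

```c
/*
 * Added illustration, not GStreamer's code.  Two bounds-check mistakes
 * from the CVE descriptions above, each beside an overflow-aware fix.
 * Function names, integer widths and sample values are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* --- 1. Allocation size computed as 4 * block_samples * channels ------ */

/* 32-bit product: wraps modulo 2^32, so a block that really needs
 * gigabytes can yield a tiny (here: zero-byte) allocation that the
 * decoder then writes far beyond. */
uint32_t frame_size_unchecked(uint32_t block_samples, uint32_t channels)
{
    return 4u * block_samples * channels;
}

/* Overflow-aware: reject zero dimensions and any product that does not
 * fit in size_t, before the value reaches the allocator.  Returns 0 on
 * rejection, since a zero-byte frame is never valid here. */
size_t frame_size_checked(uint32_t block_samples, uint32_t channels)
{
    if (block_samples == 0 || channels == 0)
        return 0;
    /* Divide rather than multiply, so the guard itself cannot overflow. */
    if (block_samples > SIZE_MAX / 4u / channels)
        return 0;
    return (size_t)4u * block_samples * channels;
}

/* --- 2. RFB rectangle update against a fb_w x fb_h framebuffer --------- */

/* Area check: w*h <= fb_w*fb_h.  It never looks at the position, so a
 * 100 x 10 rectangle placed at x = 1000 on a 1024-wide framebuffer is
 * accepted although it ends at column 1100. */
bool rect_ok_area(uint16_t x, uint16_t y, uint16_t w, uint16_t h,
                  uint16_t fb_w, uint16_t fb_h)
{
    (void)x;
    (void)y;
    return (uint32_t)w * h <= (uint32_t)fb_w * fb_h;
}

/* Per-dimension check: the far edge must stay inside the framebuffer on
 * each axis.  Operands are widened to 64 bits so the sums cannot wrap. */
bool rect_ok_dims(uint16_t x, uint16_t y, uint16_t w, uint16_t h,
                  uint16_t fb_w, uint16_t fb_h)
{
    return (uint64_t)x + w <= fb_w && (uint64_t)y + h <= fb_h;
}

/* Stand-alone demonstration with constructed values. */
int main(void)
{
    /* 4 * 2^30 wraps to 0 in 32 bits; the checked version rejects it
     * on 32-bit platforms and returns the true size on 64-bit ones. */
    printf("unchecked size: %u\n", frame_size_unchecked(0x40000000u, 4u));
    printf("checked size (max inputs): %zu\n",
           frame_size_checked(0xFFFFFFFFu, 0xFFFFFFFFu));

    /* Rectangle running off the right edge of a 1024 x 768 framebuffer. */
    printf("area check accepts: %d\n",
           rect_ok_area(1000, 0, 100, 10, 1024, 768));
    printf("dimension check accepts: %d\n",
           rect_ok_dims(1000, 0, 100, 10, 1024, 768));
    return 0;
}
```

The same pattern applies to the VMnc entry's signed payload-size arithmetic: compute lengths in an unsigned type at least as wide as the allocator's, guard with division (or a checked-multiply builtin) rather than comparing a possibly wrapped product, and validate each axis of a geometry field on its own rather than their product.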