| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42014 | Med | 0.36 | 6.6 | 0.00 | Jun 16, 2026 | A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected… | ||
| CVE-2026-1767 | Med | 0.36 | 5.6 | 0.00 | Jun 16, 2026 | A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This… | ||
| CVE-2026-1766 | Med | 0.36 | 5.6 | 0.00 | Jun 16, 2026 | A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment)… | ||
| CVE-2026-1765 | Med | 0.36 | 5.6 | 0.00 | Jun 16, 2026 | A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners). This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3… | ||
| CVE-2026-1764 | Med | 0.36 | 5.6 | 0.00 | Jun 16, 2026 | A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability… | ||
| CVE-2026-12162 | Med | 0.36 | 5.5 | 0.00 | Jun 16, 2026 | Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain. | ||
| CVE-2026-12161 | Hig | 0.57 | 8.8 | 0.00 | Jun 16, 2026 | Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials… | ||
| CVE-2026-9262 | Med | 0.42 | 6.5 | 0.00 | Jun 16, 2026 | Use of a non-secure protocol as the default FTP configuration in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||
| CVE-2026-9261 | Med | 0.44 | 6.8 | 0.00 | Jun 16, 2026 | Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||
| CVE-2026-9260 | Med | 0.40 | 6.2 | 0.00 | Jun 16, 2026 | Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||
| CVE-2026-9259 | Med | 0.42 | 6.5 | 0.00 | Jun 16, 2026 | Improper validation of server certificates in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||
| CVE-2026-9258 | Med | 0.42 | 6.5 | 0.00 | Jun 16, 2026 | Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier | ||
| CVE-2026-12505 | imp | 0.51 | 7.8 | 0.00 | Jun 16, 2026 | cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall | ||
| CVE-2026-46655 | imp | 0.51 | 7.8 | — | Jun 16, 2026 | virtio-win: viosock.sys: integer overflow in VIOSockSelect leads to heap-based buffer overflow | ||
| CVE-2026-53430 | Hig | 0.50 | — | 0.00 | Jun 15, 2026 | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files… | ||
| CVE-2026-48854 | Hig | 0.50 | — | 0.00 | Jun 15, 2026 | Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_fu… | ||
| CVE-2026-48853 | Cri | 0.53 | — | 0.01 | Jun 15, 2026 | Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it,… | ||
| CVE-2026-48723 | Hig | 0.44 | 7.8 | 0.01 | Jun 15, 2026 | The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function… | ||
| CVE-2026-48599 | Hig | 0.42 | — | 0.00 | Jun 15, 2026 | Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In… | ||
| CVE-2026-12205 | Cri | 0.59 | 9.1 | 0.00 | Jun 15, 2026 | Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign() on a Key object picks a nonce, and every later… | ||
| CVE-2026-5064 | — | Hig | 0.55 | — | 0.00 | Jun 15, 2026 | Potential security vulnerabilities have been identified in the HP One Agent for certain HP PC products, which might allow for escalation of privilege and/or denial of service. HP is releasing software updates to mitigate these potential vulnerabilities. | |
| CVE-2026-48714 | Cri | 0.52 | 9.1 | 0.00 | Jun 15, 2026 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see… | ||
| CVE-2026-48713 | Cri | 0.52 | 9.1 | 0.00 | Jun 15, 2026 | Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key… | ||
| CVE-2026-48157 | Med | 0.40 | 6.1 | 0.00 | Jun 15, 2026 | Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g.… | ||
| CVE-2026-48017 | Hig | 0.50 | 8.8 | 0.01 | Jun 15, 2026 | DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user… | ||
| CVE-2026-12087 | Cri | 0.52 | 9.1 | 0.00 | Jun 15, 2026 | Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both… | ||
| CVE-2026-11832 | Cri | 0.59 | 9.1 | 0.00 | Jun 15, 2026 | Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable. | ||
| CVE-2026-9691 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. | ||
| CVE-2026-52703 | Cri | 0.62 | 9.6 | 0.00 | Jun 15, 2026 | Unauthenticated Path Traversal in FastDup <= 2.7.2 versions. | ||
| CVE-2026-52702 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. | ||
| CVE-2026-52700 | Hig | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions. | ||
| CVE-2026-52699 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions. | ||
| CVE-2026-52697 | Hig | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions. | ||
| CVE-2026-52695 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions. | ||
| CVE-2026-52694 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions. | ||
| CVE-2026-52693 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions. | ||
| CVE-2026-52692 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions. | ||
| CVE-2026-49781 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. | ||
| CVE-2026-49780 | Hig | 0.50 | 8.8 | 0.00 | Jun 15, 2026 | Customer Privilege Escalation in Dokan <= 5.0.2 versions. | ||
| CVE-2026-49776 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions. | ||
| CVE-2026-49775 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions. | ||
| CVE-2026-49773 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions. | ||
| CVE-2026-49770 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. | ||
| CVE-2026-49769 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | ||
| CVE-2026-49768 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. | ||
| CVE-2026-49766 | Cri | 0.64 | 9.9 | 0.01 | Jun 15, 2026 | Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. | ||
| CVE-2026-49765 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. | ||
| CVE-2026-49764 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. | ||
| CVE-2026-49763 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. | ||
| CVE-2026-49112 | Hig | 0.42 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions. |
- risk 0.36cvss 6.6epss 0.00
A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected…
- risk 0.36cvss 5.6epss 0.00
A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This…
- risk 0.36cvss 5.6epss 0.00
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment)…
- risk 0.36cvss 5.6epss 0.00
A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners). This vulnerability, a heap buffer overflow, occurs when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3…
- risk 0.36cvss 5.6epss 0.00
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow. This vulnerability…
- risk 0.36cvss 5.5epss 0.00
Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.
- risk 0.57cvss 8.8epss 0.00
Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials…
- risk 0.42cvss 6.5epss 0.00
Use of a non-secure protocol as the default FTP configuration in Canon EOS Network Setting Tool Version 1.5.0 or earlier
- risk 0.44cvss 6.8epss 0.00
Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier
- risk 0.40cvss 6.2epss 0.00
Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
- risk 0.42cvss 6.5epss 0.00
Improper validation of server certificates in Canon EOS Network Setting Tool Version 1.5.0 or earlier
- risk 0.42cvss 6.5epss 0.00
Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
- risk 0.51cvss 7.8epss 0.00
cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall
- risk 0.51cvss 7.8epss —
virtio-win: viosock.sys: integer overflow in VIOSockSelect leads to heap-based buffer overflow
- risk 0.50cvss —epss 0.00
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files…
- risk 0.50cvss —epss 0.00
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_fu…
- risk 0.53cvss —epss 0.01
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it,…
- risk 0.44cvss 7.8epss 0.01
The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function…
- risk 0.42cvss —epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In…
- risk 0.59cvss 9.1epss 0.00
Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign() on a Key object picks a nonce, and every later…
- risk 0.55cvss —epss 0.00
Potential security vulnerabilities have been identified in the HP One Agent for certain HP PC products, which might allow for escalation of privilege and/or denial of service. HP is releasing software updates to mitigate these potential vulnerabilities.
- risk 0.52cvss 9.1epss 0.00
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see…
- risk 0.52cvss 9.1epss 0.00
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key…
- risk 0.40cvss 6.1epss 0.00
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g.…
- risk 0.50cvss 8.8epss 0.01
DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user…
- risk 0.52cvss 9.1epss 0.00
Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both…
- risk 0.59cvss 9.1epss 0.00
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
- risk 0.62cvss 9.6epss 0.00
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
- risk 0.55cvss 8.5epss 0.00
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
- risk 0.55cvss 8.5epss 0.00
Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
- risk 0.50cvss 8.8epss 0.00
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions.
- risk 0.42cvss 6.5epss 0.00
Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
- risk 0.64cvss 9.9epss 0.01
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
- risk 0.42cvss 7.5epss 0.00
Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.