| CVE-2026-11429 | Path Traversal in Altium Git Service Allows Remote Code Execution | 05.06.2026 | 9.4 |
| CVE-2026-11423 | Path Traversal in Altium Enterprise Server Collaboration Service Allows Privilege Escalation | 05.06.2026 | 9.4 |
| CVE-2026-11419 | Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File Write | 05.06.2026 | 9.4 |
| CVE-2026-11420 | Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Write and File Read | 05.06.2026 | 10 |
| CVE-2026-45758 | Malicious code in guardrails-ai 0.10.1 (supply chain compromise) | 05.06.2026 | 9.6 |
| CVE-2026-45777 | Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection | 05.06.2026 | 9.3 |
| CVE-2026-45779 | Open XDMoD Vulnerable to Unauthenticated SQL Injection Leading to Full Database Compromise | 05.06.2026 | 9.3 |
| CVE-2026-11414 | Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal | 05.06.2026 | 10 |
| CVE-2026-10580 | Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API | 06.06.2026 | 9.8 |
| CVE-2026-46389 | UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator` | 05.06.2026 | 10 |
| CVE-2026-46395 | HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation | 05.06.2026 | 9.3 |
| CVE-2026-46396 | HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover | 05.06.2026 | 9.3 |
| CVE-2026-46399 | Authenticated Remote Code Execution via File Overwrite | 05.06.2026 | 9.4 |
| CVE-2026-46496 | HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft | 05.06.2026 | 9.3 |
| CVE-2025-71317 | NetMan 204 Hard-coded Backdoor Credentials | 05.06.2026 | 9.3 |
| CVE-2025-71318 | NetMan 204 Missing Authentication for Administrative Functions | 05.06.2026 | 9.3 |
| CVE-2026-45744 | Termix has an OS Command Injection in File Manager resolvePath endpoint | 05.06.2026 | 9.9 |
| CVE-2026-45746 | Termix Vulnerable to Arbitrary Command Execution via Session Hijacking | 05.06.2026 | 9 |
| CVE-2026-45748 | Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection | 05.06.2026 | 9.8 |
| CVE-2026-45750 | Termix Vulnerable to Arbitrary Command Execution in File Manager | 05.06.2026 | 9 |
| CVE-2026-49777 | WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability | 06.06.2026 | 10 |
| CVE-2026-6274 | Authentication Bypass in DTS Electronics' Redline WR3200 | 05.06.2026 | 9.8 |
| CVE-2026-48907 | Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5 | 05.06.2026 | 10 |
| CVE-2026-48567 | Azure HorizonDB Elevation of Privilege Vulnerability | 06.06.2026 | 10 |
| CVE-2026-48579 | Microsoft Exchange Online Information Disclosure Vulnerability | 05.06.2026 | 9.1 |
| CVE-2025-71316 | SQLite sqldiff remote code execution via argument injection | 05.06.2026 | 9.2 |
| CVE-2025-67447 | | 04.06.2026 | 9.8 |
| CVE-2026-10880 | Unauthenticated SQL Injection in Osnexus Quantastor | 04.06.2026 | 9.8 |
| CVE-2026-25550 | Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service | 04.06.2026 | 9.3 |
| CVE-2025-67446 | | 04.06.2026 | 9.8 |
| CVE-2026-10868 | MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification | 04.06.2026 | 9 |
| CVE-2026-43986 | Tautulli vulnerable to unauthenticated SSRF in /image/<hash> via attacker-seeded image hash replay | 04.06.2026 | 9.9 |
| CVE-2019-25727 | WordPress Plugin ad manager wd 1.0.11 Arbitrary File Download | 04.06.2026 | 9.3 |
| CVE-2019-25729 | PDF Signer 3.0 Server-Side Template Injection RCE via CSRF Cookie | 04.06.2026 | 9.3 |
| CVE-2019-25738 | WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change | 04.06.2026 | 9.3 |
| CVE-2019-25741 | Mobatek MobaXterm 12.1 Buffer Overflow via Sessions File | 04.06.2026 | 9.3 |
| CVE-2026-8037 | OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF | 05.06.2026 | 9.6 |
| CVE-2026-10840 | Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources | 04.06.2026 | 9.6 |
| CVE-2026-4104 | SQLi in Akmer Informatics' TeknoPass | 04.06.2026 | 9.8 |
| CVE-2026-50214 | Shared Secret Quota Inflation | 04.06.2026 | 9.3 |
| CVE-2026-50208 | Permissive TrustAllCerts TLS Verification | 04.06.2026 | 9.2 |
| CVE-2026-50209 | MDM Server Registration Overriding | 04.06.2026 | 9.3 |
| CVE-2026-49190 | Missing Per-Instruction Authorization Checks | 04.06.2026 | 9.4 |
| CVE-2026-49191 | Exposed Hard-coded M3WebServer Backend API Key | 04.06.2026 | 9.3 |
| CVE-2026-49194 | SCREEN_CLICK Authentication Bypass | 04.06.2026 | 9.4 |
| CVE-2026-41283 | | 04.06.2026 | 9.9 |
| CVE-2026-49185 | Instruction Injection via FieldX MDM | 04.06.2026 | 10 |
| CVE-2026-46244 | netfilter: nft_inner: Fix IPv6 inner_thoff desync | 05.06.2026 | 9.1 |
| CVE-2026-46266 | inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP | 05.06.2026 | 9.1 |
| CVE-2026-35075 | Hardcoded default Password for Service Account | 03.06.2026 | 9.3 |
| CVE-2026-47065 | Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232 | 04.06.2026 | 9.8 |
| CVE-2026-4035 | Environment Variable Resolution Vulnerability in mlflow/mlflow | 03.06.2026 | 9.1 |
| CVE-2026-32625 | LibreChat Exfiltrates Server Secrets via MCP Server URL Injection | 03.06.2026 | 9.6 |
| CVE-2026-42849 | authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover | 03.06.2026 | 9.3 |
| CVE-2026-49448 | authentik: SourceStage bypass via empty POST | 03.06.2026 | 9.8 |
| CVE-2026-5076 | ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation | 02.06.2026 | 9.8 |
| CVE-2026-0611 | Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting | 02.06.2026 | 9.2 |
| CVE-2026-42074 | OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input | 02.06.2026 | 9.3 |
| CVE-2026-47117 | OpenMed < 1.5.2 Remote Code Execution via PII Model Loading | 02.06.2026 | 9.3 |
| CVE-2026-7198 | CWE-284: Improper Access Control in web services in Progress Sitefinity | 03.06.2026 | 9.8 |
| CVE-2026-7312 | CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity | 03.06.2026 | 10 |
| CVE-2026-42684 | WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability | 02.06.2026 | 9.3 |
| CVE-2025-53209 | WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability | 02.06.2026 | 9.8 |
| CVE-2026-34906 | Server-Side Template Injection (SSTI) in Wirtualna Uczelnia | 02.06.2026 | 9.3 |
| CVE-2026-8206 | Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' | 02.06.2026 | 9.8 |
| CVE-2026-25879 | Langroid has Prompt to SQL Injection, Leading to RCE | 02.06.2026 | 9.8 |
| CVE-2018-25427 | Arm Whois 3.11 Buffer Overflow via SEH Overwrite | 02.06.2026 | 9.3 |
| CVE-2026-40965 | | 03.06.2026 | 10 |
| CVE-2026-0072 | | 01.06.2026 | 10 |
| CVE-2026-49121 | AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization | 02.06.2026 | 9.2 |
| CVE-2026-8644 | IBM WebSphere Application Server is affected by an identity spoofing vulnerability | 01.06.2026 | 9.1 |
| CVE-2026-9311 | IBM WebSphere Application Server is affected by remote code execution | 02.06.2026 | 9 |
| CVE-2026-9319 | IBM WebSphere Application Server is affected by a remote code execution vulnerability | 02.06.2026 | 9 |
| CVE-2026-42672 | WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability | 01.06.2026 | 9.3 |
| CVE-2026-44211 | Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability | 04.06.2026 | 9.6 |
| CVE-2026-45131 | CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests | 01.06.2026 | 10 |
| CVE-2026-45132 | CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling | 01.06.2026 | 10 |
| CVE-2026-0826 | Poly Voice – Possible Remote Control of Certain Poly Devices | 01.06.2026 | 9.2 |
| CVE-2026-42680 | WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-42682 | WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability | 01.06.2026 | 9.1 |
| CVE-2026-48866 | WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability | 01.06.2026 | 9.6 |
| CVE-2026-48879 | WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-8931 | Critical RCE vulnerability in Disig Web Signer | 01.06.2026 | 9.4 |
| CVE-2026-7858 | Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x | 01.06.2026 | 9.8 |
| CVE-2026-48188 | SQL Injection via MySQL Quote Method | 01.06.2026 | 9.1 |