CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-35075 Hardcoded default Password for Service Account 03.06.2026 9.3
CVE-2026-47065 Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232 03.06.2026 9.8
CVE-2026-4035 Environment Variable Resolution Vulnerability in mlflow/mlflow 03.06.2026 9.1
CVE-2026-32625 LibreChat Exfiltrates Server Secrets via MCP Server URL Injection 03.06.2026 9.6
CVE-2026-42849 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover 02.06.2026 9.3
CVE-2026-49448 authentik: SourceStage bypass via empty POST 03.06.2026 9.8
CVE-2026-5076 ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 02.06.2026 9.8
CVE-2026-0611 Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting 02.06.2026 9.2
CVE-2026-42074 OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input 02.06.2026 9.3
CVE-2026-47117 OpenMed < 1.5.2 Remote Code Execution via PII Model Loading 02.06.2026 9.3
CVE-2026-7198 CWE-284: Improper Access Control in web services in Progress Sitefinity 03.06.2026 9.8
CVE-2026-7312 CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity 03.06.2026 10
CVE-2026-42684 WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability 02.06.2026 9.3
CVE-2025-53209 WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability 02.06.2026 9.8
CVE-2026-34906 Server-Side Template Injection (SSTI) in Wirtualna Uczelnia 02.06.2026 9.3
CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' 02.06.2026 9.8
CVE-2026-25879 Langroid has Prompt to SQL Injection, Leading to RCE 02.06.2026 9.8
CVE-2018-25427 Arm Whois 3.11 Buffer Overflow via SEH Overwrite 02.06.2026 9.3
CVE-2026-40965 03.06.2026 10
CVE-2026-0072 01.06.2026 10
CVE-2026-49121 AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization 02.06.2026 9.2
CVE-2026-8644 IBM WebSphere Application Server is affected by an identity spoofing vulnerability 01.06.2026 9.1
CVE-2026-9311 IBM WebSphere Application Server is affected by remote code execution 02.06.2026 9
CVE-2026-9319 IBM WebSphere Application Server is affected by a remote code execution vulnerability 02.06.2026 9
CVE-2026-42672 WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability 01.06.2026 9.3
CVE-2026-44211 Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability 01.06.2026 9.6
CVE-2026-45131 CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests 01.06.2026 10
CVE-2026-45132 CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling 01.06.2026 10
CVE-2026-0826 Poly Voice – Possible Remote Control of Certain Poly Devices 01.06.2026 9.2
CVE-2026-42680 WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability 01.06.2026 9.8
CVE-2026-42682 WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability 01.06.2026 9.1
CVE-2026-48866 WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability 01.06.2026 9.6
CVE-2026-48879 WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability 01.06.2026 9.8
CVE-2026-8931 Critical RCE vulnerability in Disig Web Signer 01.06.2026 9.4
CVE-2026-7858 Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x 01.06.2026 9.8
CVE-2026-48188 SQL Injection via MySQL Quote Method 01.06.2026 9.1
CVE-2026-10187 Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow 02.06.2026 9.3
CVE-2018-25412 Delta Sql 1.8.2 Arbitrary File Upload via docs_upload.php 02.06.2026 9.3
CVE-2026-45372 cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection 01.06.2026 9.9
CVE-2026-45697 Formie: Pre-authenticated server-side template injection in Hidden fields 01.06.2026 9.8
CVE-2026-44649 SillyTavern: Authentication Bypass via SSO Header Injection 02.06.2026 9.8
CVE-2026-44650 SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 29.05.2026 9.1
CVE-2026-47744 Shopper: Authorization bypass and RBAC privilege escalation in team settings 29.05.2026 9.9
CVE-2026-9051 Authentication Bypass Vulnerability in NI SystemLink Enterprise 29.05.2026 9.3
CVE-2026-45625 Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs 01.06.2026 9.9
CVE-2026-45628 Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline 29.05.2026 9.6
CVE-2026-45629 Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint 02.06.2026 9.9
CVE-2026-45630 Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement 01.06.2026 9
CVE-2026-45631 Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret 01.06.2026 10
CVE-2026-45632 Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution 02.06.2026 9.9
CVE-2026-45633 Dokploy: Command Injection in /docker-container-logs Endpoint 29.05.2026 9.9
CVE-2026-45661 Dokploy: Remote Code Execution through Path Traversal 02.06.2026 9.9
CVE-2026-45668 Trilium Notes: Note Import to RCE via #docName Path Traversal (Safe Import Enabled) 29.05.2026 9.3
CVE-2026-5386 KMW CCTV Security Cameras Unverified Password Change 29.05.2026 9.1
CVE-2026-7786 Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials 29.05.2026 9.8
CVE-2026-44962 29.05.2026 10
CVE-2026-45663 Dokploy: Remote Code Execution via destinationPath in Container File Upload 29.05.2026 9.9
CVE-2026-10042 manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model 29.05.2026 9.2
CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators 29.05.2026 9.1
CVE-2026-46376 FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface 29.05.2026 9.3
CVE-2026-10071 Interinfo|DreamMaker - Arbitrary File Upload 29.05.2026 9.3
CVE-2026-45043 RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root 02.06.2026 9.3
CVE-2026-45312 RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution 02.06.2026 9.9
CVE-2026-8326 Remote Spark SparkView Path Traversal in RDP Drive Redirection leading to RCE 29.05.2026 10
CVE-2026-9508 Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar 29.05.2026 10
CVE-2025-41269 29.05.2026 9.3
CVE-2025-41270 29.05.2026 9.3
CVE-2025-41272 29.05.2026 9.3
CVE-2025-41273 29.05.2026 9.3
CVE-2025-41274 29.05.2026 9.3
CVE-2025-41275 29.05.2026 9.3
CVE-2025-41276 29.05.2026 9.3
CVE-2025-41277 29.05.2026 9.3
CVE-2026-9559 29.05.2026 9.9
CVE-2026-49201 Acer Wave 7 router: Hardcoded Cryptographic Key 29.05.2026 10
CVE-2026-9558 29.05.2026 9.9
CVE-2026-49197 Predator Connect W6x: Improper Authentication 29.05.2026 10
CVE-2026-49199 Predator Connect W6x: RCE via MQTT 29.05.2026 10
CVE-2026-49200 Acer Wave 7 router: Broken Access Control 29.05.2026 10
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification 29.05.2026 9.8
CVE-2026-8732 WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action 29.05.2026 9.8
CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter 29.05.2026 9.8
CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE 01.06.2026 9.4
CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update 29.05.2026 9.4
CVE-2026-34311 29.05.2026 9.8
CVE-2026-45288 Marten has an SQL injection vulnerability in its full-text search regConfig parameter 30.05.2026 9.8
CVE-2026-46775 29.05.2026 9.9
CVE-2026-46817 29.05.2026 9.8
CVE-2026-46819 29.05.2026 9.1
CVE-2026-46822 29.05.2026 9.9
CVE-2026-46824 29.05.2026 9.9
CVE-2026-46833 29.05.2026 9
CVE-2026-46839 29.05.2026 9.9
CVE-2026-46840 29.05.2026 10
CVE-2026-9645 ScadaBR Authenticated Remote Code Execution 29.05.2026 9.9
CVE-2026-9037 Download of code without integrity check in XCharge C6 29.05.2026 9.3
CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation 30.05.2026 9.8
CVE-2026-43898 SandboxJS: Sandbox escape via Function.caller leakage of internal call op 28.05.2026 10
CVE-2026-45058 electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark 30.05.2026 9.4
CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval 01.06.2026 9.6
CVE-2026-45323 MeshCore Card: XSS vulnerability through meshcore node name 29.05.2026 9.6
CVE-2026-45353 electerm: Local code through electerm's single-instance socket 28.05.2026 9.3
CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files 30.05.2026 9.6
CVE-2026-24444 SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php 28.05.2026 9.3
CVE-2026-44477 CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE 28.05.2026 9.4
CVE-2026-45261 GitButler: Link injection via forge integration enables arbitrary script execution 30.05.2026 9.3
CVE-2026-44672 mapfish-print: Remote Code Injection (RCE) in Dynamic table 28.05.2026 9.3
CVE-2026-8979 Authentication Bypass 28.05.2026 9.3
CVE-2026-8980 Privilege Escalation 28.05.2026 9.3
CVE-2026-46115 block: add pgmap check to biovec_phys_mergeable 30.05.2026 9.8
CVE-2026-46119 libceph: Fix slab-out-of-bounds access in auth message processing 01.06.2026 9.1
CVE-2026-46135 nvmet-tcp: fix race between ICReq handling and queue teardown 30.05.2026 9.8
CVE-2026-46137 mptcp: pm: ADD_ADDR rtx: fix potential data-race 30.05.2026 9.8
CVE-2026-46155 smb/client: fix out-of-bounds read in smb2_compound_op() 30.05.2026 9.1
CVE-2026-46185 smb/client: fix out-of-bounds read in symlink_data() 01.06.2026 9.1
CVE-2026-46195 smb: client: validate dacloffset before building DACL pointers 30.05.2026 9.8
CVE-2026-4408 Samba: remote code execution in samr 03.06.2026 9
CVE-2026-32998 29.05.2026 9.4
CVE-2026-32999 28.05.2026 9.1
CVE-2026-9739 28.05.2026 9.4
CVE-2026-45083 Goobi viewer: Unauthenticated Solr Streaming Expression Proxy 28.05.2026 9.8
CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml 28.05.2026 9.3
CVE-2026-8362 Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll 28.05.2026 9.8
CVE-2026-8363 Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll 28.05.2026 9.8
CVE-2026-8364 Gladinet Triofox Missing Authentication for Critical Functions 28.05.2026 9.8
CVE-2026-44887 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) 28.05.2026 9.8
CVE-2026-44888 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Integer) 28.05.2026 9.8
CVE-2026-45102 OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion 30.05.2026 9.9
CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode 28.05.2026 10
CVE-2026-46425 Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users 28.05.2026 9.9
CVE-2026-48150 Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign 27.05.2026 9

Latest Updates

CVE Title Updated Score
CVE-2022-31114 backpack/crud Vulnerable to Cross-site Scripting 03.06.2026
CVE-2026-36574 03.06.2026
CVE-2026-36576 03.06.2026
CVE-2026-36748 03.06.2026
CVE-2026-37462 03.06.2026
CVE-2026-3276 Potential DoS via quadratic complexity in unicodedata.normalize() 03.06.2026
CVE-2026-42317 GLPI vulnerable to arbitrary files deletion by technician 03.06.2026
CVE-2026-42318 GLPI Vulnerable to Arbitrary Item Deletion via Planning Endpoint 03.06.2026
CVE-2026-42320 GLPI vulnerable to arbitrary file access 03.06.2026
CVE-2026-42321 GLPI has stored XSS in asset locks 03.06.2026
CVE-2026-44281 GLPI vulnerable to unauthorized reading of a specific asset object 03.06.2026
CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server 03.06.2026
CVE-2022-49036 03.06.2026 7.8
CVE-2022-49042 03.06.2026 7.8
CVE-2023-52951 03.06.2026 5.9
CVE-2024-47263 03.06.2026 4.1
CVE-2024-47273 03.06.2026 4.3
CVE-2025-60477 03.06.2026
CVE-2025-70100 03.06.2026
CVE-2025-70101 03.06.2026
CVE-2026-10729 HTML injection in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens 03.06.2026
CVE-2026-35193 Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware 03.06.2026
CVE-2026-37460 03.06.2026
CVE-2026-44545 Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service 03.06.2026 5.3
CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing 03.06.2026 3.7
CVE-2026-47324 Stored XSS in Multiple Points in ProjectsAndPrograms school-management-system 03.06.2026
CVE-2026-47325 Weak password policy in ProjectsAndPrograms school-management-system 03.06.2026
CVE-2026-48587 Potential exposure of private data via whitespace padding in Vary header 03.06.2026
CVE-2026-5241 Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers 03.06.2026
CVE-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie 03.06.2026
CVE-2026-7666 Potential unencrypted email transmission via STARTTLS in the SMTP backend 03.06.2026
CVE-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware 03.06.2026
CVE-2025-41259 SWUpdate Untrusted Script Execution via Signed Update TOCTOU 03.06.2026
CVE-2026-10722 cilium ebpf LoadCollectionSpec/LoadCollectionSpecFromReader btf.go loadRawSpec integer overflow 03.06.2026
CVE-2026-35075 Hardcoded default Password for Service Account 03.06.2026
CVE-2026-35076 Arbitrary file delete vulnerability in method bac-scanresult 03.06.2026
CVE-2026-35077 Arbitrary file delete vulnerability in method ugw-delete-file 03.06.2026
CVE-2026-35078 Arbitrary file delete vulnerability in method ugw-logstop 03.06.2026
CVE-2026-35079 Arbitrary file delete vulnerability in method ugw-restore 03.06.2026
CVE-2026-35080 Arbitrary file delete vulnerability in method ugw-restoreinfo 03.06.2026
CVE-2026-35081 Arbitrary process termination vulnerability in method ugw-logstop 03.06.2026
CVE-2026-35082 Local file inclusion vulnerability and deletion in ugw-logread method 03.06.2026
CVE-2026-35083 Stack buffer overflow in method bac-deviceobject 03.06.2026
CVE-2026-35084 Stack buffer overflow in method dali-devconfig 03.06.2026
CVE-2026-35085 Stack buffer overflow in method gdv-serverconfig 03.06.2026
CVE-2025-14771 File Disclosure in ABB T-MAC Plus web application and in ABB T-MAC plus Server - Default IIS Web Site 03.06.2026 9.9
CVE-2025-14772 Broken Access Control in ABB T-MAC Plus web application 03.06.2026 8.8
CVE-2025-14773 Stored Cross-Site Scripting in ABB T-MAC Plus web application 03.06.2026 8
CVE-2025-14774 Communication analysis between the Card Reader and TP2CardReaderService daemon 03.06.2026 7.4
CVE-2025-15655 WordPress School Management plugin <= 93.2.0 - SQL Injection vulnerability 03.06.2026 7.6
CVE-2025-15656 WordPress School Management plugin <= 93.2.0 - Privilege Escalation vulnerability 03.06.2026 8.8
CVE-2026-41032 Phoenix Contact: Unauthenticated log download vulnerability in the firmware of CHARX SEC-3xxx charging controllers 03.06.2026 7.5
CVE-2026-47065 Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232 03.06.2026 9.8
CVE-2025-15654 WordPress Prague plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability 03.06.2026 7.1
CVE-2026-4035 Environment Variable Resolution Vulnerability in mlflow/mlflow 03.06.2026
CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user 03.06.2026 5.3
CVE-2026-50052 03.06.2026
CVE-2026-50031 03.06.2026 7.5
CVE-2026-10703 EIPStackGroup OpENer SendRRData cipmessagerouter.c CreateMessageRouterRequestStructure use after free 03.06.2026
CVE-2026-10704 SourceCodester Pizzafy E-Commerce System Administrative Control Panel admin_class_novo.php login sql injection 03.06.2026
CVE-2026-10705 dask HLL hyperloglog.py nunique_approx resource consumption 03.06.2026
CVE-2026-10693 SourceCodester Online Boat Reservation System Administrative Endpoint improper authorization 03.06.2026
CVE-2026-10694 SourceCodester Online Food Ordering System index.php include file inclusion 03.06.2026
CVE-2026-9334 Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled 03.06.2026
CVE-2026-9516 Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws 03.06.2026
CVE-2026-10690 wonderwhy-er DesktopCommanderMCP read_file filesystem.ts readFileFromUrl server-side request forgery 03.06.2026
CVE-2026-10691 wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos 03.06.2026
CVE-2026-10692 johnhuang316 code-index-mcp search_code_advanced is_safe_regex_pattern redos 03.06.2026
CVE-2026-7421 Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting 03.06.2026 4.4
CVE-2026-9732 EmergencyWP <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update 03.06.2026 4.3
CVE-2026-10688 ahujasid blender-mcp server.py execute_blender_code code injection 03.06.2026
CVE-2026-10719 Open Seachest/Seachest NVMe show Format Descriptors Vulnerability 03.06.2026
CVE-2026-32625 LibreChat Exfiltrates Server Secrets via MCP Server URL Injection 03.06.2026 9.6
CVE-2026-35482 alf.io has an Authenticated RCE via Extension Script Sandbox Escape 03.06.2026 8
CVE-2026-40108 GLPI Vulnerable to Stored XSS in ITIL Costs 03.06.2026
CVE-2026-41412 alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script 03.06.2026 4.9
CVE-2026-44653 LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets 02.06.2026 6.5
CVE-2026-44654 LibreChat: Shared-agent editor can globally delete owner's file records — breaks owner's other private agents 03.06.2026
CVE-2026-10662 ahujasid blender-mcp ZIP File server.py requests.get server-side request forgery 03.06.2026
CVE-2026-10717 Open-Seachest/Seachest show SCSI Defect List Vulnerability 03.06.2026
CVE-2026-10718 Open Seachest/Seachest NVMe Trim (Deallocate) Vulnerability 03.06.2026
CVE-2026-25861 QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php 03.06.2026
CVE-2026-27145 Inefficient candidate hostname parsing in crypto/x509 02.06.2026
CVE-2026-31942 LibreChat has IDOR in API Keys Management that allows any authenticated user to overwrite other users' API keys 03.06.2026 7.1
CVE-2026-42504 Quadratic complexity in WordDecoder.DecodeHeader in mime 03.06.2026
CVE-2026-42507 Arbitrary inputs are included in errors without any escaping in net/textproto 02.06.2026
CVE-2021-4480 Dräger Protector Software Local Privilege Escalation via Insecure File Permissions 03.06.2026
CVE-2021-4481 Dräger Protector Software Local Privilege Escalation via Insecure File Permissions 02.06.2026
CVE-2022-4992 Dräger Infinity M540 VG4.1.1 Spoofed Network Message Handling DoS/Tampering 03.06.2026
CVE-2024-14036 Dräger Core 1.0.5 Denial of Service via Malformed SDC Message 03.06.2026
CVE-2025-15653 Dräger Zeus IE Anesthesia Workstation USB Interface Privilege Escalation 03.06.2026
CVE-2026-10650 warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption 03.06.2026
CVE-2026-10661 ahujasid blender-mcp server.py open injection 03.06.2026
CVE-2026-35212 OpenCTI has XSS in the rendering of email-message observable body data 03.06.2026
CVE-2026-42029 02.06.2026
CVE-2026-8936 Unbounded recursion in grpcfuse kernel module allows container to crash Docker Desktop VM 03.06.2026
CVE-2026-10619 sayan365 student-management-system improper authentication 03.06.2026
CVE-2026-10620 code-projects Student Admission System index.php sql injection 03.06.2026
CVE-2026-10624 SourceCodester Human Resource Management Employee View detailview.php resource injection 03.06.2026
CVE-2026-41569 authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints 03.06.2026
CVE-2026-42849 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover 02.06.2026 9.3
CVE-2026-45289 CloudburstMC Protocol: Partially missing validation for FULL type authentication tokens 03.06.2026 5.3
CVE-2026-47201 authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user 03.06.2026 8.5
CVE-2026-49143 BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler 03.06.2026
CVE-2026-49144 BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler 03.06.2026
CVE-2026-49443 authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API 03.06.2026 8.8
CVE-2026-49448 authentik: SourceStage bypass via empty POST 03.06.2026 9.8
CVE-2019-25721 Dräger Infinity M300 VG2.3.1 Network-Based Denial of Service 03.06.2026
CVE-2019-25722 Dräger SC Monitoring Devices Hard-coded Credentials and DoS 03.06.2026
CVE-2019-25723 Dräger Perseus A500 2.00-2.02 DoS via Medibus Interface 03.06.2026
CVE-2019-25724 Dräger Infinity M300 VG2.x Network-Based Denial of Service 03.06.2026
CVE-2021-4478 Dräger CC-Vision Basic and CC-Vision E-Cal Out-of-Bounds Write via Malicious GDT File 03.06.2026
CVE-2021-4479 Dräger Atlan A350 1.00-1.01 DoS via Medibus Interface 03.06.2026
CVE-2025-64390 02.06.2026
CVE-2026-10584 HTTPS Fallback to HTTP in Graph Explorer 03.06.2026 5.9
CVE-2026-10607 DedeCMS flink.php dede_htmlspecialchars sql injection 03.06.2026
CVE-2026-10608 DedeCMS carbuyaction.php RemoveXSS sql injection 02.06.2026
CVE-2026-10616 nextlevelbuilder GoClaw Team Task Completion team_tasks_lifecycle.go TeamTasksTool.executeComplete authorization 03.06.2026
CVE-2026-10617 nextlevelbuilder GoClaw Webhook Verification auth.go resolveAuth missing authentication 03.06.2026
CVE-2026-10701 Incorrect boundary conditions in the Graphics: Text component 02.06.2026
CVE-2026-10702 JIT miscompilation in the JavaScript Engine: JIT component 03.06.2026
CVE-2026-1829 Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution 03.06.2026 8.8
CVE-2026-28299 SolarWinds Web Help Desk Denial-of-Service Vulnerability 02.06.2026 8.2
CVE-2026-30586 02.06.2026
CVE-2026-33245 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets 02.06.2026 8
CVE-2026-33553 02.06.2026
CVE-2026-34077 React Router vulnerable to Denial of Service via reflected user input in single-fetch 03.06.2026 7.5
CVE-2026-34993 AIOHTTP Vulnerable to Deserialization of Untrusted Data 03.06.2026 6.4
CVE-2026-35049 wire-ios has Persistent Remote DoS via Integer Underflow 03.06.2026 6.5
CVE-2026-35202 Pterodactyl has a database resource limit bypass via race condition in Client API 03.06.2026
CVE-2026-38967 02.06.2026
CVE-2026-40181 React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation 02.06.2026
CVE-2026-41577 authentik: SAML source does not validate Conditions, timing, or audience on assertions 03.06.2026
CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE 03.06.2026 8.1
CVE-2026-42342 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint 03.06.2026 7.5
CVE-2026-47265 AIOHTTP vulnerable to cross-origin redirect with per-request cookies 03.06.2026
CVE-2026-48594 Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression 03.06.2026
CVE-2026-48595 Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects 02.06.2026
CVE-2026-48596 CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection 03.06.2026
CVE-2026-48597 Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint 03.06.2026
CVE-2026-48598 CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection 03.06.2026
CVE-2026-48682 02.06.2026
CVE-2026-49120 Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint 03.06.2026
CVE-2026-5073 ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter 02.06.2026 7.5
CVE-2026-5074 ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Parameter 02.06.2026 6.5
CVE-2026-5076 ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation 02.06.2026 9.8
CVE-2026-5385 GLPI 11.0.0 - Stored XSS in knowledge base 03.06.2026
CVE-2026-8035 NULL pointer dereference in NI-PAL 03.06.2026
CVE-2026-8036 Local privilege escalation in NI-PAL 03.06.2026
CVE-2026-24221 02.06.2026 7.8
CVE-2026-24237 02.06.2026 7.8
CVE-2026-33244 React Router has stored XSS via unescaped Location header in prerendered redirect HTML 02.06.2026 5.4
CVE-2026-35447 NamelessMC: Private or blocking profile pages can be bypassed with direct POST requests, and reply handling allows cross-profile writes 02.06.2026
CVE-2026-40571 NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization 03.06.2026
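Both tables above use the same row layout: CVE ID, an optional title, the update date in dd.mm.yyyy form, and an optional score. Rows such as CVE-2026-40965 carry no title and rows such as CVE-2026-36574 carry no score, which is exactly where a naive split-on-whitespace ingest goes wrong. The parser below is an added example written for this page; it is not code from the listing or from any project named in it. The sample rows are copied from the tables; the row layout, the 9.0 triage threshold and the function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Sample rows copied verbatim from the two tables above (title and score
# are each optional, which is the edge case this parser has to handle).
SAMPLE_ROWS = """\
CVE-2026-45631 Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret 01.06.2026 10
CVE-2026-40965 03.06.2026 10
CVE-2026-36574 03.06.2026
CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing 03.06.2026 3.7
CVE-2026-42317 GLPI vulnerable to arbitrary files deletion by technician 03.06.2026
"""

# Assumed row layout: <CVE id> [<title>] <dd.mm.yyyy> [<score>]
# The title is matched lazily so it stops right before the date; the date is
# the only anchor that is always present, so everything keys off it.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"                              # CVE identifier
    r"(?:\s+(?P<title>.*?))?"                                  # optional free-text title
    r"\s+(?P<day>\d{2})\.(?P<month>\d{2})\.(?P<year>\d{4})"    # update date, dd.mm.yyyy
    r"(?:\s+(?P<score>\d{1,2}(?:\.\d)?))?$"                    # optional CVSS score
)


@dataclass(frozen=True)
class CveRow:
    cve: str
    title: Optional[str]
    updated: date
    score: Optional[float]


def parse_row(line: str) -> CveRow:
    """Parse one listing row; raise ValueError rather than guess on a bad line."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row layout: {line!r}")
    score = m.group("score")
    return CveRow(
        cve=m.group("cve"),
        title=m.group("title") or None,          # empty title becomes None, not ""
        updated=date(int(m.group("year")), int(m.group("month")), int(m.group("day"))),
        score=float(score) if score is not None else None,
    )


def parse_listing(text: str) -> list[CveRow]:
    """Parse every non-blank line of a listing in the layout above."""
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def triage(rows: list[CveRow], min_score: float = 9.0) -> tuple[list[CveRow], list[CveRow]]:
    """Split rows into (ranked, unscored).

    ranked: rows with a score >= min_score, highest score first, newest first
            on ties.
    unscored: rows the feed publishes without a score. They are returned
            separately instead of being dropped, because an unscored entry
            is unknown severity, not low severity.
    """
    ranked = [r for r in rows if r.score is not None and r.score >= min_score]
    ranked.sort(key=lambda r: (-r.score, -r.updated.toordinal()))
    unscored = [r for r in rows if r.score is None]
    return ranked, unscored


if __name__ == "__main__":
    ranked, unscored = triage(parse_listing(SAMPLE_ROWS))
    for r in ranked:
        print(f"{r.score:>4}  {r.updated.isoformat()}  {r.cve}  {r.title or '(no title)'}")
    print("unscored, needs manual review:", [r.cve for r in unscored])
```

The lazy title group is deliberate: a greedy `.*` would swallow the date on rows that have a score, and a plain `split()` would misassign fields on rows without a title. Keeping the unscored rows as a separate output, rather than defaulting their score to 0, is the point a vulnerability-management pipeline most often gets wrong.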