CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-11717 18.06.2026 9.3
CVE-2026-11718 18.06.2026 9.3
CVE-2026-54419 PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query 18.06.2026 9.3
CVE-2026-8024 Deserialization vulnerability in ibaPDA and ibaDatCoordinator 18.06.2026 9.3
CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources 18.06.2026 9.3
CVE-2026-28573 18.06.2026 10
CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation 18.06.2026 9.4
CVE-2026-55740 SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter 18.06.2026 9.3
CVE-2026-12569 Remote Code Execution (RCE) vulnerability in Windchill PDMlink 18.06.2026 9.3
CVE-2026-48768 TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName 17.06.2026 9.3
CVE-2026-48814 Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701) 17.06.2026 9.1
CVE-2026-54387 Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization 18.06.2026 9.3
CVE-2026-54388 Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers 17.06.2026 9.3
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c 18.06.2026 9.2
CVE-2026-55196 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass 17.06.2026 9.1
CVE-2026-20266 OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit 17.06.2026 9.1
CVE-2026-53805 NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API 17.06.2026 9.3
CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs 17.06.2026 9.3
CVE-2025-71321 picklescan - Arbitrary File Writing via distutils Module Bypass 17.06.2026 9.3
CVE-2025-71323 picklescan - Remote Code Execution via Unblocked ctypes Module 17.06.2026 9.3
CVE-2025-71325 picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw 17.06.2026 9.3
CVE-2026-20181 Cisco Identity Services Engine Remote Code Execution Vulnerability 18.06.2026 9.1
CVE-2026-3490 picklescan - Universal Blocklist Bypass via pkgutil.resolve_name 17.06.2026 10
CVE-2026-53873 picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass 17.06.2026 9.3
CVE-2026-53874 picklescan - Arbitrary Code Execution via Obfuscated eval Call 17.06.2026 9.3
CVE-2026-42055 NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability 18.06.2026 9.2
CVE-2026-42530 NGINX Open-Source ngx_http_v3_module vulnerability 18.06.2026 9.2
CVE-2026-47103 Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection 18.06.2026 9.3
CVE-2026-54812 WordPress Motors plugin <= 1.4.109 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-55743 OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution 17.06.2026 9.4
CVE-2025-59554 WordPress Advanced Ads – Tracking plugin < 3.0.7 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2025-60229 WordPress Lagom theme <= 2.0 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60230 WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60231 WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60236 WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69111 WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69127 WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49108 WordPress Moderno theme < 1.43 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54808 WordPress WP Travel Gutenberg Blocks plugin <= 3.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54809 WordPress GIFT4U plugin <= 1.0.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54815 WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54819 WordPress Listdom plugin <= 5.4.0 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2024-52488 WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability 17.06.2026 9.9
CVE-2025-60205 WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60218 WordPress PT Luxa Addons Plugin <= 1.2.2 - Arbitrary File Upload Vulnerability 17.06.2026 9.9
CVE-2025-69129 WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability 17.06.2026 10
CVE-2025-69179 WordPress Support Ticket Management System plugin <= 1.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-22327 WordPress Restaurt theme <= 1.0.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-22332 WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-22340 WordPress WPJobster theme <= 6.3.5 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-24611 WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability 17.06.2026 9.1
CVE-2026-25446 WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-27041 WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39589 WordPress Webenvo theme <= 0.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39596 WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-40725 WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-40746 WordPress Restaurant Zone theme <= 0.7.8 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40747 WordPress Ecommerce Zone theme <= 0.9.7 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40748 WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40749 WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability 17.06.2026 9.9
CVE-2026-42380 WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48875 WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49058 WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-49075 WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49076 WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49079 WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49084 WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49107 WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49767 WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability 17.06.2026 9.8
CVE-2026-52705 WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability 17.06.2026 9
CVE-2026-52706 WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54186 WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54187 WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54803 WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54806 WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54807 WordPress Registration Form for WooCommerce plugin <= 1.0.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54811 WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-0063 18.06.2026 10
CVE-2026-0064 17.06.2026 10
CVE-2026-0068 18.06.2026 10
CVE-2026-0071 18.06.2026 10
CVE-2026-0081 18.06.2026 10
CVE-2026-0082 18.06.2026 10
CVE-2026-0083 18.06.2026 10
CVE-2026-0092 18.06.2026 10
CVE-2026-10094 Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 17.06.2026 9.8
CVE-2026-28575 17.06.2026 10
CVE-2026-28576 17.06.2026 10
CVE-2026-28587 17.06.2026 10
CVE-2026-28615 18.06.2026 10
CVE-2026-48797 Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication 18.06.2026 9.3
CVE-2026-48616 17.06.2026 9.3
CVE-2026-48745 Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry 17.06.2026 9.3
CVE-2025-69108 WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69122 WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-25470 WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability 17.06.2026 10
CVE-2026-27395 WordPress Support Board plugin < 3.8.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-27429 WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-39438 WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-39529 WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48055 Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction 17.06.2026 10
CVE-2026-48781 Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery 18.06.2026 9.9
CVE-2026-49080 WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54194 WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-35263 18.06.2026 9.9
CVE-2026-35268 18.06.2026 9.9
CVE-2026-35270 18.06.2026 9.1
CVE-2026-35278 18.06.2026 9.8
CVE-2026-35280 17.06.2026 9.9
CVE-2026-35281 17.06.2026 9.9
CVE-2026-35282 17.06.2026 9.9
CVE-2026-35283 17.06.2026 9.9
CVE-2026-35284 17.06.2026 9.9
CVE-2026-35285 17.06.2026 9.9
CVE-2026-35286 18.06.2026 9.8
CVE-2026-35292 18.06.2026 10
CVE-2026-35293 17.06.2026 9.8
CVE-2026-35294 17.06.2026 9.9
CVE-2026-35296 17.06.2026 9.8
CVE-2026-35298 18.06.2026 9.1
CVE-2026-35300 18.06.2026 9.8
CVE-2026-35301 18.06.2026 10
CVE-2026-35304 17.06.2026 9.8
CVE-2026-35305 17.06.2026 9.3
CVE-2026-35306 17.06.2026 9.3
CVE-2026-35307 17.06.2026 10
CVE-2026-35308 17.06.2026 10
CVE-2026-35309 17.06.2026 9.8
CVE-2026-35310 17.06.2026 9.8
CVE-2026-35312 17.06.2026 9.8
CVE-2026-35313 17.06.2026 9.9
CVE-2026-35316 17.06.2026 9.9
CVE-2026-35319 17.06.2026 9.8
CVE-2026-35320 17.06.2026 9
CVE-2026-35321 17.06.2026 9.9
CVE-2026-35323 17.06.2026 9.9
CVE-2026-46765 17.06.2026 9.9
CVE-2026-46766 17.06.2026 9.8
CVE-2026-46767 17.06.2026 9.9
CVE-2026-46773 17.06.2026 9.8
CVE-2026-46774 17.06.2026 9.8
CVE-2026-46777 17.06.2026 9.1
CVE-2026-46778 17.06.2026 10
CVE-2026-46779 17.06.2026 9.9
CVE-2026-46781 17.06.2026 10
CVE-2026-46782 17.06.2026 9.9
CVE-2026-46783 17.06.2026 9.8
CVE-2026-46784 17.06.2026 9.1
CVE-2026-46785 17.06.2026 9.3
CVE-2026-46786 17.06.2026 9.6
CVE-2026-46789 17.06.2026 9.6
CVE-2026-46792 17.06.2026 9.9
CVE-2026-46793 17.06.2026 9.9
CVE-2026-46794 17.06.2026 9.9
CVE-2026-46795 17.06.2026 9.3
CVE-2026-46797 17.06.2026 9.8
CVE-2026-46798 17.06.2026 10
CVE-2026-46799 17.06.2026 9.8
CVE-2026-46800 17.06.2026 10
CVE-2026-46801 17.06.2026 9.8
CVE-2026-46802 17.06.2026 9.9
CVE-2026-46803 17.06.2026 10
CVE-2026-46805 17.06.2026 9.3
CVE-2026-46807 17.06.2026 9.8
CVE-2026-46809 17.06.2026 9.1
CVE-2026-46813 17.06.2026 9.8
CVE-2026-46814 17.06.2026 9.9
CVE-2026-46832 18.06.2026 9.9
CVE-2026-46838 17.06.2026 9.9
CVE-2026-46844 17.06.2026 9.9
CVE-2026-46845 17.06.2026 9.8
CVE-2026-46846 17.06.2026 10
CVE-2026-46847 17.06.2026 9.9
CVE-2026-46850 18.06.2026 9.9
CVE-2026-46852 18.06.2026 9.9
CVE-2026-46853 18.06.2026 9.6
CVE-2026-46854 18.06.2026 9.9
CVE-2026-46855 18.06.2026 9.9
CVE-2026-46856 18.06.2026 9.6
CVE-2026-46857 18.06.2026 9.8
CVE-2026-46858 17.06.2026 9.1
CVE-2026-46859 18.06.2026 9.8
CVE-2026-46860 18.06.2026 9.8
CVE-2026-46861 18.06.2026 9.6
CVE-2026-46872 17.06.2026 9
CVE-2026-46875 18.06.2026 9.1
CVE-2026-46878 18.06.2026 9.8
CVE-2026-46879 18.06.2026 9.8
CVE-2026-46880 18.06.2026 9.8
CVE-2026-46881 18.06.2026 9.8
CVE-2026-46882 18.06.2026 9.8
CVE-2026-46883 18.06.2026 9.8
CVE-2026-46884 18.06.2026 9.8
CVE-2026-46887 18.06.2026 9.8
CVE-2026-46889 18.06.2026 9.8
CVE-2026-46890 18.06.2026 9.8
CVE-2026-46892 18.06.2026 9.1
CVE-2026-46893 18.06.2026 9.9
CVE-2026-46895 18.06.2026 9.9
CVE-2026-46896 18.06.2026 9.1
CVE-2026-46897 18.06.2026 9.9
CVE-2026-46899 18.06.2026 9.6
CVE-2026-46900 18.06.2026 9.9
CVE-2026-46901 18.06.2026 9.9
CVE-2026-46902 18.06.2026 9.8
CVE-2026-46904 18.06.2026 9.8
CVE-2026-46905 18.06.2026 9.8
CVE-2026-46906 18.06.2026 9.6
CVE-2026-46907 18.06.2026 9.9
CVE-2026-46908 18.06.2026 9.9
CVE-2026-46909 18.06.2026 9.8
CVE-2026-46910 17.06.2026 9.1
CVE-2026-46911 18.06.2026 9.6
CVE-2026-46912 17.06.2026 9.3
CVE-2026-46913 18.06.2026 9.3
CVE-2026-46918 17.06.2026 9.9
CVE-2026-46919 18.06.2026 9.8
CVE-2026-46930 17.06.2026 9.1
CVE-2026-46933 16.06.2026 9.9
CVE-2026-46944 18.06.2026 9.1
CVE-2026-46945 17.06.2026 9.1
CVE-2026-46946 16.06.2026 9.1
CVE-2026-46949 17.06.2026 9.1
CVE-2026-46963 17.06.2026 9.9
CVE-2026-46964 17.06.2026 9.9
CVE-2026-46978 18.06.2026 10
CVE-2026-22313 OS Commands Executed with Administrative Permissions in Radiflow iSAP Smart Collector 17.06.2026 9.1
CVE-2026-48777 FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory 17.06.2026 9.3
CVE-2026-53776 Perry < 0.5.1166 JWT Expiration Bypass via verify_decode 16.06.2026 9.3
CVE-2025-13036 Rockwell Automation FactoryTalk Historian Site Edition - Authentication Bypass 16.06.2026 9.2
CVE-2026-40750 WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-39574 WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49774 WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.9
CVE-2026-52715 WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc 17.06.2026 9.2
CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string 16.06.2026 9.1
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names 16.06.2026 9.1
CVE-2026-27053 WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-34901 WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39465 WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.1
CVE-2026-39492 WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39493 WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39502 WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-39511 WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39512 WordPress GeoDirectory plugin <= 2.8.152 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39519 WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39530 WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39583 WordPress Datalogics Ecommerce Delivery plugin <= 2.6.62 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39591 WordPress WP-BusinessDirectory plugin <= 4.0.0 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-40771 WordPress Contest Gallery plugin <= 28.1.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-40772 WordPress GeekyBot plugin <= 1.2.2 - Arbitrary File Upload vulnerability 16.06.2026 10
CVE-2026-40798 WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42381 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42386 WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42639 WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42665 WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-45439 WordPress Realtyna Organic IDX plugin plugin <= 5.1.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48836 WordPress Easy Invoice plugin <= 2.1.19 - Remote Code Execution (RCE) vulnerability 16.06.2026 10
CVE-2026-48881 WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability 16.06.2026 9.1
CVE-2026-48886 WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49067 WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49085 WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49104 WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49105 WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49106 WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49109 WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49763 WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49764 WordPress RegistrationMagic plugin <= 6.0.8.6 - Broken Authentication vulnerability 15.06.2026 9.8
CVE-2026-49765 WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49766 WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability 16.06.2026 9.9
CVE-2026-49768 WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49769 WordPress wpForo Forum plugin <= 3.1.0 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49770 WordPress WP Travel Engine plugin <= 6.7.12 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49776 WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.32.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49781 WordPress OttoKit plugin <= 1.1.27 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-52693 WordPress eCommerce Product Catalog plugin <= 3.5.5 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-52703 WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability 16.06.2026 9.6
CVE-2026-9691 WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-48114 Metacat has an unauthenticated SQL injection vulnerability 15.06.2026 9.8
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle 16.06.2026 9.3
CVE-2026-9862 Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability 15.06.2026 9.8
CVE-2018-25436 WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload 15.06.2026 9.3
CVE-2026-52704 WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability 15.06.2026 10
CVE-2026-49757 OAuth2/OIDC account takeover in AshAuthentication via email-based user matching 15.06.2026 9.2
CVE-2026-5482 Remote Code Execution via Unrestricted File Upload in Responsive FileManager 15.06.2026 9.3
CVE-2026-12183 17.06.2026 9.3
CVE-2026-11624 15.06.2026 9.4
CVE-2026-46716 Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron 15.06.2026 9.9
CVE-2026-53519 Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key 15.06.2026 9.1
CVE-2026-53609 Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass 15.06.2026 9.1
CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` 15.06.2026 9.3
CVE-2026-28742 Naxclow IoT Platform Use of hard-coded cryptographic key 12.06.2026 9.2
CVE-2026-50101 Naxclow IoT Platform Not using password aging 12.06.2026 9.2
CVE-2026-48558 SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification 13.06.2026 9.5
CVE-2026-45833 12.06.2026 9.4
CVE-2026-50083 Aqara hardcoded OAuth client credentials 12.06.2026 9.1
CVE-2026-50084 Aqara API cross-account access 12.06.2026 9.6
CVE-2026-50086 Aqara unauthenticated AES oracle 12.06.2026 10
CVE-2026-50090 Aqara OAuth redirect_uri validation bypass 12.06.2026 9.3
CVE-2026-50091 Aqara Home Android SDK hardcoded keys 12.06.2026 9.1
CVE-2026-10557 Yarbo Android/iOS Mobile Application and Cloud Infrastructure Use of Hard-coded Credentials 12.06.2026 9.3
CVE-2026-47131 vm2: Sandbox Escape 13.06.2026 10
CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE 13.06.2026 10
CVE-2026-47140 vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution 13.06.2026 10
CVE-2026-47208 vm2: Sandbox Breakout Using Promise Species 13.06.2026 10
CVE-2026-47210 vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass 13.06.2026 9.8
CVE-2026-53787 Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload 13.06.2026 9.3
CVE-2026-54133 jmespath.php has CompilerRuntime code injection via unescaped function names 12.06.2026 9.8
CVE-2026-6853 OTP Bypass in Başbelen Group's Pause+ Mobile App 12.06.2026 9.8
CVE-2026-11849 IEI Integration Corp|iRM-IEI Remote Management - Hard-coded Credentials 12.06.2026 9.3
CVE-2026-11535 12.06.2026 9.4
CVE-2026-47365 12.06.2026 9.9
CVE-2026-47367 12.06.2026 9.9
CVE-2026-47369 13.06.2026 9.9
CVE-2026-47370 13.06.2026 9.9
CVE-2026-48611 12.06.2026 9.8
CVE-2026-42846 ClipBucket: Remote Play URL Command Injection 12.06.2026 9.8
CVE-2026-45060 ClipBucket: Blind SQL Injection in progress_video.php 12.06.2026 9.8
CVE-2026-39494 WordPress Product Filter by WBW plugin <= 3.1.2 - SQL Injection vulnerability 12.06.2026 9.3
CVE-2026-42647 WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability 12.06.2026 9.3
CVE-2026-49060 WordPress Hippoo Mobile App for WooCommerce plugin <= 1.9.4 - Privilege Escalation vulnerability 12.06.2026 9.8
CVE-2026-41005 UAA accepts SAML Encrypted Assertions authentication bypass 13.06.2026 9
CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings 13.06.2026 9.2
CVE-2026-45177 Idira Secrets Manager SaaS Edge: Authentication Bypass of an internal validation mechanism 11.06.2026 9.1
CVE-2026-47172 Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment. 11.06.2026 9.5
CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment 11.06.2026 9.5

Latest Updates

CVE Title Updated Score
CVE-2025-27511 GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection 18.06.2026 7.2
CVE-2025-52465 GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page 18.06.2026 7.2
CVE-2025-58175 GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution 18.06.2026 6.5
CVE-2026-11791 389-ds-base: 389-ds-base: use-after-free in schema reload via attr_syntax_swap_ht() 18.06.2026
CVE-2026-22551 18.06.2026
CVE-2026-44688 18.06.2026
CVE-2026-44691 18.06.2026
CVE-2026-46580 18.06.2026
CVE-2026-12039 Docker Sandboxes network egress allowlist bypass via unfiltered DNS resolution 18.06.2026
CVE-2026-12527 18.06.2026
CVE-2026-12539 Docker Sandboxes ICMP egress restriction bypass after daemon restart 18.06.2026
CVE-2026-42487 x86 HVM I/O port list traversal 18.06.2026
CVE-2026-42488 x86: mismatched mapcache metadata 18.06.2026
CVE-2026-42489 domctl lock open to abuse 18.06.2026
CVE-2026-42490 domctl lock open to abuse 18.06.2026
CVE-2026-50141 Woodpecker gRPC agent_id metadata can be spoofed - cross-tenant agent impersonation 18.06.2026
CVE-2026-56012 WordPress Media Library Assistant plugin <= 3.35 - SQL Injection vulnerability 18.06.2026 8.5
CVE-2026-9158 18.06.2026
CVE-2026-54219 Stored XSS in UBB.threads 18.06.2026
CVE-2026-54220 Cross-Site Request Forgery in UBB.threads 18.06.2026
CVE-2026-54221 Reflected XSS in UBB.threads 18.06.2026
CVE-2026-54222 Blind SQL Injection in UBB.threads 18.06.2026
CVE-2026-54223 Remote Code Execution via arbitrary file read and write in UBB.threads 18.06.2026
CVE-2026-54224 Denial of Service in UBB.threads 18.06.2026
CVE-2026-11717 18.06.2026
CVE-2026-11718 18.06.2026
CVE-2026-11719 18.06.2026
CVE-2026-11958 Local privilege escalation in ANSSI’s DFIR-ORC 18.06.2026
CVE-2026-40455 SQL Injection in LMS 18.06.2026
CVE-2026-40456 OS Command Injection in LMS 18.06.2026
CVE-2026-40457 Reflected XSS in LMS 18.06.2026
CVE-2026-56009 WordPress Bricksable for Bricks Builder plugin <= 1.6.83 - Cross Site Scripting (XSS) vulnerability 18.06.2026 5.9
CVE-2026-8461 Heap out-of-bounds write via odd slice_height in FFmpeg MagicYUV decoder 18.06.2026 8.8
CVE-2026-44942 libzypp .repo files can have an optional path which can lead to path traversal attacks 18.06.2026 6.5
CVE-2026-54419 PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query 18.06.2026 9.8
CVE-2026-56007 WordPress Ocean Product Sharing plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability 18.06.2026 5.9
CVE-2026-8024 Deserialization vulnerability in ibaPDA and ibaDatCoordinator 18.06.2026
CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources 18.06.2026
CVE-2026-2021 Slideshow Gallery LITE <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alwaysauto' Shortcode Attribute 18.06.2026 6.4
CVE-2026-50643 Out‑of‑Bounds Read in 8cc 18.06.2026
CVE-2026-8039 Fancy Testimonials <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting 18.06.2026 6.4
CVE-2026-8811 Path traversal in PDF generation module 18.06.2026
CVE-2026-11395 CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host 18.06.2026 7.2
CVE-2026-12098 PowerPress Podcasting plugin by Blubrry <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'embed' Episode Meta Field 18.06.2026 6.4
CVE-2026-12102 UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter 18.06.2026 2.7
CVE-2026-12111 Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter 18.06.2026 4.3
CVE-2026-12136 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 18.06.2026 6.4
CVE-2026-12137 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Reflected Cross-Site Scripting via 'tab' Parameter 18.06.2026 6.1
CVE-2026-28573 18.06.2026
CVE-2026-55741 Cotonti CSRF in admin.config.php allows unauthorized configuration changes 18.06.2026 8.8
CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation 18.06.2026 9.6
CVE-2026-55744 Cotonti CSRF in PFS allows forced arbitrary file upload 18.06.2026 8.1
CVE-2026-55745 Cotonti CSRF in PFS folder edit allows unauthorized folder modification 18.06.2026 5.4
CVE-2026-55746 Cotonti stored XSS via PFS folder title 18.06.2026 7.6
CVE-2026-9815 MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE 18.06.2026
CVE-2026-10029 Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via REST API Endpoints 18.06.2026 5.3
CVE-2026-10623 PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification via 'quiz_id', 'item_id', and 'rule_id' Parameters 18.06.2026 4.3
CVE-2026-10736 Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter 18.06.2026 4.9
CVE-2026-11357 Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization 18.06.2026 4.3
CVE-2026-11358 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter 18.06.2026 4.4
CVE-2026-11360 Advanced Order Export For WooCommerce <= 4.0.10 - Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter 18.06.2026 4.9
CVE-2026-11402 Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Block Attribute 18.06.2026 6.4
CVE-2026-11776 Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'groupids' Parameter 18.06.2026 4.9
CVE-2026-11777 Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter 18.06.2026 4.9
CVE-2026-11784 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action 18.06.2026 4.3
CVE-2026-12093 Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation via Forged Stripe 'charge.refunded' Webhook 18.06.2026 5.3
CVE-2026-12120 FireBox Popups <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter 18.06.2026 5.3
CVE-2026-55740 SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter 18.06.2026 9.8
CVE-2026-9199 Equalize Digital Accessibility Checker <= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification via 'largeBatch' Parameter 18.06.2026 4.3
CVE-2026-9860 Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action 18.06.2026 8.8
CVE-2026-10023 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers 18.06.2026 4.3
CVE-2026-12407 E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter 18.06.2026 8.8
CVE-2026-12505 Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall 18.06.2026
CVE-2026-12569 Remote Code Execution (RCE) vulnerability in Windchill PDMlink 18.06.2026
CVE-2026-48764 TypeBot has SSRF in HTTP request and script fetch flows via DNS rebinding bypass 18.06.2026 8.2
CVE-2026-48768 TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName 17.06.2026 9.3
CVE-2026-45357 LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime) 18.06.2026 7.5
CVE-2026-53676 18.06.2026
CVE-2024-24769 Vantage6: No limit on emails sent for password/MFA reset 18.06.2026
CVE-2024-27928 Vantage6: 2FA can be circumvented with hacked email access 18.06.2026
CVE-2026-12565 Path Traversal (Zip-Slip) in unarchive module 18.06.2026 5.3
CVE-2026-12566 SSRF via unvalidated WWW-Authenticate realm in docker_pull module 18.06.2026 3.1
CVE-2026-12567 Symlink-following arbitrary write via github_workflows module 18.06.2026 2.2
CVE-2026-12568 Arbitrary File Write in postman_download module 18.06.2026 6.5
CVE-2026-44644 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS 18.06.2026 6.1
CVE-2026-44645 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body 17.06.2026 6.5
CVE-2026-44646 LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` 18.06.2026 5.3
CVE-2026-45617 LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex 17.06.2026 7.5
CVE-2026-48759 TypeBot: Cross-Workspace Theme Template IDOR (Modification and Deletion) 18.06.2026 7.1
CVE-2026-50201 Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission 18.06.2026 6.5
CVE-2026-50202 Steeltoe's static JWKS cache shared across schemes and never invalidated 18.06.2026 5.9
CVE-2026-50267 Steeltoe: TLS private keys written to /tmp with default permissions, never deleted 17.06.2026 4.7
CVE-2026-50268 Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding 18.06.2026 1.9
CVE-2026-54445 Vantage6: Set admin user and password from environment or configuration 17.06.2026
CVE-2026-54533 vantage6 node has an Improper Access Control issue 18.06.2026
CVE-2026-12530 Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages() 18.06.2026
CVE-2026-48820 CakePHP: View::element() is missing a path containment check 18.06.2026
CVE-2026-48989 Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS 17.06.2026
CVE-2026-48990 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization 18.06.2026 5.3
CVE-2026-48991 XianYuLauncher: Legacy Microsoft account OAuth sign-in flow lacks PKCE and state validation 18.06.2026 5.5
CVE-2026-48997 e107: Command Injection via shell expansion in ImageMagick resize destination path 18.06.2026 7.1
CVE-2026-50194 Steeltoe vulnerable to management-port isolation bypass via spoofed Host header 17.06.2026 8.2
CVE-2026-50196 Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch 18.06.2026 7.5
CVE-2026-50200 Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords 17.06.2026 7.5
CVE-2026-54386 marimo < 0.23.9 XSS via file Query Parameter in assets.py 18.06.2026
CVE-2026-8049 18.06.2026
CVE-2026-8050 18.06.2026
CVE-2026-48821 Shaarli: DOM-based Cross-Site Scripting (XSS) in Thumbnail Synchronizer 18.06.2026 5.8
CVE-2026-48979 PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling 18.06.2026 7.5
CVE-2026-48988 markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations 17.06.2026 5.3
CVE-2026-49133 Typemill < 2.24.0 Path Traversal via ControllerApiImage::getPagemedia() 18.06.2026
CVE-2026-11407 Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed 18.06.2026
CVE-2026-32682 NGINX Gateway Fabric vulnerability 18.06.2026 6.5
CVE-2026-48814 Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701) 17.06.2026 9.1
CVE-2026-48817 Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr` 18.06.2026 5.3
CVE-2026-48822 Shaarli has Stored Cross-Site Scripting (XSS) via Markdown Reference Links 17.06.2026 5.8
CVE-2026-48823 Shaarli has Stored Cross-Site Scripting (XSS) via Tags Search 18.06.2026 4.8
CVE-2026-50107 NGINX Gateway Fabric vulnerability 18.06.2026 8.1
CVE-2026-54387 Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization 18.06.2026
CVE-2026-54388 Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers 17.06.2026
CVE-2026-10696 17.06.2026
CVE-2026-10741 Nexus Repository Manager - Incorrect Authorization allows credential disclosure via proxy repository configuration 17.06.2026
CVE-2026-12529 SourceCodester CET Automated Grading System with AI Predictive Analytics Student Self-Registration Endpoint index.php access control 17.06.2026
CVE-2026-55199 libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler 18.06.2026
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c 18.06.2026
CVE-2026-55201 Evil-WinRM - Path Traversal in download_dir() Function 18.06.2026
CVE-2026-55202 Tinyproxy - Stathost Detection Bypass via Host Header Manipulation 17.06.2026
CVE-2026-48818 Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows 17.06.2026 7.5
CVE-2026-53869 Hermes Agent < 0.16.0 - DNS Rebinding Bypass via WebSocket Endpoints 17.06.2026
CVE-2026-53870 Hermes Agent < 0.16.0 - Sensitive File Permission Vulnerability in Store Files 17.06.2026
CVE-2026-53871 Hermes WebUI < 0.51.368 - Profile-Scoped Authorization Bypass via Forged hermes_profile Cookie 18.06.2026
CVE-2026-55196 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass 17.06.2026
CVE-2026-55197 Hermes WebUI < 0.51.443 - Broken Access Control in /api/session Endpoint 17.06.2026
CVE-2026-55198 Hermes WebUI < 0.51.443 - Cross-Profile Session Data Exfiltration via Session Export Endpoint 17.06.2026
CVE-2026-11525 undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 17.06.2026 3.7
CVE-2026-2674 Out-of-bounds Write vulnerability in RTI Connext Professional (Queueing Service, Core Libraries, Persistence Service) allows Overflow Buffers. 17.06.2026