| CVE-2026-58053 | Gitea act_runner - Container Hardening Bypass via Workflow Container Options | 28.06.2026 | 9.4 |
| CVE-2026-12415 | Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter | 27.06.2026 | 9.8 |
| CVE-2026-31928 | Daktronics Controller Firmware Use of Hard-coded Credentials | 26.06.2026 | 9.3 |
| CVE-2026-28701 | Daktronics Controller Firmware Path Traversal | 26.06.2026 | 9.3 |
| CVE-2026-49869 | Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter` | 26.06.2026 | 10 |
| CVE-2026-53576 | Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass | 26.06.2026 | 10 |
| CVE-2026-54350 | Budibase: Anonymous NoSQL operator injection via published-app query templates | 26.06.2026 | 10 |
| CVE-2026-54352 | Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload | 27.06.2026 | 9.6 |
| CVE-2026-46386 | OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` | 26.06.2026 | 9.9 |
| CVE-2026-53309 | ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison | 28.06.2026 | 9.8 |
| CVE-2026-52780 | OpenProject: Cache store poisoning leads to Remote Code Execution (RCE) | 27.06.2026 | 9.6 |
| CVE-2026-52782 | OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources | 26.06.2026 | 9.9 |
| CVE-2026-52785 | OpenProject: SQL injection in timestamps functionality | 26.06.2026 | 9.9 |
| CVE-2026-33646 | mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass) | 26.06.2026 | 9.6 |
| CVE-2026-45405 | Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add | 26.06.2026 | 9 |
| CVE-2026-45406 | Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval | 26.06.2026 | 9 |
| CVE-2026-45408 | Dokku: OS Command Injection via App Name in Git Pre-Receive Hook | 26.06.2026 | 9 |
| CVE-2026-54636 | Dokku: OS Command Injection via app.json managed Cron | 26.06.2026 | 9 |
| CVE-2026-54820 | WordPress JetBooking plugin <= 4.0.4.1 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-54825 | WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-54827 | WordPress Real Estate 7 theme <= 3.5.9 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-54831 | WordPress GeoDirectory plugin <= 2.8.162 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56027 | WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.9 |
| CVE-2026-56028 | WordPress Easy Elements for Elementor – Addons & Website Templates plugin <= 1.4.9 - Privilege Escalation vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56030 | WordPress Paytium plugin <= 5.0.2 - Privilege Escalation vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56032 | WordPress Buddyboss Platform plugin <= 3.0.4 - PHP Object Injection vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56033 | WordPress Dokan Pro plugin <= 5.0.4 - Privilege Escalation vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56034 | WordPress Library Management System plugin <= 3.5.7 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56036 | WordPress 워드프레스 결제 심플페이 plugin <= 5.5.6 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56057 | WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56058 | WordPress Quform plugin <= 2.23.0 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.9 |
| CVE-2026-56059 | WordPress Travel Booking theme <= 2.2.5 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.9 |
| CVE-2026-56062 | WordPress Quotes llama plugin <= 3.1.5 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56067 | WordPress JetSmartFilters plugin <= 3.8.3 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56068 | WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56070 | WordPress Advance Product Search plugin <= 1.4.4 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-57658 | WordPress TemplateSpare plugin <= 4.2.0 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.1 |
| CVE-2026-57878 | GV-LPC2011/LPC2211 - unauthorized buffer overflow vulnerability (thttpd) | 26.06.2026 | 9.8 |
| CVE-2026-57879 | GV-LPC2011/LPC2211 - unauthorized buffer overflow via AuthMode/AuthValue path (ssvr) | 26.06.2026 | 9.8 |
| CVE-2026-57880 | GV-LPC2011/LPC2211 - unauthorized buffer overflow via RTSP Digest username (ssvr) | 26.06.2026 | 9.8 |
| CVE-2026-57881 | GV-LPC2011/LPC2211 - unauthorized stack-based buffer overflow vulnerability (vlsvr) | 26.06.2026 | 9.8 |
| CVE-2026-9222 | Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication | 26.06.2026 | 9.2 |
| CVE-2025-71327 | Flowise - Authentication Bypass via Unprotected Registration Endpoint | 26.06.2026 | 9.3 |
| CVE-2025-71333 | Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint | 27.06.2026 | 9.3 |
| CVE-2025-71334 | Flowise - Arbitrary File Access via Missing Chat Flow ID Validation | 26.06.2026 | 9.3 |
| CVE-2025-71336 | Flowise - Unsandboxed Remote Code Execution via Custom MCP | 25.06.2026 | 9.3 |
| CVE-2025-71338 | Flowise - Arbitrary File Write to Remote Code Execution via document-store API | 26.06.2026 | 10 |
| CVE-2026-40702 | EVoke Systems EVoke CSMS Missing Authentication for Critical Function | 26.06.2026 | 9.3 |
| CVE-2026-50548 | Cursor Desktop sandbox escape via agent-controlled working directory | 25.06.2026 | 9.3 |
| CVE-2026-50549 | Cursor Desktop sandbox escape via symlink and failed path canonicalization | 25.06.2026 | 9.3 |
| CVE-2026-54088 | File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) | 25.06.2026 | 9.3 |
| CVE-2026-54089 | File Browser: Authentication Bypass via Proxy Auth Header Forgery | 25.06.2026 | 9.1 |
| CVE-2026-56786 | RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message | 25.06.2026 | 9.3 |
| CVE-2026-57700 | WordPress OMGF Pro plugin <= 5.2.6 - Arbitrary File Upload vulnerability | 25.06.2026 | 10 |
| CVE-2026-55413 | ToolJet - Marketplace Plugin Poisoning Enables Instance-Wide Remote Code Execution | 25.06.2026 | 9.4 |
| CVE-2026-56123 | socat 1.8.0.0 - 1.8.1.1 Heap Buffer Overflow via SOCKS5 Reply Parser | 26.06.2026 | 9.2 |
| CVE-2026-41120 | | 26.06.2026 | 9.8 |
| CVE-2026-54823 | WordPress Widget Options plugin <= 4.2.3 - Remote Code Execution (RCE) vulnerability | 25.06.2026 | 9.9 |
| CVE-2026-54836 | WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability | 25.06.2026 | 9.3 |
| CVE-2026-54843 | WordPress MDTF plugin <= 1.3.7 - SQL Injection vulnerability | 25.06.2026 | 9.3 |
| CVE-2026-54849 | WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.11 - SQL Injection vulnerability | 25.06.2026 | 9.3 |
| CVE-2026-41566 | Apache Kvrocks: Improper permission for the APPLYBATCH command | 25.06.2026 | 9.4 |
| CVE-2026-46752 | Apache Kvrocks: Stack buffer overflow in Lua bit.tohex() | 25.06.2026 | 10 |
| CVE-2026-53131 | netfilter: require Ethernet MAC header before using eth_hdr() | 28.06.2026 | 9.4 |
| CVE-2026-53151 | rxrpc: Fix the ACK parser to extract the SACK table for parsing | 28.06.2026 | 9.8 |
| CVE-2026-53175 | inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush | 28.06.2026 | 9.8 |
| CVE-2026-53176 | IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN | 28.06.2026 | 9.8 |
| CVE-2026-53186 | RDMA/srp: bound SRP_RSP sense copy by the received length | 28.06.2026 | 9.1 |
| CVE-2026-53215 | net: mvpp2: refill RX buffers before XDP or skb use | 28.06.2026 | 9.8 |
| CVE-2026-53216 | net: mvpp2: limit XDP frame size to the RX buffer | 28.06.2026 | 9.8 |
| CVE-2026-53221 | ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() | 28.06.2026 | 9.8 |
| CVE-2026-53224 | sctp: validate embedded INIT chunk and address list lengths in cookie | 28.06.2026 | 9.1 |
| CVE-2026-53225 | sctp: fix uninit-value in __sctp_rcv_asconf_lookup() | 28.06.2026 | 9.1 |
| CVE-2026-53228 | ipv6: sit: reload inner IPv6 header after GSO offloads | 28.06.2026 | 9.8 |
| CVE-2026-53246 | sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing | 28.06.2026 | 9.8 |
| CVE-2026-53247 | net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown | 28.06.2026 | 9.8 |
| CVE-2026-53260 | tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). | 28.06.2026 | 9.8 |
| CVE-2026-39948 | Cacti has SQL Injection via rfilter parameter in RLIKE clauses | 26.06.2026 | 9.3 |
| CVE-2026-39955 | Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php | 26.06.2026 | 9.8 |
| CVE-2026-39938 | Cacti: Unauthenticated RCE on Graph Image | 26.06.2026 | 9.8 |
| CVE-2026-39893 | Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php | 26.06.2026 | 9.8 |
| CVE-2026-50551 | SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content | 25.06.2026 | 9.9 |
| CVE-2026-54067 | SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() | 25.06.2026 | 9.9 |
| CVE-2026-54069 | SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist | 25.06.2026 | 9.2 |
| CVE-2026-54158 | SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() | 25.06.2026 | 9.9 |
| CVE-2026-55454 | Appsmith: Caddy admin API exposed without authentication | 25.06.2026 | 9.9 |
| CVE-2026-55570 | SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch) | 25.06.2026 | 9 |
| CVE-2026-55666 | Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth | 26.06.2026 | 9.3 |
| CVE-2026-33543 | FOSSBilling: Authentication bypass allows unauthenticated administrator creation | 25.06.2026 | 9.3 |
| CVE-2026-45688 | Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack | 26.06.2026 | 9.1 |
| CVE-2026-45689 | Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO | 26.06.2026 | 9.1 |
| CVE-2026-46423 | Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty | 26.06.2026 | 9.3 |
| CVE-2026-52811 | Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym | 26.06.2026 | 9 |
| CVE-2026-52813 | Gogs: Path Traversal in organization name results in RCE through Git hooks | 26.06.2026 | 10 |
| CVE-2026-52806 | Gogs: RCE via git rebase --exec argument injection in pull request merge | 26.06.2026 | 9.9 |
| CVE-2026-49980 | Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix | 27.06.2026 | 9.8 |
| CVE-2026-53943 | Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header | 24.06.2026 | 9.6 |
| CVE-2026-52955 | libceph: Fix potential out-of-bounds access in crush_decode() | 28.06.2026 | 9.8 |
| CVE-2026-52958 | libceph: Fix potential out-of-bounds access in osdmap_decode() | 28.06.2026 | 9.1 |
| CVE-2026-52982 | net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() | 28.06.2026 | 9.8 |
| CVE-2026-52986 | netfilter: nf_conntrack_sip: don't use simple_strtoul | 28.06.2026 | 9.8 |
| CVE-2026-52989 | nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers | 28.06.2026 | 9.8 |
| CVE-2026-52993 | tipc: fix double-free in tipc_buf_append() | 28.06.2026 | 9.8 |
| CVE-2026-52999 | netfilter: nfnetlink_osf: fix out-of-bounds read on option matching | 28.06.2026 | 9.1 |
| CVE-2026-53002 | netfilter: conntrack: remove sprintf usage | 28.06.2026 | 9.8 |
| CVE-2026-53006 | ipv6: fix possible UAF in icmpv6_rcv() | 28.06.2026 | 9.8 |
| CVE-2026-53010 | ksmbd: fix use-after-free in smb2_open during durable reconnect | 28.06.2026 | 9.8 |
| CVE-2026-53043 | ocfs2/dlm: validate qr_numregions in dlm_match_regions() | 28.06.2026 | 9.1 |
| CVE-2026-53045 | memory: tegra124-emc: Fix dll_change check | 28.06.2026 | 9.8 |
| CVE-2026-53046 | ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine | 28.06.2026 | 9.8 |
| CVE-2026-53049 | gfs2: add some missing log locking | 28.06.2026 | 9.8 |
| CVE-2026-53055 | crypto: hisilicon/sec2 - prevent req used-after-free for sec | 28.06.2026 | 9.8 |
| CVE-2026-53086 | net: bcmgenet: fix racing timeout handler | 28.06.2026 | 9.8 |
| CVE-2026-53088 | net: bcmgenet: fix off-by-one in bcmgenet_put_txcb | 28.06.2026 | 9.8 |
| CVE-2026-56121 | Feast < 0.63.0 Unauthenticated RCE via ApplyFeatureView gRPC Deserialization | 26.06.2026 | 9.3 |
| CVE-2026-12537 | Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows | 24.06.2026 | 10 |
| CVE-2026-56223 | Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user | 24.06.2026 | 9.3 |
| CVE-2026-56237 | Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation | 24.06.2026 | 9.3 |
| CVE-2026-52914 | batman-adv: fix fragment reassembly length accounting | 28.06.2026 | 9.8 |
| CVE-2026-52924 | sctp: purge outqueue on stale COOKIE-ECHO handling | 28.06.2026 | 9.8 |
| CVE-2026-52931 | batman-adv: tp_meter: avoid use of uninit sender vars | 28.06.2026 | 9.8 |
| CVE-2026-12416 | Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter | 25.06.2026 | 9.8 |
| CVE-2026-12417 | SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover | 24.06.2026 | 9.8 |
| CVE-2026-12485 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12486 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-12846 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12847 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12848 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12849 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-12850 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-12851 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-54588 | Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction. | 24.06.2026 | 9.6 |
| CVE-2026-11807 | Eda-server: websocket missing authorization allows credential theft via activation_id spoofing | 27.06.2026 | 9.6 |
| CVE-2026-53753 | Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API | 23.06.2026 | 9.8 |
| CVE-2026-53662 | immich: One-click account takeover via XSS in login page continue redirect | 23.06.2026 | 9.6 |
| CVE-2026-54157 | LobeHub: Unauthenticated SSRF in `/webapi/proxy` | 23.06.2026 | 9 |
| CVE-2026-54257 | Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow | 23.06.2026 | 9.3 |
| CVE-2026-44789 | n8n: HTTP Request Node Pagination Prototype Pollution to RCE | 24.06.2026 | 9.4 |
| CVE-2026-44790 | n8n: Arbitrary File Read via Git Node | 23.06.2026 | 9.4 |
| CVE-2026-44791 | n8n: XML Node Prototype Pollution Patch Bypass | 23.06.2026 | 9.4 |
| CVE-2026-48519 | Langflow: Unauthenticated RCE in Shareable Playgrounds | 24.06.2026 | 9.6 |
| CVE-2026-55255 | Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow | 24.06.2026 | 9.9 |
| CVE-2026-55447 | Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit | 24.06.2026 | 9.6 |
| CVE-2026-55450 | Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak | 23.06.2026 | 9.3 |
| CVE-2026-27604 | FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions | 23.06.2026 | 10 |
| CVE-2026-28496 | FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE | 23.06.2026 | 9.4 |
| CVE-2026-35019 | NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass | 23.06.2026 | 9.2 |
| CVE-2026-44089 | Buffer Overflow in Totolink EX1200L router | 23.06.2026 | 9.4 |
| CVE-2026-56258 | Crawl4AI - Arbitrary File Write via output_path Symlink and TOCTOU | 23.06.2026 | 9.2 |
| CVE-2026-56315 | picklescan - Remote Code Execution via Unblocked Standard Library Modules | 23.06.2026 | 9.3 |
| CVE-2026-11374 | Account Takeover via Predictable SSO Ticket Generation | 24.06.2026 | 9 |
| CVE-2026-12866 | | 27.06.2026 | 9.2 |
| CVE-2026-48746 | vLLM: OpenAI auth bypass | 23.06.2026 | 9.1 |
| CVE-2026-56266 | Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints | 23.06.2026 | 9.2 |
| CVE-2026-44727 | Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP | 23.06.2026 | 9.3 |
| CVE-2026-45034 | PhpSpreadsheet: File::prohibitWrappers bypass | 23.06.2026 | 9.2 |
| CVE-2026-49468 | LiteLLM: Authentication Bypass via Host Header Injection | 24.06.2026 | 9.5 |
| CVE-2026-10789 | MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop | 23.06.2026 | 9.6 |
| CVE-2026-12249 | Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment | 22.06.2026 | 9 |
| CVE-2026-12628 | Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system | 25.06.2026 | 9.1 |
| CVE-2026-7664 | Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS | 23.06.2026 | 9.8 |
| CVE-2026-10561 | Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins Injection | 23.06.2026 | 10 |
| CVE-2026-28381 | Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT | 24.06.2026 | 9.6 |
| CVE-2026-56423 | MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints | 23.06.2026 | 9.4 |
| CVE-2026-56425 | MISP AAD authentication plugin - Improper OAuth State Handling, Missing Session Rotation, Insecure Redirect URI Validation, and Log Injection | 23.06.2026 | 9.3 |
| CVE-2026-56447 | MISP remote code execution via arbitrary rdkafka configuration path | 22.06.2026 | 9.3 |
| CVE-2026-7165 | Multiple vulnerabilities in the Assassin game by Gaudire | 22.06.2026 | 9.4 |
| CVE-2026-7166 | Multiple vulnerabilities in the Assassin game by Gaudire | 22.06.2026 | 9.2 |
| CVE-2026-56422 | MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields | 23.06.2026 | 9.4 |
| CVE-2026-11746 | | 22.06.2026 | 9.4 |