| CVE | Severity | CVSS | EPSS |  | Fix status | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-56334 | Medium | 4.3 v3 | - | - | No fix available yet | 2026-06-30 | Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values. |
| CVE-2026-14156 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-14155 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-14061 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-14052 | Medium | 4.3 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in FileSystem in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-14035 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-14034 | Medium | 4.3 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-14003 | Medium | 4.3 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium) |
| CVE-2026-13954 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in XML in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13949 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in Payments in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13936 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Passwords in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13933 | Medium | 5.3 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13932 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Sharing in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13931 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13914 | Medium | 5.5 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Passwords in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) |
| CVE-2026-13897 | High | 8.8 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-13864 | High | 8.1 v3 | - | - | No fix available yet | 2026-06-30 | Insufficient policy enforcement in WebHID in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium) |
| CVE-2026-13828 | Medium | 6.5 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-13800 | High | 7.8 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) |
| CVE-2025-24816 | Medium | 6.5 v3 | 0.2% | - | No fix available yet | 2026-06-30 | Nokia MantaRay is subject to an Improper Access Control vulnerability due to insufficient authorization within the API. Successful exploitation could allow an authenticated attacker to retrieve confidential information beyond their assigned privileges. |
| CVE-2026-51221 | High | 7.5 v3 | 0.2% | - | No fix available yet | 2026-06-29 | A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to cause a Denial of Service (DoS) via supplying a crafted Common Packet Format (CPF) packet. |
| CVE-2026-43713 | Medium | 6.5 v3 | 0.2% | - | Fix available | 2026-06-29 | A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data. |
| CVE-2026-43701 | High | 7.1 v3 | 0.2% | - | Fix available | 2026-06-29 | The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox. |
| CVE-2026-56290 | Critical | 10.0 v4 | 0.2% | - | No fix available yet | 2026-06-29 | The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. |
| CVE-2026-49049 | High | 7.5 v3 | 0.2% | - | No fix available yet | 2026-06-29 | The Helix3 plugin for Joomla exposes an ajax handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters. |
| CVE-2026-13568 | High | 7.3 v3 | 0.3% | - | No fix available yet | 2026-06-29 | A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-13553 | High | 7.3 v3 | 0.5% | - | No fix available yet | 2026-06-29 | A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown function of the file /admin/mod_amenities/controller.php?action=add. Executing a manipulation of the argument image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. |
| CVE-2026-13547 | High | 7.3 v3 | 0.3% | - | No fix available yet | 2026-06-29 | A vulnerability was determined in Hanwang e-Face General Management Platform 6.3.5.4. This issue affects some unknown processing of the file /manage/resourceUpload/upload.do. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
| CVE-2026-13544 | Medium | 6.3 v3 | 0.2% | - | No fix available yet | 2026-06-29 | A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. |
| CVE-2026-50132 | High | 7.3 v3 | 0.2% | - | Fix available | 2026-06-26 | Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." — no indication of what was linked. This vulnerability is fixed in 3.39.0. |
| CVE-2026-56823 | Medium | 5.4 v3 | 0.1% | - | No fix available yet | 2026-06-26 | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the `POST /api/integrations/webhooks/{webhook_id}/ping` endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the authenticated user. Any authenticated user can supply an arbitrary webhook_id to confirm webhook existence, leak the webhook's OAuth provider type, and in some cases trigger a ping delivery on behalf of another user. This vulnerability is fixed in . |
| CVE-2026-48529 | Medium | 6.0 v3 | 0.2% | - | No fix available yet | 2026-06-26 | GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2. |
| CVE-2026-50744 | Medium | 4.3 v3 | 0.2% | - | Fix available | 2026-06-26 | A bypass to the admin-only restriction of the XML-RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions. |
| CVE-2026-50739 | Medium | 4.3 v3 | 0.3% | - | Fix available | 2026-06-26 | A bypass for CVE-2026-34913 exists: the proper ownership validation had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. As a result, a low-privileged user could link their trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships. |
| CVE-2026-48936 | Low | 3.3 v3 | 0.1% | - | No fix available yet | 2026-06-26 | A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**. |
| CVE-2026-48930 | Critical | 9.8 v3 | 0.4% | - | Fix available | 2026-06-26 | A flaw in Node.js TLS hostname handling: embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
| CVE-2026-48928 | Medium | 5.4 v3 | 0.2% | - | Fix available | 2026-06-26 | An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. |
| CVE-2026-56050 | Medium | 6.5 v3 | 0.2% | - | No fix available yet | 2026-06-25 | Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a through 33.0.18. |
| CVE-2026-46733 | High | 7.8 v3 | 0.1% | - | Fix available | 2026-06-25 | Dell Display and Peripheral Manager (DDPM Windows), versions prior to 2.3, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to code execution. |
| CVE-2026-12490 | High | 7.5 v3 | 0.1% | - | Fix available | 2026-06-25 | When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over TCP over the regular port, when the other conditions of the provide-xfr rule match. |
| CVE-2026-52810 | High | 7.1 v4 | 0.4% | - | No fix available yet | 2026-06-24 | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3. |
| CVE-2026-31978 | Medium | 6.5 v3 | 0.4% | - | No fix available yet | 2026-06-24 | motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/(unknown). Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0. |
| CVE-2026-27708 | High | 7.1 v4 | 0.3% | - | No fix available yet | 2026-06-24 | FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0. |
| CVE-2026-56302 | Medium | 6.5 v3 | 0.2% | - | No fix available yet | 2026-06-24 | Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs. |
| CVE-2026-56257 | High | 7.1 v3 | 0.2% | - | No fix available yet | 2026-06-24 | Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record. |
| CVE-2026-47279 | Medium | 6.9 v4 | 0.2% | - | No fix available yet | 2026-06-23 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1. |
| CVE-2026-54761 | High | 7.1 v3 | 0.3% | - | Fix available | 2026-06-23 | Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching Refer |
| CVE-2026-54015 | Medium | 6.4 v3 | 0.2% | - | Fix available | 2026-06-23 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). This affects /api/v1/prompts/id/{prompt_id}/history/diff, /api/v1/prompts/id/{prompt_id}/update/version, and /api/v1/prompts/id/{prompt_id}/history/{history_id}. An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. This vulnerability is fixed in 0.9.6. |
| CVE-2026-54012 | High | 7.1 v3 | 0.2% | - | Fix available | 2026-06-23 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two places: the built-in view_file tool reads the file's extracted text, and has_access_to_file()'s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user's file ID to their model metadata and read or delete that private file. This vulnerability is fixed in 0.9.6. |
| CVE-2026-54010 | High | 8.3 v3 | 0.2% | - | Fix available | 2026-06-23 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file. This vulnerability is fixed in 0.9.6. |
- MediumCVSS 4.3 v3·EPSS -·No fix yet
Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values.
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Published 2026-06-30
- MediumCVSS 4.3 v3·EPSS -·No fix yet
Insufficient policy enforcement in FileSystem in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Published 2026-06-30
- MediumCVSS 4.3 v3·EPSS -·No fix yet
Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published 2026-06-30
- MediumCVSS 4.3 v3·EPSS -·No fix yet
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Insufficient policy enforcement in XML in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Insufficient policy enforcement in Payments in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Inappropriate implementation in Passwords in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 5.3 v3·EPSS -·No fix yet
Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Inappropriate implementation in Sharing in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Inappropriate implementation in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 5.5 v3·EPSS -·No fix yet
Inappropriate implementation in Passwords in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)
Published 2026-06-30
- HighCVSS 8.8 v3·EPSS -·No fix yet
Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Published 2026-06-30
- HighCVSS 8.1 v3·EPSS -·No fix yet
Insufficient policy enforcement in WebHID in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS -·No fix yet
Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published 2026-06-30
- HighCVSS 7.8 v3·EPSS -·No fix yet
Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Published 2026-06-30
- MediumCVSS 6.5 v3·EPSS 0.2%·No fix yet
Nokia MantaRay is subject to an Improper Access Control vulnerability due to insufficient authorization within the API. Successful exploitation could allow an authenticated attacker to retrieve confidential information beyond their assigned privileges.
Published 2026-06-30
- HighCVSS 7.5 v3·EPSS 0.2%·No fix yet
A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to cause a Denial of Service (DoS) via supplying a crafted Common Packet Format (CPF) packet.
Published 2026-06-29
- MediumCVSS 6.5 v3·EPSS 0.2%·Fix available
A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data.
Published 2026-06-29
- HighCVSS 7.1 v3·EPSS 0.2%·Fix available
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.
Published 2026-06-29
- CriticalCVSS 10.0 v4·EPSS 0.2%·No fix yet
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
Published 2026-06-29
- HighCVSS 7.5 v3·EPSS 0.2%·No fix yet
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.
Published 2026-06-29
- HighCVSS 7.3 v3·EPSS 0.3%·No fix yet
A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published 2026-06-29
- HighCVSS 7.3 v3·EPSS 0.5%·No fix yet
A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown function of the file /admin/mod_amenities/controller.php?action=add. Executing a manipulation of the argument image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published 2026-06-29
- HighCVSS 7.3 v3·EPSS 0.3%·No fix yet
A vulnerability was determined in Hanwang e-Face General Management Platform 6.3.5.4. This issue affects some unknown processing of the file /manage/resourceUpload/upload.do. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published 2026-06-29
- MediumCVSS 6.3 v3·EPSS 0.2%·No fix yet
A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published 2026-06-29
- HighCVSS 7.3 v3·EPSS 0.2%·Fix available
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." — no indication of what was linked. This vulnerability is fixed in 3.39.0.
Published 2026-06-26
- MediumCVSS 5.4 v3·EPSS 0.1%·No fix yet
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the `POST /api/integrations/webhooks/{webhook_id}/ping` endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the authenticated user. Any authenticated user can supply an arbitrary webhook_id to confirm webhook existence, leak the webhook's OAuth provider type, and in some cases trigger a ping delivery on behalf of another user. This vulnerability is fixed in .
Published 2026-06-26
- MediumCVSS 6.0 v3·EPSS 0.2%·No fix yet
GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL queries are executed using the first user's credentials. The singleton is never updated to reflect later users' tokens. This vulnerability is fixed in 1.1.2.
Published 2026-06-26
- Medium · CVSS 4.3 v3 · EPSS 0.2% · Fix available
A bypass of the admin-only restriction of the XML-RPC API exists in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.
Published 2026-06-26
- Medium · CVSS 4.3 v3 · EPSS 0.3% · Fix available
A bypass for CVE-2026-34913 exists because proper ownership validation had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. As a result, a low-privileged user could link their trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships.
Published 2026-06-26
- CVSS 3.3 v3 · EPSS 0.1% · No fix yet
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.
Published 2026-06-26
- Critical · CVSS 9.8 v3 · EPSS 0.4% · Fix available
A flaw in Node.js TLS hostname handling with embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published 2026-06-26
- Medium · CVSS 5.4 v3 · EPSS 0.2% · Fix available
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published 2026-06-26
- Medium · CVSS 6.5 v3 · EPSS 0.2% · No fix yet
An Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows exploiting incorrectly configured access control security levels. This issue affects PPOM for WooCommerce: from n/a through 33.0.18.
Published 2026-06-25
- High · CVSS 7.8 v3 · EPSS 0.1% · Fix available
Dell Display and Peripheral Manager (DDPM Windows), versions prior to 2.3, contain an Improper Access Control vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to code execution.
Published 2026-06-25
- High · CVSS 7.5 v3 · EPSS 0.1% · Fix available
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS on the regular tls-port (and not the tls-auth-port) or over TCP on the regular port, when the other conditions of the provide-xfr rule match.
Published 2026-06-25
- High · CVSS 7.1 v4 · EPSS 0.4% · No fix yet
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
Published 2026-06-24
- Medium · CVSS 6.5 v3 · EPSS 0.4% · No fix yet
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/(unknown). Neither the API handlers nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0.
Published 2026-06-24
- High · CVSS 7.1 v4 · EPSS 0.3% · No fix yet
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.
Published 2026-06-24
- Medium · CVSS 6.5 v3 · EPSS 0.2% · No fix yet
Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.
Published 2026-06-24
- High · CVSS 7.1 v3 · EPSS 0.2% · No fix yet
Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record.
Published 2026-06-24
- Medium · CVSS 6.9 v4 · EPSS 0.2% · No fix yet
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
Published 2026-06-23
- High · CVSS 7.1 v3 · EPSS 0.3% · Fix available
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching Refer
Published 2026-06-23
- Medium · CVSS 6.4 v3 · EPSS 0.2% · Fix available
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt (history_entry.prompt_id == prompt.id). This affects /api/v1/prompts/id/{prompt_id}/history/diff, /api/v1/prompts/id/{prompt_id}/update/version, and /api/v1/prompts/id/{prompt_id}/history/{history_id}. An authenticated user with access to any prompt they control, plus a victim prompt_history.id, can read or delete another user's private prompt history. This vulnerability is fixed in 0.9.6.
Published 2026-06-23
- High · CVSS 7.1 v3 · EPSS 0.2% · Fix available
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two places: the built-in view_file tool reads the file's extracted text, and has_access_to_file()'s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user's file ID to their model metadata and read or delete that private file. This vulnerability is fixed in 0.9.6.
Published 2026-06-23
- High · CVSS 8.3 v3 · EPSS 0.2% · Fix available
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file. This vulnerability is fixed in 0.9.6.
Published 2026-06-23
Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.