| CVE-2026-33560 | The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allow authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced, which allows executable binaries and scripts to be accepted and written directly to the server. | No Score | |
| CVE-2026-31928 | The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access. | No Score | |
| CVE-2026-28701 | Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. | No Score | |
| CVE-2026-8661 | Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted content embedded in Markdown input. The PDF rendering engine does not restrict script execution or outbound network access. | medium | 2026-06-26 |
| CVE-2026-50745 | A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input to be reflected without escaping. | medium | 2026-06-26 |
| CVE-2026-50742 | A stored XSS vulnerability exists in the `maintenance-acl-check.php` and `maintenance-banners-check.php` tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected. Whether the XSS payload is executed when an administrator uses the affected maintenance tools is not entirely under the attacker's control. | medium | 2026-06-26 |
| CVE-2026-50741 | Bypass of the fix for CVE-2026-34916. Variants of such vectors have also been reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed but otherwise valid plugin identifier as `type`, or by using the `ox.setChannelTargeting` XML-RPC API method. | high | 2026-06-26 |
| CVE-2026-50740 | A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks. | medium | 2026-06-26 |
| CVE-2026-50739 | A bypass for CVE-2026-34913 exists because the proper ownership validation had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. As a result, a low-privileged user could link their trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships. | medium | 2026-06-26 |
| CVE-2026-48936 | A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**. | low | 2026-06-26 |
| CVE-2026-48935 | A flaw in Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | low | 2026-06-26 |
| CVE-2026-48934 | A flaw in Node.js TLS host verification can allow an attacker to bypass certificate validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | medium | 2026-06-26 |
| CVE-2026-48930 | A flaw in Node.js TLS hostname handling of embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | medium | 2026-06-26 |
| CVE-2026-48928 | An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | medium | 2026-06-26 |
| CVE-2026-48618 | A flaw in Node.js TLS hostname handling of Unicode dot separators can lead to a TLS wildcard-depth authentication bypass due to a hostname normalization mismatch between the resolver and the verifier. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | high | 2026-06-26 |
| CVE-2026-13226 | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path. | high | 2026-06-26 |
| CVE-2026-9222 | Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the... | critical | |
| CVE-2026-13083 | A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML... | medium | |
| CVE-2026-7511 | PKCS7_verify signer confusion allows forged signatures, where the signer associated with a... | medium | |
| CVE-2026-6331 | HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted... | low | |
| CVE-2026-40702 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate... | critical | |
| CVE-2026-12992 | A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without... | high | |
| CVE-2026-11800 | A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization... | high | |
| CVE-2026-10098 | OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer... | medium | |
| CVE-2025-71324 | Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the... | high | |
| CVE-2026-9221 | The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the session ID exposed, an attacker could impersonate the legitimate user and issue authenticated API requests. | high | 2026-06-26 |
| CVE-2026-9220 | Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypt requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic. | high | 2026-06-26 |
| CVE-2026-9219 | Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users. | high | 2026-06-26 |
| CVE-2026-13322 | A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed. | low | 2026-06-26 |
| CVE-2026-13318 | A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner. An attacker with kubevirt.io:edit permissions can create a VM with a modified guest agent that reports an arbitrary IP address, then request port-forward to establish a bidirectional TCP tunnel from virt-api's cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. | medium | 2026-06-26 |
| CVE-2026-13218 | A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership. | medium | 2026-06-26 |
| CVE-2026-12993 | A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit. | medium | 2026-06-26 |
| CVE-2026-40941 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass which allows self-signed packages. This issue has been fixed in version 1.2.31. | high | 2026-06-25 |
| CVE-2026-40084 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31. | medium | 2026-06-25 |
| CVE-2026-40083 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31. | high | 2026-06-25 |
| CVE-2026-40082 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31. | medium | 2026-06-25 |
| CVE-2026-40080 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31. | medium | 2026-06-25 |
| CVE-2026-8720 | wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0. | medium | 2026-06-25 |
| CVE-2026-7532 | iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP address constraints. | medium | 2026-06-25 |
| CVE-2026-6330 | The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection. | medium | 2026-06-25 |
| CVE-2026-6329 | PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and allowing a mismatched MAC to be accepted. The PKCS#12 verify path compared the locally computed HMAC against the MAC parsed from the PKCS#12 structure using a length taken directly from the attacker-supplied input, without first verifying that it equals the length of the digest actually produced by the configured algorithm. A truncated or zero-length stored MAC could therefore be accepted, defeating the integrity protection of the MAC. | medium | 2026-06-25 |
| CVE-2026-6325 | Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer. | low | 2026-06-25 |
| CVE-2026-6092 | When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC. | low | 2026-06-25 |
| CVE-2026-55962 | TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, but it was also being applied while a post-handshake CertificateRequest was still outstanding. The check is now scoped to the initial handshake only: on the server, once a post-handshake CertificateRequest has been sent (certReqCtx is set), a peer certificate and a valid CertificateVerify are required again before the Finished is accepted, with empty-certificate handling following the configured verify mode (FAIL_IF_NO_PEER_CERT) just as during first-handshake client authentication. Only affects TLS 1.3 servers built with post-handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after the handshake via wolfSSL_request_certificate(). Clients, and servers that do not use post-handshake authentication, are unaffected. | medium | 2026-06-25 |
| CVE-2026-54479 | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests. | medium | 2026-06-25 |
| CVE-2026-50176 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access. | high | 2026-06-25 |
| CVE-2026-44622 | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | medium | 2026-06-25 |
| CVE-2026-22879 | vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability | high | 2026-06-26 |
| CVE-2026-13283 | Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | high | 2026-06-25 |
| CVE-2026-13282 | Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High) | medium | 2026-06-26 |