Critical · CVSS 9.8
Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted command.
Published Jun 17, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism.
Published Jun 17, 2024 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Stored Cross-Site Scripting (XSS) vulnerability was found in Multilaser RE 170 using firmware 2.2.6733.
Published Jun 30, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.
Published Jun 30, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Maxprint Maxlink 1200G v3.4.11E has an OS command injection vulnerability in the "Diagnostic tool" functionality of the device.
Published Jun 30, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.
Published Jun 13, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability.
Published Jun 30, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4.
Published Jun 16, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit.
Published Jun 14, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Elenos ETG150 FM transmitter running on version 3.12 was discovered to be leaking SMTP credentials and other sensitive information by exploiting the publicly accessible Memcached service. The attack can occur over the public Internet in some cases.
Published Jun 23, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases.
Published Jun 23, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Improper Access Control leads to privilege escalation affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role in the user profile. An attack could occur over the public Internet in some cases.
Published Jun 23, 2023 · Updated Jul 9, 2026
High · CVSS 8.8
D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function.
Published Jun 7, 2023 · Updated Jul 9, 2026
High · CVSS 8.8
An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing a crafted file.
Published Jun 7, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.5
A misconfiguration in the default settings of MikroTik RouterOS 7 and fixed in v7.14 allows incoming IPv6 UDP traceroute packets.
Published Jun 30, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to escalate privileges via a crafted POST request to the grantRolesToUsers, grantRolesToGroups, and grantRolesToOrganization SOAP API component.
Published Jun 23, 2025 · Updated Jul 5, 2026
Unknown · CVSS Not scored
GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or access logs, potentially allowing attackers to bypass authentication via session replay.
Published Jun 13, 2023 · Updated Jul 5, 2026
Unknown · CVSS Not scored
GL.iNET GL-AR750S-Ext firmware v3.215 uses an insecure protocol in its communications which allows attackers to eavesdrop via a man-in-the-middle attack.
Published Jun 13, 2023 · Updated Jul 5, 2026
Critical · CVSS 9.8
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.
Published Jun 13, 2023 · Updated Jul 5, 2026
High · CVSS 7.5
An access control issue in Makves DCAP v3.0.0.122 allows unauthenticated attackers to obtain cleartext credentials via a crafted web request to the product API.
Published Jun 21, 2023 · Updated Jul 5, 2026
High · CVSS 7.2
A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC router (firmware version AR_g5.8_110WVN0b7_2). The vulnerability allows an authenticated user to execute arbitrary OS commands by sending specially crafted input to the router via the ping function.
Published Jun 6, 2023 · Updated Jul 5, 2026
Medium · CVSS 4.6
The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim.
Published Jun 6, 2023 · Updated Jul 5, 2026
High · CVSS 7.1
A cross-site scripting (XSS) vulnerability in the component /Login.php of c3crm up to v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login_error parameter.
Published Jun 25, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.4
A stored Cross-site scripting (XSS) vulnerability in Wolters Kluwer TeamMate+ 35.0.11.0 allows remote attackers to inject arbitrary web script or HTML.
Published Jun 16, 2023 · Updated Jul 5, 2026
Unknown · CVSS Not scored
Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user's inputs. Yet, those inputs are not verified nor filtered by the application, so they mathed the expected format. Therefore, when HTML/JavaScript code is injected into those fields, this code will be saved by the application and executed by the web browser of the user viewing the web page. Several injection points have been identified on the application. The major one requires the user to be authenticated with a common account, he can then target an Administrator. All others endpoints need the malicious user to be authenticated as an Administrator. Therefore, the impact is diminished.
Published Jun 22, 2023 · Updated Jul 5, 2026
Unknown · CVSS Not scored
Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection.
Published Jun 22, 2023 · Updated Jul 5, 2026
Critical · CVSS 9.8
There is a command injection vulnerability in the Netgear R6250 router with Firmware Version 1.0.4.48. If an attacker gains web management privileges, they can inject commands into the post request parameters, thereby gaining shell privileges.
Published Jun 6, 2023 · Updated Jul 5, 2026
High · CVSS 8.8
There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with firmware version V1.0.0.5. If an attacker gains web management privileges, they can inject commands gaining shell privileges.
Published Jun 6, 2023 · Updated Jul 5, 2026
Critical · CVSS 9.8
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function.
Published Jun 6, 2023 · Updated Jul 5, 2026
Medium · CVSS 5.5
The BT21 x BTS Wallpaper app 12 for Android allows unauthorized applications to actively request permission to insert data into the database that records information about a user's personal preferences and will be loaded into memory to be read and used when the application is opened. By injecting data, the attacker can force the application to load malicious image URLs and display them in the UI. As the amount of data increases, it will eventually cause the application to trigger an OOM error and crash, resulting in a persistent denial of service attack.
Published Jun 2, 2023 · Updated Jul 5, 2026
High · CVSS 7.8
The BT21 x BTS Wallpaper app 12 for Android allows unauthorized apps to actively request permission to modify data in the database that records information about a user's personal preferences and will be loaded into memory to be read and used when the app is opened. An attacker could tamper with this data to cause an escalation of privilege attack.
Published Jun 2, 2023 · Updated Jul 5, 2026
High · CVSS 8.7
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
Published Jun 23, 2026 · Updated Jun 30, 2026
High · CVSS 7.7
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.
Published Jun 27, 2026 · Updated Jun 29, 2026
Low · CVSS 1.8
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing arbitrary message input, potentially leading to a loss of data integrity.
Published Jun 26, 2026 · Updated Jun 26, 2026
Medium · CVSS 5.6
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing the input of an arbitrary message, potentially leading to a loss of data integrity.
Published Jun 26, 2026 · Updated Jun 26, 2026
High · CVSS 7.5
A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.
Published Jun 11, 2024 · Updated Jun 26, 2026
Medium · CVSS 5.3
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data using man in the middle techniques.
Published Jun 22, 2026 · Updated Jun 23, 2026
High · CVSS 8.7
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
Published Jun 19, 2026 · Updated Jun 23, 2026
High · CVSS 8.5
Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot.
Published Jun 19, 2026 · Updated Jun 23, 2026
High · CVSS 8.1
A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.
Published Jun 22, 2026 · Updated Jun 22, 2026
High · CVSS 7.8
A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device.
Published Jun 22, 2026 · Updated Jun 22, 2026
Medium · CVSS 5.3
Authorization bypass through User-Controlled key vulnerability in Essential Plugin WP Logo Showcase Responsive Slider and Carousel allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WP Logo Showcase Responsive Slider and Carousel: from n/a through 3.6.
Published Jun 11, 2026 · Updated Jun 11, 2026
High · CVSS 7.1
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.
This issue affects WP Mail Log: from n/a through 1.0.2.
Published Jun 11, 2026 · Updated Jun 11, 2026
High · CVSS 7.5
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). There is a Heap buffer overflow in various buffer encryption utilities.
Published Jun 9, 2026 · Updated Jun 9, 2026
Medium · CVSS 6.2
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). A large number of Firefox preference files can cause the parser to ignore other browser configuration files, leading to a denial of service.
Published Jun 9, 2026 · Updated Jun 9, 2026
High · CVSS 8.2
The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size.
Published Jun 9, 2026 · Updated Jun 9, 2026
High · CVSS 8.7
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
Published Jun 8, 2026 · Updated Jun 9, 2026
Critical · CVSS 9.8
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access.
Published Jun 8, 2026 · Updated Jun 8, 2026
High · CVSS 7.2
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.
Published Jun 8, 2026 · Updated Jun 8, 2026
High · CVSS 8.2
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication.
Published Jun 4, 2026 · Updated Jun 4, 2026