High · CVSS 8.8
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
Published Jun 18, 2024 · Updated Jul 9, 2026
High · CVSS 8.4
An issue in htop-dev htop v.2.20 allows a local attacker to cause an out-of-bounds access in the Header_populateFromSettings function.
Published Jun 20, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the parameter "sectionContent" related to the functionality of adding notes to an uploaded file.
Published Jun 21, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.5
Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.
Published Jun 20, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter.
Published Jun 21, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter.
Published Jun 21, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter.
Published Jun 21, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker to execute arbitrary code via the iface parameter in the vif_enable function.
Published Jun 20, 2024 · Updated Jul 9, 2026
High · CVSS 7.4
libiec61850 v1.5 was discovered to contain a heap overflow via the BerEncoder_encodeLength function at /asn1/ber_encoder.c.
Published Jun 11, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.
Published Jun 17, 2024 · Updated Jul 9, 2026
High · CVSS 8.6
An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebManager 6.3.0, FortiWebManager 6.2.3 through 6.2.4, FortiWebManager 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
Published Jun 3, 2024 · Updated Jul 8, 2026
Medium · CVSS 6.4
An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebManager 6.3.0, FortiWebManager 6.2.3 through 6.2.4, FortiWebManager 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
Published Jun 5, 2024 · Updated Jul 8, 2026
High · CVSS 7.6
An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebManager 6.3.0, FortiWebManager 6.2.3 through 6.2.4, FortiWebManager 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
Published Jun 3, 2024 · Updated Jul 8, 2026
High · CVSS 7.6
An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebManager 6.3.0, FortiWebManager 6.2.3 through 6.2.4, FortiWebManager 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
Published Jun 3, 2024 · Updated Jul 8, 2026
Medium · CVSS 6.1
Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the "Pessoas" (persons) section via the field "Profisso" (professor).
Published Jun 10, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS). In the "Oportunidades" (opportunities) section of the application when creating or editing an "Atividade" (activity), the form field "Descrico" allows injection of JavaScript.
Published Jun 10, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the field "Ttulo" (title) inside the filter Save option in the "Busca" (search) function.
Published Jun 10, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) via the form field "Observaces" (observances) in the "Pessoas" (persons) section when creating or editing either a legal or a natural person.
Published Jun 10, 2025 · Updated Jul 5, 2026
High · CVSS 8.3
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
Published Jun 1, 2026 · Updated Jul 2, 2026
Medium · CVSS 6.7
The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.
Published Jun 26, 2026 · Updated Jun 29, 2026
Medium · CVSS 6.5
IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Published Jun 22, 2026 · Updated Jun 22, 2026
Medium · CVSS 6.5
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8,5.0,5.1,5.2,5.3 could allow an authenticated user to cause a denial of service when creating new databases due to improper allocation of resources.
Published Jun 22, 2026 · Updated Jun 22, 2026
Critical · CVSS 9.8
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users.
Published Jun 20, 2026 · Updated Jun 20, 2026
Medium · CVSS 5.9
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.
Published Jun 17, 2026 · Updated Jun 18, 2026
Low · CVSS 2.1
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.
Published Jun 17, 2026 · Updated Jun 18, 2026
Medium · CVSS 4.3
Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Shareaholic: from n/a through 9.7.11.
Published Jun 17, 2026 · Updated Jun 17, 2026
High · CVSS 7.1
Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions.
Published Jun 17, 2026 · Updated Jun 17, 2026
Medium · CVSS 4.3
Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery.
This issue affects Emergency Password Reset: from n/a through 8.0.
Published Jun 17, 2026 · Updated Jun 17, 2026
High · CVSS 7.5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal.
This issue affects Conversational Forms for ChatBot: from n/a through 1.1.8.
Published Jun 17, 2026 · Updated Jun 17, 2026
Medium · CVSS 6.5
Missing Authorization vulnerability in ali2woo AliNext allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects AliNext: from n/a through 3.3.5.
Published Jun 17, 2026 · Updated Jun 17, 2026
High · CVSS 8.8
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. A remote authenticated user could potentially exploit this vulnerability to escalate privileges. The malicious user may gain the ability to run arbitrary code remotely. This is a high severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.
Published Jun 16, 2026 · Updated Jun 17, 2026
Critical · CVSS 9.9
Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions.
Published Jun 17, 2026 · Updated Jun 17, 2026
High · CVSS 7.4
update_disk_psu_baseline.sh requires password in plain text
Published Jun 16, 2026 · Updated Jun 16, 2026
Medium · CVSS 6.7
Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious executable, leading to arbitrary code execution.
Published Jun 16, 2026 · Updated Jun 16, 2026
Medium · CVSS 5.4
PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, it could lead to script execution in the client browser.
Published Jun 16, 2026 · Updated Jun 16, 2026
High · CVSS 7
api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions.
Published Jun 16, 2026 · Updated Jun 16, 2026
Medium · CVSS 6.7
Dell Peripheral Manager, versions prior to 1.7.3, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious dll., leading to arbitrary code execution.
Published Jun 16, 2026 · Updated Jun 16, 2026
Medium · CVSS 4.3
Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery.
This issue affects WpEvently: from n/a through 4.1.2.
Published Jun 11, 2026 · Updated Jun 11, 2026
Medium · CVSS 5.3
Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.
Published Jun 10, 2026 · Updated Jun 10, 2026
Low · CVSS 2.9
Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.
Published Jun 10, 2026 · Updated Jun 10, 2026
Medium · CVSS 4.4
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
Published Jun 10, 2025 · Updated Jun 9, 2026
High · CVSS 7.5
Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.
This issue affects PowerBank Application: before 2.02.
Published Jun 5, 2024 · Updated Jun 5, 2026
Critical · CVSS 9.6
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
Published Jun 4, 2026 · Updated Jun 4, 2026
Critical · CVSS 9.6
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
Published Jun 4, 2026 · Updated Jun 4, 2026
Medium · CVSS 6.9
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.
Published Jun 4, 2026 · Updated Jun 4, 2026
Unknown · CVSS Not scored
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
Published Jun 4, 2026 · Updated Jun 4, 2026
High · CVSS 8.7
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed.
Published Jun 2, 2026 · Updated Jun 3, 2026
Medium · CVSS 4.1
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information via unspecified vectors.
Published Jun 3, 2026 · Updated Jun 3, 2026
Medium · CVSS 4.3
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors.
Published Jun 3, 2026 · Updated Jun 3, 2026
Critical · CVSS 9.4
Missing Authentication for Critical Function vulnerability in EMTA Grup PDKS allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PDKS: from V3.04 before 20240603. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Jun 3, 2024 · Updated Jun 3, 2026