LiveActive security incident?Get immediate response
CVE archive

June 2024

Browse CVE records published in June 2024, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2844 matching CVEs · Page 1 of 57.

Critical · CVSS 9.8

CVE-2024-36543: Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an...

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.

Published Jun 17, 2024 · Updated Jul 9, 2026

High · CVSS 8.3

CVE-2024-52011: launch-editor vulnerable to command injection via the crafted request on Windows

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.

Published Jun 1, 2026 · Updated Jul 2, 2026

Medium · CVSS 6.5

CVE-2024-51454: IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities Host Header Injection observed

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

Published Jun 22, 2026 · Updated Jun 22, 2026

Critical · CVSS 9.8

CVE-2024-58351: Flowise - Remote Code Execution via overrideConfig Parameter

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users.

Published Jun 20, 2026 · Updated Jun 20, 2026

Medium · CVSS 5.9

CVE-2024-27928: Vantage6: 2FA can be circumvented with hacked email access

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.

Published Jun 17, 2026 · Updated Jun 18, 2026

Low · CVSS 2.1

CVE-2024-24769: Vantage6: No limit on emails sent for password/MFA reset

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.

Published Jun 17, 2026 · Updated Jun 18, 2026

High · CVSS 8.8

CVE-2024-24909: Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerabil...

Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. A remote authenticated user could potentially exploit this vulnerability to escalate privileges. The malicious user may gain the ability to run arbitrary code remotely. This is a high severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.

Published Jun 16, 2026 · Updated Jun 17, 2026

Low · CVSS 2.9

CVE-2024-58350: Ghidra < 11.2 - Use After Free in Sleigh Backend via Static Initialization Order

Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.

Published Jun 10, 2026 · Updated Jun 10, 2026

Medium · CVSS 4.4

CVE-2024-50562: An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6...

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

Published Jun 10, 2025 · Updated Jun 9, 2026

High · CVSS 7.5

CVE-2024-1662: Information Disclosure in Porty's PowerBank

Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data. This issue affects PowerBank Application: before 2.02.

Published Jun 5, 2024 · Updated Jun 5, 2026

Medium · CVSS 6.9

CVE-2024-27891: On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports.

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied.

Published Jun 4, 2026 · Updated Jun 4, 2026

High · CVSS 8.7

CVE-2024-14036: Dräger Core 1.0.5 Denial of Service via Malformed SDC Message

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed.

Published Jun 2, 2026 · Updated Jun 3, 2026

Medium · CVSS 4.1

CVE-2024-47263: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.R...

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information via unspecified vectors.

Published Jun 3, 2026 · Updated Jun 3, 2026

Critical · CVSS 9.4

CVE-2024-0336: Improper Access Control in EMTA Grups PDKS

Missing Authentication for Critical Function vulnerability in EMTA Grup PDKS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDKS: from V3.04 before 20240603. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Jun 3, 2024 · Updated Jun 3, 2026