| Severity | Score | CVE | Summary | CWE | Published |
|---|---|---|---|---|---|
| Critical | 10 | CVE-2026-10561 | IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to an improper isolation of Python execution combined with an authentication b | CWE-94 | 22 Jun 13:22 |
| Critical | 9.6 | CVE-2026-28381 | The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/wr | | 22 Jun 13:20 |
| Critical | 9.4 | CVE-2026-56423 | MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelecti | CWE-862 | 22 Jun 11:56 |
| Critical | 9.3 | CVE-2026-56425 | The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could | CWE-384 | 22 Jun 12:25 |
| Critical | 9.3 | CVE-2026-56447 | MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently | CWE-829 | 22 Jun 12:39 |
| Critical | 9.4 | CVE-2026-7165 | The vulnerability is present in the ‘/addJugador’ endpoint: * The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of | CWE-20 | 22 Jun 12:46 |
| Critical | 9.2 | CVE-2026-7166 | Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data fro | CWE-200 | 22 Jun 12:47 |
| Critical | 9.4 | CVE-2026-56422 | Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/sco | CWE-639 | 22 Jun 11:43 |
| Critical | 9.4 | CVE-2026-11746 | A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting re | | 22 Jun 02:35 |
| High | 8.8 | CVE-2026-12602 | Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropria | CWE-276 | 22 Jun 12:34 |
| High | 7.7 | CVE-2026-42129 | The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the | | 22 Jun 13:18 |
| High | 8.8 | CVE-2026-54099 | A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validate | CWE-269 | 22 Jun 12:46 |
| High | 8.3 | CVE-2026-54100 | A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to | CWE-295 | 22 Jun 12:46 |
| High | 7.1 | CVE-2026-56424 | MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where owners | CWE-639 | 22 Jun 12:17 |
| High | 8.7 | CVE-2026-56446 | MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entrie | CWE-94 | 22 Jun 12:31 |
| High | 8.3 | CVE-2026-56448 | A path traversal vulnerability exists in AIL Framework before the release containing commit 0041456af25da0cdea1c1c4624e46baff2731d8f. An aut | CWE-22 | 22 Jun 12:54 |
| High | 7 | CVE-2026-6653 | Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of | CWE-416 | 22 Jun 12:40 |
| High | 7.3 | CVE-2026-9029 | The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string b | | 22 Jun 13:18 |
| High | 7.8 | CVE-2023-45795 | A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to injec | CWE-79 | 22 Jun 09:06 |
| High | 8.1 | CVE-2023-45796 | A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.3399 | CWE-79 | 22 Jun 09:04 |
| High | 8.7 | CVE-2025-4994 | The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulne | CWE-305 | 22 Jun 08:10 |
| High | 7.7 | CVE-2026-12581 | EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID f | CWE-384 | 22 Jun 09:30 |
| High | 7.5 | CVE-2026-44914 | Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Req | CWE-862 | 22 Jun 07:38 |
| High | 7.1 | CVE-2026-4259 | The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in th | | 22 Jun 06:00 |
| High | 7.1 | CVE-2026-6858 | The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to per | | 22 Jun 06:00 |
| High | 8.8 | CVE-2026-8157 | The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its R | | 22 Jun 06:00 |
| High | 7.3 | CVE-2026-6645 | An insecure process execution vulnerability exists in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. | CWE-427 | 22 Jun 03:24 |
| High | 8.8 | CVE-2026-11745 | A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not ver | | 22 Jun 02:33 |
| High | 7.1 | CVE-2026-8918 | A permissive list of allowed inputs in ASUS Armoury Crate allows a local administrator to perform arbitrary memory read/write operations or | CWE-183 | 22 Jun 02:00 |
| High | 8.7 | CVE-2026-12806 | A vulnerability has been found in Edimax BR-6478AC V2 1.23. The impacted element is the function formWlSiteSurvey of the file /goform/formWl | CWE-120 | 21 Jun 19:30 |
| Medium | 6.5 | CVE-2024-54178 | IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow an authenticated user to caus | CWE-770 | 22 Jun 13:15 |
| Medium | 6 | CVE-2025-2669 | IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perf | CWE-295 | 22 Jun 13:18 |
| Medium | 5.4 | CVE-2025-33128 | IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scr | CWE-79 | 22 Jun 13:20 |
| Medium | 5.4 | CVE-2026-10601 | The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitizati | | 22 Jun 13:18 |
| Medium | 5.4 | CVE-2026-5139 | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on | CWE-862 | 22 Jun 13:34 |
| Medium | 5.1 | CVE-2026-56450 | AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verifica | CWE-307 | 22 Jun 13:02 |
| Medium | 6.4 | CVE-2026-6062 | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an exist | CWE-639 | 22 Jun 13:40 |
| Medium | 6.4 | CVE-2026-6673 | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect install | CWE-306 | 22 Jun 13:38 |
| Medium | 6.9 | CVE-2026-7167 | The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified | CWE-200 | 22 Jun 12:50 |
| Medium | 4.3 | CVE-2026-9162 | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state | CWE-613 | 22 Jun 13:36 |
| Medium | 5.1 | CVE-2026-12580 | EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persis | CWE-79 | 22 Jun 09:26 |
| Medium | 5.1 | CVE-2026-12862 | Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise | CWE-148 | 22 Jun 08:26 |
| Medium | 5.1 | CVE-2026-12863 | An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains. | CWE-601 | 22 Jun 08:41 |
| Medium | 5.2 | CVE-2026-44913 | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injec | CWE-116 | 22 Jun 07:36 |
| Medium | 6.3 | CVE-2026-54665 | Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the | CWE-346 | 22 Jun 07:34 |
| Medium | 5.3 | CVE-2026-7859 | The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthent | | 22 Jun 06:00 |
| Medium | 6.9 | CVE-2026-11748 | A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm su | | 22 Jun 02:37 |
| Medium | 4.8 | CVE-2026-12822 | A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The | CWE-94 | 21 Jun 23:30 |
| Medium | 4.8 | CVE-2026-12823 | A security flaw has been discovered in Browserbase up to 20260526. This impacts an unknown function of the component Autobrowse Trace Artifa | CWE-276 | 21 Jun 23:45 |
| Medium | 5.3 | CVE-2026-12815 | A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipu | CWE-78 | 21 Jun 23:00 |
| Medium | 5.3 | CVE-2026-12821 | A vulnerability was determined in FlowiseAI Flowise up to 3.1.2. The impacted element is an unknown function of the file packages/components | CWE-22 | 21 Jun 23:15 |
| Medium | 5.3 | CVE-2026-12813 | A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/ser | CWE-918 | 21 Jun 22:30 |
| Medium | 5.3 | CVE-2026-12814 | A flaw has been found in Comfast CF-WR631AX V3 up to 2.7.0.8. This issue affects the function system of the file /cgi-bin/mbox-config?sectio | CWE-78 | 21 Jun 22:45 |
| Medium | 5.3 | CVE-2026-12811 | A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file | CWE-79 | 21 Jun 22:00 |
| Medium | 5.1 | CVE-2026-12812 | A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Rep | CWE-80 | 21 Jun 22:15 |
| Medium | 5.3 | CVE-2026-12809 | A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect | CWE-77 | 21 Jun 21:30 |
| Medium | 5.3 | CVE-2026-12810 | A security flaw has been discovered in Edimax BR-6478AC V2 1.23. Affected by this vulnerability is the function mp of the file /goform/mp of | CWE-77 | 21 Jun 21:45 |
| Medium | 5.3 | CVE-2026-12808 | A vulnerability was determined in Edimax BR-6478AC V2 1.23. This impacts the function stainfo of the file /goform/stainfo of the component P | CWE-77 | 21 Jun 20:45 |
| Medium | 5.3 | CVE-2026-12807 | A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Req | CWE-77 | 21 Jun 19:45 |
| Medium | 5.3 | CVE-2026-12805 | A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml. | CWE-122 | 21 Jun 19:15 |
| Medium | 5.3 | CVE-2026-12804 | A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/ | CWE-601 | 21 Jun 18:30 |
| Medium | 6.9 | CVE-2026-56411 | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. | CWE-190 | 21 Jun 15:56 |
| Medium | 4.9 | CVE-2026-56412 | libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls fr | CWE-416 | 21 Jun 15:58 |
| Medium | 6.9 | CVE-2026-56403 | libexpat before 2.8.2 has an integer overflow in storeAtts. | CWE-190 | 21 Jun 15:43 |
| Medium | 6.9 | CVE-2026-56404 | libexpat before 2.8.2 has an integer overflow in addBinding. | CWE-190 | 21 Jun 15:45 |
| Medium | 6.9 | CVE-2026-56405 | libexpat before 2.8.2 has an integer overflow in getAttributeId. | CWE-190 | 21 Jun 15:47 |
| Medium | 6.9 | CVE-2026-56406 | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. | CWE-190 | 21 Jun 15:48 |
| Medium | 6.9 | CVE-2026-56407 | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. | CWE-190 | 21 Jun 15:49 |
| Medium | 6.9 | CVE-2026-56408 | libexpat before 2.8.2 has an integer overflow in copyString. | CWE-190 | 21 Jun 15:51 |
| Medium | 6.5 | CVE-2026-56409 | xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. | CWE-190 | 21 Jun 15:52 |
| Medium | 6.9 | CVE-2026-56410 | xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. | CWE-190 | 21 Jun 15:55 |
| Low | 2 | CVE-2026-12888 | An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Inter | CWE-74 | 22 Jun 13:05 |
| Low | 3.8 | CVE-2026-8074 | Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, | CWE-863 | 22 Jun 13:37 |
| Low | 2.3 | CVE-2026-44911 | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access | CWE-863 | 22 Jun 07:37 |
| Unscored | | CVE-2025-66389 | GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fe | | 22 Jun 00:00 |
| Unscored | | CVE-2026-11373 | Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, | CWE-93 | 22 Jun 11:28 |
| Unscored | | CVE-2025-62198 | An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to versi | CWE-80 | 22 Jun 07:47 |
| Unscored | | CVE-2025-66336 | Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpo | CWE-89 | 22 Jun 06:55 |
| Unscored | | CVE-2026-10530 | The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, a | | 22 Jun 06:00 |
| Unscored | | CVE-2026-4110 | The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in th | | 22 Jun 06:00 |
| Unscored | | CVE-2026-12845 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this ca | | 21 Jun 22:53 |

Updated 22 Jun 2026 14:47 UTC. Each row links to a generated advisory page.