Total
128 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59259 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | |||||
| CVE-2025-59257 | 1 Microsoft | 4 Windows 11 24h2, Windows 11 25h2, Windows Server 2022 23h2 and 1 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | |||||
| CVE-2025-58729 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | |||||
| CVE-2025-58084 | 1 Mattermost | 1 Mattermost Desktop | 2026-06-17 | N/A | 3.5 LOW |
| Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL. | |||||
| CVE-2025-55701 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2026-06-17 | N/A | 7.8 HIGH |
| Improper validation of specified type of input in Microsoft Windows allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-54525 | 1 Mattermost | 1 Confluence | 2026-06-17 | N/A | 7.5 HIGH |
| Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body. | |||||
| CVE-2025-53627 | 1 Meshtastic | 1 Meshtastic Firmware | 2026-06-17 | N/A | 5.3 MEDIUM |
| Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. | |||||
| CVE-2025-52883 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware. | |||||
| CVE-2025-4645 | 1 Axis | 233 A1210 \(-b\), A1214, A1601 and 230 more | 2026-06-17 | N/A | 6.7 MEDIUM |
| An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2025-46342 | 1 Kyverno | 1 Kyverno | 2026-06-17 | N/A | 8.5 HIGH |
| Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0. | |||||
| CVE-2025-42929 | 2026-06-17 | N/A | 8.1 HIGH | ||
| Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database. | |||||
| CVE-2025-42916 | 2026-06-17 | N/A | 8.1 HIGH | ||
| Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database but no impact on confidentiality. | |||||
| CVE-2025-41729 | 2026-06-17 | N/A | 7.5 HIGH | ||
| An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service. | |||||
| CVE-2025-41650 | 2026-06-17 | N/A | 7.5 HIGH | ||
| An unauthenticated remote attacker can exploit input validation in cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial-of-service. | |||||
| CVE-2025-41395 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 6.5 MEDIUM |
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users. | |||||
| CVE-2025-40911 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154. | |||||
| CVE-2025-40910 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. | |||||
| CVE-2025-3070 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 6.5 MEDIUM |
| Insufficient validation of untrusted input in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-32901 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | |||||
| CVE-2025-32442 | 1 Fastify | 1 Fastify | 2026-06-17 | N/A | 7.5 HIGH |
| Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. A workaround involves not specifying individual content types in the schema. | |||||