Total: 295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-52692 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions. | | | | | |
| CVE-2026-42667 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions. | | | | | |
| CVE-2026-42384 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions. | | | | | |
| CVE-2026-40789 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions. | | | | | |
| CVE-2026-39480 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions. | | | | | |
| CVE-2026-49082 | | | 2026-06-15 | N/A | 7.4 HIGH |
| Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions. | | | | | |
| CVE-2026-48965 | | | 2026-06-15 | N/A | 6.5 MEDIUM |
| Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions. | | | | | |
| CVE-2026-52695 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions. | | | | | |
| CVE-2026-7184 | | | 2026-06-15 | N/A | 6.5 MEDIUM |
| Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the `manage_secure_connections` permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Mattermost Advisory ID: MMSA-2026-00662 | | | | | |
| CVE-2026-49064 | | | 2026-06-15 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49. | | | | | |
| CVE-2026-44487 | 1 Axios | 1 Axios | 2026-06-12 | N/A | 7.5 HIGH |
| Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios's Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0. | | | | | |
| CVE-2026-46481 | | | 2026-06-09 | N/A | 8.3 HIGH |
| OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. The leaked ingestion-bot token can then be reused as Authorization: Bearer <jwt> to access sensitive service APIs with bot-level privileges. This issue has been patched in version 1.12.4. | | | | | |
| CVE-2026-42539 | | | 2026-06-08 | N/A | 6.5 MEDIUM |
| IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client's operation. Version 2.4.28 contains a patch. | | | | | |
| CVE-2026-45739 | 1 Strawberry | 1 Strawberry Graphql | 2026-06-05 | N/A | 3.1 LOW |
| Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue. | | | | | |
| CVE-2026-4035 | 1 Lfprojects | 1 Mlflow | 2026-06-04 | N/A | 7.7 HIGH |
| A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment at runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0. | | | | | |
| CVE-2026-44653 | 1 Librechat | 1 Librechat | 2026-06-04 | N/A | 6.5 MEDIUM |
| LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8.4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting `apiKey.key` and `oauth.client_secret` from all API responses, and considering returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext. | | | | | |
| CVE-2026-35447 | | | 2026-06-02 | N/A | N/A |
| NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to write wall posts to private or blocking profiles. Additionally, the reply branch does not verify that the target wall post belongs to the current profile, enabling attackers to inject replies into arbitrary wall posts owned by other profiles via a restricted profile URL. This is patched in version 2.2.5. | | | | | |
| CVE-2026-45582 | 1 N8n-mcp | 1 N8n-mcp | 2026-06-01 | N/A | 6.5 MEDIUM |
| n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3. | | | | | |
| CVE-2026-42673 | | | 2026-06-01 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs (Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity) allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6. | | | | | |
| CVE-2026-49370 | 1 Jetbrains | 1 Youtrack | 2026-06-01 | N/A | 3.4 LOW |
| In JetBrains YouTrack before 2026.1.13162, information disclosure was possible on fetchApp requests. | | | | | |
