Total
4391 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6796 | 1 Baxter | 1 Connex Health Portal | 2026-06-17 | N/A | 8.2 HIGH |
| In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content. | |||||
| CVE-2024-6738 | 1 Wisdomgarden | 1 Tronclass | 2026-06-17 | N/A | 5.3 MEDIUM |
| The tumbnail API of Tronclass from WisdomGarden lacks proper access control, allowing unauthenticated remote attackers to obtain certain specific files by modifying the URL. | |||||
| CVE-2024-6737 | 1 Electronic Official Document Management System Project | 1 Electronic Official Document Management System | 2026-06-17 | N/A | 8.8 HIGH |
| The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account. | |||||
| CVE-2024-6727 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application. | |||||
| CVE-2024-6428 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 5.3 MEDIUM |
| Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. | |||||
| CVE-2024-6385 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 9.6 CRITICAL |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. | |||||
| CVE-2024-6364 | 1 Absolute | 1 Persistence | 2026-06-17 | N/A | 6.4 MEDIUM |
| A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below. | |||||
| CVE-2024-6221 | 1 Corydolphin | 1 Flask-cors | 2026-06-17 | N/A | 7.5 HIGH |
| A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions. | |||||
| CVE-2024-5840 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2026-06-17 | N/A | 6.5 MEDIUM |
| Policy bypass in CORS in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2024-5814 | 1 Wolfssl | 1 Wolfssl | 2026-06-17 | N/A | 5.3 MEDIUM |
| A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 | |||||
| CVE-2024-5687 | 1 Mozilla | 1 Firefox | 2026-06-17 | N/A | 5.3 MEDIUM |
| If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the `Referer` and `Sec-*` headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 127. | |||||
| CVE-2024-5655 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 9.6 CRITICAL |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances. | |||||
| CVE-2024-5650 | 2026-06-17 | N/A | 8.5 HIGH | ||
| DLL Hijacking vulnerability has been found in CENTUM CAMS Log server provided by Yokogawa Electric Corporation. If an attacker is somehow able to intrude into a computer that installed affected product or access to a shared folder, by replacing the DLL file with a tampered one, it is possible to execute arbitrary programs with the authority of the SYSTEM account. The affected products and versions are as follows: CENTUM CS 3000 R3.08.10 to R3.09.50 CENTUM VP R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, R6.01.00 to R6.11.10. | |||||
| CVE-2024-5470 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 3.8 LOW |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens. | |||||
| CVE-2024-5430 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 6.8 MEDIUM |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL. | |||||
| CVE-2024-5331 | 1 Soflyy | 1 Breakdance | 2026-06-17 | N/A | 4.3 MEDIUM |
| The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions. | |||||
| CVE-2024-5272 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished. | |||||
| CVE-2024-5270 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider. | |||||
| CVE-2024-5257 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 4.9 MEDIUM |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace. | |||||
| CVE-2024-5168 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Improper access control vulnerability in Prodys' Quantum Audio codec affecting versions 2.3.4t and below. This vulnerability could allow an unauthenticated user to bypass authentication entirely and execute arbitrary API requests against the web application. | |||||
