Total
4147 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46308 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2026-06-12 | N/A | 5.3 MEDIUM |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information. | |||||
| CVE-2025-46315 | 1 Apple | 1 Macos | 2026-06-12 | N/A | 7.5 HIGH |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. | |||||
| CVE-2026-49938 | 1 Fortinet | 1 Fortiportal | 2026-06-11 | N/A | 6.5 MEDIUM |
| A improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow attacker to improper access control via <insert attack vector here> | |||||
| CVE-2026-45177 | 2026-06-11 | N/A | N/A | ||
| Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20 | |||||
| CVE-2026-45178 | 2026-06-11 | N/A | N/A | ||
| Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20 | |||||
| CVE-2026-47907 | 3 Adobe, Apple, Microsoft | 3 Dreamweaver, Macos, Windows | 2026-06-11 | N/A | 8.2 HIGH |
| Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | |||||
| CVE-2025-43407 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2026-06-11 | N/A | 7.8 HIGH |
| This issue was addressed with improved entitlements. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1. An app may be able to break out of its sandbox. | |||||
| CVE-2026-45654 | 1 Microsoft | 4 Windows 11 24h2, Windows 11 25h2, Windows 11 26h1 and 1 more | 2026-06-11 | N/A | 7.9 HIGH |
| Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | |||||
| CVE-2026-41006 | 1 Vmware | 1 Spring Hateoas | 2026-06-11 | N/A | 7.5 HIGH |
| Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3. | |||||
| CVE-2026-41092 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-06-11 | N/A | 7.8 HIGH |
| Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-42829 | 1 Microsoft | 3 Windows 11 24h2, Windows 11 25h2, Windows 11 26h1 | 2026-06-11 | N/A | 7.8 HIGH |
| Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally. | |||||
| CVE-2026-41847 | 1 Vmware | 1 Spring Framework | 2026-06-11 | N/A | 4.8 MEDIUM |
| Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48. | |||||
| CVE-2026-46695 | 2026-06-11 | N/A | 10.0 CRITICAL | ||
| Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0. | |||||
| CVE-2026-46441 | 1 Flowiseai | 1 Flowise | 2026-06-11 | N/A | 9.6 CRITICAL |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. | |||||
| CVE-2026-42863 | 1 Flowiseai | 1 Flowise | 2026-06-11 | N/A | 8.1 HIGH |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. This issue has been patched in version 3.1.2. | |||||
| CVE-2026-42862 | 1 Flowiseai | 1 Flowise | 2026-06-11 | N/A | 5.0 MEDIUM |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. | |||||
| CVE-2026-42861 | 1 Flowiseai | 1 Flowise | 2026-06-11 | N/A | 9.6 CRITICAL |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. | |||||
| CVE-2026-45776 | 1 Buffalo | 1 Open Xdmod | 2026-06-10 | N/A | 4.3 MEDIUM |
| OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually. | |||||
| CVE-2026-45658 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-06-10 | N/A | 7.8 HIGH |
| Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | |||||
| CVE-2026-49824 | 2026-06-10 | N/A | 8.5 HIGH | ||
| Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1.24.0. | |||||