Total
2284 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-42074 | 1 Gitlawb | 1 Openclaude | 2026-06-03 | N/A | 9.8 CRITICAL |
| OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1. | |||||
| CVE-2024-4428 | 1 Menulux | 1 Managment Portal | 2026-06-03 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users. This issue affects Managment Portal: through 21.05.2024. | |||||
| CVE-2024-0949 | 2026-06-03 | N/A | 9.8 CRITICAL | ||
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68. | |||||
| CVE-2024-0336 | 2026-06-03 | N/A | N/A | ||
| Missing Authentication for Critical Function vulnerability in EMTA Grup PDKS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDKS: from V3.04 before 20240603. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6406 | 2026-06-03 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affects Mobile Library Application: before 5.0. | |||||
| CVE-2018-17924 | 1 Rockwellautomation | 32 1756-en2f Series A, 1756-en2f Series A Firmware, 1756-en2f Series B and 29 more | 2026-06-03 | 7.8 HIGH | 8.6 HIGH |
| Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address. | |||||
| CVE-2024-7015 | 1 Profelis | 1 Passbox | 2026-06-03 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse. This issue affects PassBox: before v1.2. | |||||
| CVE-2020-27285 | 1 Redlion | 1 Crimson | 2026-06-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication. | |||||
| CVE-2019-9201 | 1 Phoenixcontact | 16 Axc 1050, Axc 1050 Firmware, Ilc 131 Eth and 13 more | 2026-06-02 | 9.0 HIGH | 9.8 CRITICAL |
| Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories. | |||||
| CVE-2026-0611 | 2026-06-02 | N/A | 9.8 CRITICAL | ||
| Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel exposed on port 8989 that allows attackers to perform arbitrary file read and write operations by supplying valid .NET URI endpoints. Attackers can write ASPX webshells to the IIS wwwroot directory to achieve unauthenticated remote code execution on the system. Port 8989 is not exposed in a default Sentinel installation; exploitation requires that the .NET Remoting port has been explicitly made network-accessible through deliberate configuration or network policy changes. | |||||
| CVE-2020-15798 | 1 Siemens | 20 Simatic Hmi Comfort Panels, Simatic Hmi Comfort Panels Firmware, Simatic Hmi Ktp Mobile Panels and 17 more | 2026-06-02 | 9.3 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046) | |||||
| CVE-2016-9369 | 1 Moxa | 51 Nport 5100 Series Firmware, Nport 5100a Series Firmware, Nport 5110 and 48 more | 2026-06-02 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Firmware can be updated over the network without authentication, which may allow remote code execution. | |||||
| CVE-2025-27853 | 1 Garmin | 2 Empirbus Wireless Display Unit, Empirbus Wireless Display Unit Firmware | 2026-06-02 | N/A | 7.3 HIGH |
| The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket. | |||||
| CVE-2026-34072 | 1 Fccview | 1 Cronmaster | 2026-06-02 | N/A | 8.3 HIGH |
| Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0. | |||||
| CVE-2026-24088 | 1 Qualcomm | 492 Ar9380, Ar9380 Firmware, Csr8811 and 489 more | 2026-06-02 | N/A | 8.2 HIGH |
| Cryptographic Issue while processing a specific partition which allows unauthorized write access to load a customized bootloader. | |||||
| CVE-2026-24090 | 1 Qualcomm | 434 Ar8031, Ar8031 Firmware, Ar8035 and 431 more | 2026-06-02 | N/A | 7.1 HIGH |
| Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow. | |||||
| CVE-2026-10281 | 2026-06-02 | 7.5 HIGH | 7.3 HIGH | ||
| A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded. | |||||
| CVE-2026-10283 | 2026-06-02 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2024-8074 | 2026-06-02 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024. | |||||
| CVE-2026-44649 | 2026-06-02 | N/A | 9.8 CRITICAL | ||
| SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0. | |||||