Total: 98 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-30933 | 1 Filebrowser | 1 Filebrowser | 2026-06-17 | N/A | 7.5 HIGH | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete: password-protected shares still disclose the tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable. |
| CVE-2026-30783 | 5 Apple, Google, Linux and 2 more | 6 Iphone Os, Macos, Android and 3 more | 2026-06-17 | N/A | 9.8 CRITICAL | A vulnerability in RustDesk Client (rustdesk-client) on Windows, MacOS, Linux, iOS, Android and WebClient (client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling. This issue affects RustDesk Client: through 1.4.5. |
| CVE-2026-29077 | 1 Frappe | 1 Frappe | 2026-06-17 | N/A | 7.1 HIGH | Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves did not have. This issue has been patched in versions 15.98.0 and 14.100.0. |
| CVE-2026-25737 | 1 Budibase | 1 Budibase | 2026-06-17 | N/A | 8.9 HIGH | Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level, so an attacker can bypass these restrictions and upload malicious files. |
| CVE-2026-23859 | 1 Dell | 1 Wyse Management Suite | 2026-06-17 | N/A | 2.7 LOW | Dell Wyse Management Suite, versions prior to WMS 5.5, contains a Client-Side Enforcement of Server-Side Security vulnerability. A high-privileged attacker with remote access could potentially exploit this vulnerability, leading to a protection mechanism bypass. |
| CVE-2026-23478 | 1 Cal | 1 Cal.com | 2026-06-17 | N/A | 9.8 CRITICAL | Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7. |
| CVE-2026-0808 | | | 2026-06-17 | N/A | 5.3 MEDIUM | The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. |
| CVE-2025-9495 | | | 2026-06-17 | N/A | N/A | The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser's developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device. |
| CVE-2025-8792 | 1 Litmuschaos | 1 Litmus | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-7820 | | | 2026-06-17 | N/A | 7.5 HIGH | The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client-side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them. |
| CVE-2025-6249 | | | 2026-06-17 | N/A | 6.7 MEDIUM | An authentication bypass vulnerability was reported in the FileZ client application that could allow a local attacker with elevated permissions to access application data. |
| CVE-2025-6025 | | | 2026-06-17 | N/A | 7.5 HIGH | The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to a lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in an unauthorized discount up to free orders depending on the value submitted. |
| CVE-2025-66507 | 1 Fit2cloud | 1 1panel | 2026-06-17 | N/A | 7.5 HIGH | 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14. |
| CVE-2025-61197 | | | 2026-06-17 | N/A | 8.9 HIGH | An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio (Optimod version 1.0.0.33, System version 2.5.26) allows a remote attacker to escalate privileges because the application stores user privilege/role information in client-side browser storage. |
| CVE-2025-5450 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2026-06-17 | N/A | 6.3 MEDIUM | Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted. |
| CVE-2025-56694 | 1 Lumasoft | 1 Fotoshare Cloud | 2026-06-17 | N/A | 5.8 MEDIUM | Client-side password validation (CWE-602) in lumasoft fotoShare Cloud 2025-03-13 allows unauthenticated attackers to view password-protected photo albums. |
| CVE-2025-54833 | 1 Opexustech | 1 Foiaxpress Public Access Link | 2026-06-17 | N/A | 5.3 MEDIUM | OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute-force passwords. |
| CVE-2025-53969 | | | 2026-06-17 | N/A | 8.8 HIGH | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying users' access to the device. |
| CVE-2025-51682 | 1 Mjobtime | 1 Mjobtime | 2026-06-17 | N/A | 9.8 CRITICAL | mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly. |
| CVE-2025-4527 | 1 Digitro | 1 Ngc Explorer | 2026-06-17 | 2.6 LOW | 3.7 LOW | A security flaw has been discovered in Dígitro NGC Explorer up to 3.44.15/3.48.21. The impacted element is an unknown function of the component Password Transmission Handler. Performing a manipulation results in client-side enforcement of server-side security. The attack can be initiated remotely. The complexity of an attack is rather high, and exploitability is regarded as difficult. Upgrading to version 3.48.22 is sufficient to resolve this issue. Upgrading the affected component is recommended. The vendor was contacted early about this disclosure but did not respond in any way. |
