Total
498 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8032 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 8.1 HIGH |
| XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. | |||||
| CVE-2025-6427 | 1 Mozilla | 1 Firefox | 2026-06-17 | N/A | 9.1 CRITICAL |
| An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140. | |||||
| CVE-2025-69264 | 1 Pnpm | 1 Pnpm | 2026-06-17 | N/A | 8.8 HIGH |
| pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0. | |||||
| CVE-2025-68668 | 1 N8n | 1 N8n | 2026-06-17 | N/A | 9.9 CRITICAL |
| n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. | |||||
| CVE-2025-67485 | 1 Machphy | 1 Mad-proxy | 2026-06-17 | N/A | 5.3 MEDIUM |
| mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication. | |||||
| CVE-2025-67460 | 1 Zoom | 1 Rooms | 2026-06-17 | N/A | 7.8 HIGH |
| Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access. | |||||
| CVE-2025-66479 | 2026-06-17 | N/A | N/A | ||
| Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16. | |||||
| CVE-2025-66204 | 1 Wbce | 1 Wbce Cms | 2026-06-17 | N/A | 8.1 HIGH |
| WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5. | |||||
| CVE-2025-65319 | 1 Blixhq | 1 Bluemail | 2026-06-17 | N/A | 9.1 CRITICAL |
| When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software. | |||||
| CVE-2025-65318 | 1 Canarymail | 1 Canary Mail | 2026-06-17 | N/A | 9.1 CRITICAL |
| When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software. | |||||
| CVE-2025-65100 | 2026-06-17 | N/A | N/A | ||
| Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb. | |||||
| CVE-2025-64763 | 1 Envoyproxy | 1 Envoy | 2026-06-17 | N/A | 3.7 LOW |
| Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel. | |||||
| CVE-2025-62453 | 1 Microsoft | 1 Visual Studio Code | 2026-06-17 | N/A | 5.0 MEDIUM |
| Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. | |||||
| CVE-2025-60711 | 1 Microsoft | 1 Edge Chromium | 2026-06-17 | N/A | 6.3 MEDIUM |
| Protection mechanism failure in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-59849 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-06-17 | N/A | 4.7 MEDIUM |
| Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. | |||||
| CVE-2025-59033 | 2026-06-17 | N/A | 7.4 HIGH | ||
| The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. Entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate's TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) may not be blocked, whether hypervisor-protected code integrity (HVCI) is enabled or not. NOTE: The vendor disputes this CVE ID assignment and states that the driver blocklist is intended for use with HVCI. | |||||
| CVE-2025-58406 | 1 Cgm | 1 Clininet | 2026-06-17 | N/A | 4.3 MEDIUM |
| The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross‑origin isolation, and missing transport security controls. | |||||
| CVE-2025-55886 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ARD. The flaw exists in the `fe_uid` parameter of the payment history API endpoint. An authenticated attacker can manipulate this parameter to access the payment history of other users without authorization. | |||||
| CVE-2025-55249 | 1 Hcltech | 1 Aion | 2026-06-17 | N/A | 3.5 LOW |
| HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. | |||||
| CVE-2025-54917 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2026-06-17 | N/A | 4.3 MEDIUM |
| Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. | |||||