Total
26 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-29042 | 1 Iguazio | 1 Nuclio | 2026-06-17 | N/A | 9.8 CRITICAL |
| Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20. | |||||
| CVE-2026-27120 | 1 Vapor | 1 Leafkit | 2026-06-17 | N/A | 6.1 MEDIUM |
| Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape HTML special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special HTML character and some additional characters. In the case of HTML attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled. This vulnerability is fixed in 1.4.1. | |||||
| CVE-2025-61911 | 1 Python-ldap | 1 Python-ldap | 2026-06-17 | N/A | 6.5 MEDIUM |
| python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` computes without performing adequate logic to ensure a fully escaped return value. If an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch LDAP injection attacks which could potentially disclose or manipulate LDAP data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`. | |||||
| CVE-2025-50213 | 1 Apache | 1 Apache-airflow-providers-snowflake | 2026-06-17 | N/A | 9.8 CRITICAL |
| Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitization of table and stage parameters was added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection. Users are recommended to upgrade to version 6.4.0, which fixes the issue. | |||||
| CVE-2024-9940 | 1 Codepeople | 1 Calculated Fields Form | 2026-06-17 | N/A | 5.3 MEDIUM |
| The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email. | |||||
| CVE-2024-39243 | 1 Skycaiji | 1 Skycaiji | 2026-06-17 | N/A | 9.8 CRITICAL |
| An issue discovered in skycaiji 2.8 allows attackers to run arbitrary code via crafted POST request to /index.php?s=/admin/develop/editor_save. | |||||
| CVE-2024-39227 | 1 Gl-inet | 56 A1300, A1300 Firmware, Ap1300 and 53 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data. | |||||
| CVE-2024-37779 | | | 2026-06-17 | N/A | 8.8 HIGH |
| WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. | |||||
| CVE-2024-35373 | 1 Mocodo | 1 Mocodo Online | 2026-06-17 | N/A | 9.8 CRITICAL |
| Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php. | |||||
| CVE-2024-31812 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig. | |||||
| CVE-2024-31809 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2026-06-17 | N/A | 8.8 HIGH |
| TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the FileName parameter in the setUpgradeFW function. | |||||
| CVE-2024-31806 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization. | |||||
| CVE-2024-27708 | 1 Airc | 1 Mynet | 2026-06-17 | N/A | 9.6 CRITICAL |
| Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter. | |||||
| CVE-2024-27622 | 1 Cmsmadesimple | 1 Cms Made Simple | 2026-06-17 | N/A | 7.2 HIGH |
| A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code. | |||||
| CVE-2024-24257 | | | 2026-06-17 | N/A | 7.5 HIGH |
| An issue in skteco.com Central Control Attendance Machine web management platform v.3.0 allows an attacker to obtain sensitive information via a crafted script to the csl/user component. | |||||
| CVE-2024-23274 | 1 Apple | 1 Macos | 2026-06-17 | N/A | 7.8 HIGH |
| An injection issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to elevate privileges. | |||||
| CVE-2024-23268 | 1 Apple | 1 Macos | 2026-06-17 | N/A | 7.8 HIGH |
| An injection issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to elevate privileges. | |||||
| CVE-2024-21503 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings. | |||||
| CVE-2024-0801 | 1 Arcserve | 1 Udp | 2026-06-17 | N/A | 7.5 HIGH |
| A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll. | |||||
| CVE-2024-0044 | 1 Google | 1 Android | 2026-06-17 | N/A | 6.7 MEDIUM |
| In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
