Total
2925 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50726 | 1 Argoproj | 1 Argo Cd | 2026-06-17 | N/A | 6.4 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version. | |||||
| CVE-2023-50705 | 1 Efacec | 2 Uc 500e, Uc 500e Firmware | 2026-06-17 | N/A | 5.3 MEDIUM |
| An attacker could create malicious requests to obtain sensitive information about the web server. | |||||
| CVE-2023-50457 | 1 Zammad | 1 Zammad | 2026-06-17 | N/A | 4.3 MEDIUM |
| An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions. | |||||
| CVE-2023-50363 | 1 Qnap | 2 Qts, Quts Hero | 2026-06-17 | N/A | 7.4 HIGH |
| An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later | |||||
| CVE-2023-4997 | 1 Prointegra | 1 Uptimedc | 2026-06-17 | N/A | 8.8 HIGH |
| Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation. | |||||
| CVE-2023-4853 | 2 Quarkus, Redhat | 13 Quarkus, Build Of Optaplanner, Build Of Quarkus and 10 more | 2026-06-17 | N/A | 8.1 HIGH |
| A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | |||||
| CVE-2023-4814 | 1 Trellix | 1 Data Loss Prevention | 2026-06-17 | N/A | 7.1 HIGH |
| A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to. | |||||
| CVE-2023-4812 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 7.6 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. | |||||
| CVE-2023-4658 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 3.1 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group. | |||||
| CVE-2023-4617 | 2026-06-17 | N/A | 10.0 CRITICAL | ||
| Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9. | |||||
| CVE-2023-4532 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of. | |||||
| CVE-2023-4379 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 8.1 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated. | |||||
| CVE-2023-4317 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch. | |||||
| CVE-2023-4242 | 1 Full | 1 Full - Customer | 2026-06-17 | N/A | 4.3 MEDIUM |
| The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive information about the site configuration as disclosed by the WordPress health check. | |||||
| CVE-2023-4227 | 1 Moxa | 2 Iologik E4200, Iologik E4200 Firmware | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device. | |||||
| CVE-2023-4194 | 4 Debian, Fedoraproject, Linux and 1 more | 4 Debian Linux, Fedora, Linux Kernel and 1 more | 2026-06-17 | N/A | 5.5 MEDIUM |
| A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate. | |||||
| CVE-2023-4107 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 6.7 MEDIUM |
| Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | |||||
| CVE-2023-49982 | 1 Oretnom23 | 1 School Fees Management System | 2026-06-17 | N/A | 8.8 HIGH |
| Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts. | |||||
| CVE-2023-49949 | 1 Passwork | 1 Passwork | 2026-06-17 | N/A | 8.1 HIGH |
| Passwork before 6.2.0 allows remote authenticated users to bypass 2FA by sending all one million of the possible 6-digit codes. | |||||
| CVE-2023-49947 | 1 Forgejo | 1 Forgejo | 2026-06-17 | N/A | 7.5 HIGH |
| Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. | |||||