Total
2945 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32220 | 1 Milesight | 2 Ncr\/camera, Ncr\/camera Firmware | 2026-06-17 | N/A | 8.2 HIGH |
| Milesight NCR/camera version 71.8.0.6-r5 allows authentication bypass through an unspecified method. | |||||
| CVE-2023-32219 | 1 Mazda | 2 Mazda, Mazda Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| A Mazda model (2015-2016) can be unlocked via an unspecified method. | |||||
| CVE-2023-32069 | 1 Xwiki | 1 Xwiki | 2026-06-17 | N/A | 9.9 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds. | |||||
| CVE-2023-32061 | 1 Discourse | 1 Discourse | 2026-06-17 | N/A | 5.4 MEDIUM |
| Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other users. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2023-32060 | 1 Dhis2 | 1 Dhis 2 | 2026-06-17 | N/A | 6.5 MEDIUM |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combination Sharing settings are configured to control access to specific tracker program events or program stages, the `/trackedEntityInstances` and `/events` API endpoints may include all events regardless of the sharing settings applied to the category option combinations. When this specific configuration is present, users may have access to events which they should not be able to see based on the sharing settings of the category options. The events will not appear in the user interface for web-based Tracker Capture or Capture applications, but if the Android Capture App is used they will be displayed to the user. Versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0 contain a fix for this issue. No workaround is known. | |||||
| CVE-2023-31997 | 1 Ui | 3 Cloud Key Gen2, Cloud Key Gen2 Plus, Unifi Os | 2026-06-17 | N/A | 9.0 CRITICAL |
| UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus. | |||||
| CVE-2023-31726 | 1 Alistgo | 1 Alist | 2026-06-17 | N/A | 7.5 HIGH |
| AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. | |||||
| CVE-2023-31704 | 1 Oretnom23 | 1 Online Computer And Laptop Store | 2026-06-17 | N/A | 9.8 CRITICAL |
| Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator's role. | |||||
| CVE-2023-31597 | 1 Zammad | 1 Zammad | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets. | |||||
| CVE-2023-31435 | 1 Evasys | 1 Evasys | 2026-06-17 | N/A | 8.1 HIGH |
| Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly. | |||||
| CVE-2023-31403 | 1 Sap | 1 Business One | 2026-06-17 | N/A | 9.6 CRITICAL |
| SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability. | |||||
| CVE-2023-31250 | 1 Drupal | 1 Drupal | 2026-06-17 | N/A | 6.5 MEDIUM |
| The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating. | |||||
| CVE-2023-31226 | 1 Huawei | 1 Emui | 2026-06-17 | N/A | 7.5 HIGH |
| The SDK for the MediaPlaybackController module has improper permission verification. Successful exploitation of this vulnerability may affect confidentiality. | |||||
| CVE-2023-31141 | 1 Amazon | 2 Opensearch, Opensearch Security | 2026-06-17 | N/A | 4.8 MEDIUM |
| OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue. | |||||
| CVE-2023-31138 | 1 Dhis2 | 1 Dhis 2 | 2026-06-17 | N/A | 7.1 HIGH |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an object may be able to modify related objects that they should not have access to. DHIS2 implementers should upgrade to a supported version of DHIS2 to receive a patch: 2.37.9.1, 2.38.3.1, or 2.39.1.2. It is possible to work around this issue by blocking all PATCH requests on a reverse proxy, but this may cause some issues with the functionality of built-in applications using legacy PATCH requests. | |||||
| CVE-2023-30995 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2026-06-17 | N/A | 7.5 HIGH |
| IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268. | |||||
| CVE-2023-30955 | 1 Palantir | 1 Foundry Workspace-server | 2026-06-17 | N/A | 4.3 MEDIUM |
| A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0. | |||||
| CVE-2023-30840 | 1 Linuxfoundation | 1 Fluid | 2026-06-17 | N/A | 5.8 MEDIUM |
| Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the `csi-nodeplugin-fluid` node-daemonset), they can leverage the fluid-csi service account to modify specs of all the nodes in the cluster. However, since this service account lacks `list node` permissions, the attacker may need to use other techniques to identify vulnerable nodes. Once the attacker identifies and modifies the node specs, they can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This allows them to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster. To exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch node with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means. Version 0.8.6 contains a patch for this issue. As a workaround, delete the `csi-nodeplugin-fluid` daemonset in `fluid-system` namespace and avoid using CSI mode to mount FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended. | |||||
| CVE-2023-30771 | 1 Apache | 1 Iotdb Web Workbench | 2026-06-17 | N/A | 9.8 CRITICAL |
| Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards. | |||||
| CVE-2023-30705 | 1 Samsung | 1 Galaxy Store | 2026-06-17 | N/A | 6.8 MEDIUM |
| Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.56.6?allows local attackers to access privileged content providers as Galaxy Store permission. | |||||