Total
6365 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-3120 | 2026-06-17 | N/A | 7.2 HIGH | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3. | |||||
| CVE-2026-3070 | 1 Remyandrade | 1 Modern Image Gallery App | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in SourceCodester Modern Image Gallery App 1.0. Affected by this vulnerability is an unknown functionality of the file upload.php. The manipulation of the argument filename results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2026-3054 | 1 Alinto | 1 Sogo | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-3050 | 1 Horilla | 1 Horilla | 2026-06-17 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component. | |||||
| CVE-2026-3043 | 1 Admerc | 1 Event Management System | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in itsourcecode Event Management System 1.0. The impacted element is an unknown function of the file /admin/navbar.php. Executing a manipulation of the argument page can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used. | |||||
| CVE-2026-3041 | 2026-06-17 | 3.3 LOW | 2.4 LOW | ||
| A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-3028 | 1 Huayi-tec | 1 Jeewms | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-3027 | 1 Jeewms | 1 Jeewms | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-39918 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user. | |||||
| CVE-2026-39891 | 1 Praison | 1 Praisonai | 2026-06-17 | N/A | 8.8 HIGH |
| PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as literal text. This vulnerability is fixed in 4.5.115. | |||||
| CVE-2026-39881 | 1 Vim | 1 Vim | 2026-06-17 | N/A | 5.0 MEDIUM |
| Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316. | |||||
| CVE-2026-39846 | 1 B3log | 1 Siyuan | 2026-06-17 | N/A | 9.0 CRITICAL |
| SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4. | |||||
| CVE-2026-39842 | 1 Openremote | 1 Openremote | 2026-06-17 | N/A | 9.9 CRITICAL |
| OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0. | |||||
| CVE-2026-39465 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. | |||||
| CVE-2026-39440 | 2026-06-17 | N/A | 9.9 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1. | |||||
| CVE-2026-39421 | 1 Maxkb | 1 Maxkb | 2026-06-17 | N/A | 6.3 MEDIUM |
| MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0. | |||||
| CVE-2026-39337 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 10.0 CRITICAL |
| ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0. | |||||
| CVE-2026-39311 | 2026-06-17 | N/A | 6.8 MEDIUM | ||
| Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable backend execution API results in an unauthenticated Remote Code Execution (RCE). The vulnerability arises from an insecure-by-design architecture: Trilium serves SVG attachments with the image/svg+xml MIME type without any sanitization, and it explicitly disables Helmet's Content Security Policy middleware, removing the primary defense against script execution in served assets. Because the malicious SVG runs under the Same-Origin Policy, it can issue a fetch('/') to extract the csrfToken from the document body. With that token, it can send a signed request to /api/script/exec to execute arbitrary Node.js code on the server. An attacker can compromise the entire server instance simply by tricking an authenticated user into viewing a shared SVG attachment. The issue has been fixed in version 0.102.2. | |||||
| CVE-2026-39087 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. | |||||
| CVE-2026-39052 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or allowlist restrictions. | |||||