Total: 35740 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-3689 | 1 Zoneland | 1 O2oa | 2026-06-17 | 2.6 LOW | 3.7 LOW | A vulnerability classified as problematic has been found in Zhejiang Land Zongheng Network Technology O2OA up to 20240403. Affected is an unknown function of the file /x_portal_assemble_surface/jaxrs/portal/list?v=8.2.3-4-43f4fe3. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. VDB-260478 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-3679 | 1 Squirrly | 1 Wp Seo Plugin | 2026-06-17 | N/A | 5.3 MEDIUM | The Premium SEO Pack – WP SEO Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.002. This makes it possible for unauthenticated attackers to view limited information from password protected posts through the social meta data. |
| CVE-2024-3651 | 1 Kjd | 1 Internationalized Domain Names In Applications | 2026-06-17 | N/A | 7.5 HIGH | A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size. |
| CVE-2024-3584 | 1 Qdrant | 1 Qdrant | 2026-06-17 | N/A | 7.5 HIGH | qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as `/root/poc.txt`. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0. |
| CVE-2024-3569 | 1 Mintplexlabs | 1 Anythingllm | 2026-06-17 | N/A | 7.5 HIGH | A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially crafted 'Authorization:' header. This vulnerability leads to uncontrolled resource consumption, causing a DoS condition. |
| CVE-2024-3544 | 1 Progress | 1 Loadmaster | 2026-06-17 | N/A | 7.5 HIGH | Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. |
| CVE-2024-3505 | 1 Jfrog | 1 Artifactory | 2026-06-17 | N/A | 4.3 MEDIUM | JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration. This does not affect JFrog cloud deployments. |
| CVE-2024-3504 | 1 Lunary | 1 Lunary | 2026-06-17 | N/A | 6.5 MEDIUM | An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7. |
| CVE-2024-3493 | 1 Rockwellautomation | 16 1756-en4tr, 1756-en4tr Firmware, Compact Guardlogix 5380 and 13 more | 2026-06-17 | N/A | 8.6 HIGH | A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF) Rockwell Automation's ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, an MNRF could result in a loss of view and/or control of connected devices. |
| CVE-2024-3454 | 1 Csa-iot | 1 Matter | 2026-06-17 | N/A | 3.5 LOW | An implementation issue in the Connectivity Standards Alliance Matter 1.2 protocol as used in the connectedhomeip SDK allows a third party to disclose information about devices part of the same fabric (footprinting), even though the protocol is designed to prevent access to such information. |
| CVE-2024-3305 | 1 Utarit | 1 Soliclub | 2026-06-17 | N/A | 7.5 HIGH | Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android. |
| CVE-2024-3303 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 6.4 MEDIUM | An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection. |
| CVE-2024-3297 | 1 Csa-iot | 1 Matter | 2026-06-17 | N/A | 6.5 MEDIUM | An issue in the Certificate Authenticated Session Establishment (CASE) protocol for establishing secure sessions between two devices, as implemented in the Matter protocol versions before Matter 1.1 allows an attacker to replay manipulated CASE Sigma1 messages to make the device unresponsive until the device is power-cycled. |
| CVE-2024-3279 | 1 Mintplexlabs | 1 Anythingllm | 2026-06-17 | N/A | 9.1 CRITICAL | An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing `anythingllm.db` file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation. |
| CVE-2024-3270 | 1 Thingsboard | 1 Thingsboard | 2026-06-17 | 4.7 MEDIUM | 3.8 LOW | A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7. |
| CVE-2024-3228 | 1 Wpkube | 1 Kiwi Social Share | 2026-06-17 | N/A | 5.3 MEDIUM | The Social Sharing Plugin – Kiwi plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.7 via the 'kiwi-nw-pinterest' class. This makes it possible for unauthenticated attackers to view limited content from password protected posts. |
| CVE-2024-3175 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 6.3 MEDIUM | Insufficient data validation in Extensions in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Low) |
| CVE-2024-3174 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 8.8 HIGH | Inappropriate implementation in V8 in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-3172 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 8.8 HIGH | Insufficient data validation in DevTools in Google Chrome prior to 121.0.6167.85 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-3164 | 1 Dotcms | 1 Dotcms | 2026-06-17 | N/A | 4.5 MEDIUM | In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure Design |
