Total: 361770 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-42908 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-06-17 | N/A | 7.5 HIGH |
| Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-44779 | 1 Discourse | 1 Discourse | 2026-06-17 | N/A | 4.3 MEDIUM |
| Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | |||||
| CVE-2026-42913 | 1 Microsoft | 7 Remote Desktop Client, Windows 11 23h2, Windows 11 24h2 and 4 more | 2026-06-17 | N/A | 7.5 HIGH |
| Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-7850 | | | 2026-06-17 | N/A | 5.9 MEDIUM |
| The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user. | |||||
| CVE-2026-9570 | | | 2026-06-17 | N/A | 7.1 HIGH |
| The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user. | |||||
| CVE-2026-8383 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request. | |||||
| CVE-2026-8089 | | | 2026-06-17 | N/A | 7.1 HIGH |
| The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL. | |||||
| CVE-2026-47190 | 1 Metal3 | 1 Ip-address-manager | 2026-06-17 | N/A | 4.4 MEDIUM |
| IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0. | |||||
| CVE-2026-53471 | 1 Kebev2v | 1 Migration Assessment | 2026-06-17 | N/A | 9.6 CRITICAL |
| A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments. | |||||
| CVE-2025-69108 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions. | |||||
| CVE-2025-69136 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions. | |||||
| CVE-2024-32949 | | | 2026-06-17 | N/A | 8.3 HIGH |
| Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.3.8. | |||||
| CVE-2025-69125 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions. | |||||
| CVE-2025-69118 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in CopyPress <= 1.4.5 versions. | |||||
| CVE-2025-69110 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions. | |||||
| CVE-2025-69143 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Mission <= 1.22 versions. | |||||
| CVE-2025-69121 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions. | |||||
| CVE-2025-60218 | | | 2026-06-17 | N/A | 9.9 CRITICAL |
| Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions. | |||||
| CVE-2025-69149 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions. | |||||
| CVE-2025-69137 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| Subscriber Broken Access Control in Genemy <= 1.6.6 versions. | |||||
