Total: 359722 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-50230 | | | 2026-06-17 | N/A | 6.1 MEDIUM |
| Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the context of the affected application. | | | | | |
| CVE-2026-50226 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 5.3 MEDIUM |
| Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links. | | | | | |
| CVE-2026-50225 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 9.1 CRITICAL |
| The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. | | | | | |
| CVE-2026-50224 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 4.9 MEDIUM |
| The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN. | | | | | |
| CVE-2026-50223 | 1 Apache | 1 Ofbiz | 2026-06-17 | N/A | 8.8 HIGH |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. | | | | | |
| CVE-2026-50219 | 1 Libexpat Project | 1 Libexpat | 2026-06-17 | N/A | 4.9 MEDIUM |
| libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, | | | | | |
| CVE-2026-50214 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans. | | | | | |
| CVE-2026-50213 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings. | | | | | |
| CVE-2026-50212 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service. | | | | | |
| CVE-2026-50211 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. | | | | | |
| CVE-2026-50210 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption. | | | | | |
| CVE-2026-50209 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 7.8 HIGH |
| Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker. | | | | | |
| CVE-2026-50208 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 9.4 CRITICAL |
| High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic. | | | | | |
| CVE-2026-50207 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 7.8 HIGH |
| The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity. | | | | | |
| CVE-2026-50206 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 6.8 MEDIUM |
| Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files. | | | | | |
| CVE-2026-50205 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-17 | N/A | 8.2 HIGH |
| System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data. | | | | | |
| CVE-2026-50131 | | | 2026-06-17 | N/A | 8.6 HIGH |
| Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch. | | | | | |
| CVE-2026-50127 | | | 2026-06-17 | N/A | 5.9 MEDIUM |
| Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6. | | | | | |
| CVE-2026-50108 | | | 2026-06-17 | N/A | 7.5 HIGH |
| The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications. | | | | | |
| CVE-2026-50101 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding. | | | | | |
