Total
358423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1356 | 2026-06-17 | N/A | 4.8 MEDIUM | ||
| The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2026-1355 | 1 Github | 1 Enterprise Server | 2026-06-17 | N/A | 6.5 MEDIUM |
| A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2026-1344 | 1 Tanium | 1 Enforce Recovery Key Portal | 2026-06-17 | N/A | 6.5 MEDIUM |
| Tanium addressed an insecure file permissions vulnerability in Enforce Recovery Key Portal. | |||||
| CVE-2026-1341 | 2026-06-17 | N/A | N/A | ||
| Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. | |||||
| CVE-2026-1340 | 1 Ivanti | 1 Endpoint Manager Mobile | 2026-06-17 | N/A | 9.8 CRITICAL |
| A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | |||||
| CVE-2026-1337 | 1 Neo4j | 1 Neo4j | 2026-06-17 | N/A | 5.4 MEDIUM |
| Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337 | |||||
| CVE-2026-1336 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6 | |||||
| CVE-2026-1335 | 1 3ds | 1 Solidworks Edrawings | 2026-06-17 | N/A | 7.8 HIGH |
| An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | |||||
| CVE-2026-1334 | 1 3ds | 1 Solidworks Edrawings | 2026-06-17 | N/A | 7.8 HIGH |
| An Out-Of-Bounds Read vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | |||||
| CVE-2026-1333 | 1 3ds | 1 Solidworks Edrawings | 2026-06-17 | N/A | 7.8 HIGH |
| A Use of Uninitialized Variable vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | |||||
| CVE-2026-1332 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2026-06-17 | N/A | 5.3 MEDIUM |
| MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information. | |||||
| CVE-2026-1331 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2026-06-17 | N/A | 9.8 CRITICAL |
| MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2026-1330 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2026-06-17 | N/A | 7.5 HIGH |
| MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | |||||
| CVE-2026-1329 | 1 Tenda | 2 Ax1803, Ax1803 Firmware | 2026-06-17 | 9.0 HIGH | 8.8 HIGH |
| A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn/guestSsid/hideSsid/guestSecurity can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2026-1328 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2026-06-17 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2026-1327 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-1326 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1325 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1324 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-06-17 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1321 | 2026-06-17 | N/A | 8.1 HIGH | ||
| The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18. | |||||