Total
358423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0961 | 1 Wireshark | 1 Wireshark | 2026-06-17 | N/A | 5.5 MEDIUM |
| BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | |||||
| CVE-2026-0960 | 1 Wireshark | 1 Wireshark | 2026-06-17 | N/A | 4.7 MEDIUM |
| HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service | |||||
| CVE-2026-0959 | 1 Wireshark | 1 Wireshark | 2026-06-17 | N/A | 5.3 MEDIUM |
| IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | |||||
| CVE-2026-0958 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 7.5 HIGH |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits. | |||||
| CVE-2026-0953 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address. | |||||
| CVE-2026-0950 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. | |||||
| CVE-2026-0949 | 1 Enterprisedb | 1 Postgres Enterprise Manager | 2026-06-17 | N/A | 6.5 MEDIUM |
| PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. | |||||
| CVE-2026-0948 | 1 Jaseerkinangattil | 1 Microsoft Entra Id Sso Login | 2026-06-17 | N/A | 6.5 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4. | |||||
| CVE-2026-0947 | 1 Bordeaux-metropole | 1 At Internet Piano Analytics | 2026-06-17 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. | |||||
| CVE-2026-0946 | 1 Bordeaux-metropole | 1 At Internet Smarttag | 2026-06-17 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1. | |||||
| CVE-2026-0945 | 1 Role Delegation Project | 1 Role Delegation | 2026-06-17 | N/A | 8.8 HIGH |
| Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0. | |||||
| CVE-2026-0944 | 1 Metadrop | 1 Group Invite | 2026-06-17 | N/A | 5.3 MEDIUM |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4. | |||||
| CVE-2026-0943 | 1 Jv | 1 Harfbuzz\ | 2026-06-17 | N/A | 7.5 HIGH |
| HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693. | |||||
| CVE-2026-0942 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | |||||
| CVE-2026-0939 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed. | |||||
| CVE-2026-0936 | 2026-06-17 | N/A | 5.0 MEDIUM | ||
| An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user. | |||||
| CVE-2026-0933 | 1 Cloudflare | 1 Wrangler | 2026-06-17 | N/A | 9.9 CRITICAL |
| SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version. | |||||
| CVE-2026-0929 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site. | |||||
| CVE-2026-0927 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files. | |||||
| CVE-2026-0926 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||