Total
358423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2266 | 1 Github | 1 Enterprise Server | 2026-06-17 | N/A | 5.4 MEDIUM |
| An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2026-2261 | 1 Freebsd | 1 Freebsd | 2026-06-17 | N/A | 7.5 HIGH |
| Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired. Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports. An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack. Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective. The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted. | |||||
| CVE-2026-2260 | 1 Dlink | 2 Dcs-931l, Dcs-931l Firmware | 2026-06-17 | 8.3 HIGH | 7.2 HIGH |
| A vulnerability was found in D-Link DCS-931L up to 1.13.0. This affects an unknown part of the file /goform/setSysAdmin. The manipulation of the argument AdminID results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-2259 | 1 Strlen | 1 Lobster | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue. | |||||
| CVE-2026-2258 | 1 Strlen | 1 Lobster | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been published and may be used. This patch is called c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd. It is advisable to implement a patch to correct this issue. | |||||
| CVE-2026-2256 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input. | |||||
| CVE-2026-2252 | 1 Xerox | 1 Freeflow Core | 2026-06-17 | N/A | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads | |||||
| CVE-2026-2251 | 1 Xerox | 1 Freeflow Core | 2026-06-17 | N/A | 9.8 CRITICAL |
| Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads https://www.support.xerox.com/en-us/product/core/downloads | |||||
| CVE-2026-2250 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration. | |||||
| CVE-2026-2249 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services. | |||||
| CVE-2026-2248 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations | |||||
| CVE-2026-2247 | 2026-06-17 | N/A | N/A | ||
| SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application. In the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the ‘id_alu’ parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database. | |||||
| CVE-2026-2246 | 2026-06-17 | 1.7 LOW | 3.3 LOW | ||
| A security vulnerability has been detected in AprilRobotics apriltag up to 3.4.5. Affected by this vulnerability is the function apriltag_detector_detect of the file apriltag.c. The manipulation leads to memory corruption. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is cfac2f5ce1ffe2de25967eb1ab80bc5d99fc1a61. It is suggested to install a patch to address this issue. | |||||
| CVE-2026-2245 | 2026-06-17 | 1.7 LOW | 3.3 LOW | ||
| A vulnerability was identified in CCExtractor up to 183. This affects the function parse_PAT/parse_PMT in the library src/lib_ccx/ts_tables.c of the component MPEG-TS File Parser. Such manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The name of the patch is fd7271bae238ccb3ae8a71304ea64f0886324925. It is best practice to apply a patch to resolve this issue. | |||||
| CVE-2026-2244 | 2026-06-17 | N/A | N/A | ||
| A vulnerability in Google Cloud Vertex AI Workbench from 7/21/2025 to 01/30/2026 allows an attacker to exfiltrate valid Google Cloud access tokens of other users via abuse of a built-in startup script. All instances after January 30th, 2026 have been patched to protect from this vulnerability. No user action is required for this. | |||||
| CVE-2026-2243 | 2026-06-17 | N/A | 5.1 MEDIUM | ||
| A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS). | |||||
| CVE-2026-2242 | 1 Janet-lang | 1 Janet | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability was determined in janet-lang janet up to 1.40.1. This impacts the function janetc_if of the file src/core/specials.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called c43e06672cd9dacf2122c99f362120a17c34b391. It is advisable to implement a patch to correct this issue. | |||||
| CVE-2026-2241 | 1 Janet-lang | 1 Janet | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is named 0f285855f0e34f9183956be5f16e045f54626bff. To fix this issue, it is recommended to deploy a patch. | |||||
| CVE-2026-2240 | 1 Janet-lang | 1 Janet | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability has been found in janet-lang janet up to 1.40.1. The impacted element is the function janetc_pop_funcdef of the file src/core/compile.c. Such manipulation leads to out-of-bounds read. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5. A patch should be applied to remediate this issue. | |||||
| CVE-2026-2236 | 2026-06-17 | N/A | 7.5 HIGH | ||
| C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | |||||