Latest CVEs

CVE-2026-27604 - FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions
Published: Tue, 23 Jun 2026 14:25:20 +0000
CVE ID: CVE-2026-27604
Description: FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat it as a potential incident.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE-2026-28496 - FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE
Published: Tue, 23 Jun 2026 14:20:50 +0000
CVE ID: CVE-2026-28496
Description: FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to `/api/system/*` at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
Severity: 0.0 | NA

CVE-2026-56815 - Pwnlift Symlink Following Vulnerability
Published: Tue, 23 Jun 2026 13:57:34 +0000
CVE ID: CVE-2026-56815
Description: pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor.
Severity: 7.4 | HIGH

CVE-2026-35019 - NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass
Published: Tue, 23 Jun 2026 13:48:49 +0000
CVE ID: CVE-2026-35019
Description: NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks to obtain full administrative control of the management interface while any legitimate administrator session is active.
Severity: 9.2 | CRITICAL

CVE-2026-35018 - NetComm NF20MESH < R6B032 Authenticated RCE via OS Command Injection
Published: Tue, 23 Jun 2026 13:46:39 +0000
CVE ID: CVE-2026-35018
Description: NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function. Attackers can exploit the unsafe concatenation of user-supplied input into a shell command string passed to rut_doSystemAction without sanitization to achieve full root-level command execution on the underlying operating system.
Severity: 8.8 | HIGH

CVE-2026-11772 - Reflected XSS in DRIMO CMS
Published: Tue, 23 Jun 2026 13:31:37 +0000
CVE ID: CVE-2026-11772
Description: DRIMO CMS is vulnerable to Reflected XSS via the q parameter in the search functionality. An attacker can prepare a URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The product is in its End Of Life phase and will not receive any updates. However, deleting the info.php file mitigates the vulnerability.
Severity: 5.1 | MEDIUM

CVE-2026-12969 - Dnsmasq: dnsmasq: out-of-bounds read in find_soa() due to missing extrabytes validation
Published: Tue, 23 Jun 2026 13:28:56 +0000
CVE ID: CVE-2026-12969
Description: An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
Severity: 5.3 | MEDIUM

CVE-2026-10609 - Openshift/cluster-logging-operator: cluster logging operator creates and forwards serviceaccount tokens without verifying clf creator authorization
Published: Tue, 23 Jun 2026 13:26:43 +0000
CVE ID: CVE-2026-10609
Description: A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
Severity: 6.8 | MEDIUM

CVE-2026-4610 - ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Message Content
Published: Tue, 23 Jun 2026 12:32:56 +0000
CVE ID: CVE-2026-4610
Description: The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.
Severity: 0.0 | NA

CVE-2026-54892 - Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Published: Tue, 23 Jun 2026 12:31:12 +0000
CVE ID: CVE-2026-54892
Description: Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
Severity: 8.7 | HIGH

CVE-2026-10857 - Reflected XSS in Akinsoft's e-Commerce
Published: Tue, 23 Jun 2026 12:15:49 +0000
CVE ID: CVE-2026-10857
Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS. This issue affects e-Commerce: before 1.25.01.06.
Severity: 6.1 | MEDIUM

CVE-2026-56784 - OpenRemote Manager - Cross-Tenant IDOR in Bulk Alarm Deletion
Published: Tue, 23 Jun 2026 12:13:07 +0000
CVE ID: CVE-2026-56784
Description: OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.
Severity: 8.3 | HIGH

CVE-2026-56762 - Hono - Missing Cookie Name Validation in setCookie()
Published: Tue, 23 Jun 2026 12:13:06 +0000
CVE ID: CVE-2026-56762
Description: Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.
Severity: 6.9 | MEDIUM

CVE-2026-56701 - Grav - XML External Entity Injection via SVG Upload
Published: Tue, 23 Jun 2026 12:13:06 +0000
CVE ID: CVE-2026-56701
Description: Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
Severity: 7.1 | HIGH

CVE-2026-56379 - ImageMagick - Command Injection via SVG Decoder
Published: Tue, 23 Jun 2026 12:13:05 +0000
CVE ID: CVE-2026-56379
Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Severity: 0.0 | NONE

CVE-2026-56376 - ImageMagick - Heap Use-After-Free in Meta Coder
Published: Tue, 23 Jun 2026 12:13:04 +0000
CVE ID: CVE-2026-56376
Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service.
Severity: 6.3 | MEDIUM

CVE-2026-56371 - ImageMagick - Memory Leak in TXT File Processing via Texture Attribute
Published: Tue, 23 Jun 2026 12:13:04 +0000
CVE ID: CVE-2026-56371
Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
Severity: 0.0 | NONE

CVE-2026-56322 - Capgo - Information Disclosure via Unauthenticated /updates defaultChannel Parameter
Published: Tue, 23 Jun 2026 12:13:03 +0000
CVE ID: CVE-2026-56322
Description: Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers can probe private channel names and distinguish valid channels from nonexistent ones based on response differences, revealing assigned bundle versions and platform-specific configuration details.
Severity: 8.7 | HIGH

CVE-2026-56315 - picklescan - Remote Code Execution via Unblocked Standard Library Modules
Published: Tue, 23 Jun 2026 12:13:02 +0000
CVE ID: CVE-2026-56315
Description: picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.
Severity: 9.8 | CRITICAL

CVE-2026-56301 - Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux
Published: Tue, 23 Jun 2026 12:13:02 +0000
CVE ID: CVE-2026-56301
Description: Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
Severity: 6.8 | MEDIUM

CVE-2026-56275 - Flowise - Server-Side Request Forgery via Execute Flow Base URL
Published: Tue, 23 Jun 2026 12:13:01 +0000
CVE ID: CVE-2026-56275
Description: Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.
Severity: 6.0 | MEDIUM

CVE-2026-56274 - Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess
Published: Tue, 23 Jun 2026 12:13:00 +0000
CVE ID: CVE-2026-56274
Description: Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
Severity: 9.9 | CRITICAL

CVE-2026-56263 - Crawl4AI - Stored Cross-Site Scripting in Monitor Dashboard
Published: Tue, 23 Jun 2026 12:13:00 +0000
CVE ID: CVE-2026-56263
Description: Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
Severity: 6.1 | MEDIUM

CVE-2026-56258 - Crawl4AI - Arbitrary File Write via output_path Symlink and TOCTOU
Published: Tue, 23 Jun 2026 12:12:59 +0000
CVE ID: CVE-2026-56258
Description: Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Remote attackers can exploit insufficient path validation and symlink following to achieve arbitrary file write and potential code execution on systems where the runtime user has write access to executable or cron locations.
Severity: 9.2 | CRITICAL

CVE-2026-56248 - Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy
Published: Tue, 23 Jun 2026 12:12:58 +0000
CVE ID: CVE-2026-56248
Description: Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.
Severity: 8.7 | HIGH