CVE-2026-8036 - Local privilege escalation in NI-PAL
Published: Tue, 02 Jun 2026 20:16:41 +0000
CVE ID: CVE-2026-8036
Description: Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE-2026-8035 - NULL pointer dereference in NI-PAL
Published: Tue, 02 Jun 2026 20:16:41 +0000
CVE ID: CVE-2026-8035
Description: Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due to a NULL pointer dereference. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
Severity: 7.1 | HIGH

CVE-2026-5385 - GLPI 11.0.0 - Stored XSS in knowledge base
Published: Tue, 02 Jun 2026 20:16:40 +0000
CVE ID: CVE-2026-5385
Description: An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item.
This issue affects glpi: before 11.0.7.
Severity: 8.4 | HIGH

CVE-2026-5076 - ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
Published: Tue, 02 Jun 2026 20:16:40 +0000
CVE ID: CVE-2026-5076
Description: The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
Severity: 9.8 | CRITICAL

CVE-2026-5074 - ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Parameter
Published: Tue, 02 Jun 2026 20:16:40 +0000
CVE ID: CVE-2026-5074
Description: The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter, which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the "User Private Content" addon is enabled, which is disabled by default.
Severity: 6.5 | MEDIUM

CVE-2026-5073 - ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter
Published: Tue, 02 Jun 2026 20:16:40 +0000
CVE ID: CVE-2026-5073
Description: The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2026-49120 - Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint
Published: Tue, 02 Jun 2026 20:16:39 +0000
CVE ID: CVE-2026-49120
Description: Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.
Severity: 8.5 | HIGH

CVE-2026-48682 - FastNetMon Out-of-Bounds Read in IPv4 Packet Parser
Published: Tue, 02 Jun 2026 20:16:38 +0000
CVE ID: CVE-2026-48682
Description: FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simple_packet_parser_ng.cpp, after validating that the packet contains at least sizeof(ipv4_header_t) bytes (20 bytes), the code advances the local_pointer by '4 * ipv4_header->get_ihl()' (line 164) without validating that (a) IHL >= 5 (the minimum valid value per RFC 791), or (b) 4 * IHL bytes are actually available in the packet. The IHL field is 4 bits, allowing values 0-15, so the advance can be 0-60 bytes. An IHL value of 15 with only 20 bytes validated causes a 40-byte over-read. An IHL of 0-4 causes the pointer to not advance past the IP header, resulting in the TCP/UDP header being parsed from IP header data (type confusion). This vulnerability is reachable via any packet capture interface.
Severity: 0.0 | NA

CVE-2026-48598 - CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection
Published: Tue, 02 Jun 2026 20:16:38 +0000
CVE ID: CVE-2026-48598
Description: Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.
Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.
This issue affects tesla: from 0.8.0 before 1.18.3.
Severity: 2.1 | LOW

CVE-2026-48597 - Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint
Published: Tue, 02 Jun 2026 20:16:38 +0000
CVE ID: CVE-2026-48597
Description: Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint.
Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request, either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline, can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application.
This issue affects tesla: from 1.3.0 before 1.18.3.
Severity: 8.2 | HIGH

CVE-2026-48596 - CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
Published: Tue, 02 Jun 2026 20:16:38 +0000
CVE ID: CVE-2026-48596
Description: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2.
Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected.
This issue affects tesla: from 0.8.0 before 1.18.3.
Severity: 2.1 | LOW

CVE-2026-48595 - Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Published: Tue, 02 Jun 2026 20:16:38 +0000
CVE ID: CVE-2026-48595
Description: Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.
Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.
This issue affects tesla: from 1.4.0 before 1.18.3.
Severity: 8.2 | HIGH

CVE-2026-48594 - Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
Published: Tue, 02 Jun 2026 20:16:38 +0000
CVE ID: CVE-2026-48594
Description: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.
When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.
This issue affects tesla: from 0.6.0 before 1.18.3.
Severity: 8.2 | HIGH

CVE-2026-47265 - AIOHTTP vulnerable to cross-origin redirect with per-request cookies
Published: Tue, 02 Jun 2026 20:16:37 +0000
CVE ID: CVE-2026-47265
Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
Severity: 6.6 | MEDIUM

CVE-2026-42342 - React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
Published: Tue, 02 Jun 2026 20:16:36 +0000
CVE ID: CVE-2026-42342
Description: React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`
Severity: 7.5 | HIGH

CVE-2026-42211 - React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
Published: Tue, 02 Jun 2026 20:16:36 +0000
CVE ID: CVE-2026-42211
Description: React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`
Severity: 8.1 | HIGH

CVE-2026-41577 - authentik: SAML source does not validate Conditions, timing, or audience on assertions
Published: Tue, 02 Jun 2026 20:16:36 +0000
CVE ID: CVE-2026-41577
Description: authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Severity: 6.9 | MEDIUM

CVE-2026-40181 - React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
Published: Tue, 02 Jun 2026 20:16:35 +0000
CVE ID: CVE-2026-40181
Description: React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (
Severity: 6.6 | MEDIUM

CVE-2026-38967 - Crow HTTP Response Header Injection
Published: Tue, 02 Jun 2026 20:16:35 +0000
CVE ID: CVE-2026-38967
Description: CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
Severity: 0.0 | NA

CVE-2026-35202 - Pterodactyl has a database resource limit bypass via race condition in Client API
Published: Tue, 02 Jun 2026 20:16:35 +0000
CVE ID: CVE-2026-35202
Description: Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
Severity: 2.3 | LOW

CVE-2026-35049 - wire-ios has Persistent Remote DoS via Integer Underflow
Published: Tue, 02 Jun 2026 20:16:35 +0000
CVE ID: CVE-2026-35049
Description: wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically after message receival with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed with version 4.16.0 which introduces the missing length check and is available via the App Store. No known workarounds are available.
Severity: 6.5 | MEDIUM

CVE-2026-34993 - AIOHTTP Vulnerable to Deserialization of Untrusted Data
Published: Tue, 02 Jun 2026 20:16:34 +0000
CVE ID: CVE-2026-34993
Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using `CookieJar.load()` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
Severity: 6.4 | MEDIUM

CVE-2026-34077 - React Router vulnerable to Denial of Service via reflected user input in single-fetch
Published: Tue, 02 Jun 2026 20:16:34 +0000
CVE ID: CVE-2026-34077
Description: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Severity: 7.5 | HIGH

CVE-2026-33553 - Northern.tech CFEngine Enterprise Cross-Site Scripting
Published: Tue, 02 Jun 2026 20:16:34 +0000
CVE ID: CVE-2026-33553
Description: Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.
Severity: 0.0 | NA

CVE-2026-33245 - React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
Published: Tue, 02 Jun 2026 20:16:34 +0000
CVE ID: CVE-2026-33245
Description: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Severity: 8.0 | HIGH
