|
1861
|
9.1 |
CRITICAL
Network
|
-
|
-
|
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environm…
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-4035
|
2026-06-5 00:25 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1862
|
6.1 |
MEDIUM
Network
|
-
|
-
|
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use o…
|
CWE-346
Origin Validation Error
|
CVE-2026-6657
|
2026-06-5 00:25 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1863
|
- |
|
-
|
-
|
A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: ver…
|
CWE-250
Execution with Unnecessary Privileges
|
CVE-2025-12694
|
2026-06-5 00:25 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1864
|
8.1 |
HIGH
Network
|
-
|
-
|
HCL Hive Telco Observability is affected by a Required directives missing from the CSP issue is detected in keycloak component of the web application. Missing essential directives can leave a site v…
|
CWE-1027
|
CVE-2025-59874
|
2026-06-5 00:25 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1865
|
- |
|
-
|
-
|
An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item.
This issue affects glpi: before 11.0.7.
|
CWE-79
Cross-site Scripting
|
CVE-2026-5385
|
2026-06-5 00:23 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1866
|
- |
|
-
|
-
|
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the …
|
CWE-79
Cross-site Scripting
|
CVE-2026-42839
|
2026-06-5 00:23 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1867
|
- |
|
-
|
-
|
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every ope…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42840
|
2026-06-5 00:23 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1868
|
- |
|
-
|
-
|
Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event…
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-8936
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1869
|
5.3 |
MEDIUM
Network
|
-
|
-
|
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote a…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-44545
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1870
|
3.7 |
LOW
Network
|
-
|
-
|
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or …
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-44546
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
