| # | CVSS | Severity | Attack Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published | References |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 621 | 10.0 | CRITICAL | Network | - | - | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public confi… | New | CWE-78 (OS Command Injection), CWE-184 (Incomplete Blacklist), CWE-287 (Improper Authentication), CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-49869 | 2026-06-30 03:51 | 2026-06-27 | GitHub, Exploit DB, Packet Storm |
| 622 | 7.7 | HIGH | Network | - | - | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows… | New | CWE-22 (Path Traversal), CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize), CWE-200 (Information Exposure) | CVE-2026-49984 | 2026-06-30 03:51 | 2026-06-27 | GitHub, Exploit DB, Packet Storm |
| 623 | 10.0 | CRITICAL | Network | - | - | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /co… | New | CWE-94 (Code Injection), CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | CVE-2026-53576 | 2026-06-30 03:51 | 2026-06-27 | GitHub, Exploit DB, Packet Storm |
| 624 | 7.7 | HIGH | Local | - | - | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Since .NET Framework 4.5 has reached end-of-life and no longer receives se… | New | CWE-1104 (Use of Unmaintained Third Party Components) | CVE-2023-37524 | 2026-06-30 03:51 | 2026-06-27 | GitHub, Exploit DB, Packet Storm |
| 625 | 5.5 | MEDIUM | Local | - | - | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks… | New | CWE-532 (Inclusion of Sensitive Information in Log Files) | CVE-2025-59868 | 2026-06-30 03:51 | 2026-06-27 | GitHub, Exploit DB, Packet Storm |
| 626 | 5.1 | MEDIUM | Local | - | - | A flaw was found in spice-vdagent. A malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This vulnerability can lead to a heap buffer overflow,… | New | CWE-190 (Integer Overflow or Wraparound) | CVE-2026-57965 | 2026-06-30 03:51 | 2026-06-29 | GitHub, Exploit DB, Packet Storm |
| 627 | 4.4 | MEDIUM | Local | - | - | A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs b… | New | CWE-22 (Path Traversal) | CVE-2026-57966 | 2026-06-30 03:51 | 2026-06-29 | GitHub, Exploit DB, Packet Storm |
| 628 | 4.3 | MEDIUM | Network | - | - | HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain… | New | CWE-532 (Inclusion of Sensitive Information in Log Files) | CVE-2026-56457 | 2026-06-30 03:51 | 2026-06-29 | GitHub, Exploit DB, Packet Storm |
| 629 | 5.4 | MEDIUM | Network | cacti | cacti | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is… | Update | CWE-384 (Session Fixation) | CVE-2026-40082 | 2026-06-30 03:50 | 2026-06-26 | GitHub, Exploit DB, Packet Storm |
| 630 | 4.4 | MEDIUM | Network | envoyproxy | envoy | Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySu… | Update | CWE-158 (Improper Neutralization of Null Byte or NUL Character) | CVE-2026-47778 | 2026-06-30 03:49 | 2026-06-27 | GitHub, Exploit DB, Packet Storm |