|
71
|
9.8 |
CRITICAL
Network
|
apache
|
cxf
|
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity res…
New
|
CWE-611
XXE
|
CVE-2026-49875
|
2026-06-16 01:32 |
2026-06-12 |
|
72
|
6.5 |
MEDIUM
Network
|
google
|
chrome
|
Out of bounds read in Video in Google Chrome on ChromeOS prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from pr…
New
|
CWE-125
Out-of-bounds Read
|
CVE-2026-12026
|
2026-06-16 01:32 |
2026-06-12 |
|
73
|
8.2 |
HIGH
Network
|
axios
|
axios
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream…
Update
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-44490
|
2026-06-16 01:31 |
2026-06-12 |
|
74
|
7.5 |
HIGH
Network
|
-
|
-
|
Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed c…
New
|
CWE-78
OS Command
|
CVE-2026-9863
|
2026-06-16 01:16 |
2026-06-16 |
|
75
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to c…
New
|
CWE-78
OS Command
|
CVE-2026-9862
|
2026-06-16 01:16 |
2026-06-16 |
|
76
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This l…
New
|
CWE-346 CWE-441
Origin Validation Error Confused Deputy
|
CVE-2026-9595
|
2026-06-16 01:16 |
2026-06-16 |
|
77
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticat…
New
|
-
|
CVE-2026-9278
|
2026-06-16 01:16 |
2026-06-15 |
|
78
|
3.4 |
LOW
Network
|
-
|
-
|
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from…
New
|
CWE-22
Path Traversal
|
CVE-2026-9062
|
2026-06-16 01:16 |
2026-06-13 |
|
79
|
3.5 |
LOW
Network
|
-
|
-
|
The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, all…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-9061
|
2026-06-16 01:16 |
2026-06-13 |
|
80
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application …
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-8683
|
2026-06-16 01:16 |
2026-06-16 |