|
491
|
5.5 |
MEDIUM
Local
|
apple
|
macos
|
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to access sensitive user data.
New
|
CWE-284
Improper Access Control
|
CVE-2025-43339
|
2026-06-12 21:37 |
2026-06-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
492
|
5.5 |
MEDIUM
Local
|
apple
|
macos
|
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
New
|
CWE-59
Link Following
|
CVE-2025-46293
|
2026-06-12 21:36 |
2026-06-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
493
|
5.3 |
MEDIUM
Network
|
apple
|
ipados
iphone_os
macos
|
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.
New
|
CWE-284
Improper Access Control
|
CVE-2025-46308
|
2026-06-12 21:36 |
2026-06-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
494
|
7.5 |
HIGH
Network
|
apple
|
macos
|
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data.
New
|
CWE-284
Improper Access Control
|
CVE-2025-46315
|
2026-06-12 21:35 |
2026-06-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
495
|
8.1 |
HIGH
Network
|
-
|
-
|
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG …
New
|
CWE-79
CWE-434
Cross-site Scripting
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-46489
|
2026-06-12 20:16 |
2026-06-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
496
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Ap…
New
|
CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
|
CVE-2026-11561
|
2026-06-12 19:16 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
497
|
- |
|
-
|
-
|
QTS, QuTS hero, QuTScloud are not affected.
We have already fixed the vulnerability in the following version:
Update
|
CWE-472
External Control of Assumed-Immutable Web Parameter
|
CVE-2025-59382
|
2026-06-12 11:16 |
2026-06-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
498
|
7.5 |
HIGH
Network
|
nlnetlabs
|
routinator
|
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
Update
|
CWE-755
Improper Handling of Exceptional Conditions
|
CVE-2026-49235
|
2026-06-12 10:37 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
499
|
7.5 |
HIGH
Network
|
nlnetlabs
|
routinator
|
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name …
Update
|
CWE-22
Path Traversal
|
CVE-2026-49233
|
2026-06-12 10:33 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
500
|
7.5 |
HIGH
Network
|
nlnetlabs
|
routinator
|
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes.
This only affects users who allow API access from untrusted n…
Update
|
CWE-20
NVD-CWE-noinfo
Improper Input Validation
|
CVE-2026-49234
|
2026-06-12 10:28 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
