|
181
|
8.2 |
HIGH
Network
|
-
|
-
|
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticate…
New
|
CWE-125
CWE-191
Out-of-bounds Read
Integer Underflow (Wrap or Wraparound)
|
CVE-2026-54412
|
2026-06-17 00:36 |
2026-06-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
182
|
8.2 |
HIGH
Network
|
-
|
-
|
driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated atta…
New
|
CWE-125
CWE-191
Out-of-bounds Read
Integer Underflow (Wrap or Wraparound)
|
CVE-2026-54413
|
2026-06-17 00:36 |
2026-06-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
183
|
- |
|
-
|
-
|
syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass t…
New
|
CWE-288
Authentication Bypass Using an Alternate Path or Channel
|
CVE-2026-12225
|
2026-06-17 00:36 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
184
|
- |
|
-
|
-
|
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) acti…
New
|
CWE-38
|
CVE-2026-9507
|
2026-06-17 00:36 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
185
|
- |
|
-
|
-
|
Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 …
Update
|
CWE-863
Incorrect Authorization
|
CVE-2026-42604
|
2026-06-17 00:35 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
186
|
- |
|
-
|
-
|
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker wh…
Update
|
CWE-94
Code Injection
|
CVE-2026-42890
|
2026-06-17 00:35 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
187
|
- |
|
-
|
-
|
Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.
Update
|
CWE-22
Path Traversal
|
CVE-2026-43872
|
2026-06-17 00:35 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
188
|
9.1 |
CRITICAL
Network
|
-
|
-
|
In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server aut…
New
|
CWE-295
Improper Certificate Validation
|
CVE-2026-45388
|
2026-06-17 00:35 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
189
|
9.1 |
CRITICAL
Network
|
-
|
-
|
In OCaml-TLS before 2.1.0, the server implementation does insufficient checks of the certificate provided by the client (when doing client authentication), which allows impersonation with certificate…
New
|
-
|
CVE-2026-45389
|
2026-06-17 00:35 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
190
|
9.1 |
CRITICAL
Network
|
-
|
-
|
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but o…
New
|
CWE-22
Path Traversal
|
CVE-2026-45390
|
2026-06-17 00:35 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
