|
61
|
8.8 |
HIGH
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-7387
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
62
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_se…
New
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-7184
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
63
|
7.6 |
HIGH
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sy…
New
|
CWE-22
Path Traversal
|
CVE-2026-6961
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
64
|
6.7 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows aut…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-6739
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
65
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creati…
New
|
CWE-862
Missing Authorization
|
CVE-2026-6689
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
66
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allo…
New
|
CWE-200
Information Exposure
|
CVE-2026-6046
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
67
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Capgo Console prior to 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account d…
New
|
CWE-284
Improper Access Control
|
CVE-2026-53982
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
68
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-cod…
New
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2026-50091
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
69
|
9.3 |
CRITICAL
Network
|
-
|
-
|
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper…
New
|
CWE-1289
Improper Validation of Unsafe Equivalence in Input
|
CVE-2026-50090
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
70
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:…
New
|
CWE-601
Open Redirect
|
CVE-2026-50089
|
2026-06-13 02:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
