CVE-2026-11849 - IEI Integration Corp|iRM-IEI Remote Management - Hard-coded Credentials
CVE ID :CVE-2026-11849
Published : June 12, 2026, 11:16 a.m. | 2 hours, 16 minutes ago
Description :The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-11849
Published : June 12, 2026, 11:16 a.m. | 2 hours, 16 minutes ago
Description :The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-9266 - Moxa Firmware Missing Required Cryptographic Step Vulnerability
CVE ID :CVE-2026-9266
Published : June 12, 2026, 11:16 a.m. | 2 hours, 16 minutes ago
Description :A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9266
Published : June 12, 2026, 11:16 a.m. | 2 hours, 16 minutes ago
Description :A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-47195 - Quest Bot: Per-channel permission overwrite bypass in purge and slowmode commands.
CVE ID :CVE-2026-47195
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-47195
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-47196 - Quest Bot: Empty automod rule causes every guild message to be deleted
CVE ID :CVE-2026-47196
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-47196
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-47197 - Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands
CVE ID :CVE-2026-47197
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-47197
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-48485 - Quest Bot: Stored warn reasons can still trigger bot-powered mass mentions through `/warns`.
CVE ID :CVE-2026-48485
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-48485
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-49347 - Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown
CVE ID :CVE-2026-49347
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-49347
Published : June 12, 2026, 1:16 p.m. | 15 minutes ago
Description :Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50085 - Aqara Board IoT insecure debug API
CVE ID :CVE-2026-50085
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50085
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50086 - Aqara unauthenticated AES oracle
CVE ID :CVE-2026-50086
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50086
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50087 - Aqara IAM/SSO Gateway cross-origin resource sharing
CVE ID :CVE-2026-50087
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50087
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50088 - Aqara Developer Portal cross-origin resource sharing
CVE ID :CVE-2026-50088
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50088
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50089 - Aqara IAM/SSO Gateway open redirect
CVE ID :CVE-2026-50089
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50089
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50090 - Aqara OAuth redirect_uri validation bypass
CVE ID :CVE-2026-50090
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50090
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50091 - Aqara Home Android SDK hardcoded keys
CVE ID :CVE-2026-50091
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50091
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-50560 - Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
CVE ID :CVE-2026-50560
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50560
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-53568 - Frappe: Stored XSS in Frappe Report/List View via 'set_link_title_field_value'
CVE ID :CVE-2026-53568
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-53568
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-5792 - Authentication Bypass in Related Digital's Related Marketing Cloud (RMC)
CVE ID :CVE-2026-5792
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-5792
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8828 - ChromaDB Authorization Bypass
CVE ID :CVE-2026-8828
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-8828
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-9638 - Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts
CVE ID :CVE-2026-9638
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9638
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-9641 - Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations
CVE ID :CVE-2026-9641
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9641
Published : June 12, 2026, 4:16 p.m. | 1 hour, 18 minutes ago
Description :Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3433 - Mattermost fails to scope role_updated websocket events to authorized team and channel members
CVE ID :CVE-2026-3433
Published : June 12, 2026, 5:16 p.m. | 18 minutes ago
Description :Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3433
Published : June 12, 2026, 5:16 p.m. | 18 minutes ago
Description :Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...