CVE-2024-30476 - Dell PowerStore Stored Cross-Site Scripting
CVE ID: CVE-2024-30476
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, which could lead to script execution in the client browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-38487 - API Gateway Container Privilege Escalation
CVE ID: CVE-2024-38487
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: The api-gateway container running with root privilege would allow an attacker to escape the container and access the host system to perform unintended actions.
Severity: 7.0 | HIGH
CVE-2025-71261 - Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
CVE ID: CVE-2025-71261
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: An attacker with network-level access between the SUSE Virtualization and Rancher Manager in SUSE Harvester before 1.8.0 could interfere with the TLS handshake and abuse it to bypass TLS as a security control.
Severity: 8.6 | HIGH
CVE-2026-10649 - Pacemaker: pacemaker: denial of service via integer overflow in remote message decompression
CVE ID: CVE-2026-10649
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.
Severity: 8.6 | HIGH
CVE-2026-12003 - CPython >3.11 Insecure Input Validation resulting in privilege escalation
CVE ID: CVE-2026-12003
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources.
Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
Severity: 5.3 | MEDIUM
CVE-2026-12412 - Rejected reason: loading template...
CVE ID: CVE-2026-12412
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: Rejected reason: loading template...
Severity: 0.0 | NA
CVE-2026-24155 - NVIDIA NeMo Code Injection
CVE ID: CVE-2026-24155
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Severity: 7.8 | HIGH
CVE-2026-24228 - NVIDIA NeMo Framework Deserialization Vulnerability
CVE ID: CVE-2026-24228
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.
Severity: 7.8 | HIGH
CVE-2026-39926 - Rejected reason: This CVE ID has been rejected or
CVE ID: CVE-2026-39926
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
CVE-2026-39927 - Rejected reason: This CVE ID has been rejected or
CVE ID: CVE-2026-39927
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
CVE-2026-42089 - yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
CVE ID: CVE-2026-42089
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
Severity: 8.6 | HIGH
CVE-2026-44932 - indirect remote shell command injection via unsanitized DHCP options in wicked
CVE ID: CVE-2026-44932
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: Passing of unsanitized strings from DHCP replies into the wicked DHCP client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
Severity: 8.8 | HIGH
CVE-2026-53776 - Perry < 0.5.1166 JWT Expiration Bypass via verify_decode
CVE ID: CVE-2026-53776
Published: June 16, 2026, 5:16 p.m. | 43 minutes ago
Description: Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
Severity: 9.3 | CRITICAL
CVE-2026-39580 - WordPress Micdrop theme <= 1.3.1 - PHP Object Injection vulnerability
CVE ID: CVE-2026-39580
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
Severity: 8.1 | HIGH
CVE-2026-40736 - WordPress Laurits theme <= 1.5.1 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40736
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
Severity: 8.1 | HIGH
CVE-2026-40739 - WordPress LuxeDrive theme <= 1.4 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40739
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
Severity: 8.1 | HIGH
CVE-2026-40751 - WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40751
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
Severity: 8.1 | HIGH
CVE-2026-40754 - WordPress Roisin theme <= 1.4 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40754
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
Severity: 8.1 | HIGH
CVE-2026-40755 - WordPress TechLink theme <= 1.3 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40755
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Severity: 8.1 | HIGH
CVE-2026-40758 - WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40758
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Severity: 8.1 | HIGH
CVE-2026-40759 - WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability
CVE ID: CVE-2026-40759
Published: June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description: Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Severity: 8.1 | HIGH