Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize…
Jun 17, 2026
Jun 18, 2026
Jun 17, 2026
Jun 18, 2026
CVE-2026-48055
— Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle…
Remote
|
Path Traversal
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-47340
— Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated us…
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before…
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-47277
— Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoin…
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-45436
— WordPress WPBakery Page Builder plugin <= 8.7.2 - Broken Access Control vulnerability
Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions.
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-44587
— CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causin…
Jun 17, 2026
Jun 18, 2026
Jun 17, 2026
Jun 18, 2026
CVE-2026-42629
— WordPress PowerPack Pro for Elementor plugin < v2.13.0 - Broken Authentication vulnerabil…
Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-42385
— WordPress Profile Builder Pro plugin <= 3.15.0 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-42380
— WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-42357
— Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access wor…
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
This issue affects Apache DolphinScheduler ver…
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-41557
— WordPress Kapee theme < 1.7.1 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.
Remote
|
Cross-Site Scripting
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-41280
— Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system l…
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
This issue affects Apache DolphinScheduler versions prior to 3.4.2…
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40783
— WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerabil…
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40768
— WordPress Salon booking system plugin <= 10.30.24 - Insecure Direct Object References (ID…
Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40765
— WordPress collectchat plugin <= 2.4.9 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions.
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40761
— WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40760
— WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40759
— WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40758
— WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
CVE-2026-40755
— WordPress TechLink theme <= 1.3 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Remote
|
Injection
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Jun 17, 2026