Active threats

19508

High risk

10536

Event feed
CVE-2026-48558
2026-06-29
SimpleHelp (SimpleHelp)
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
CVSS 10.0 0.7%
CVE-2026-12569
2026-06-25
Windchill and FlexPLM (PTC)
PTC Windchill and FlexPLM contain an improper input validation vulnerability allowing an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.
CVSS 9.8 1.1%
CVE-2026-20230
2026-06-25
Unified Communications Manager (Cisco)
Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could be used later to elevate to root.
CVSS 8.6 41.7%
CVE-2025-67038
2026-06-23
EDS5000 (Lantronix)
Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
CVSS 9.8 1.1%
CVE-2026-34910
2026-06-23
UniFi OS (Ubiquiti)
Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.
CVSS 10.0 78.6%
CVE-2026-34909
2026-06-23
UniFi OS (Ubiquiti)
Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
CVSS 10.0 2.3%
CVE-2026-34908
2026-06-23
UniFi OS (Ubiquiti)
Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.
CVSS 10.0 2.5%
CVE-2026-20253
2026-06-18
Enterprise (Splunk)
Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
CVSS 9.8 88.2%
CVE-2026-48907
2026-06-16
Joomla Content Editor (Widget Factory)
Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.
CVSS 9.8 80.4%
CVE-2026-54420
2026-06-15
cPanel Plugin (LiteSpeed)
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
CVSS 8.5 1.3%
CVE-2026-20262
2026-06-15
Catalyst SD-WAN Manager (Cisco)
Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
CVSS 6.5 7.7%
CVE-2026-35273
2026-06-12
PeopleSoft Enterprise PeopleTools (Oracle)
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to take over PeopleSoft Enterprise PeopleTools.
CVSS 9.8 92.3%
CVE-2026-10520
2026-06-11
Sentry (Ivanti)
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
CVSS 10.0 98.9%
CVE-2026-11645
2026-06-09
Chromium V8 (Google)
Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVSS 8.8 1.7%
CVE-2026-7473
2026-06-09
Extensible Operating System (Arista)
Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulates and forwards other unexpected tunneled packets with a destination IP matching its configured decapsulation IP.
CVSS 5.8 0.8%
CVE-2026-20245
2026-06-09
Catalyst SD-WAN Manager (Cisco)
Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
CVSS 7.8 9.9%
CVE-2026-42271
2026-06-08
LiteLLM (BerriAI)
BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.
CVSS 8.8 75.0%
CVE-2026-50751
2026-06-08
Security Gateway (Check Point)
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
CVSS 9.3 71.1%
CVE-2026-28318
2026-06-05
Serv-U (SolarWinds)
SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication.
CVSS 7.5 10.7%
CVE-2026-45247
2026-06-03
Mirasvit Full Page Cache Warmer (Mirasvit)
Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.
CVSS 9.8 27.5%