Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload

Impact Any baileys session under the latest version false in socket config. There are no workarounds for the app state sync jamming...

Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin

On June 2nd, 2026, we received a submission for a critical Unauthenticated Authentication Bypass vulnerability in UpdraftPlus, a WordPress plugin with more than 3 million active installations. Although the plugin has such a large install base, the vulnerability is only exploitable on sites that...

ROOT-APP-NPM-CVE-2026-0000 CVE-2026-0000 in @rootio/react-leaflet-heatmap-layer - Patched by Root

Root has patched CVE-2026-0000 in the @rootio/react-leaflet-heatmap-layer package for Root:npm. Multiple fixed versions available...

ROOT-OS-DEBIAN-11-CVE-2026-34000 CVE-2026-34000 in rootio-xorg-server - Patched by Root

Root has patched CVE-2026-34000 in the rootio-xorg-server package for Root:Debian:11. Multiple fixed versions available...

CVE-2026-25089

creationtimestamp| type| source ---|---|--- 2026-06-10 05:00:00+00:00| seen| https://www.cert.se/2026/06/patchtisdag-juni-2026-samlad-information-om-manadens-sakerhetsuppdateringar.html 2026-06-10 09:00:04+00:00| published-proof-of-concept| Telegram/ZHpMnVOz2cJfIOonPjLT3mqz43XsQAtrT-ty2tkYMtXDqE...

CVE-2025-62850 QuTS hero

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the...

PT-2026-48365

Name of the Vulnerable Software and Affected Versions File Station versions prior to 5.5.6.5208 Description A NULL pointer dereference allows a remote attacker with a user account to launch a denial-of-service DoS attack. A NULL pointer dereference occurs when a program attempts to read or write ...

PT-2026-48544

Name of the Vulnerable Software and Affected Versions Baileys versions prior to 6.7.22 Baileys versions prior to 7.0.0-rc12 Description An authentication-bypass-by-spoofing flaw allows a remote unauthenticated attacker to send a maliciously crafted protocolMessage payload via the...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in dompurify-3.2.6.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in dompurify-3.2.6.tgz Vulnerability Details CVEID:CVE-2026-41238 DESCRIPTION: DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype...

CVE-2026-46479 Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2...

CVE-2026-45776

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD...

CVE-2026-42539

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch...

CVE-2026-42538

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another...

Photon OS 5.0: Dnsmasq PHSA-2026-5.0-0866

An update of the dnsmasq package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0866. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

CVE-2026-45779

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and...

CVE-2026-5803

A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request...

CVE-2026-10661

A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blendermcp/server.py. The manipulation of the argument inputimageurl leads to injection. Remote exploitation of the attack is possible. The exploit...

CVE-2026-45739

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer , the value...

CVE-2026-5831

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminalexecute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading ...

CVE-2026-46356

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...