NVD disclosure day

Published threat advisories for June 10, 2026

CVE advisory: CRITICAL

CVE-2026-46703

Boxlite Arbitrary File Write Leading to Host RCE via Malicious OCI Image

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

Boxlite, a service for running untrusted code, has a vulnerability allowing a malicious container image to write arbitrary files to the host system, potentially leading to remote code execution. This requires a user to load the crafted image, and the issue is patched in version 0.9.0.
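The file-write primitive described above comes from the extractor trusting what an image layer says about itself: an OCI layer is a tar archive, and a hostile layer can carry entries whose names climb out of the rootfs, absolute names, symlinks that point outside and then files written through them, or device nodes. The following is an added example, not Boxlite's code, of the validation a layer extractor should run before it writes anything; the entry names and the cron/ld.so.preload targets in the sample layers are constructed test data, and the policy of never extracting through a symlink is a design choice made here, not something the advisory states.

```python
import io
import posixpath
import tarfile


def build_layer(entries):
    """Constructed test data: build an in-memory tar layer from
    (name, kind, payload) tuples, as an OCI image layer would be packed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
                continue
            info.type = {"dir": tarfile.DIRTYPE, "symlink": tarfile.SYMTYPE,
                         "blockdev": tarfile.BLKTYPE}[kind]
            if kind == "symlink":
                info.linkname = payload
            tar.addfile(info)
    return buf.getvalue()


def _escapes(rel):
    """True if a normalized rootfs-relative path is absolute or climbs above the rootfs."""
    return posixpath.isabs(rel) or rel == ".." or rel.startswith("../")


def _through_symlink(rel, links):
    """True if any proper prefix of rel ('a', 'a/b' for 'a/b/c') is a known symlink."""
    parts = rel.split("/")
    return any("/".join(parts[:i]) in links for i in range(1, len(parts)))


def check_layer(layer_bytes, links=None):
    """Validate one layer before anything is written to disk.

    `links` carries symlinks declared by earlier layers (path -> target), so a
    later layer cannot write through a link a previous layer planted.
    Returns (rejected, links): rejected is a list of (member name, reason)."""
    links = dict(links or {})
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for m in tar.getmembers():
            rel = posixpath.normpath(m.name)
            if _escapes(rel):
                rejected.append((m.name, "path escapes rootfs"))
            elif _through_symlink(rel, links):
                rejected.append((m.name, "path passes through a symlink"))
            elif m.ischr() or m.isblk():
                rejected.append((m.name, "device node"))
            elif m.issym():
                target = m.linkname
                if not posixpath.isabs(target):
                    # Relative targets resolve against the link's own directory.
                    target = posixpath.normpath(posixpath.join(posixpath.dirname(rel), target))
                    if _escapes(target):
                        rejected.append((m.name, "symlink target escapes rootfs"))
                        continue
                # Absolute targets are taken as rootfs-internal (chroot semantics); they are
                # harmless only because nothing is ever extracted through a link.
                links[rel] = target
            elif m.islnk():
                target = posixpath.normpath(m.linkname)
                if _escapes(target) or target in links or _through_symlink(target, links):
                    rejected.append((m.name, "hardlink target is outside rootfs or via a symlink"))
    return rejected, links


# Constructed sample layers: BENIGN is what an ordinary layer looks like, HOSTILE
# carries the entry types a malicious image would use to reach the host.
BENIGN = build_layer([
    ("etc/", "dir", None),
    ("etc/motd", "file", "welcome\n"),
    ("usr/bin/sh", "symlink", "../../bin/busybox"),
])
HOSTILE = build_layer([
    ("../../../etc/cron.d/pwn", "file", "* * * * * root /bin/sh /tmp/x\n"),
    ("/etc/ld.so.preload", "file", "/tmp/evil.so\n"),
    ("tmp/escape", "symlink", "../../.."),
    ("tmp/link", "symlink", "/etc"),
    ("tmp/link/payload", "file", "written through the link\n"),
    ("dev/sda", "blockdev", None),
])

if __name__ == "__main__":
    _, seen = check_layer(BENIGN)
    for member, reason in check_layer(HOSTILE, seen)[0]:
        print(f"reject {member!r}: {reason}")
```

Two points worth noting when adapting this: the check must run against the symlinks from every earlier layer (that is what the `links` argument carries), and it must be applied before extraction rather than by post-checking `realpath` of written files, since by then a write through a link has already landed on the host.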

CVE advisory: CRITICAL

CVE-2026-46695

Boxlite Container Remount Vulnerability Allows Arbitrary Write Access

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in the Boxlite sandbox service allows malicious code within a container to gain unauthorized write access to read-only directories by remounting them. This could compromise the integrity of the sandbox environment. The relevance and exposure of this issue should be confirmed.

CVE advisory: CRITICAL

CVE-2026-50638

Metrics::Any::Adapter::DogStatsd Metric Injection Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the Perl metrics library Metrics::Any::Adapter::DogStatsd allows metric injection and tag manipulation because metric names and tag values are not sufficiently validated before they are emitted. Attacker-influenced input can therefore forge or corrupt collected metrics, leading to inaccurate reporting. Whether the library receives untrusted input in internal systems should be confirmed.
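The DogStatsD wire format separates fields with `|`, tags with `,` and metrics with newlines, so any of those characters arriving in a metric name or tag value changes what the receiving agent records. The following is an added illustration of that injection class and of a validating formatter; it is written in Python rather than Perl and is not the library's code. The attacker string and the metric names are constructed, and the character sets accepted by the hardened formatter are a deliberately conservative choice made here, tighter than what DogStatsD itself tolerates.

```python
import re

# Conservative alphabets: anything that can carry '\n', '|', ',', '#' or ':' can
# change the meaning of the datagram, so none of those are allowed through.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]{0,199}")
_TAG_RE = re.compile(r"[A-Za-z0-9_.\-/]{1,200}")
_TYPES = {"c", "g", "ms", "h", "s", "d"}


def format_vulnerable(name, value, mtype, tags):
    """What a naive adapter does: concatenate caller input straight into the datagram."""
    tagstr = ",".join(f"{k}:{v}" for k, v in tags.items())
    return f"{name}:{value}|{mtype}|#{tagstr}"


def format_metric(name, value, mtype, tags):
    """Hardened formatter: only a plain metric name, a numeric value, a known
    type and tag keys/values from a safe alphabet are accepted."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise ValueError(f"bad metric name {name!r}")
    if mtype not in _TYPES:
        raise ValueError(f"bad metric type {mtype!r}")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"value must be numeric, got {value!r}")
    for k, v in tags.items():
        if not (_TAG_RE.fullmatch(str(k)) and _TAG_RE.fullmatch(str(v))):
            raise ValueError(f"bad tag {k!r}:{v!r}")
    tagstr = ",".join(f"{k}:{v}" for k, v in tags.items())
    return f"{name}:{value}|{mtype}" + (f"|#{tagstr}" if tagstr else "")


def parse_packet(packet):
    """Minimal DogStatsD parser, i.e. the receiving agent's view of the datagram:
    one metric per line, fields split on '|', tags in the field starting with '#'."""
    metrics = []
    for line in packet.split("\n"):
        if not line:
            continue
        fields = line.split("|")
        name, _, value = fields[0].partition(":")
        tags = [t for f in fields[2:] if f.startswith("#") for t in f[1:].split(",")]
        metrics.append({"name": name, "value": value,
                        "type": fields[1] if len(fields) > 1 else "", "tags": tags})
    return metrics


# Constructed attacker input: a tag value (imagine it copied from a request header)
# that terminates the genuine metric and appends a forged one.
MALICIOUS_TAG = "staging\npayments.failed:0|g|#env:prod"

if __name__ == "__main__":
    forged = format_vulnerable("app.requests", 1, "c", {"env": MALICIOUS_TAG})
    for m in parse_packet(forged):
        print(m)  # two metrics; the second one never happened
    try:
        format_metric("app.requests", 1, "c", {"env": MALICIOUS_TAG})
    except ValueError as e:
        print("rejected:", e)
```

The parser is included so the effect is visible end to end: the vulnerable formatter produces a datagram the agent reads as two metrics, the second of which (`payments.failed` at 0 in `env:prod`) is entirely attacker-authored.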

CVE advisory: CRITICAL

CVE-2026-50566

Fission Kubernetes Serverless Framework Privilege Escalation Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A critical vulnerability in the Fission Kubernetes serverless framework allows authenticated users with specific RBAC permissions to run privileged containers. This could enable container escape, granting access to the host filesystem and network, potentially leading to node or cluster compromise.

CVE advisory: CRITICAL

CVE-2026-50564

Fission Environment CRD Privilege Escalation Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A vulnerability in the Fission serverless framework allows a low-privilege attacker with limited Kubernetes cluster access to potentially escalate privileges. By manipulating Fission's Environment Custom Resource Definition, an attacker could gain elevated access, leading to compromise of cluster resources and sensitiv

CVE advisory: CRITICAL

CVE-2026-50563

Fission Container Executor PodSpec Injection Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in Fission, a Kubernetes-native serverless framework, allows authenticated users to inject malicious specifications into container execution. This could lead to unauthorized code execution or access to cluster resources. The issue is present in versions prior to 1.24.0, and has been patched in

CVE advisory: CRITICAL

CVE-2026-50545

Fission Environment PodSpec Passthrough Vulnerability

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A security flaw in the open-source Fission framework, used for deploying serverless functions on Kubernetes, allows an authenticated attacker to inject dangerous fields into generated pods. This could lead to unauthorized access, data compromise, and service disruption. Organizations using Fission should verify if thei
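The four Fission entries above (privileged containers via RBAC, Environment CRD privilege escalation, container executor PodSpec injection, and Environment PodSpec passthrough) share one shape: a user-supplied pod spec, or fragments of one, reaches the generated pod without the dangerous fields being stripped. The scanner below is an added audit aid, not Fission's code or an official tool: it flags the PodSpec fields that matter for container escape (host namespaces, hostPath volumes, privileged, capability additions, unmasked procMount) in any PodSpec-shaped object. The assumption that Environment objects carry those specs at `spec.runtime.podspec` and `spec.builder.podspec` is mine, made from memory of the Fission Environment CRD; check it against the CRD in your cluster before relying on the output. The two sample Environment objects are constructed.

```python
import json
import sys

# Capabilities that, once added, give a well-trodden path from a container to the node.
HOST_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "SYS_BOOT",
             "SYS_CHROOT", "NET_ADMIN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "MKNOD",
             "BPF", "PERFMON"}


def podspec_findings(spec):
    """Return human-readable findings for settings in a Kubernetes PodSpec that
    weaken container isolation. Works on any PodSpec-shaped dict."""
    findings = []
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(f"{key}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['hostPath'].get('path')!r}")
    for section in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(section) or []:
            sc = c.get("securityContext") or {}
            where = f"{section}/{c.get('name', '?')}"
            if sc.get("privileged"):
                findings.append(f"{where}: privileged")
            if sc.get("allowPrivilegeEscalation"):
                findings.append(f"{where}: allowPrivilegeEscalation")
            added = set((sc.get("capabilities") or {}).get("add") or [])
            if added & HOST_CAPS:
                findings.append(f"{where}: adds capabilities {sorted(added & HOST_CAPS)}")
            if sc.get("procMount") == "Unmasked":
                findings.append(f"{where}: procMount=Unmasked")
    return findings


# Assumption (mine, not from the advisory): Fission's Environment CRD exposes
# operator-supplied pod specs at these two locations. Verify with
# `kubectl explain environment.spec.runtime` against your installed CRD.
PODSPEC_PATHS = (("runtime", "podspec"), ("builder", "podspec"))


def scan_environments(items):
    """Scan Environment objects; return (namespace/name, location, findings) for
    every embedded pod spec that carries something dangerous."""
    results = []
    for env in items:
        meta = env.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for path in PODSPEC_PATHS:
            node = env.get("spec", {})
            for p in path:
                node = node.get(p) if isinstance(node, dict) else None
            if not node:
                continue
            findings = podspec_findings(node)
            if findings:
                results.append((ident, "spec." + ".".join(path), findings))
    return results


# Constructed sample objects, shaped like items from `kubectl get environments -o json`.
ENV_OK = {"metadata": {"name": "python", "namespace": "default"},
          "spec": {"runtime": {"image": "fission/python-env"}}}
ENV_BAD = {"metadata": {"name": "python-escape", "namespace": "default"},
           "spec": {"runtime": {"image": "fission/python-env", "podspec": {
               "hostPID": True,
               "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
               "containers": [{"name": "python", "securityContext": {
                   "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}

if __name__ == "__main__":
    # Real input: kubectl get environments.fission.io -A -o json | python3 scan.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else [ENV_OK, ENV_BAD]
    for ident, where, findings in scan_environments(items):
        print(ident, where, "; ".join(findings))
```

`podspec_findings` is deliberately independent of Fission so it can also be pointed at the pods the executor actually created (`kubectl get pods -o json`), which is the ground truth for whether a passthrough reached the node. Pod Security Admission at the `restricted` level blocks every field flagged here; if it is not enforced in the namespaces where Fission runs function pods, the RBAC fix on its own leaves no backstop.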

CVE advisory: CRITICAL

CVE-2026-46614

Fission Router Insecure Function Invocation Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in the Fission serverless framework allows unauthenticated callers to invoke any function by guessing its name and namespace, bypassing intended access controls. This bypass occurs because the Fission router registers internal routes for all functions, regardless of HTTP triggers. If the router

CVE advisory: CRITICAL

CVE-2026-20253

Splunk File Truncation and Creation Vulnerability in PostgreSQL Sidecar Service

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated network-reachable user can create or truncate arbitrary files via a PostgreSQL sidecar service endpoint in Splunk Enterprise and Splunk Cloud Platform. This could impact system integrity and availability, necessitating an assessment of affected deployments and their reachability.

CVE advisory: CRITICAL

CVE-2026-53474

SQL Injection in migration-planner Allows File Reading and Environment Compromise

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical SQL injection vulnerability exists in migration-planner, allowing authenticated users to upload malicious spreadsheets that execute embedded SQL commands. This can lead to arbitrary file reading, potentially exposing sensitive credentials and compromising the SaaS environment.

CVE advisory: CRITICAL

CVE-2026-53470

Migration-Planner Improper Access Control Allows Sensitive Image Download

Halo Surface Signal: 3 out of 5 — possibly public-facing.

An improper access control vulnerability in migration-planner's API allows an authenticated attacker to download sensitive OVA images belonging to other users, potentially exposing agent tokens and source configurations. This could lead to unauthorized access and modification of victim sources.

CVE advisory: CRITICAL

CVE-2026-45558

Roxy-WI HAProxy Configuration Injection Leads to Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Roxy-WI, a web interface for managing network servers, contains a vulnerability allowing an authenticated user to inject arbitrary HAProxy directives. This can lead to remote code execution on load balancers by executing commands as the HAProxy user during health checks, as input is not properly validated before config
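The mechanism in the entry above is config injection: a field such as a server name is interpolated into the HAProxy configuration, so a value containing a newline starts a new directive, and `external-check command` is the directive that makes HAProxy run a program on each health check. The following is an added example, not Roxy-WI's code, showing the vulnerable rendering pattern next to a validating renderer; the backend and server names, the address and the `/tmp/pwn.sh` path are constructed, and the accepted character set for names is a choice made here, tighter than what HAProxy permits.

```python
import ipaddress
import re

_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def render_backend_vulnerable(backend, servers):
    """The pattern behind this bug class: user-controlled fields go straight into
    the template, so a newline inside a field starts a new directive."""
    lines = [f"backend {backend}"]
    for name, addr, port in servers:
        lines.append(f"    server {name} {addr}:{port} check")
    return "\n".join(lines) + "\n"


def validate_server(name, addr, port):
    """Allow only a plain identifier, an IP literal or hostname, and a port number."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise ValueError(f"bad server name {name!r}")
    if not isinstance(addr, str):
        raise ValueError(f"bad address {addr!r}")
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        if len(addr) > 253 or not _HOST_RE.fullmatch(addr):
            raise ValueError(f"bad address {addr!r}") from None
    # int() silently accepts '80\n' and ' 80', so check the text before converting.
    if isinstance(port, bool) or not (
        isinstance(port, int) or (isinstance(port, str) and port.isascii() and port.isdigit())
    ):
        raise ValueError(f"bad port {port!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range {port}")
    return name, addr, port


def render_backend(backend, servers):
    """Hardened renderer: every field is validated before it reaches the template."""
    if not isinstance(backend, str) or not _NAME_RE.fullmatch(backend):
        raise ValueError(f"bad backend name {backend!r}")
    lines = [f"backend {backend}"]
    for name, addr, port in (validate_server(*s) for s in servers):
        lines.append(f"    server {name} {addr}:{port} check")
    return "\n".join(lines) + "\n"


def directives(config_text):
    """First keyword of each non-empty line: what HAProxy will actually parse."""
    return [line.split()[0] for line in config_text.splitlines() if line.strip()]


# Constructed attacker input for the server-name field. `external-check command`
# makes HAProxy run a program on every health check, which is the primitive the
# advisory describes.
MALICIOUS_NAME = ("web1\n"
                  "    option external-check\n"
                  "    external-check command /tmp/pwn.sh\n"
                  "    server web1b")

if __name__ == "__main__":
    print(render_backend_vulnerable("app", [(MALICIOUS_NAME, "10.0.0.5", 8080)]))
    try:
        render_backend("app", [(MALICIOUS_NAME, "10.0.0.5", 8080)])
    except ValueError as e:
        print("rejected:", e)
```

`directives` makes the injection visible: the vulnerable render of a single "server" yields five directives, two of which the user never had a form field for. Validation belongs on the input, not on the rendered text; a blocklist of directive names after rendering misses the next dangerous keyword, and the fact that recent HAProxy releases only honour external checks when a global switch enables them is a backstop, not a substitute.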

CVE advisory: CRITICAL

CVE-2026-45556

Roxy-WI Arbitrary File Write Leading to Root RCE

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Roxy-WI, a web interface for managing servers, allows an attacker to write arbitrary files to any location on the system. This can lead to the execution of commands with root privileges, potentially resulting in a complete compromise of affected load balancers and impacting the services they manage.

CVE advisory: CRITICAL

CVE-2026-45552

Roxy-WI Insecure Access Allows Tenant Data Compromise

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Roxy-WI, a web interface for managing servers, has a vulnerability in which any logged-in user can install or reconfigure components on any server recorded in Roxy-WI's database, not only the servers that user is authorized to manage. This bypasses the intended access controls and allows unauthorized modification of other tenants' server functions and data. Organizations using Roxy-WI should assess their expos

CVE advisory: CRITICAL

CVE-2026-45550

Roxy-WI Unauthorized Monitoring Check Modification

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Roxy-WI, a web interface for managing server infrastructure, contains a vulnerability that allows authenticated users to silently modify the monitoring checks of other tenants. This could disrupt service availability or lead to unauthorized changes to critical monitoring configurations. A patch is not yet publicly avai

CVE advisory: CRITICAL

CVE-2025-6254

Doctor WordPress Plugin Flaw Lets Users Become Admins

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

The Doctreat Core WordPress plugin has a critical vulnerability allowing unauthenticated users to gain administrator privileges by exploiting its registration function, potentially leading to full site compromise. This issue is reachable from the internet, making it a significant concern for sites using the plugin.

CVE advisory: CRITICAL

CVE-2026-9067

Schema & Structured Data for WP & AMP WordPress Unauthenticated Arbitrary File Upload

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

The Schema & Structured Data for WP & AMP WordPress plugin has a vulnerability in its file-upload handling that allows unauthenticated users to upload files of any type, bypassing the intended restrictions. This could lead to unauthorized code execution on the site. The plugin's relevance and exposure should be confirmed.

CVE advisory: CRITICAL

CVE-2025-66276

QNAP QTS Remote Code Execution Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical remote code execution vulnerability exists in QNAP QTS, a network-attached storage operating system. If reachable, this flaw could allow an unauthenticated attacker to gain unauthorized control of affected systems, impacting data confidentiality, integrity, and availability. Confirmation of exposure and prom