NVD disclosure day

Published threat advisories for June 11, 2026

CVE advisory: CRITICAL

CVE-2026-45060

ClipBucket Blind SQL Injection Vulnerability in actions/progress_video.php

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

ClipBucket, an open-source video sharing platform, has a blind SQL injection vulnerability in its `actions/progress_video.php` endpoint. This allows unauthenticated users to execute SQL queries, potentially leading to the exfiltration of sensitive data.

CVE advisory: CRITICAL

CVE-2026-42846

ClipBucket Remote Play Arbitrary Command Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in ClipBucket's Remote Play feature allows arbitrary command execution via a specially crafted URL. This impacts organizations using ClipBucket v5 for video sharing by potentially enabling command execution on their servers through unauthenticated access.

CVE advisory: CRITICAL

CVE-2026-42647

JoomSport Blind SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical SQL injection vulnerability in JoomSport allows attackers to access sensitive data by sending specially crafted network requests. This could impact the confidentiality and integrity of data managed by the software. Confirm if JoomSport is in use and assess potential exposure.

CVE advisory: CRITICAL

CVE-2026-39494

Product Filter by WBW SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL injection vulnerability in the Product Filter by WBW plugin allows attackers to potentially access sensitive data. If this plugin is in use and reachable, it could lead to data exposure or unauthorized actions. Confirming its presence and exposure is important for risk management.

CVE advisory: CRITICAL

CVE-2026-12027

Chrome Headless Sandbox Escape Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A flaw in Google Chrome's Headless implementation could allow a compromised renderer process to escape the browser's sandbox. This may enable an attacker to affect system data and service behavior via a crafted HTML page. The relevance depends on whether the Headless component is used and exposed.

CVE advisory: CRITICAL

CVE-2026-41005

Cloud Foundry UAA SAML Authentication Bypass via Unsigned Encrypted Assertions

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

Cloud Foundry UAA incorrectly accepts SAML assertions that are encrypted but not signed, potentially allowing authentication bypass. This means an attacker could send forged assertions, leading to unauthorized access, if the affected SAML flows are used and `wantAssertionSigned` is set to false.

CVE advisory: CRITICAL

CVE-2026-49973

Hermes WebUI Improper Access Control Allows Password Takeover

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An improper access control vulnerability in Hermes WebUI allows unauthenticated remote attackers to hijack initial setup by setting an arbitrary password. This can lead to unauthorized session access and lockout of legitimate operators. The vulnerability's relevance and exposure to business operations should be confirm

CVE advisory: CRITICAL

CVE-2026-47174

Duck Site Deploy Workflow Bypass

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A critical vulnerability exists in Duck Site's deployment workflow that could allow an attacker to deploy unmerged code directly to production. This occurs if a pull request meets conditions that trigger the deploy workflow, which runs with elevated permissions. The primary concern is confirming the relevance and expos

CVE advisory: CRITICAL

CVE-2026-47172

Quest Bot Privileged Workflow Allows Malicious Container Deployment

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability exists in Quest Bot's deployment workflow that could allow an attacker to deploy malicious code in a production environment, leading to bot compromise. The issue occurs if an attacker can submit a pull request from a specific branch, potentially enabling the build and deployment of attacker-controlled c

CVE advisory: CRITICAL

CVE-2026-45177

Idira Secrets Manager SaaS Edge Improper Access Control Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

Improper access control in Idira Secrets Manager SaaS Edge may allow unauthenticated attackers to obtain access tokens by manipulating validation mechanisms. While the exact impact and affected data are uncertain, this vulnerability could lead to unauthorized access to sensitive secrets management tokens. Readers shoul

CVE advisory: CRITICAL

CVE-2026-49261

MariaDB Command Execution Vulnerability When wsrep_notify_cmd is Enabled

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

MariaDB server versions may allow shell command execution if the `wsrep_notify_cmd` configuration is enabled. This occurs when commands are embedded in the name of a joining node, potentially leading to unauthorized command execution. Confirming the use of this software and configuration is important for assessing pote

CVE advisory: CRITICAL

CVE-2026-9648

Crypton-x509-validation NameConstraints Bypass Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

The crypton-x509-validation Haskell library has a flaw that could allow TLS clients to accept certificates for domains outside their permitted scope. If reachable, an attacker could impersonate domains, potentially impacting digital trust and identity. It is important to determine if this library is in use and assess i

CVE advisory: CRITICAL

CVE-2026-11839

Rotaban Unrestricted File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability in Rotaban allows uploading dangerous files to a web server, potentially enabling system control. This affects Rotaban versions before V2026.06.003 and requires authenticated, low-privilege access. The impact depends on the application's deployment and network exposure, necessitating verificati

CVE advisory: CRITICAL

CVE-2026-38581

Damasac thaipalliative_lte SQL Injection Vulnerability in ezform.php

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A SQL injection vulnerability exists in the `thaipalliative_lte` web application, allowing unauthenticated remote attackers to execute arbitrary SQL commands. This could lead to unauthorized access, modification, or deletion of sensitive data stored in the database. Confirming the presence and exposure of this technolo

CVE advisory: CRITICAL

CVE-2026-7852

LimRAD NAC Unrestricted File Upload Vulnerability Allows Remote Code Inclusion

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unrestricted file upload vulnerability in LimRAD NAC allows remote code inclusion, potentially enabling unauthorized access and control. This issue poses a risk if the system is reachable, as it could lead to compromised system integrity and arbitrary command execution. Leaders should focus on identifying affected i

CVE advisory: CRITICAL

CVE-2026-11561

Apinizer Expression Language Injection Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An expression language injection vulnerability in Apinizer could permit code injection. If reachable, this flaw could enable an attacker to execute arbitrary code on the affected system. This threat is relevant to organizations using Apinizer, potentially impacting their systems if exploitation occurs.

CVE advisory: CRITICAL

CVE-2026-41699

Spring for GraphQL Unsafe Deserialization Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Spring for GraphQL applications may allow remote code execution through unsafe deserialization when processing paginated GraphQL queries. An attacker could exploit this by sending a crafted request, potentially leading to compromised applications if specific conditions are met.

CVE advisory: Known Exploit

CVE-2026-35273

Oracle PeopleSoft Updates Environment Management Takeover Vulnerability

Halo Surface Signal: 3 out of 5 — possibly public-facing.

A critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools allows unauthenticated attackers with network access to take control of the system via HTTP. This could lead to the compromise of all data and functionalities. Confirmation of affected environments and potential exposure is necessary.

• CISA KEV