Published threat advisories for June 12, 2026

An authenticated editor can exploit a flaw in ApostropheCMS, a Node.js content management system, to bypass authorization checks. This prototype pollution vulnerability could allow unauthenticated users to access sensitive content or features for the duration of the application process, impacting internet-facing conten

NVD published: June 12, 2026

A critical vulnerability in Nezha Monitoring allows unauthenticated access to sensitive configuration files by exploiting improper URL handling. This could lead to the disclosure of private system details if the monitoring tool is reachable. This issue has been patched in version 2.0.13.

NVD published: June 12, 2026

Nezha Monitoring, a server management tool, contains a critical vulnerability allowing a user with RoleMember access to execute arbitrary commands across all servers within the system, including those of other tenants. This could lead to widespread system compromise and operational disruption. This issue is resolved in

NVD published: June 12, 2026

A vulnerability in the `sanitize-html` library, used by ApostropheCMS, can allow attacker-controlled content within an `xmp` element to be rendered as live HTML or JavaScript. This bypasses intended security, potentially leading to stored cross-site scripting if unsanitized user input is displayed to others. The issue

NVD published: June 12, 2026

A vulnerability in Naxclow devices allows attackers to obtain a persistent relay credential. This credential, which is re-issued on each boot and never rotates, enables long-term impersonation or interception of device communications, even after resets. Organizations should confirm if they use affected Naxclow devices

NVD published: June 12, 2026

A vulnerability in Naxclow devices allows attackers to forge requests and impersonate devices or accounts by exploiting a hard-coded salt and unencrypted control traffic. This could enable unauthorized operations across the platform.

NVD published: June 12, 2026

A critical authentication bypass vulnerability in SimpleHelp's OIDC flow allows unauthenticated attackers to forge identity tokens, gaining unauthorized technician access and potentially bypassing multi-factor authentication. This issue requires immediate attention to confirm relevance and exposure within your environm

NVD published: June 12, 2026

Aqara Home Android applications and white-label clients using the same SDK contain hard-coded cryptographic keys, which could allow attackers to access or modify sensitive data. This vulnerability is critical and requires verifying if the affected technology is relevant and exposed within the environment.

NVD published: June 12, 2026

A vulnerability in Aqara Cloud's OAuth authorization endpoint allows redirect bypass due to lax domain matching, potentially enabling attackers to redirect users to malicious sites and compromise sensitive information.

NVD published: June 12, 2026

The Aqara IAM/SSO gateway has a vulnerability that allows unauthenticated parties to perform cryptographic operations, potentially leading to unauthorized access. This is because it exposes AES encryption/decryption functions without requiring authentication. Organizations should confirm if this gateway is relevant to

NVD published: June 12, 2026

A critical authorization vulnerability exists in the Aqara Cloud Production API, where a valid developer token can grant access to any account. This "missing authorization" flaw (CWE-862) could allow unauthorized account access and, when combined with other vulnerabilities, potentially lead to a complete remote takeove

NVD published: June 12, 2026

A hard-coded OAuth client credential in the Aqara IAM/SSO Gateway could allow unauthenticated remote takeover of devices, especially when combined with other vulnerabilities. This critical flaw exposes a potential entry point for attackers.

NVD published: June 12, 2026

A code injection vulnerability in ChromaDB allows an authenticated attacker with specific permissions to execute arbitrary code on the server by sending a malicious model repository. This could impact server integrity and availability.

NVD published: June 12, 2026

An improper restriction of excessive authentication attempts vulnerability in the Pause+ Mobile App allows for authentication bypass. If reachable, this could lead to unauthorized access to the application's functions and potentially sensitive information. It is important to determine if this mobile app is deployed and

NVD published: June 12, 2026

An unauthenticated arbitrary file upload vulnerability exists in Amasty Order Attributes for Magento 2, allowing attackers to place any file type on the server. This could lead to remote code execution if the media directory allows PHP execution, or enable malware hosting and cross-site scripting.

NVD published: June 12, 2026

A critical vulnerability in the Node.js vm2 library allows arbitrary code execution in the host process when untrusted code is executed with async support. This sandbox escape occurs when a Promise interacts with certain JavaScript APIs, breaking the security boundary. Applications using the affected vm2 versions could

NVD published: June 12, 2026

The vm2 Node.js sandbox library has a critical vulnerability allowing code to escape its sandbox and execute arbitrary commands on the host system. This could impact system data and service behavior if an attacker can reach and exploit it, making it important to confirm if this technology is in use and exposed within y

NVD published: June 12, 2026

A vulnerability in the vm2 Node.js sandboxing library allowed sandboxed code to execute commands on the host system by bypassing restrictions on certain Node.js built-ins. This could lead to compromise of the underlying application or infrastructure. The issue has been patched in version 3.11.4.

NVD published: June 12, 2026

A vulnerability in the vm2 Node.js sandbox allows bypassing security checks, potentially enabling code execution. This issue arises from a flawed strict equality check that can be circumvented, leading to unintended configurations. Readers should confirm if their Node.js applications use vm2 and are affected by this by

NVD published: June 12, 2026

A critical vulnerability in the Node.js vm2 sandbox library allows attackers to escape the sandbox and execute arbitrary code by manipulating JavaScript's `Buffer` object and Node.js's error handling. This could impact system integrity if the library is used in deployed applications.

NVD published: June 12, 2026

The Yarbo mobile applications contain hard-coded credentials that provide access to cloud MQTT brokers. These brokers carry real-time telemetry for the global Yarbo robot fleet, and the credentials allow unauthorized subscription to telemetry and publishing of commands to any robot. This vulnerability is critical becau

NVD published: June 12, 2026

The iRM-IEI Remote Management system contains hard-coded credentials, allowing unauthenticated remote attackers to gain administrative privileges on its database. This vulnerability could expose sensitive data and compromise system integrity. Identification of affected systems and their reachability is crucial.

NVD published: June 12, 2026

A JNDI Injection vulnerability in Apache CXF's JCA integration module could allow for code execution. This is a critical vulnerability that could be exploited if an attacker can manipulate JCA deployment descriptors or runtime parameters. The main concern is confirming relevance and exposure to this vulnerability.

NVD published: June 12, 2026

An improper input validation vulnerability in UniFi OS devices allows a low-privilege network attacker to execute commands, potentially compromising the device. This issue is critical due to the common use of UniFi OS for network management and control, which may expose these devices to reachability.

NVD published: June 12, 2026

An improper input validation vulnerability in certain UniFi OS devices can be exploited by a low-privilege attacker with network access to escalate privileges, potentially leading to unauthorized control and data access. The relevance and exposure of affected devices require confirmation.

NVD published: June 12, 2026

An Improper Input Validation vulnerability in the UID Enterprise Agent could allow a low-privilege, network-accessible attacker to execute commands on a host device. This is a concern because unauthorized command execution can impact system integrity and availability.

NVD published: June 12, 2026

An argument injection vulnerability in WordPress Toolkit, used within cPanel & WHM, allows authenticated users to bypass authorization and execute arbitrary commands as other accounts. This could impact system integrity and data security if the affected technology is reachable and relevant.

NVD published: June 12, 2026