NVD disclosure day

Published threat advisories for June 16, 2026

CVE advisory: CRITICAL

CVE-2026-48777

FileBrowser Quantum Path Traversal Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A path traversal vulnerability exists in FileBrowser Quantum, a self-hosted file manager. This flaw allows an attacker with a public share link that permits modifications to move, copy, or rename files outside the intended shared directory. The issue stems from improper path handling before sanitization, enabling unaut

CVE advisory: CRITICAL

CVE-2026-22313

Device Management REST API OS Command Injection

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

A critical vulnerability exists in a device's web server REST API, allowing authenticated attackers to execute arbitrary commands with administrative privileges. While this flaw could lead to a complete system compromise, it is currently classified as unlikely to be externally exploitable as it resides on a management

CVE advisory: CRITICAL

CVE-2026-53776

Perry JWT Validation Bypass Allows Indefinite Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A JWT validation vulnerability in Perry allows remote attackers to bypass token expiration, potentially granting indefinite authenticated access using previously issued tokens. This could circumvent session invalidation mechanisms like logouts or revocations, posing a significant risk to systems relying on this JWT ver

CVE advisory: CRITICAL

CVE-2025-13036

FactoryTalk Historian Site Edition Authentication Bypass

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

An authentication bypass exists in FactoryTalk Historian Site Edition, allowing an attacker to obtain a valid token by sending continuous requests to the login endpoint. The primary concern is understanding if this affects your systems, as FactoryTalk Historian Site Edition is typically isolated within internal network

CVE advisory: CRITICAL

CVE-2026-12316

Mitigation Bypass in Mozilla DOM Security Component

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in the DOM security component can allow attackers to bypass security measures in web browsers and email clients. This could lead to unauthorized access and modification of data if a user interacts with malicious content. Affected applications have been updated to address this issue.

CVE advisory: CRITICAL

CVE-2026-12315

Firefox Thunderbird Mitigation Bypass Vulnerability

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A critical vulnerability exists in the DOM security component of certain widely used web and email software, allowing for a mitigation bypass. This could lead to significant compromise of user data and system integrity if exploited, particularly given its high severity and the potential for unauthorized access and exec

CVE advisory: CRITICAL

CVE-2026-12304

Same-Origin Policy Bypass Affects Mozilla Networking Cookies

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A same-origin policy bypass vulnerability exists in the Networking: Cookies component of certain web browser and email client software. If reachable, this could allow unauthorized access to sensitive information or manipulation of web content by a malicious website. This could occur when a user interacts with compromis

CVE advisory: CRITICAL

CVE-2026-40750

Kids Online Store Unrestricted File Upload Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unrestricted file upload vulnerability exists in the Kids Online Store, enabling authenticated users to upload web shells to the server. This could allow for arbitrary code execution and potentially a full system compromise. The issue arises from inadequate restrictions on file types that can be uploaded, making the

CVE advisory: CRITICAL

CVE-2026-52715

Unauthenticated SQL Injection in GEO my WordPress Plugin Versions 4.5.5 and Earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the GEO my WordPress plugin. This could allow an attacker to execute arbitrary SQL commands, potentially leading to unauthorized access or manipulation of database information, affecting service availability.

CVE advisory: CRITICAL

CVE-2026-49774

RD Station Code Injection Vulnerability Allows Remote Code Inclusion

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical code injection vulnerability in RD Station allows remote code inclusion. This means an attacker could potentially execute arbitrary code on a system, leading to unauthorized access or compromise. It's important to confirm if this technology is in use and assess any potential exposure.

CVE advisory: CRITICAL

CVE-2026-49772

StellarWP The Events Calendar Blind SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A Blind SQL Injection vulnerability in The Events Calendar plugin may allow an attacker to inject malicious database commands and potentially access sensitive information. This issue is reachable via network requests and affects the underlying database. Organizations should confirm if this plugin is in use and assess p

CVE advisory: CRITICAL

CVE-2026-39574

InPost Gallery Unauthenticated SQL Injection Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

An unauthenticated SQL injection vulnerability exists in the InPost Gallery plugin, allowing attackers to execute arbitrary SQL commands and potentially access sensitive data. This is a critical issue for websites using the plugin, as it could lead to unauthorized data access or service disruption. Confirmation of its