category_cve - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 8.1	CVE-2026-58372	SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys_CVE-2026-58372 SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principal...	seaweedfs	seaweedfs	Jun 30, 2026	CVE
LOW 3.1	CVE-2026-58371	SeaweedFS < 4.30 - Cross-Origin Information Disclosure via Unvalidated JSONP callback Parameter_CVE-2026-58371 SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared w...	seaweedfs	seaweedfs	Jun 30, 2026	CVE
HIGH 8.1	CVE-2026-58370	Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name_CVE-2026-58370 Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is popu...	woodpecker-ci	woodpecker	Jun 30, 2026	CVE
MEDIUM 5.3	CVE-2026-58369	Woodpecker < 3.15.0 - Unauthenticated NULL Pointer Dereference in /api/orgs/lookup Enables Log-Flooding Denial of Service_CVE-2026-58369 Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler uncond...	woodpecker-ci	woodpecker	Jun 30, 2026	CVE
MEDIUM 6.5	CVE-2026-58176	RuoYi-Vue-Plus – Missing Authorization on Workflow Task Management Endpoints_CVE-2026-58176 RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without ...	dromara	RuoYi-Vue-Plus	Jun 30, 2026	CVE
MEDIUM 6.5	CVE-2026-58174	Hermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on Import_CVE-2026-58174 Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object withou...	nesquena	hermes-webui	Jun 30, 2026	CVE
MEDIUM 6.5	CVE-2026-58173	Vibe-Trading < 0.1.10 - Path Traversal via Persistent Memory Type_CVE-2026-58173 Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory ...	HKUDS	Vibe-Trading	Jun 30, 2026	CVE
CRITICAL 9.1	CVE-2026-58172	Ocelot – IP Allow/Block List Bypass for WebSocket Upgrade Requests_CVE-2026-58172 Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based ...	ThreeMammals	Ocelot	Jun 30, 2026	CVE
MEDIUM 4.2	CVE-2026-58171	Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier_CVE-2026-58171 Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without vali...	HKUDS	Vibe-Trading	Jun 30, 2026	CVE
HIGH 8.3	CVE-2026-58170	Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates_CVE-2026-58170 Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory witho...	HKUDS	Vibe-Trading	Jun 30, 2026	CVE