HIGH - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 8.6	CVE-2026-47209	vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain_CVE-2026-47209 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver param...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 8.6	CVE-2026-47139	vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server_CVE-2026-47139 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin ...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-47135	vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks_CVE-2026-47135 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Nod...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-46340	Netty: SCTP reassembly nests buffers without bound_CVE-2026-46340 Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Fina...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-45674	Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records_CVE-2026-45674 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-45416	Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes_CVE-2026-45416 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClie...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-44894	Netty’s Default QUIC token handler accepts any client-supplied token_CVE-2026-44894 Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the appl...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-44893	Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length_CVE-2026-44893 Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final an...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 8.8	CVE-2026-8828	CVE-2026-8828_CVE-2026-8828 A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write...	Chroma	ChromaDB 1.0.0	Jun 12, 2026	CVE
HIGH 8.2	CVE-2026-50088	Aqara Developer Portal cross-origin resource sharing_CVE-2026-50088 The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin ...	Aqara	Aqara Developer Portal 2026-04-20	Jun 12, 2026	CVE