Recent Advisories

Severity ID Title Vendor Product Date Type
HIGH 7.7 CVE-2026-46394

HAX CMS Vulnerable to Command Injection using Git.php_CVE-2026-46394

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the G...

haxtheweb haxcms-php < 26.0.0 CVE
HIGH 7.1 CVE-2026-46393

HAXcms createSite SSRF Enables Arbitrary File Read_CVE-2026-46393

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions ...

haxtheweb haxcms-nodejs < 26.0.0 CVE
HIGH 8.7 CVE-2026-46392

HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation_CVE-2026-46392

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates uplo...

haxtheweb haxcms-php < 26.0.0 CVE
HIGH 8.7 CVE-2026-46391

HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis_CVE-2026-46391

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis,...

haxtheweb @haxtheweb/open-apis >= 9.0.1, < 26.0.0 CVE
MEDIUM 6.9 CVE-2026-46390

HAX CMS has Unauthenticated Git Access via User-Controlled Key_CVE-2026-46390

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is e...

haxtheweb haxcms-php >= 2.0.0, < 26.0.0 CVE
CRITICAL 10 CVE-2026-46389

UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`_CVE-2026-46389

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. I...

defenseunicorns uds-identity-config >= 0.11.0, < 0.26.1 CVE
CRITICAL 9.8 CVE-2026-10580

Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API_CVE-2026-10580

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all ...

hippooo Hippoo Mobile App for WooCommerce CVE
NONE MSSECURE:E1EAFC...

Securing CI/CD in an agentic world: Claude Code GitHub action case_MSSECURE:E1EAFCDAA5DF186F9FDB99A1F9C2ED1C

Microsoft Threat Intelligence discovered that Anthropic's Claude Code GitHub Action could expose CI/CD workflow secrets when AI agents process untr...

N/A N/A MSSECURE
NONE HACKREAD:1FC85E...

Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users_HACKREAD:1FC85EA1FE1F8DE63B49601B3A576F6F

Atlas Menu Data Breach exposes 64,000 GTA V and CS2 cheat service users, leaking emails, IPs, support tickets and hashed passwords.

N/A N/A HACKREAD
NONE THN:4D2A4B53EC1...

IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks_THN:4D2A4B53EC1F983BEA9EEC8241B5079D

N/A N/A THN