HIGH - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 8.7	CVE-2026-47135	vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks_CVE-2026-47135 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Nod...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-46340	Netty: SCTP reassembly nests buffers without bound_CVE-2026-46340 Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Fina...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-45674	Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records_CVE-2026-45674 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-45416	Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes_CVE-2026-45416 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClie...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-44894	Netty’s Default QUIC token handler accepts any client-supplied token_CVE-2026-44894 Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the appl...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 7.5	CVE-2026-44893	Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length_CVE-2026-44893 Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final an...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
HIGH 8.8	CVE-2026-8828	CVE-2026-8828_CVE-2026-8828 A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write...	Chroma	ChromaDB 1.0.0	Jun 12, 2026	CVE
HIGH 8.2	CVE-2026-50088	Aqara Developer Portal cross-origin resource sharing_CVE-2026-50088 The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin ...	Aqara	Aqara Developer Portal 2026-04-20	Jun 12, 2026	CVE
HIGH 8.2	CVE-2026-50087	Aqara IAM/SSO Gateway cross-origin resource sharing_CVE-2026-50087 The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissiv...	Aqara	Aqara IAM/SSO Gateway 2026-04-20	Jun 12, 2026	CVE
HIGH 8.6	CVE-2026-50085	Aqara Board IoT insecure debug API_CVE-2026-50085 The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authe...	Aqara	Board service 2026-04-20	Jun 12, 2026	CVE