HIGH - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 8.3	CVE-2026-49248	OneDev: RCE through absolute-path symlink following allows low-privileged users to overwrite arbitrary server via TarUtils.untar_CVE-2026-49248 OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR en...	theonedev	onedev < 15.0.7	Jun 18, 2026	CVE
HIGH 8.1	CVE-2026-43994	Coturn: Stack buffer overflow in decode_oauth_token_gcm()_CVE-2026-43994 Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token...	coturn	coturn < 4.10.0	Jun 18, 2026	CVE
HIGH 8.3	CVE-2025-15661	libssh2 – Heap Buffer Over-read via sftp_symlink() in sftp.c_CVE-2025-15661 libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c tha...	libssh2	libssh2	Jun 18, 2026	CVE
HIGH 7.6	CVE-2026-46699	conda-smithy vulnerable to misrouted repository invitation by conda-forge-webservices[bot] due to GitHub username takeover leading to unintended write access in conda-forge feedstock repository_CVE-2026-46699 conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to...	conda-forge	conda-smithy < 3.61.0	Jun 18, 2026	CVE
HIGH 8.3	CVE-2026-45696	OpenEXR HTJ2K decoder heap buffer over-read in ht_undo_impl() (DoS)_CVE-2026-45696 OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 t...	AcademySoftwareFoundation	openexr >= 3.4.0, < 3.4.11	Jun 18, 2026	CVE
HIGH 8.6	CVE-2026-8100	CVE-2026-8100_CVE-2026-8100 Impact A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions....	Progress Chef	Chef360	Jun 18, 2026	CVE
HIGH 7.7	CVE-2026-54017	Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal_CVE-2026-54017 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse prox...	open-webui	open-webui < 0.9.6	Jun 18, 2026	CVE
HIGH 7.5	CVE-2026-47633	Microsoft Cost Management Information Disclosure Vulnerability_CVE-2026-47633 {“lastseen”:””,”description”:””,”published”:”2026-06-18T21:37:36.850Z”,&#82...	Microsoft	Microsoft Cost Management -	Jun 18, 2026	CVE
HIGH 7.7	CVE-2026-32174	Azure Bot Service Elevation of Privilege Vulnerability_CVE-2026-32174 {“lastseen”:””,”description”:””,”published”:”2026-06-18T21:39:17.817Z”,&#82...	Microsoft	Azure AI Bot Service -	Jun 18, 2026	CVE
HIGH 8.7	CVE-2026-56078	PraisonAI – Arbitrary File Read and Write via Path Traversal in MultiAgentMonitor_CVE-2026-56078 PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent IDs when building file paths. At...	PraisonAI	PraisonAI	Jun 18, 2026	CVE