LOW - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
LOW 3.7	CVE-2026-37977	Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim_CVE-2026-37977 A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's Use...	Red Hat	Red Hat Build of Keycloak	Apr 6, 2026	CVE
LOW 3.4	CVE-2026-33404	Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard_CVE-2026-33404 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6...	pi-hole	web >= 6.0, < 6.5	Apr 6, 2026	CVE
LOW 3.1	CVE-2026-33405	Pi-hole has a Stored HTML Injection in queries.js_CVE-2026-33405 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6...	pi-hole	web >= 6.0, < 6.5	Apr 6, 2026	CVE
LOW 2.3	CVE-2026-34969	Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback_CVE-2026-34969 Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh toke...	nhost	nhost < 0.48.0	Apr 6, 2026	CVE
LOW 2.3	CVE-2026-34764	Electron has a use-after-free in offscreen shared texture release() callback_CVE-2026-34764 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8....	electron	electron >= 33.0.0-alpha.1, < 39.8.5	Apr 6, 2026	CVE
LOW 2.1	CVE-2026-35200	Parse Server has a file upload Content-Type override via extension mismatch_CVE-2026-35200 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file c...	parse-community	parse-server >= 9.0.0, < 9.7.1-alpha.4	Apr 6, 2026	CVE
LOW 3.7	CVE-2026-35448	WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php_CVE-2026-35448 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order dat...	WWBN	AVideo <= 26.0	Apr 6, 2026	CVE
LOW 2.7	CVE-2026-5375	runZero Platform API credential information leak_CVE-2026-5375 An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instanc...	runZero	Platform	Apr 7, 2026	CVE
LOW 3	CVE-2026-5382	runZero Platform MCP endpoint information leak_CVE-2026-5382 An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of...	runZero	Platform	Apr 7, 2026	CVE
LOW 2.2	CVE-2026-5381	runZero Platform task information leak_CVE-2026-5381 An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorre...	runZero	Platform	Apr 7, 2026	CVE