Recent Advisories

Severity ID Title Vendor Product Date Type
HIGH 7.5 CVE-2026-54066

SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file-read)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encodin...

siyuan-note siyuan < 3.7.0 CVE
HIGH 7.5 CVE-2026-52794

Sentry: Inefficient Regular Expression Complexity in sentry

Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability...

getsentry sentry >= 24.4.0, < 26.5.2 CVE
HIGH 8.9 CVE-2026-50189

Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC inter...

appsmithorg appsmith < 2.1 CVE
HIGH 7.1 CVE-2026-47110

Tiptap for PHP < 2.1.1 DoS via Malformed href Attribute

Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by ...

ueberdosis tiptap-php CVE
HIGH 7.8 CVE-2026-10043

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbi...

MosaicML Composer 0.32.1 CVE
HIGH 8.8 MALWAREBYTES:EC34003352AA88477BAACCE9BF91A066

PixelSmash flaw turns video files into attack tools

A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers. Researchers have dis...

N/A N/A MALWAREBYTES
HIGH 7.5 CVE-2026-53950

@tryghost/activitypub: XSS in Ghost’s ActivityPub client

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injecti...

TryGhost Ghost < 3.1.0 CVE
HIGH 8.8 CVE-2026-49247

Jellyfin: Potential authenticated path traversal in /ClientLog/Document

Jellyfin is an open-source, self-hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization he...

jellyfin jellyfin >= 10.9.0, < 10.11.10 CVE
HIGH 8.8 CVE-2026-48793

Jellyfin: Potential FFmpeg argument injection via unescaped subtitle file path

Jellyfin is an open-source, self-hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle ...

jellyfin jellyfin < 10.11.10 CVE
HIGH 7.1 CVE-2026-12760

Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200

A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 f...

TP-Link Systems Inc. Tapo C200 v3 CVE