MEDIUM - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 5.3	CVE-2026-50629	Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier_CVE-2026-50629 The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control ch...	Apache Software Foundation	Apache CXF 4.2.0	Jun 12, 2026	CVE
MEDIUM 6.5	CVE-2026-50623	Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService_CVE-2026-50623 An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the securi...	Apache Software Foundation	Apache CXF 4.2.0	Jun 12, 2026	CVE
MEDIUM 5.3	CVE-2026-8694	Improper access control on the API documentation endpoint in PowerShell Universal_CVE-2026-8694 Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI sp...	Devolutions	PowerShell Universal	Jun 12, 2026	CVE
MEDIUM 5.1	CVE-2026-53722	Nuxt: Reflected XSS in `` via unsanitised `javascript:` or `data:` URL_CVE-2026-53722 Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound t...	nuxt	nuxt < 3.21.7	Jun 12, 2026	CVE
MEDIUM 6.9	CVE-2026-47739	Frappe: Stored XSS in Note_CVE-2026-47739 Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitizati...	frappe	frappe < 15.106.0	Jun 12, 2026	CVE
MEDIUM 5.3	CVE-2026-47244	Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced_CVE-2026-47244 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Default...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
MEDIUM 6.9	CVE-2026-47141	vm2: NodeVM observability builtins leak host process and HTTP request data_CVE-2026-47141 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowe...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
MEDIUM 6.8	CVE-2026-45673	Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port_CVE-2026-45673 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
MEDIUM 4	CVE-2026-45536	Netty: Unix-socket fd receive leaks descriptors when peer sends two at once_CVE-2026-45536 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_u...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
MEDIUM 6.9	CVE-2026-44205	Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload_CVE-2026-44205 Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an...	frappe	frappe < 15.106.0	Jun 12, 2026	CVE