Recent Advisories

| Severity | ID | Title | Summary | Vendor | Product | Date | Type |
|---|---|---|---|---|---|---|---|
| MEDIUM 5.1 | CVE-2026-54357 | MISP improper authorization allows organization administrators to modify site administrator user settings | An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to ... | misp | misp | | CVE |
| MEDIUM 6.3 | CVE-2026-50552 | Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail | Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in t... | koel | koel < 9.7.1 | | CVE |
| MEDIUM 5.3 | CVE-2026-43872 | actual-server has a path traversal vulnerability | Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. V... | actualbudget | actual < 26.5.0 | | CVE |
| MEDIUM 4.8 | CVE-2026-42890 | actual Allows Electron to Run As Node | Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_A... | actualbudget | actual < 26.5.0 | | CVE |
| MEDIUM 6.9 | CVE-2026-42604 | Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config` | Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions | actualbudget | actual < 26.5.0 | | CVE |
| MEDIUM 6.7 | THN:8A77AE01FE4F3132EEE7710ECBA05C6E | China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade | | N/A | N/A | | THN |
| MEDIUM 6.5 | CVE-2026-7184 | Mattermost Remote Cluster PATCH API Leaks Authentication Tokens | Mattermost versions 11.6.x | Mattermost | Mattermost 11.6.0 | | CVE |
| MEDIUM 6.7 | CVE-2026-6739 | Mattermost: Delegated admins could patch protected default system roles | Mattermost versions 11.6.x | Mattermost | Mattermost 11.6.0 | | CVE |
| MEDIUM 4.3 | CVE-2026-6689 | Missing `invite_user` permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings | Mattermost versions 11.6.x | Mattermost | Mattermost 11.6.0 | | CVE |
| MEDIUM 5.3 | CVE-2026-6046 | Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server | Mattermost versions 11.6.x | Mattermost | Mattermost 11.6.0 | | CVE |