Recent Advisories

Severity (score) | ID | Title | Vendor | Product | Affected | Type

MEDIUM (6.9) | CVE-2026-47248 | Parse Server: GraphQL “Did you mean” validation suggestions disclose schema to unauthenticated callers | parse-community | parse-server | < 8.6.78 | CVE
    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2,...

MEDIUM (4.3) | CVE-2026-47236 | Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission | solidtime-io | solidtime | < 0.12.2 | CVE
    Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines explicit invitations:view and members:view permissions...

MEDIUM (6.9) | CVE-2026-42932 | Naxclow IoT Platform Generation of Predictable Numbers or Identifiers | Naxclow | Smart Doorbell X3 | All | CVE
    Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identif...

MEDIUM (6.1) | CVE-2026-41568 | Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap | moby | moby (github.com/docker/docker/daemon) | <= 28.5.2 | CVE
    Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prio...

MEDIUM (5.1) | CVE-2026-10715 | Camaleon CMS 2.9.2 – Improper authorization in draft autosave endpoint | Camaleon CMS | Camaleon CMS | 2.9.2 | CVE
    Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated us...

MEDIUM (5.1) | CVE-2026-54357 | MISP improper authorization allows organization administrators to modify site administrator user settings | misp | misp | | CVE
    An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to ...

MEDIUM (6.3) | CVE-2026-50552 | Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail | koel | koel | < 9.7.1 | CVE
    Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in t...

MEDIUM (5.3) | CVE-2026-43872 | actual-server has a path traversal vulnerability | actualbudget | actual | < 26.5.0 | CVE
    Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. V...

MEDIUM (4.8) | CVE-2026-42890 | actual Allows Electron to Run As Node | actualbudget | actual | < 26.5.0 | CVE
    Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_A...

MEDIUM (6.9) | CVE-2026-42604 | Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config` | actualbudget | actual | < 26.5.0 | CVE
    Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions