MEDIUM - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 6.5	CVE-2026-46551	NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion_CVE-2026-46551 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC...	nocodb	nocodb < 2026.04.4	Jun 23, 2026	CVE
MEDIUM 5.4	CVE-2026-46550	NocoDB: Refresh Token Cookie Set Without `Secure` and `SameSite` Flags_CVE-2026-46550 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing bot...	nocodb	nocodb < 2026.04.1	Jun 23, 2026	CVE
MEDIUM 4.3	CVE-2026-46548	NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)_CVE-2026-46548 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in th...	nocodb	nocodb < 2026.04.1	Jun 23, 2026	CVE
MEDIUM 6.1	CVE-2026-46547	NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL_CVE-2026-46547 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning pag...	nocodb	nocodb < 2026.04.1	Jun 23, 2026	CVE
MEDIUM 6.5	CVE-2026-54518	jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind_CVE-2026-54518 jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3....	FasterXML	jackson-databind >= 2.21.0, < 2.21.4	Jun 23, 2026	CVE
MEDIUM 5.5	CVE-2026-48493	Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment_CVE-2026-48493 Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their...	grokability	snipe-it < 8.6.0	Jun 23, 2026	CVE
MEDIUM 6.9	CVE-2026-47693	Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications_CVE-2026-47693 Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula I...	poweradmin	poweradmin < 4.2.4	Jun 23, 2026	CVE
MEDIUM 4.9	CVE-2026-12164	Privilege Escalation in Fortra File Integrity Monitoring (FIM)_CVE-2026-12164 Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permission...	Fortra	File Integrity Monitoring (FIM)	Jun 23, 2026	CVE
MEDIUM 5.5	CVE-2026-12163	Stored XSS in Fortra File Integrity Monitoring (FIM)_CVE-2026-12163 Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnera...	Fortra	Fortra File Integrity Monitoring (FIM)	Jun 23, 2026	CVE
MEDIUM 5.9	CVE-2026-55736	Private action arguments can be set by user input in Ash_CVE-2026-55736 Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a...	ash-project	ash 3.0.0	Jun 23, 2026	CVE