MEDIUM - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 5	CVE-2026-58057	Flowise – Custom MCP Environment Variable Denylist Bypass via Case Sensitivity_CVE-2026-58057 Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where en...	Flowise	Flowise	Jun 28, 2026	CVE
MEDIUM 5.4	CVE-2026-58055	nghttp2 nghttpx – HTTP Request/Response Smuggling via Upgrade Request with Content-Length_CVE-2026-58055 nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-a...	nghttp2	nghttp2	Jun 28, 2026	CVE
MEDIUM 6.5	CVE-2026-58051	libssh2 – Free of Uninitialized Pointer in publickey List Cleanup_CVE-2026-58051 libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a pars...	libssh2	libssh2	Jun 28, 2026	CVE
MEDIUM 4.3	9A2D458D-9B05-	TLS1.2_Exploit-Scripts_9A2D458D-9B05-57CD-B884-F823B4CD8735 Breaking TLS 1.2 — Penetration Testing Lab & Exploit Scripts This repository is the companion lab to the Medium article: Breaking TLS 1.2: A Penetr...	N/A	N/A	Jun 27, 2026	GITHUBEXPLOIT
MEDIUM 5.3	CED4BCD6-8E56-	Exploit for CVE-2026-12432_CED4BCD6-8E56-5FF9-A68C-174EFA9EBB61 CVE-2026-12432: WP Full Stripe Free = 8.4.4 - Published: June 26, 2026 - Last Updated: June 27, 2026 - Researcher: Netwurm - VTDR e.V.i.G. Vulnerab...	N/A	N/A	Jun 27, 2026	GITHUBEXPLOIT
MEDIUM 6.1	CVE-2026-13245	MaxButtons <= 9.8.5 - Reflected Cross-Site Scripting via 'view' Parameter_CVE-2026-13245 The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to...	maxfoundry	MaxButtons – Create buttons	Jun 27, 2026	CVE
MEDIUM 5.3	CVE-2026-12404	NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via CSVExport Class_CVE-2026-12404 The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including...	webaways	NEX-Forms – Ultimate Forms Plugin for WordPress	Jun 27, 2026	CVE
MEDIUM 5.3	CVE-2026-9242	RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forged PayPal IPN Request_CVE-2026-9242 The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication ...	metagauss	RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	Jun 27, 2026	CVE
MEDIUM 4.3	CVE-2026-9233	Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via qsm_insert_quiz_template AJAX Action_CVE-2026-9233 The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...	expresstech	Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker	Jun 27, 2026	CVE
MEDIUM 6.5	CVE-2026-3462	Frisbii Pay <= 1.8.9 - Missing Authorization to Authenticated (Subscriber+) Payment Token Modification_CVE-2026-3462 The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'p...	reepaydenmark	Frisbii Pay	Jun 27, 2026	CVE