Vulnerability - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 6.9	CVE-2026-50008	Parse Server: Server option routeAllowList is bypassable through batch sub-requests_CVE-2026-50008 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-...	parse-community	parse-server >= 9.8.0, < 9.9.1-alpha.3	Jun 12, 2026	CVE
MEDIUM 6.9	CVE-2026-47248	Parse Server: GraphQL “Did you mean” validation suggestions disclose schema to unauthenticated callers_CVE-2026-47248 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2,...	parse-community	parse-server < 8.6.78	Jun 12, 2026	CVE
MEDIUM 4.3	CVE-2026-47236	Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission_CVE-2026-47236 Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions...	solidtime-io	solidtime < 0.12.2	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-47138	Parse Server: Pre-authentication denial of service via client version header regex backtracking_CVE-2026-47138 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1,...	parse-community	parse-server < 8.6.77	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-42947	Naxclow IoT Platform Authorization bypass through User-Controlled key_CVE-2026-42947 A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an ar...	Naxclow	Smart Doorbell X3 All	Jun 12, 2026	CVE
MEDIUM 6.9	CVE-2026-42932	Naxclow IoT Platform Generation of Predictable Numbers or Identifiers_CVE-2026-42932 Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identif...	Naxclow	Smart Doorbell X3 All	Jun 12, 2026	CVE
HIGH 7.2	CVE-2026-42306	Moby: Race condition in docker cp allows bind mount redirection to host path_CVE-2026-42306 Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prio...	moby	moby github.com/docker/docker/daemon <= 28.5.2	Jun 12, 2026	CVE
MEDIUM 6.1	CVE-2026-41568	Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap_CVE-2026-41568 Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prio...	moby	moby github.com/docker/docker/daemon <= 28.5.2	Jun 12, 2026	CVE
CRITICAL 9.2	CVE-2026-28742	Naxclow IoT Platform Use of hard-coded cryptographic key_CVE-2026-28742 Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is ...	Naxclow	Smart Doorbell X3 All	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-12143	form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)_CVE-2026-12143 form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and ...	form-data	form-data	Jun 12, 2026	CVE