CVSS - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
CRITICAL 9.9	CVE-2026-52782	OpenProject: IDOR through /projects//settings/project_storages/ via PATCH parameter “storages_project_storage[project_folder_id]” leads to Access to Unauthorized Resources_CVE-2026-52782 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/project...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
MEDIUM 6.4	CVE-2026-52781	OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter “description”_CVE-2026-52781 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted dat...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.6	CVE-2026-52780	OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)_CVE-2026-52780 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
MEDIUM 5.4	CVE-2026-52779	OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects_CVE-2026-52779 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusi...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
HIGH 7.5	CVE-2026-47193	OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks_CVE-2026-47193 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historica...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
MEDIUM 4.3	CVE-2026-55838	RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics_CVE-2026-55838 RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metric...	rustfs	rustfs <= 1.0.0-beta.7	Jun 26, 2026	CVE
HIGH 7.7	CVE-2026-55189	RustFS: FTP frontend skips IAM authorization on object reads_CVE-2026-55189 RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read ...	rustfs	rustfs >= 1.0.0-alpha.1, <= 1.0.0-beta.8	Jun 26, 2026	CVE
HIGH 8.2	CVE-2026-55188	RustFS: ListRemoteTargetHandler authorization bypass leaks replication target credentials_CVE-2026-55188 RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the ...	rustfs	rustfs >= 1.0.0-alpha.1, <= 1.0.0-beta.8	Jun 26, 2026	CVE
HIGH 8.6	CVE-2026-49991	RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection_CVE-2026-49991 RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucke...	rustfs	rustfs 1.0.0-beta.4	Jun 26, 2026	CVE
MEDIUM 4.3	CVE-2026-49355	OpenProject: Private work package data disclosure through single meeting agenda item API_CVE-2026-49355 OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id`...	opf	openproject < 17.4.0	Jun 26, 2026	CVE