Security - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 5.9	CVE-2026-50202	Steeltoe’s static JWKS cache shared across schemes and never invalidated_CVE-2026-50202 Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.A...	SteeltoeOSS	Steeltoe.Security.Authentication.CloudFoundryBase < 3.4.0	Jun 17, 2026	CVE
MEDIUM 6.5	CVE-2026-50201	Steeltoe’s sensitive actuators (heapdump/env) only require Restricted permission_CVE-2026-50201 Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management...	SteeltoeOSS	Steeltoe.Management.Endpoint < 4.2.0	Jun 17, 2026	CVE
HIGH 7.1	CVE-2026-48759	TypeBot: Cross-Workspace Theme Template IDOR (Modification and Deletion)_CVE-2026-48759 TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme T...	baptisteArno	typebot.io < 3.16.0	Jun 17, 2026	CVE
HIGH 7.5	CVE-2026-45617	LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex_CVE-2026-45617 LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html fi...	harttle	liquidjs < 10.26.0	Jun 17, 2026	CVE
MEDIUM 5.3	CVE-2026-44646	LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`_CVE-2026-44646 LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a ...	harttle	liquidjs < 10.26.0	Jun 17, 2026	CVE
MEDIUM 6.5	CVE-2026-44645	LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body_CVE-2026-44645 LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can...	harttle	liquidjs < 10.26.0	Jun 17, 2026	CVE
MEDIUM 6.1	CVE-2026-44644	LiquidJS’s strip_html filter bypass via newline characters in HTML tags enables XSS_CVE-2026-44644 LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through ...	harttle	liquidjs < 10.26.0	Jun 17, 2026	CVE
MEDIUM 6.5	CVE-2026-12568	Arbitrary File Write in postman_download module_CVE-2026-12568 The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a mal...	Black Lantern Security	BBOT 2.1.0	Jun 17, 2026	CVE
LOW 2.2	CVE-2026-12567	Symlink-following arbitrary write via github_workflows module_CVE-2026-12567 The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacke...	Black Lantern Security	BBOT 2.0.0	Jun 17, 2026	CVE
LOW 3.1	CVE-2026-12566	SSRF via unvalidated WWW-Authenticate realm in docker_pull module_CVE-2026-12566 The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without va...	Black Lantern Security	BBOT 2.0.0	Jun 17, 2026	CVE