Recent Advisories

| Severity | ID | Title | Description | Vendor | Product | Date | Type |
|---|---|---|---|---|---|---|---|
| MEDIUM 6.1 | CVE-2026-4110 | Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_auctions_bids_list | The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page,... | Unknown | ultimate-woocommerce-auction-pro | | CVE |
| MEDIUM 5.3 | CVE-2026-10530 | Pie Register < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token | The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowin... | Unknown | Pie Register | | CVE |
| HIGH 8.1 | CVE-2025-66336 | Apache Doris MCP Server: SQL injection leading to authentication bypass | Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated i... | Apache Software Foundation | Apache Doris MCP Server 0.1.0 | | CVE |
| MEDIUM 5.4 | CVE-2025-62198 | Apache Atlas: Stored XSS in Create Entity page | An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.... | Apache Software Foundation | Apache Atlas | | CVE |
| HIGH 7.5 | CVE-2025-66389 | CVE-2025-66389 | GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_web... | n/a | n/a | n/a | CVE |
| HIGH 7.3 | CVE-2026-10845 | IBM WebSphere Application Server is affected by an authentication bypass vulnerability | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applicat... | IBM | WebSphere Application Server 8.5.0 | | CVE |
| HIGH 7 | CVE-2026-56109 | ALSA Library < 1.2.16.1 Double-Free via parse_def() in conf.c | The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows ... | alsa-project | alsa-lib | | CVE |
| MEDIUM 6.9 | CVE-2026-55602 | http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass | http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-ta... | chimurai | http-proxy-middleware >= 4.0.0, < 4.1.0 | | CVE |
| HIGH 8.1 | CVE-2026-55388 | piscina: Prototype Pollution Gadget → RCE via inherited options.filename | piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename opt... | piscinajs | piscina < 4.9.3 | | CVE |
| HIGH 7.1 | CVE-2026-54290 | Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit orig... | honojs | hono < 4.12.25 | | CVE |