tapic - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 5.3	CVE-2026-53949	Ghost Content API filter bypass reveals private fields_CVE-2026-53949 Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be part...	TryGhost	Ghost >= 5.46.1, < 6.21.2	Jun 24, 2026	CVE
MEDIUM 5.4	CVE-2026-53948	Ghost: File Upload Content-Type Spoofing_CVE-2026-53948 Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admi...	TryGhost	Ghost >= 6.19.4, < 6.21.1	Jun 24, 2026	CVE
MEDIUM 5.3	CVE-2026-53947	Ghost: Member existence leak via magic link sign-in response_CVE-2026-53947 Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possib...	TryGhost	Ghost >= 5.18.0, < 6.21.1	Jun 24, 2026	CVE
MEDIUM 5.4	CVE-2026-53946	Ghost: Mobiledoc image-size fetch SSRF_CVE-2026-53946 Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by is...	TryGhost	Ghost >= 6.19.4, < 6.21.1	Jun 24, 2026	CVE
MEDIUM 4	CVE-2026-53945	Ghost: Server-side request forgery via DNS rebinding in external request handling_CVE-2026-53945 Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DN...	TryGhost	Ghost >= 6.0.9, < 6.21.1	Jun 24, 2026	CVE
MEDIUM 5.8	CVE-2026-53944	Ghost: Private IP filtering bypass to make server-side requests to internal services_CVE-2026-53944 Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that...	TryGhost	Ghost >= 6.0.9, < 6.21.1	Jun 24, 2026	CVE
CRITICAL 9.6	CVE-2026-53943	Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header_CVE-2026-53943 Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being ...	TryGhost	Ghost >= 4.0.0, < 6.37.0	Jun 24, 2026	CVE
CRITICAL 9.8	CVE-2026-49980	Rclone: Unauthenticated command execution in `rclone rcd –rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix_CVE-2026-49980 Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd ...	rclone	rclone >= 1.46.0, < 1.74.3	Jun 24, 2026	CVE
HIGH 8.8	CVE-2026-49247	Jellyfin: Potential Authenticated path traversal in /ClientLog/Document_CVE-2026-49247 Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization he...	jellyfin	jellyfin >= 10.9.0, < 10.11.10	Jun 24, 2026	CVE
LOW 1.7	CVE-2026-49246	Jellyfin: Potential MKV attachment filename path traversal to RCE_CVE-2026-49246 Jellyfin is an open source self hosted media server. Prior to 10.11.10, a specifically crafted MKV file containing forged filename tags can be leve...	jellyfin	jellyfin < 10.11.10	Jun 24, 2026	CVE