MEDIUM - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 6.5	CVE-2026-9822	WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers_CVE-2026-9822 The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users...	Unknown	WP Hotel Booking	Jun 19, 2026	CVE
MEDIUM 6.1	CVE-2026-4110	Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_auctions_bids_list_CVE-2026-4110 The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page,...	Unknown	ultimate-woocommerce-auction-pro	Jun 22, 2026	CVE
MEDIUM 5.3	CVE-2026-10530	Pie Register < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token_CVE-2026-10530 The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowin...	Unknown	Pie Register	Jun 22, 2026	CVE
MEDIUM 5.4	CVE-2025-62198	Apache Atlas: Stored XSS in Create Entity page_CVE-2025-62198 An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2....	Apache Software Foundation	Apache Atlas	Jun 22, 2026	CVE
MEDIUM 6.9	CVE-2026-55602	http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass_CVE-2026-55602 http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-ta...	chimurai	http-proxy-middleware >= 4.0.0, < 4.1.0	Jun 22, 2026	CVE
MEDIUM 4.8	CVE-2026-54289	Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest_CVE-2026-54289 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a r...	honojs	hono < 4.12.25	Jun 22, 2026	CVE
MEDIUM 5.3	CVE-2026-54287	Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice_CVE-2026-54287 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header respon...	honojs	hono < 4.12.25	Jun 22, 2026	CVE
MEDIUM 5.9	CVE-2026-54286	Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)_CVE-2026-54286 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C...	honojs	hono < 4.12.25	Jun 22, 2026	CVE
MEDIUM 5.3	CVE-2026-54285	opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation_CVE-2026-54285 opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce siz...	open-telemetry	opentelemetry-js < 2.8.0	Jun 22, 2026	CVE
MEDIUM 6.6	CVE-2026-54278	AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup_CVE-2026-54278 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed req...	aio-libs	aiohttp < 3.14.1	Jun 22, 2026	CVE