Recent Advisories

Severity ID Title Vendor Product Date Type
CRITICAL 9.9 CVE-2026-49252

deepstream is vulnerable to prototype pollution

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are v...

deepstreamIO deepstream.io < 10.0.5 CVE
CRITICAL 9.1 CVE-2026-49454

Relyra SAML SignatureValue not cryptographically verified -> authentication bypass

Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures beca...

szTheory relyra >= 1.0.0, < 1.2.0 CVE
CRITICAL 10 CVE-2026-49257

mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults ...

startreedata mcp-pinot < 3.1.0 CVE
CRITICAL 9.8 CVE-2026-54130

M365 Copilot Information Disclosure Vulnerability

Published: 2026-06-18T21:42:39.358Z

Microsoft Microsoft 365 Copilot - CVE
CRITICAL 9.9 CVE-2026-47647

Dynamics 365 Elevation of Privilege Vulnerability

Published: 2026-06-18T21:42:40.084Z

Microsoft Microsoft Dynamics 365 - CVE
CRITICAL 9.8 CVE-2026-40624

AVer PTC cameras Files or Directories Accessible to External Parties

Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary...

AVer PTC500S * CVE
CRITICAL 9.3 CVE-2026-12048

pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messa...

pgadmin.org pgAdmin 4 6.0 CVE
CRITICAL 9 CVE-2026-12046

pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution

Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/ and POST /sqleditor/initialize/sqleditor/update_connec...

pgadmin.org pgAdmin 4 6.9 CVE
CRITICAL 9 CVE-2026-12045

pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution

Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execut...

pgadmin.org pgAdmin 4 9.13 CVE
CRITICAL 9.1 CVE-2026-8713

Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_dele...

themefusion Avada (Fusion) Builder CVE