CRITICAL - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
CRITICAL 9.8	A04B552D-BE53-	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise_A04B552D-BE53-596B-87C1-62CAF8B1227A CVE-2025-58434 Flowiseai Auth Bypass PoC...	N/A	N/A	Jun 26, 2026	GITHUBEXPLOIT
CRITICAL 9.9	CVE-2026-52785	OpenProject: SQL injection in timestamps functionality_CVE-2026-52785 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.9	CVE-2026-52782	OpenProject: IDOR through /projects//settings/project_storages/ via PATCH parameter “storages_project_storage[project_folder_id]” leads to Access to Unauthorized Resources_CVE-2026-52782 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/project...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.6	CVE-2026-52780	OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)_CVE-2026-52780 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.9	CVE-2026-46386	OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`_CVE-2026-46386 OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KE...	opf	openproject >= 8.3.0, < 17.2.4	Jun 26, 2026	CVE
CRITICAL 9.6	CVE-2026-54352	Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload_CVE-2026-54352 Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a...	Budibase	budibase < 3.39.9	Jun 26, 2026	CVE
CRITICAL 10	CVE-2026-54350	Budibase: Anonymous NoSQL operator injection via published-app query templates_CVE-2026-54350 Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of t...	Budibase	budibase < 3.39.12	Jun 26, 2026	CVE
CRITICAL 10	CVE-2026-53576	Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass_CVE-2026-53576 Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/ap...	kestra-io	kestra < 1.0.45	Jun 26, 2026	CVE
CRITICAL 10	CVE-2026-49869	Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`_CVE-2026-49869 Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath(...	kestra-io	kestra < 1.0.45	Jun 26, 2026	CVE
CRITICAL 9.1	CVE-2025-64152	Apache IoTDB: Path Traversal Vulnerability_CVE-2025-64152 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: fro...	Apache Software Foundation	Apache IoTDB 1.0.0	Jun 26, 2026	CVE