CRITICAL - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
CRITICAL 9.8	CVE-2026-12415	Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter_CVE-2026-12415 The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_accou...	pravel	Invoice Generator	Jun 27, 2026	CVE
CRITICAL 9.8	CVE-2026-28701	Daktronics Controller Firmware Path Traversal_CVE-2026-28701 Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and ...	Daktronics	VFC-DMP-5000	Jun 26, 2026	CVE
CRITICAL 9.8	A04B552D-BE53-	Exploit for Missing Authentication for Critical Function in Flowiseai Flowise_A04B552D-BE53-596B-87C1-62CAF8B1227A CVE-2025-58434 Flowiseai Auth Bypass PoC...	N/A	N/A	Jun 26, 2026	GITHUBEXPLOIT
CRITICAL 9.9	CVE-2026-52785	OpenProject: SQL injection in timestamps functionality_CVE-2026-52785 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.9	CVE-2026-52782	OpenProject: IDOR through /projects//settings/project_storages/ via PATCH parameter “storages_project_storage[project_folder_id]” leads to Access to Unauthorized Resources_CVE-2026-52782 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/project...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.6	CVE-2026-52780	OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)_CVE-2026-52780 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution...	opf	openproject < 17.3.3	Jun 26, 2026	CVE
CRITICAL 9.9	CVE-2026-46386	OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`_CVE-2026-46386 OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KE...	opf	openproject >= 8.3.0, < 17.2.4	Jun 26, 2026	CVE
CRITICAL 9.6	CVE-2026-54352	Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload_CVE-2026-54352 Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a...	Budibase	budibase < 3.39.9	Jun 26, 2026	CVE
CRITICAL 10	CVE-2026-54350	Budibase: Anonymous NoSQL operator injection via published-app query templates_CVE-2026-54350 Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of t...	Budibase	budibase < 3.39.12	Jun 26, 2026	CVE
CRITICAL 10	CVE-2026-53576	Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass_CVE-2026-53576 Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/ap...	kestra-io	kestra < 1.0.45	Jun 26, 2026	CVE