Recent Advisories

Severity ID Title Vendor Product Date Type

HIGH 7.5 CVE-2026-46702
Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compress...
Eugeny russh >= 0.34.0, < 0.61.1 CVE

HIGH 8.7 CVE-2026-46689
Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion
Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query ...
kanidm kanidm < 1.9.3 CVE

HIGH 7.5 CVE-2026-46673
Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases
Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and un...
Eugeny russh < 0.60.3 CVE

HIGH 8.7 CVE-2026-46669
`openvm-pairing` pairing check missing proper subfield check on scaling factor
OpenVM is a performant and modular zkVM framework built for customization and extensibility. Prior to version 1.6.0, the openvm-pairing guest libra...
openvm-org openvm < 1.6.0 CVE

HIGH 8.9 CVE-2026-46654
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft dis...
Plonky3 Plonky3 < 0.4.3 CVE

HIGH 7.7 CVE-2026-44692
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that aut...
code16 sharp < 9.22.0 CVE
HIGH 7.5 CVE-2026-42542
TDengine has an integer underflow in uvConnMayGetUserInfo() that allows an unauthenticated remote crash (DoS)
TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated ...
taosdata TDengine >= 3.4.0.0, < 3.4.1.6 CVE
HIGH 7 CVE-2026-42462
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2....
fedify-dev fedify >= 2.2.0, < 2.2.3 CVE

HIGH 7.5 CVE-2026-10143
kafka-python prior to 2.3.2 DoS via SCRAM Iteration Count in scram.py
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-m...
Dana Powers kafka-python CVE

HIGH 7.5 CVE-2026-10142
kafka-python prior to 2.3.2 Denial of Service via Protocol Parser Frame Length
kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-midd...
Dana Powers kafka-python CVE