25 vulnerabilities across 15 products scored HIGH or above on June 01, 2026.

  • EMERGENCY: 5
  • CRITICAL: 12
  • HIGH: 8

[EMERGENCY] npm/vitest

1 CVE | CVSS 3.1: 9.8 | AAS 16.7

npm Vitest is affected by a critical arbitrary file read vulnerability (CVE-2026-47429, CVSS 9.8) on Windows systems when the Vitest UI server is exposed to the network. The issue impacts users running Vitest UI or Browser Mode on Windows who have configured the UI server to be accessible over the network, potentially allowing attackers to read sensitive files. Security teams should update affected systems immediately and ensure the Vitest UI server is not exposed to untrusted networks; consult https://github.com/advisories/GHSA-5xrq-8626-4rwp for remediation details.

Vendor Advisory


[EMERGENCY] ibm/websphere_application_server

4 CVEs | CVSS 3.1: 9.1 | AAS 16.1

IBM WebSphere Application Server versions 8.5 and 9.0 contain identity spoofing vulnerabilities, including multiple exploitable issues (CVE-2026-8644, CVE-2026-9311, CVE-2026-9319, CVE-2026-9330, CVSS 9.1). The vulnerabilities could allow attackers to spoof identities and gain unauthorized access to affected systems. Security teams should apply patches immediately and consult IBM’s advisory at https://www.ibm.com/support/pages/node/7274740 for complete remediation guidance.

Vendor Advisory


[CRITICAL] npm/dompurify

1 CVE | CVSS 3.1: 8.2 | AAS 14.6

npm DOMPurify version 3.4.4 is vulnerable to cross-site scripting (XSS) bypass through a selectedcontent re-cloning mechanism (CVE-2026-47423, CVSS 8.2). The vulnerability allows attackers to circumvent DOMPurify’s sanitization by exploiting how browsers re-clone selected option elements, potentially executing arbitrary JavaScript in affected applications. Applications using DOMPurify 3.4.4 should update immediately; consult https://github.com/advisories/GHSA-87xg-pxx2-7hvx for patch availability and additional details.

Vendor Advisory


[CRITICAL] rocketgenius_inc./gravity_forms

1 CVE | CVSS 3.1: 9.6 | AAS 14.2

Rocketgenius Inc. Gravity Forms WordPress plugin versions through 2.10.0.1 are vulnerable to path traversal allowing arbitrary file deletion (CVE-2026-48866, CVSS 9.6). The exploitable vulnerability could allow attackers to delete critical files and compromise WordPress installations running affected versions of the plugin. Organizations using Gravity Forms should update to a patched version immediately; refer to https://patchstack.com/database/wordpress/plugin/gravityforms/vulnerability/wordpress-gravity-forms-plugin-2-10-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve for remediation details.

Vendor Advisory


[CRITICAL] apache_software_foundation/apache_solr

1 CVE | CVSS 3.1: 9.8 | AAS 14.1

Apache Software Foundation Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 contain hardcoded credentials in the Basic Authentication setup tool that allow remote attackers to gain full administrative cluster access using publicly known default credentials (CVE-2026-44825, CVSS 9.8). The vulnerability affects organizations running the affected versions of Solr and can be exploited by unauthenticated remote attackers. Security teams should upgrade to a patched version immediately or, as a temporary measure, delete the default template users from security.json or reset their passwords; consult https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch for additional guidance.

Vendor Advisory


[CRITICAL] apache/airflow

3 CVEs | CVSS 3.1: 8.8 | AAS 14.0

Apache Airflow is affected by multiple critical vulnerabilities, including at least one remote code execution issue in the XCom PATCH endpoint (CVE-2026-42359, CVE-2026-45192, CVE-2026-42358, CVSS 8.8). Authenticated UI or API users with XCom write permissions can exploit this vulnerability to set reserved XCom keys with malicious serialized payloads that execute arbitrary code on the triggerer. Organizations running Airflow should apply patches immediately and consult https://github.com/apache/airflow/pull/65915 for remediation details.

Vendor Advisory


[CRITICAL] apache/activemq

2 CVEs | CVSS 3.1: 8.8 | AAS 13.8

Apache ActiveMQ versions before 5.19.7 and 6.0.0 through before 6.2.6 are vulnerable to privilege escalation through incorrect default Jolokia authorization permissions (CVE-2026-49157, CVE-2026-42253, CVSS 8.8). The vulnerability allows low-privilege web-login users to access Jolokia operations meant for administrators, enabling them to execute unauthorized broker management operations such as adding and removing queues. Organizations running affected ActiveMQ versions should upgrade to 5.19.7 or 6.2.6 immediately; refer to https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8 for additional details.

Vendor Advisory


[CRITICAL] otrs_ag/otrs

4 CVEs | CVSS 3.1: 9.1 | AAS 13.1

OTRS AG OTRS versions 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X, plus OTRS Community Edition 6.0.x, are vulnerable to unauthenticated SQL injection through multiple improper input validation issues (CVE-2026-48188, CVE-2026-48209, CVE-2026-48208, CVE-2026-48187, CVSS 9.1). The vulnerabilities allow attackers to bypass authentication on systems using MySQL or MariaDB servers configured with the NO_BACKSLASH_ESCAPES SQL mode. Organizations running affected OTRS versions should apply patches immediately and review their database configuration; consult https://otrs.com/release-notes/otrs-security-advisory-2026-02/ for remediation guidance.

Vendor Advisory


[HIGH] cline/cline

1 CVE | CVSS 3.1: 9.6 | AAS 11.4

Cline versions 2.13.0 and prior contain a critical cross-origin WebSocket hijack vulnerability in Cline Kanban servers (CVE-2026-44211, CVSS 9.6). The exploitable vulnerability could allow attackers to hijack WebSocket connections and compromise Cline server instances. Organizations running affected versions should monitor for security updates and restrict access to Cline Kanban servers; consult https://github.com/cline/cline/security/advisories/GHSA-5c57-rqjx-35g2 for details and mitigation strategies.

Vendor Advisory


[HIGH] apache_software_foundation/apache_activemq_broker

2 CVEs | CVSS 3.1: 8.8 | AAS 10.6

Apache Software Foundation Apache ActiveMQ Broker contains multiple code injection vulnerabilities through improper input validation in discovery wrappers (CVE-2026-45505, CVE-2026-42588, CVSS 8.8). Non-parenthesized discovery wrappers such as masterslave:vm://… and static:vm://… bypass validation and allow exploitation, circumventing the fix from CVE-2026-34197. Organizations running affected ActiveMQ versions should apply patches immediately; consult https://lists.apache.org/thread/7n97nddyw96w6ykldjv1h40jx86xdo0w for remediation guidance.

Vendor Advisory


[HIGH] ivanti/neurons_for_itsm_(on-premises)

1 CVE | CVSS 3.1: 8.8 | AAS 10.4

Ivanti Neurons for ITSM (on-premises and cloud) is vulnerable to privilege escalation through improper access control, allowing authenticated attackers to gain administrative access (CVE-2026-9614, CVSS 8.8). The exploitable vulnerability affects organizations running affected versions of Neurons for ITSM and could enable account takeover or system compromise by internal attackers. Organizations running Neurons for ITSM should apply patches immediately and consult https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-9614 for remediation guidance.

Vendor Advisory


[HIGH] swivid/f5-tts

1 CVE | CVSS 4.0: 8.8 | AAS 10.0

Swivid F5-TTS versions through 1.1.20 contain a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files (CVE-2026-43624, CVSS 8.8). The vulnerability results from unsanitized project names being passed directly to path operations without validation, enabling attackers to create files and directories with arbitrary content at any location on the system. Organizations running affected F5-TTS versions should update immediately and consult https://github.com/SWivid/F5-TTS/commit/2f53ded68e5f69e248ceb200a51ef4d1dc647936 for patch details.

Vendor Advisory


[HIGH] cloakhq/cloakbrowser

1 CVE | CVSS 4.0: 8.8 | AAS 10.0

CloakHQ CloakBrowser prior to version 0.3.28 contains a path traversal vulnerability in the cloakserve CDP multiplexer that allows unauthenticated attackers to access or write files outside the configured data directory (CVE-2026-45727, CVSS 8.8). The vulnerability results from unsanitized user-supplied fingerprint parameters being used directly as filesystem path components without proper validation. Organizations running affected CloakBrowser versions should update to 0.3.28 or later immediately and consult https://github.com/CloakHQ/CloakBrowser/security/advisories/GHSA-mf33-gv72-w2h5 for remediation details.

Vendor Advisory


[HIGH] google/android_xr

1 CVE | CVSS 4.0: 10.0 | AAS 9.9

Google Android XR contains a critical privilege escalation vulnerability in InputMethodManagerService due to a missing permission check (CVE-2026-0072, CVSS 10.0). Local attackers can exploit the vulnerability without additional execution privileges or user interaction to gain elevated permissions on affected devices. Organizations and users running affected Android XR versions should apply security patches immediately; consult https://source.android.com/docs/security/bulletin/xr/2026/2026-06-01 for patch availability and additional details.

Vendor Advisory


[HIGH] anionex/banana-slides

1 CVE | CVSS 4.0: 8.7 | AAS 9.9

Anionex Banana Slides versions through 0.4.0 contain a path traversal vulnerability in the AI service backend’s generate_image() function that allows unauthenticated attackers to read arbitrary image files outside the intended uploads directory (CVE-2026-49136, CVSS 8.7). The vulnerability results from an incomplete path prefix check that uses os.path.startswith() without a trailing separator, allowing attackers to supply crafted markdown image references that resolve to sibling directories. Organizations running affected Banana Slides versions should update immediately and consult https://github.com/Anionex/banana-slides/commit/e8bc490ec8b4b657e07dc3ab4e94fbedcaade421 for patch details.

Vendor Advisory