22 vulnerabilities across 13 products scored HIGH or above on June 03, 2026.
- HIGH: 22
[HIGH] pip/jupyter_enterprise_gateway
3 CVEs | CVSS 3.1: 9.8 | AAS 11.4
Jupyter Enterprise Gateway contains multiple vulnerabilities including YAML injection flaws that allow attackers to manipulate Kubernetes manifests through unescaped environment variables, with a maximum CVSS 3.1 score of 9.8. Organizations deploying this gateway in Kubernetes environments face risk of security context bypass and unauthorized resource creation. Immediate patching is advised; consult the vendor advisory at https://github.com/advisories/GHSA-cfw7-6c5v-2wjq for remediation guidance.
- CVE-2026-44182 (CVSS 3.1: 9.5)
- CVE-2026-44181 (CVSS 3.1: 9.5)
- CVE-2026-44180 (CVSS 3.1: 9.8)
[HIGH] apache_software_foundation/apache_mina
1 CVE | CVSS 3.1: 9.8 | AAS 9.7
Apache MINA is affected by CVE-2026-47065, a vulnerability that allows attackers to bypass the acceptMatchers filter through improper handling of Java serialized proxy objects, with a CVSS 3.1 score of 9.8. Applications using MINA for network communication are at risk from malicious serialized streams that can circumvent security restrictions. Updates are available from the Apache Software Foundation; see https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj for patching details.
- CVE-2026-47065 (CVSS 3.1: 9.8)
[HIGH] glpi-project/glpi
1 CVE | CVSS 4.0: 8.4 | AAS 8.5
GLPI asset and IT management software versions 10.0.4 through 10.0.24 contain a stored cross-site scripting vulnerability in the asset locked tab that allows technicians to inject malicious payloads, with a CVSS 4.0 score of 8.4. Organizations deploying GLPI for asset management should upgrade to version 10.0.25 or 11.0.7 to eliminate the vulnerability. Refer to https://github.com/glpi-project/glpi/security/advisories/GHSA-hwjc-8228-55x4 for patch availability and deployment guidance.
- CVE-2026-42321 (CVSS 4.0: 8.4)
[HIGH] cisco/cisco_unified_communications_manager
1 CVE | CVSS 3.1: 8.6 | AAS 8.5
Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition contain a server-side request forgery vulnerability that allows unauthenticated remote attackers to conduct SSRF attacks through improper HTTP request validation, with a CVSS 3.1 score of 8.6. Organizations running these unified communications systems are at risk of internal network reconnaissance and exploitation of backend services. Patching is available from Cisco; consult https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW for remediation details.
- CVE-2026-20230 (CVSS 3.1: 8.6)
[HIGH] pip/docling-core
2 CVEs | CVSS 3.1: 8.6 | AAS 8.5
The docling-core document processing library versions 1.5.0 through 2.74.0 contain multiple vulnerabilities including server-side request forgery flaws that allow attackers to access arbitrary local files outside the configured cache directory by exploiting unsafe Content-Disposition header handling, with a CVSS 3.1 score of 8.6. Applications that accept untrusted URLs when processing documents are at risk of unauthorized file access and information disclosure. Upgrade to version 2.74.1 or later; refer to https://github.com/advisories/GHSA-jmmv-h3mp-59v8 for patching details.
- CVE-2026-44023 (CVSS 3.1: 8.6)
- CVE-2026-44019 (CVSS 3.1: 8.1)
[HIGH] crmeb/crmeb_java
1 CVE | CVSS 4.0: 6.9 | AAS 8.2
CRMEB Java version 1.4 contains a server-side request forgery vulnerability in the RestTemplate.getForEntity component of the base64 QR code endpoint that allows remote attackers to manipulate the URL parameter and conduct SSRF attacks, with a CVSS 4.0 score of 6.9. Organizations deploying CRMEB Java for customer relationship management are at risk of information disclosure and internal network reconnaissance through crafted requests. A patch is not yet available as the vendor has not responded to the disclosure; monitor https://vuldb.com/vuln/368137 for updates.
- CVE-2026-10771 (CVSS 4.0: 6.9)
[HIGH] pip/docling
4 CVEs | CVSS 3.1: 8.2 | AAS 7.8
The docling document processing library versions 2.82.0 through 2.90.x contain multiple vulnerabilities including JavaScript execution and unrestricted network access flaws in the Playwright-based HTML rendering backend that allow attackers to execute arbitrary code and conduct SSRF attacks when processing untrusted HTML documents, with a CVSS 3.1 score of 8.2. Organizations processing untrusted HTML content with the rendering feature enabled face risk of code execution, data exfiltration, and internal network reconnaissance. Upgrade to version 2.91.0 or later; refer to https://github.com/advisories/GHSA-pj2v-ggqh-cmq2 for patching guidance.
- CVE-2026-44016 (CVSS 3.1: 8.2)
- CVE-2026-44020 (CVSS 3.1: 7.5)
- CVE-2026-44017 (CVSS 3.1: 7.5)
- CVE-2026-47214 (CVSS 3.1: 7.1)
[HIGH] abb/t-mac_plus
4 CVEs | CVSS 4.0: 7.3 | AAS 7.7
ABB T-MAC Plus version 4.0-24 contains multiple vulnerabilities including cross-site scripting flaws that result from improper input neutralization during web page generation, allowing attackers to inject malicious scripts that execute in user browsers, with a CVSS 4.0 score of 7.3. Organizations deploying T-MAC Plus for asset and maintenance management face risk of session hijacking, credential theft, and administrative account compromise. Patching is available from ABB; consult https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A7840&LanguageCode=en&DocumentPartId=&Action=Launch for update and remediation details.
- CVE-2025-14773 (CVSS 4.0: 7.2)
- CVE-2025-14771 (CVSS 4.0: 7.3)
- CVE-2025-14772 (CVSS 4.0: 7.3)
- CVE-2025-14774 (CVSS 4.0: 7.2)
[HIGH] synology/synology_hyper_backup_explorer
1 CVE | CVSS 3.1: 7.8 | AAS 7.7
Synology Hyper Backup Explorer versions prior to 3.0.1-0156 contain a privilege escalation vulnerability in the MinGW DLL component that allows local users to execute arbitrary code through inclusion of functionality from untrusted control sources, with a CVSS 3.1 score of 7.8. Users with local system access who have installed Hyper Backup Explorer face risk of privilege escalation and full system compromise. Upgrade to version 3.0.1-0156 or later; refer to https://www.synology.com/en-global/releaseNote/HyperBackupExplorer for patch availability.
- CVE-2022-49042 (CVSS 3.1: 7.8)
[HIGH] synology/synology_active_backup_for_business_recovery_media_creator
1 CVE | CVSS 3.1: 7.8 | AAS 7.7
Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081 contain a privilege escalation vulnerability in the OpenSSL configuration that allows local users to execute arbitrary code through inclusion of functionality from untrusted control sources, with a CVSS 3.1 score of 7.8. Administrators and users with local system access to Recovery Media Creator face risk of privilege escalation and full system compromise. Upgrade to version 2.5.0-2081 or later; refer to https://www.synology.com/en-global/releaseNote/ActiveBackupRecoveryMediaCreator for patch availability.
- CVE-2022-49036 (CVSS 3.1: 7.8)
[HIGH] froxlor/froxlor
1 CVE | CVSS 3.1: 7.6 | AAS 7.5
Froxlor hosting control panel’s DomainZones.add API endpoint fails to sanitize newline characters in TXT record content, allowing authenticated customers with DNS editing privileges to inject arbitrary BIND directives and DNS records into zone files by breaking out of the record line, with a CVSS 3.1 score of 7.6. Hosting providers and organizations using Froxlor for DNS management face risk of unauthorized DNS record injection, zone file manipulation, and potential DNS poisoning attacks. Apply available patches; refer to https://github.com/advisories/GHSA-37m5-m4q3-fc6x for remediation guidance.
- CVE-2026-41234 (CVSS 3.1: 7.6)
[HIGH] freeipmi/freeipmi
1 CVE | CVSS 3.1: 7.5 | AAS 7.4
FreeIPMI before version 1.6.18 contains exploitable buffer overflow vulnerabilities in the ipmi-oem command that allow remote attackers to crash the application or execute arbitrary code through malformed IPMI response messages, with a CVSS 3.1 score of 7.5. Organizations using FreeIPMI for Intelligent Platform Management Interface operations including sensor reading and remote power control face risk of denial of service and potential code execution. Upgrade to version 1.6.18 or later; refer to https://lists.gnu.org/archive/html/info-gnu/2026-06/msg00000.html for patch details.
- CVE-2026-50031 (CVSS 3.1: 7.5)
[HIGH] mbs/single-a
1 CVE | CVSS 4.0: 9.3 | AAS 7.2
MBS Single-A devices are affected by a default hardcoded password vulnerability that allows unauthenticated remote attackers to extract credentials from firmware images and gain complete administrative access to affected devices, with a CVSS 4.0 score of 9.3. Organizations deploying Single-A devices for network management and access control face risk of unauthorized administrative access and complete system compromise. Apply available patches from MBS; refer to https://www.certvde.com/en/advisories/VDE-2026-039/ for remediation guidance.
- CVE-2026-35075 (CVSS 4.0: 9.3)