20 vulnerabilities across 11 products scored HIGH or above on June 03, 2026.
- HIGH: 20
[HIGH] pip/jupyter_enterprise_gateway
3 CVEs | CVSS 3.1: 9.8 | AAS 11.4
Jupyter Enterprise Gateway contains three vulnerabilities including a critical YAML injection flaw in Kubernetes manifest rendering that allows attackers to manipulate environment variables and overwrite security controls. The CVSS 9.8 issue stems from unescaped environment variable interpolation, enabling injection of arbitrary Kubernetes resources in affected deployments. Organizations using Jupyter Enterprise Gateway in Kubernetes environments should immediately apply available patches and restrict access to environment variable configuration.
- CVE-2026-44182 (CVSS 3.1: 9.5)
- CVE-2026-44181 (CVSS 3.1: 9.5)
- CVE-2026-44180 (CVSS 3.1: 9.8)
[HIGH] apache_software_foundation/apache_mina
1 CVE | CVSS 3.1: 9.8 | AAS 9.7
Apache MINA contains a Java deserialization flaw in which an unoverridden resolveProxyClass() method allows attackers to bypass the acceptMatchers filter using specially crafted java.lang.reflect.Proxy objects during serialized stream processing. The CVSS 9.8 vulnerability affects Apache MINA installations processing untrusted serialized data and could enable remote code execution. Organizations deploying Apache MINA should immediately apply the security patch provided by the Apache Software Foundation.
- CVE-2026-47065 (CVSS 3.1: 9.8)
[HIGH] cisco/cisco_unified_communications_manager
1 CVE | CVSS 3.1: 8.6 | AAS 8.5
Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition contain a server-side request forgery vulnerability resulting from improper validation of HTTP requests. An unauthenticated, remote attacker can exploit this CVSS 8.6 flaw by sending crafted requests to affected devices. Organizations running these Cisco products should immediately apply the available security patch from Cisco.
- CVE-2026-20230 (CVSS 3.1: 8.6)
[HIGH] pip/docling-core
2 CVEs | CVSS 3.1: 8.6 | AAS 8.5
docling-core in versions 1.5.0 through 2.74.0 contains multiple vulnerabilities in remote request handling and Content-Disposition validation that could allow server-side request forgery attacks targeting local files outside the cache directory. The CVSS 8.6 flaws affect applications processing untrusted URLs and could enable access to sensitive files through unsafe filename normalization. Organizations using docling-core should immediately upgrade to version 2.74.1 or later to resolve these issues.
- CVE-2026-44023 (CVSS 3.1: 8.6)
- CVE-2026-44019 (CVSS 3.1: 8.1)
[HIGH] glpi-project/glpi
1 CVE | CVSS 4.0: 8.4 | AAS 8.5
GLPI in versions 10.0.4 through 10.0.24 contains a stored cross-site scripting vulnerability in the asset locked tab that allows a technician to inject arbitrary JavaScript code. The CVSS 8.4 flaw affects IT asset management deployments and could result in unauthorized actions or compromise of user sessions. Organizations running GLPI should immediately upgrade to version 10.0.25 or 11.0.7 to apply the available security patch.
- CVE-2026-42321 (CVSS 4.0: 8.4)
[HIGH] pip/docling
4 CVEs | CVSS 3.1: 8.2 | AAS 7.8
docling versions 2.82.0 through 2.91.0 contain multiple vulnerabilities in Playwright-based HTML rendering that allow JavaScript execution and unrestricted network access when processing untrusted documents. The CVSS 8.2 flaws affect applications with the HTML backend explicitly configured for rendering and could enable arbitrary code execution or server-side request forgery attacks. Organizations using docling should immediately upgrade to version 2.91.0 or later to apply the available security patches.
- CVE-2026-44016 (CVSS 3.1: 8.2)
- CVE-2026-44020 (CVSS 3.1: 7.5)
- CVE-2026-44017 (CVSS 3.1: 7.5)
- CVE-2026-47214 (CVSS 3.1: 7.1)
[HIGH] synology/synology_active_backup_for_business_recovery_media_creator
1 CVE | CVSS 3.1: 7.8 | AAS 7.7
Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081 contain an OpenSSL configuration vulnerability that allows local users to execute arbitrary code through untrusted control sphere functionality. The CVSS 7.8 flaw affects Synology backup deployments and could enable privilege escalation or system compromise. Organizations using this product should immediately upgrade to version 2.5.0-2081 or later to apply the security patch.
- CVE-2022-49036 (CVSS 3.1: 7.8)
[HIGH] synology/synology_hyper_backup_explorer
1 CVE | CVSS 3.1: 7.8 | AAS 7.7
Synology Hyper Backup Explorer versions prior to 3.0.1-0156 contain a MinGW DLL component vulnerability that allows local users to execute arbitrary code through untrusted control sphere functionality. The CVSS 7.8 flaw affects Synology backup deployments and could enable privilege escalation or system compromise. Organizations using this product should immediately upgrade to version 3.0.1-0156 or later to apply the security patch.
- CVE-2022-49042 (CVSS 3.1: 7.8)
[HIGH] abb/t-mac_plus
4 CVEs | CVSS 4.0: 7.3 | AAS 7.7
ABB T-MAC Plus version 4.0-24 contains multiple cross-site scripting vulnerabilities resulting from improper input neutralization during web page generation. The CVSS 7.3 flaws affect industrial organizations using this product and could enable attackers to inject malicious scripts that compromise user sessions or steal sensitive data. Organizations should immediately apply the available security patches from ABB.
- CVE-2025-14773 (CVSS 4.0: 7.2)
- CVE-2025-14771 (CVSS 4.0: 7.3)
- CVE-2025-14772 (CVSS 4.0: 7.3)
- CVE-2025-14774 (CVSS 4.0: 7.2)
[HIGH] freeipmi/freeipmi
1 CVE | CVSS 3.1: 7.5 | AAS 7.4
FreeIPMI before version 1.6.18 contains exploitable buffer overflow vulnerabilities in the ipmi-oem command that can be triggered when processing response messages from IPMI devices. The CVSS 7.5 flaw affects systems using FreeIPMI for platform management, sensor monitoring, and remote power control and could enable remote code execution. Organizations should immediately upgrade FreeIPMI to version 1.6.18 or later to apply the security fix.
- CVE-2026-50031 (CVSS 3.1: 7.5)
[HIGH] mbs/single-a
1 CVE | CVSS 4.0: 9.3 | AAS 7.2
MBS Single-A devices contain a hardcoded default password that can be extracted from firmware images, allowing unauthenticated remote attackers to gain complete access to affected systems. The CVSS 9.3 vulnerability affects organizations deploying Single-A devices and could enable unauthorized control or data access. Organizations should immediately change default credentials and apply available firmware updates from MBS.
- CVE-2026-35075 (CVSS 4.0: 9.3)