24 vulnerabilities across 15 products scored HIGH or above on June 04, 2026.
- CRITICAL: 4
- HIGH: 20
[CRITICAL] npm/axios
4 CVEs | CVSS 3.1: 8.0 | AAS 12.2
Axios library for npm contains four critical vulnerabilities with a maximum CVSS 3.1 score of 8.0, including multiple affecting the Node.js HTTP adapter that improperly forward Proxy-Authorization headers to redirected destinations in proxy-to-direct redirect scenarios. This could expose proxy credentials to unintended third parties and compromise security when using authenticated HTTP proxies. Organizations using Axios in Node.js should apply patches immediately and consult the vendor advisory at https://github.com/advisories/GHSA-p92q-9vqr-4j8v.
- CVE-2026-44487 (CVSS 3.1: 8.0)
- CVE-2026-44486 (CVSS 3.1: 7.5)
- CVE-2026-44496 (CVSS 3.1: 7.5)
- CVE-2026-44488 (CVSS 3.1: 7.5)
[HIGH] microsoft/microsoft_exchange_online
1 CVE | CVSS 3.1: 7.5 | AAS 10.8
Microsoft Exchange Online has an improper authorization vulnerability (CVE-2026-48579) with a CVSS 3.1 score of 7.5 that allows unauthorized attackers to disclose information over a network, with an active exploit available. Organizations using Exchange Online should immediately apply available patches from Microsoft to eliminate this exploitable risk. For patching details, refer to https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48579.
- CVE-2026-48579 (CVSS 3.1: 7.5)
[HIGH] openjsf/node_version_manager
1 CVE | CVSS 4.0: 7.5 | AAS 10.4
nvm (Node Version Manager) through version 0.40.4 contains a command injection vulnerability (CVE-2026-10796) with a CVSS 3.1 score of 7.5 that allows arbitrary command execution through unsanitized version strings from the configured Node.js mirror. Attackers with control over the mirror’s index.tab file can inject malicious commands that execute with user privileges during nvm install operations. Administrators and developers using nvm should update immediately and verify their configured mirrors; see https://github.com/nvm-sh/nvm/commit/6d870d182cd5333647ffa16c0d7dbcd817ec27a8 for details.
- CVE-2026-10796 (CVSS 4.0: 7.5)
[HIGH] microsoft/azure_horizondb
1 CVE | CVSS 3.1: 9.8 | AAS 9.9
Azure HorizonDB contains an authentication bypass vulnerability (CVE-2026-48567) with a CVSS 3.1 score of 9.8 that allows unauthorized attackers to spoof authentication and elevate privileges across the network, with an active exploit available. This critical vulnerability poses immediate risk to all Azure HorizonDB deployments and requires urgent patching. Organizations must apply patches from Microsoft immediately and audit access logs for signs of compromise; see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48567 for details.
- CVE-2026-48567 (CVSS 3.1: 9.8)
[HIGH] osnexus/quantastor
1 CVE | CVSS 3.1: 9.8 | AAS 9.7
OSNexus QuantaStor SDS Manager contains a SQL injection vulnerability (CVE-2026-10880) with a CVSS 3.1 score of 9.8 in the login endpoint that allows unauthenticated remote attackers to bypass authentication and gain administrator access without a valid password. An active exploit for this vulnerability is available, making it an immediate threat to all exposed QuantaStor deployments. Organizations running QuantaStor must apply vendor patches immediately, restrict access to the management interface, and review logs for unauthorized login attempts; refer to https://blog.blacklanternsecurity.com/p/cve-2026-10880-osnexus-quantastor for details.
- CVE-2026-10880 (CVSS 3.1: 9.8)
[HIGH] neterbit/nw-431f_router
4 CVEs | CVSS 3.1: 9.8 | AAS 9.7
Neterbit NW-431F Router versions 20241014-IR03 and earlier contain four vulnerabilities with a maximum CVSS 3.1 score of 9.8, including multiple in the network diagnosis module that fail to sanitize the IP address field, allowing OS command injection and remote code execution with web server privileges. Unauthenticated attackers can exploit this vulnerability to execute arbitrary commands on affected routers. Organizations using these routers must apply patches immediately, restrict access to the management interface, and review logs for exploitation attempts; refer to https://github.com/fun-beep/CVEs/tree/main/CVE-2025-67447 for details.
- CVE-2025-67447 (CVSS 3.1: 9.8)
- CVE-2025-67446 (CVSS 3.1: 9.8)
- CVE-2025-69755 (CVSS 3.1: 8.2)
- CVE-2025-67448 (CVSS 3.1: 7.1)
[HIGH] cisco/cisco_catalyst_sd-wan_manager
1 CVE | CVSS 3.1: 7.8 | AAS 9.6
Cisco Catalyst SD-WAN Manager contains a command injection vulnerability (CVE-2026-20245) with a CVSS 3.1 score of 7.8 that allows authenticated local attackers to execute arbitrary commands as root through a crafted file upload due to insufficient input validation. An active exploit is available for this vulnerability, presenting an immediate privilege escalation risk. Organizations using Cisco Catalyst SD-WAN Manager should apply patches immediately and implement strict file upload restrictions; see https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx for details.
- CVE-2026-20245 (CVSS 3.1: 7.8)
[HIGH] progress_software/loadmaster
1 CVE | CVSS 3.1: 9.6 | AAS 9.5
Progress Software LoadMaster contains a remote code execution vulnerability (CVE-2026-8037) with a CVSS 3.1 score of 9.6 in the API that allows unauthenticated attackers to execute arbitrary commands on the appliance by exploiting unsanitized input in multiple command endpoints. An active exploit is available, presenting an immediate critical risk to all exposed LoadMaster instances. Organizations using Progress LoadMaster must apply patches immediately, restrict API access to trusted networks only, and audit logs for exploitation attempts; see https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691 for details.
- CVE-2026-8037 (CVSS 3.1: 9.6)
[HIGH] pip/stata-mcp
1 CVE | CVSS 3.1: 9.5 | AAS 9.4
The stata-mcp package contains a command injection vulnerability (CVE-2026-47708) with a CVSS 3.1 score of 9.5 in the log_file_name parameter of the stata_do API and CLI, which is directly interpolated into Stata command strings without validation. Attackers can inject arbitrary Stata commands such as shell, python, or erase through a crafted log_file_name parameter, with an active exploit available. Organizations using stata-mcp must update immediately and audit systems for unauthorized command execution; see https://github.com/advisories/GHSA-4p62-hqp5-g644 for details.
- CVE-2026-47708 (CVSS 3.1: 9.5)
[HIGH] misp/misp
1 CVE | CVSS 4.0: 9.0 | AAS 9.3
MISP contains a mass assignment vulnerability (CVE-2026-10868) with a CVSS 3.1 score of 9.0 in the user edit functionality that allows authenticated attackers to modify unintended user accounts by supplying a crafted request with another user’s identifier due to insufficient field filtering. An attacker could potentially escalate privileges or compromise other user accounts depending on editable fields and their role. Organizations running MISP must apply patches immediately and audit user account modifications for unauthorized changes; see https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8 for details.
- CVE-2026-10868 (CVSS 4.0: 9.0)
[HIGH] seagull_software,_llc./bartender_2010
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability (CVE-2026-25550) with a CVSS 3.1 score of 9.3 in the .NET Remoting service on TCP port 7375, which registers unauthenticated singleton endpoints configured with unrestricted object deserialization. An attacker can exploit .NET Remoting deserialization to achieve arbitrary code execution, with an active exploit available. Organizations running BarTender must apply patches immediately, restrict access to port 7375, and monitor for exploitation attempts; see https://portal.seagullscientific.com/downloads/bartender for details.
- CVE-2026-25550 (CVSS 4.0: 9.3)
[HIGH] ad-manager-wd/ad_manager_wd
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
The WordPress plugin ad manager wd version 1.0.11 contains an arbitrary file download vulnerability (CVE-2019-25727) with a CVSS 3.1 score of 9.3 that allows unauthenticated attackers to read sensitive files by manipulating the path parameter in export requests. An attacker can download critical configuration files such as wp-config.php containing database credentials and sensitive information, with an active exploit available. Website administrators must update to a patched version immediately or remove the plugin, and audit for unauthorized file access; see https://web-dorado.com/products/wordpress-ad-manager-wd.html for details.
- CVE-2019-25727 (CVSS 4.0: 9.3)
[HIGH] framework-y/hybrid_composer
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
The WordPress plugin Hybrid Composer version 1.4.6 contains an unauthenticated settings modification vulnerability (CVE-2019-25738) with a CVSS 3.1 score of 9.3 in the hc_ajax_save_option action that allows attackers to modify WordPress options without authentication. An attacker can enable user registration and set the default role to administrator via POST requests to admin-ajax.php, enabling account takeover and site compromise, with an active exploit available. Website administrators must update to a patched version immediately, disable user registration if unnecessary, and audit user accounts for unauthorized entries; see http://wordpress.framework-y.com for details.
- CVE-2019-25738 (CVSS 4.0: 9.3)
[HIGH] simcy_creative/pdf_signer
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
PDF Signer version 3.0 contains a server-side template injection vulnerability (CVE-2019-25729) with a CVSS 3.1 score of 9.3 that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. An attacker can craft malicious cookies containing template injection payloads to execute system commands and retrieve sensitive information, with an active exploit available. Organizations using PDF Signer 3.0 must update immediately, implement strict input validation on cookies, and monitor for unauthorized command execution; see https://codecanyon.net/item/signer-create-digital-signatures-and-sign-pdf-documents-online/20737707 for details.
- CVE-2019-25729 (CVSS 4.0: 9.3)
[HIGH] froxlor/froxlor
4 CVEs | CVSS 3.1: 8.8 | AAS 8.7
Froxlor version 2.3.6 contains four vulnerabilities with a maximum CVSS 3.1 score of 8.8, including multiple in the SSH key synchronization path that fail to validate symlink targets when appending public keys to customer home directories. An attacker with shell access can exploit symlink-following flaws to inject SSH keys into arbitrary files and achieve privilege escalation, with an active exploit available. Organizations running Froxlor must update to version 2.3.7 or later immediately, restrict shell access, and audit SSH key files for unauthorized modifications; see https://github.com/froxlor/froxlor/releases/tag/2.3.7 for details.
- CVE-2026-41236 (CVSS 3.1: 8.8)
- CVE-2026-41237 (CVSS 4.0: 8.6)
- CVE-2026-41235 (CVSS 4.0: 8.6)
- CVE-2026-41234 (CVSS 3.1: 7.6)