22 vulnerabilities across 15 products scored HIGH or above on June 11, 2026.
- EMERGENCY: 1
- CRITICAL: 2
- HIGH: 19
[EMERGENCY] oracle/peoplesoft_enterprise_peopletools
1 CVE | CVSS 3.1: 9.8 | AAS 17.1
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*
Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 are affected by CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in the Updates Environment Management component that allows attackers to fully compromise affected systems via HTTP. With a CVSS score of 9.8 and active exploitation occurring in the wild, organizations running these versions should immediately apply patches from Oracle’s security advisory. This vulnerability poses an emergency-level risk to any organization using the affected PeopleSoft versions and should be prioritized for immediate remediation.
- CVE-2026-35273 (CVSS 3.1: 9.8)
[CRITICAL] mariadb/mariadb
1 CVE | CVSS 3.1: 10.0 | AAS 12.8
cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*(>= 10.6.1, < 10.6.27)
MariaDB versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 are affected by CVE-2026-49261, a critical shell command injection vulnerability in the wsrep_notify_cmd feature that allows remote code execution when this feature is enabled. With a CVSS score of 10.0 and the vulnerability being exploitable, organizations using these versions should upgrade immediately to the patched releases (10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2) or disable wsrep_notify_cmd as a temporary workaround. This vulnerability affects any MariaDB installation with wsrep_notify_cmd enabled and represents a critical risk requiring immediate action.
- CVE-2026-49261 (CVSS 3.1: 10.0)
[CRITICAL] flux159/mcp-server-kubernetes
1 CVE | CVSS 3.1: 8.8 | AAS 12.1
cpe:2.3:a:flux159:mcp-server-kubernetes:*:*:*:*:*:*:*:*(< 3.6.0)
mcp-server-kubernetes versions prior to 3.6.0 are affected by CVE-2026-46519, a critical access control bypass vulnerability where environment variable restrictions (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) are only enforced at the tool discovery layer but not at the execution layer. This allows any client that knows a tool name to invoke restricted Kubernetes operations, completely bypassing the documented access controls. Organizations using mcp-server-kubernetes should upgrade to version 3.6.0 or later immediately, as this CVSS 8.8 vulnerability is exploitable and poses a critical risk to Kubernetes cluster security.
- CVE-2026-46519 (CVSS 3.1: 8.8)
[HIGH] axios/axios
5 CVEs | CVSS 3.1: 8.6 | AAS 11.9
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*(< 0.32.0)
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*(>= 1.0.0, < 1.16.0)
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*(>= 1.7.0, < 1.16.0)
Axios HTTP client versions prior to 0.32.0 and versions prior to 1.16.0 are affected by five vulnerabilities, several of which bypass IPv4-mapped IPv6 address normalization in NO_PROXY rules, allowing attackers to route requests through configured proxies even when internal IPv4 addresses are explicitly listed for bypass. With a CVSS score of 8.6 and the vulnerabilities being exploitable, attackers can access internal services that should be protected by proxy configurations. Organizations using Axios should upgrade immediately to version 0.32.0 or 1.16.0 or later, particularly those relying on NO_PROXY for network security boundaries.
- CVE-2026-44492 (CVSS 3.1: 8.6)
- CVE-2026-44496 (CVSS 3.1: 7.5)
- CVE-2026-44487 (CVSS 4.0: 8.2)
- CVE-2026-44488 (CVSS 3.1: 7.5)
- CVE-2026-44486 (CVSS 3.1: 7.5)
[HIGH] soagen_informatics_technologies_software_and_consulting_inc./apinizer
1 CVE | CVSS 3.1: 9.8 | AAS 11.1
cpe:2.3:a:soagen_informatics_technologies_software_and_consulting:apinizer:*:*:*:*:*:*:*:*(>= 2026.04.0, < 2026.04.6)
Soagen Informatics Technologies’ Apinizer versions 2026.04.0 through 2026.04.5 are affected by CVE-2026-11561, an expression language injection vulnerability that allows attackers to inject and execute arbitrary code through improper neutralization of special elements in expression language statements. With a CVSS score of 9.8 and the vulnerability being exploitable, this permits remote code execution on affected Apinizer instances. Organizations using Apinizer should upgrade immediately to version 2026.04.6 or later to remediate this critical vulnerability.
- CVE-2026-11561 (CVSS 3.1: 9.8)
[HIGH] limatek_system_inc./limrad_nac
1 CVE | CVSS 3.1: 9.8 | AAS 11.1
cpe:2.3:a:limatek_system:limrad_nac:*:*:*:*:*:*:*:*(< 5.5.7.3.9)
Limatek System Inc.’s LimRAD NAC versions before 5.5.7.3.9 are affected by CVE-2026-7852, an unrestricted file upload vulnerability that allows attackers to upload files with dangerous types and achieve remote code inclusion on affected systems. With a CVSS score of 9.8 and the vulnerability being exploitable, this permits remote code execution without authentication. Organizations using LimRAD NAC should upgrade immediately to version 5.5.7.3.9 or later to remediate this critical vulnerability.
- CVE-2026-7852 (CVSS 3.1: 9.8)
[HIGH] gitlab/gitlab
3 CVEs | CVSS 3.1: 8.7 | AAS 11.0
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*(>= 17.1, < 18.10.8)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*(>= 15.5.0, < 18.10.8)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*(>= 15.5.0, < 18.10.8)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*(>= 18.11.0, < 18.11.5)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*(>= 18.11.0, < 18.11.5)
GitLab EE versions 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 are affected by three vulnerabilities, several of which allow authenticated developers to execute arbitrary client-side code on behalf of other users through improper input sanitization in the Analytics Dashboard. With a CVSS score of 8.7 and the vulnerabilities being exploitable, attackers with developer-role permissions can conduct account hijacking and credential theft attacks. Organizations using affected GitLab EE versions should upgrade immediately to 18.10.8, 18.11.5, or 19.0.2 or later.
- CVE-2026-10087 (CVSS 3.1: 8.7)
- CVE-2026-6552 (CVSS 3.1: 8.7)
- CVE-2026-7250 (CVSS 3.1: 7.5)
[HIGH] nesquena/hermes-webui
1 CVE | CVSS 4.0: 9.2 | AAS 10.5
cpe:2.3:a:nesquena:hermes-webui:*:*:*:*:*:*:*:*(< 0.51.358)
Hermes WebUI versions before 0.51.358 are affected by CVE-2026-49973, an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting arbitrary password hashes to the settings API endpoint without network origin restrictions. With a CVSS score of 9.2 and the vulnerability being exploitable, attackers on any reachable network can lock out the legitimate operator and gain administrative access during the first-run setup window. Organizations deploying Hermes WebUI should upgrade immediately to version 0.51.358 or later before completing initial setup, or restrict network access to the settings endpoint.
- CVE-2026-49973 (CVSS 4.0: 9.2)
[HIGH] pip/meta-ads-mcp
1 CVE | CVSS 3.1: 9.1 | AAS 10.4
cpe:2.3:a:pip:meta-ads-mcp:*:*:*:*:*:*:*:*
Meta Ads MCP versions 1.0.101 and earlier are affected by CVE-2026-48039, an improper authentication vulnerability that allows unauthenticated remote attackers to execute arbitrary MCP tools via HTTP and obtain operator Meta access tokens without any credentials. With a CVSS score of 9.1 and the vulnerability being exploitable, attackers can gain full access to Meta advertising account credentials and perform unauthorized actions on behalf of the operator. Organizations using Meta Ads MCP should upgrade immediately to a patched version and restrict network access to the tool, as this vulnerability poses a critical risk to Meta account security.
- CVE-2026-48039 (CVSS 3.1: 9.1)
[HIGH] başarsoft_information_technologies_inc./rotaban
1 CVE | CVSS 3.1: 9.9 | AAS 10.2
cpe:2.3:a:ba_arsoft_information_technologies:rotaban:*:*:*:*:*:*:*:*(>= V2026.06.002, < V2026.06.003)
Başarsoft Information Technologies’ Rotaban version V2026.06.002 is affected by CVE-2026-11839, an unrestricted file upload vulnerability that allows attackers to upload web shells to the web server and achieve remote code execution. With a CVSS score of 9.9 and the vulnerability being exploitable, this permits complete compromise of affected Rotaban instances. Organizations using Rotaban should upgrade immediately to version V2026.06.003 or later to remediate this critical vulnerability.
- CVE-2026-11839 (CVSS 3.1: 9.9)
[HIGH] spring/spring_web_services
2 CVEs | CVSS 3.1: 8.6 | AAS 9.9
cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*(>= 5.0.0, < 5.0.2)
cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*(>= 4.1.0, < 4.1.4)
cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*(>= 4.0.0, < 4.0.19)
cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*(>= 3.1.0, < 3.1.9)
cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*(>= 3.1.0, < 4.0.0)
Spring Web Services versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8 are affected by two vulnerabilities, both of which allow server-side request forgery through improper validation of WS-Addressing ReplyTo and FaultTo addresses. With a CVSS score of 8.6 and the vulnerabilities being exploitable, attackers can trick Spring WS instances into initiating outbound connections to arbitrary destinations by injecting malicious addresses in request headers. Organizations using affected Spring Web Services versions should upgrade immediately to patched releases: 5.0.2 or later, 4.1.4 or later, 4.0.19 or later, or 3.1.9 or later.
- CVE-2026-40999 (CVSS 3.1: 8.6)
- CVE-2026-40998 (CVSS 3.1: 8.2)
[HIGH] wbw_plugins/product_filter_by_wbw
1 CVE | CVSS 3.1: 9.3 | AAS 9.6
cpe:2.3:a:wbw_plugins:product_filter_by_wbw:*:*:*:*:*:*:*:*(< 3.1.3)
WBW Plugins’ Product Filter by WBW WordPress plugin version 3.1.2 and earlier is affected by CVE-2026-39494, a blind SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database. With a CVSS score of 9.3 and the vulnerability being exploitable, attackers can extract sensitive data including user credentials and confidential information. WordPress site administrators using this plugin should upgrade immediately to the latest patched version, or disable and remove the plugin until a fix is available.
- CVE-2026-39494 (CVSS 3.1: 9.3)
[HIGH] perryts/perry
1 CVE | CVSS 4.0: 8.6 | AAS 9.5
cpe:2.3:a:perryts:perry:*:*:*:*:*:*:*:*(< 0.5.1159)
Perry versions before 0.5.1159 are affected by CVE-2026-53777, a path traversal vulnerability that allows malicious build servers to write arbitrary files to any location writable by the Perry process through unsanitized path components in WebSocket messages. With a CVSS score of 8.6 and the vulnerability being exploitable, attackers controlling the server URL can overwrite sensitive files, corrupt system configurations, or expose arbitrary local files. Organizations using Perry should upgrade immediately to version 0.5.1159 or later and ensure the build server is from a trusted source.
- CVE-2026-53777 (CVSS 4.0: 8.6)
[HIGH] cyberark_software,a_palo_alto_networks_company/conjur_cloud(edge_finding_only)
1 CVE | CVSS 4.0: 9.1 | AAS 9.4
cpe:2.3:a:cyberark_software:conjur_cloud_edge_finding_only:*:*:*:*:*:*:*:*(< 1.8)
CyberArk Idira Secrets Manager SaaS Edge versions prior to 1.8 are affected by CVE-2026-45177, an improper access control vulnerability in internal authentication components that allows unauthenticated attackers to manipulate identity verification mechanisms and obtain unauthorized access tokens. With a CVSS score of 9.1 and the vulnerability being exploitable, attackers can gain unauthorized access to secrets management infrastructure without legitimate credentials. Organizations using Conjur Cloud Edge should upgrade immediately to version 1.8 or later to remediate this critical vulnerability.
- CVE-2026-45177 (CVSS 4.0: 9.1)
[HIGH] sonatype/nexus_repository_manager
1 CVE | CVSS 4.0: 8.7 | AAS 9.1
cpe:2.3:a:sonatype:nexus_repository_manager:*:*:*:*:*:*:*:*
Sonatype Nexus Repository Manager is affected by CVE-2026-3329, a credential-guessing vulnerability that allows unauthenticated remote attackers to conduct brute-force attacks against user accounts through the authentication endpoints. With a CVSS score of 8.7, this vulnerability could lead to unauthorized account access if weak passwords are in use. Organizations running Nexus Repository Manager should apply the latest security patches from Sonatype and implement rate limiting or account lockout policies on authentication endpoints to mitigate brute-force attacks.
- CVE-2026-3329 (CVSS 4.0: 8.7)