31 vulnerabilities across 15 products scored HIGH or above on June 12, 2026.

  • CRITICAL: 14
  • HIGH: 17

[CRITICAL] nezhahq/nezha

2 CVEs | CVSS 3.1: 9.9 | AAS 14.7

  • cpe:2.3:a:nezhahq:nezha:*:*:*:*:*:*:*:* (>= 1.4.0, < 2.0.8)
  • cpe:2.3:a:nezhahq:nezha:*:*:*:*:*:*:*:* (< 2.0.13)

Nezha monitoring software versions 1.4.0 through 2.0.7 contain two critical vulnerabilities (CVSS 9.9) allowing restricted users to execute arbitrary commands on all servers in the deployment, including systems they should not access. Exploit code is available. Organizations running Nezha should upgrade immediately to version 2.0.8 or later and review access controls for user roles.

Vendor Advisory


[CRITICAL] mtdowling/jmespath.php

1 CVE | CVSS 3.1: 9.8 | AAS 14.6

  • cpe:2.3:a:mtdowling:jmespath.php:*:*:*:*:*:*:*:* (< 2.9.1)

jmespath.php, a JMESPath library for PHP, contains a critical code injection vulnerability (CVSS 9.8) in versions prior to 2.9.1 that allows arbitrary PHP code execution when processing untrusted JMESPath expressions. Exploit code is available. Organizations and developers using jmespath.php should upgrade immediately to version 2.9.1 or later.

Vendor Advisory


[CRITICAL] patriksimek/vm2

7 CVEs | CVSS 3.1: 10.0 | AAS 13.3

  • cpe:2.3:a:patriksimek:vm2:*:*:*:*:*:*:*:* (< 3.11.4)

vm2, an open source sandbox for Node.js, contains multiple critical vulnerabilities (CVSS 10.0) in versions prior to 3.11.4 that allow attackers to escape the sandbox and execute arbitrary commands on the host system. These vulnerabilities are readily exploitable. Organizations using vm2 should upgrade immediately to version 3.11.4 or later.

Vendor Advisory


[CRITICAL] apostrophecms/sanitize-html

1 CVE | CVSS 3.1: 9.3 | AAS 12.6

  • cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:*:*:* (< 2.17.4)

sanitize-html, an HTML sanitizer for Node.js, contains a critical sanitizer bypass (CVSS 9.3) in versions prior to 2.17.4 that allows attackers to inject executable HTML and JavaScript through xmp elements, causing stored XSS attacks. This vulnerability is readily exploitable. Applications using sanitize-html should upgrade immediately to version 2.17.4 or later.

Vendor Advisory


[CRITICAL] parse-community/parse-server

3 CVEs | CVSS 4.0: 8.7 | AAS 12.1

  • cpe:2.3:a:parse-community:parse-server:*:*:*:*:*:*:*:* (< 8.6.77)
  • cpe:2.3:a:parse-community:parse-server:*:*:*:*:*:*:*:* (>= 9.8.0, < 9.9.1-alpha.3)
  • cpe:2.3:a:parse-community:parse-server:*:*:*:*:*:*:*:* (< 8.6.80)

Parse Server, an open source backend for Node.js, contains multiple critical vulnerabilities (CVSS 8.7) in versions prior to 8.6.77 and 9.9.1-alpha.1 that allow unauthenticated attackers to cause denial of service through adversarial HTTP requests, bypassing rate limiting protections. These vulnerabilities are readily exploitable. Organizations running Parse Server should upgrade immediately to version 8.6.77, 9.9.1-alpha.1, or later.

Vendor Advisory


[HIGH] nuxt/nuxt

1 CVE | CVSS 4.0: 8.8 | AAS 11.7

  • cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:* (>= 3.11.0, < 3.21.7)

Nuxt, an open-source web development framework for Vue.js, contains a vulnerability (CVSS 8.8) in versions 3.11.0 through 3.21.6 and 4.0.0 through 4.4.6 that allows route-rule middleware to be bypassed due to case-sensitivity mismatches in route matching. This vulnerability is readily exploitable. Applications using Nuxt should upgrade immediately to version 3.21.7 or 4.4.7, or later.

Vendor Advisory


[HIGH] netty/netty

6 CVEs | CVSS 4.0: 8.7 | AAS 11.6

  • cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* (< 4.1.135.Final)
  • cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* (< 4.2.15.Final)

Netty, a network application framework, contains multiple vulnerabilities (CVSS 8.7) in versions prior to 4.1.135.Final and 4.2.15.Final affecting the HAProxy PROXY protocol v2 codec that leak native and heap memory on every connection, allowing attackers to cause denial of service through resource exhaustion. These vulnerabilities are readily exploitable. Applications using Netty should upgrade immediately to version 4.1.135.Final, 4.2.15.Final, or later.

Vendor Advisory


[HIGH] simplehelp/simplehelp

1 CVE | CVSS 4.0: 9.5 | AAS 11.3

  • cpe:2.3:a:simplehelp:simplehelp:*:*:*:*:*:*:*:* (< 5.5.16)
  • cpe:2.3:a:simplehelp:simplehelp:*:*:*:*:*:*:*:* (>= 6.0.0-pre, < 6.0.0)

SimpleHelp versions 5.5.15 and earlier, including 6.0 pre-release, contain an authentication bypass vulnerability (CVSS 9.5) in the OIDC authentication flow that allows unauthenticated attackers to obtain fully authenticated technician sessions by forging identity tokens. This vulnerability is readily exploitable. Organizations using SimpleHelp with OIDC should apply available patches immediately.

Vendor Advisory


[HIGH] başbelen_group_food_cafe_businesses_industry_and_trade_ltd._co./pause+_mobile_app

1 CVE | CVSS 3.1: 9.8 | AAS 10.6

  • cpe:2.3:a:ba_belen_group_food_cafe_businesses_industry_and_trade_ltd._co.:pause_mobile_app:*:*:*:*:*:*:*:* (>= 1.0.6, < 1.5)

Pause+ Mobile App versions 1.0.6 through 1.4 contain an authentication bypass vulnerability (CVSS 9.8) due to improper restriction of authentication attempts, allowing attackers to gain unauthorized access through brute force attacks. This vulnerability is readily exploitable. Users of Pause+ Mobile App should upgrade immediately to version 1.5 or later.

Vendor Advisory


[HIGH] ubiquiti_inc/uid_enterprise_agent

1 CVE | CVSS 3.1: 9.9 | AAS 10.2

  • cpe:2.3:a:ubiquiti_inc:uid_enterprise_agent:*:*:*:*:*:*:*:*

Ubiquiti UID Enterprise Agent contains a command injection vulnerability (CVSS 9.9) that allows attackers with network access and low privileges to execute arbitrary commands on the host device through improper input validation. This vulnerability is readily exploitable. Organizations deploying UID Enterprise Agent should apply available patches from Ubiquiti immediately.

Vendor Advisory


[HIGH] webpros/wordpress-toolkit

1 CVE | CVSS 3.1: 9.9 | AAS 10.2

  • cpe:2.3:a:webpros:wordpress-toolkit:*:*:*:*:*:*:*:* (< 6.11.0)

WordPress Toolkit before version 6.11.0, as used in cPanel & WHM, contains an argument injection vulnerability (CVSS 9.9) that allows authenticated users to bypass cross-tenant authorization and execute arbitrary commands as other accounts. This vulnerability is readily exploitable. Organizations using WordPress Toolkit should upgrade immediately to version 6.11.0 or later.

Vendor Advisory


[HIGH] ubiquiti_inc/unifi_os_server

3 CVEs | CVSS 3.1: 9.9 | AAS 10.2

  • cpe:2.3:a:ubiquiti_inc:unifi_os_server:*:*:*:*:*:*:*:*

UniFi OS Server contains multiple command injection vulnerabilities (CVSS 9.9) that allow attackers with network access and low privileges to execute arbitrary commands on UniFi OS devices through improper input validation. These vulnerabilities are readily exploitable. Organizations deploying UniFi OS Server should apply available patches from Ubiquiti immediately.

Vendor Advisory


[HIGH] mattermost/mattermost

1 CVE | CVSS 3.1: 8.8 | AAS 10.1

  • cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Mattermost versions 11.6.1 and earlier, 11.5.4 and earlier, and 10.11.16 and earlier contain a privilege escalation vulnerability (CVSS 8.8) that allows users with group-link permissions to escalate themselves and group members to team or channel admin through improper authorization checks on group syncable endpoints. This vulnerability is readily exploitable. Organizations running affected Mattermost versions should upgrade immediately.

Vendor Advisory


[HIGH] apostrophecms/@apostrophecms/seo

1 CVE | CVSS 3.1: 8.7 | AAS 10.0

  • cpe:2.3:a:apostrophecms:apostrophecms_seo:*:*:*:*:*:*:*:* (< 1.4.3)

@apostrophecms/seo versions up to 1.4.2 contain a stored cross-site scripting vulnerability (CVSS 8.7) that allows content editors to inject arbitrary JavaScript through unvalidated Google Analytics and Tag Manager ID fields. This vulnerability is readily exploitable. Organizations deploying ApostropheCMS with the SEO package should upgrade immediately to the patched version.

Vendor Advisory


[HIGH] aqara/cloud_production_api

1 CVE | CVSS 3.1: 9.6 | AAS 9.9

  • cpe:2.3:a:aqara:cloud_production_api:*:*:*:*:*:*:*:*

The Aqara Cloud Production API contains an authorization bypass vulnerability (CVSS 9.6) that allows any authenticated developer token to access any account, regardless of authorization. This vulnerability is readily exploitable and can enable complete remote takeover of affected Aqara devices when combined with related flaws. Users and administrators of Aqara devices should apply available security updates immediately.

Vendor Advisory