17 vulnerabilities across 12 products scored HIGH or above on June 18, 2026.
- CRITICAL: 1
- HIGH: 16
[CRITICAL] getkirby/cms
4 CVEs | CVSS 3.1: 9.5 | AAS 12.3
cpe:2.3:a:getkirby:cms:*:*:*:*:*:*:*:*
Kirby CMS by getkirby is affected by four vulnerabilities, including at least one rated CRITICAL with a CVSS score of 9.5. The most severe issue allows remote attackers to complete Panel installation and create an admin account on sites that have no configured users and sit behind a reverse proxy setting certain forwarded-for headers. No public exploit code has been observed, but the ease of exploitation on affected configurations makes this a high-priority patch. Teams running Kirby CMS, particularly on publicly accessible servers behind reverse proxies, should review the vendor advisory at github.com/advisories/GHSA-whxw-24jc-cwmv and apply available updates immediately.
- CVE-2026-54003 (CVSS 3.1: 9.5)
- CVE-2026-54002 (CVSS 3.1: 8.0)
- CVE-2026-54005 (CVSS 3.1: 8.0)
- CVE-2026-49276 (CVSS 3.1: 8.0)
[HIGH] github.com/docker/mcp-gateway
1 CVE | CVSS 3.1: 8.0 | AAS 11.8
cpe:2.3:a:github.com:docker_mcp-gateway:*:*:*:*:*:*:*:*
Docker MCP Gateway is affected by a HIGH severity vulnerability with a CVSS score of 8.0 that allows an attacker who controls a malicious OCI image to inject arbitrary arguments into the docker run command line, potentially mounting the host filesystem, escalating to root, and achieving full host compromise. The flaw stems from unsafe YAML unmarshalling of the image metadata label, and exploitation is considered feasible in environments where users reference untrusted images via docker:// or pull from attacker-influenced catalogs. Teams using Docker MCP Gateway should review the vendor advisory at github.com/advisories/GHSA-r2xf-7jw5-pjg6 and update to a patched version immediately.
- CVE-2026-55887 (CVSS 3.1: 8.0)
[HIGH] haproxy/haproxy
2 CVEs | CVSS 4.0: 9.0 | AAS 11.3
cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* (< 3.4.1)
HAProxy versions through 3.4.0 are affected by two vulnerabilities, including at least one rated HIGH with a CVSS score of 9.0. The most severe issue involves an integer overflow in the FastCGI connection parser that allows a malicious FastCGI backend to desynchronize FCGI framing, potentially leading to response smuggling, request routing errors, or memory safety issues. Organizations running HAProxy with FastCGI backends should update beyond version 3.4.0 and review the vendor commit at github.com/haproxy/haproxy/commit/5985276 for patch details.
- CVE-2026-55203 (CVSS 4.0: 9.0)
- CVE-2026-55204 (CVSS 4.0: 8.7)
[HIGH] webmin/webmin
1 CVE | CVSS 4.0: 9.2 | AAS 11.2
cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* (< 2.641)
Webmin versions prior to 2.641 are affected by a HIGH severity vulnerability with a CVSS score of 9.2 that allows unauthenticated remote attackers to impersonate any user configured with an SSL client certificate by injecting a forged HTTP header into the Webmin HTTP server (miniserv.pl). This is an authentication bypass requiring no credentials, making it a serious risk for any Internet-exposed Webmin instance relying on certificate-based authentication. Administrators should upgrade to Webmin 2.641 or later immediately and review the release notes at github.com/webmin/webmin/releases/tag/2.641.
- CVE-2026-56020 (CVSS 4.0: 9.2)
[HIGH] ffmpeg/ffmpeg
1 CVE | CVSS 3.1: 8.8 | AAS 10.6
cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* (< 8.1.2)
FFmpeg versions prior to 8.1.2 are affected by a HIGH severity out-of-bounds write vulnerability in the MagicYUV decoder within libavcodec, carrying a CVSS score of 8.8. The flaw can be triggered by processing a crafted media file, leading to denial of service or potentially remote code execution, and exploitation is considered feasible. Any organization or product embedding FFmpeg for media processing should upgrade to version 8.1.2 or later and review the patch at code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23159.
- CVE-2026-8461 (CVSS 3.1: 8.8)
[HIGH] pip/jupyter-server
1 CVE | CVSS 3.1: 9.5 | AAS 10.6
cpe:2.3:a:pip:jupyter-server:*:*:*:*:*:*:*:*
Jupyter Server is affected by a HIGH severity stored cross-site scripting vulnerability with a CVSS score of 9.5 stemming from the nbconvert HTML handler rendering user-authored notebook content under the Jupyter origin without proper Content-Security-Policy sandboxing. An attacker who can place a malicious notebook on the server can achieve cookie theft, full Jupyter API access, and remote code execution via kernel commands when an authenticated user views the converted HTML output. Teams running Jupyter Server deployments should review the vendor advisory at github.com/advisories/GHSA-fcw5-x6j4-ccmp and apply the available patch as soon as possible.
- CVE-2026-44727 (CVSS 3.1: 9.5)
[HIGH] google/android
1 CVE | CVSS 4.0: 10.0 | AAS 9.4
cpe:2.3:a:google:android:*:*:*:*:*:*:*:*
Google Android versions 14 and 16 are affected by a HIGH severity vulnerability with a CVSS score of 10.0 involving a missing permission check in AndroidManifest.xml that enables persistent denial of service without requiring any user interaction or additional execution privileges. The flaw allows a local attacker to render the device unusable, and its presence in the Wear OS security bulletin indicates particular relevance for Android wearable deployments. Organizations managing Android device fleets should apply the June 2026 security update and review the bulletin at source.android.com/docs/security/bulletin/wear/2026/2026-06-01.
- CVE-2026-28573 (CVSS 4.0: 10.0)
[HIGH] google/mcp_toolbox_for_databases_(googleapis/mcp-toolbox)
2 CVEs | CVSS 4.0: 9.3 | AAS 9.2
cpe:2.3:a:google:mcp_toolbox_for_databases_googleapis_mcp-toolbox:*:*:*:*:*:*:*:* (< 0.7.0)
cpe:2.3:a:google:mcp_toolbox_for_databases_googleapis_mcp-toolbox:*:*:*:*:*:*:*:* (< 0.2.0)
Google MCP Toolbox for Databases (googleapis/mcp-toolbox) versions 1.3.0 and earlier are affected by two vulnerabilities, including at least one rated HIGH with a CVSS score of 9.3. The most severe issue is an authentication bypass in the opaque token validation path where missing issuer claims in OAuth 2.0 introspection responses cause claim-checking logic to be silently skipped, allowing attackers with any valid-looking token to bypass authentication entirely. Teams using MCP Toolbox for Databases should update beyond version 1.3.0 immediately and review the fix at github.com/googleapis/mcp-toolbox/pull/3360.
- CVE-2026-11718 (CVSS 4.0: 9.3)
- CVE-2026-11717 (CVSS 4.0: 9.3)
[HIGH] nur-alam39/bus-ticket
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
cpe:2.3:a:nur-alam39:bus-ticket:*:*:*:*:*:*:*:*
Nur-Alam39 bus-ticket, an open-source bus ticketing application with no formal releases, contains a HIGH severity unauthenticated SQL injection vulnerability in bus_info.php with a CVSS score of 9.3. The busid parameter is concatenated directly into a MySQL query without any sanitization or parameterization, allowing remote attackers to extract or manipulate the entire database using standard UNION-based or other injection techniques. Anyone running this application should immediately take it offline or implement input parameterization, as no official patch exists and the vulnerable code is present in the latest available commit.
- CVE-2026-55740 (CVSS 4.0: 9.3)
[HIGH] iba/ibapda
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
cpe:2.3:a:iba:ibapda:*:*:*:*:*:*:*:*
iba ibaPDA versions prior to 8.14.0 and ibaDatCoordinator versions prior to 4.0.7 are affected by a HIGH severity deserialization of untrusted data vulnerability with a CVSS score of 9.3 that allows a remote, unauthenticated attacker to gain full access to affected systems. These products are commonly deployed in industrial data acquisition and process monitoring environments, making this a significant risk for OT and ICS networks. Organizations running affected versions should upgrade ibaPDA to 8.14.0 and ibaDatCoordinator to 4.0.7 or later, and review the vendor advisory at iba.csaf-tp.certvde.com for additional mitigation guidance.
- CVE-2026-8024 (CVSS 4.0: 9.3)
[HIGH] claudiopizzillo/piaf-hms
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
cpe:2.3:a:claudiopizzillo:piaf-hms:*:*:*:*:*:*:*:*
PIAF-HMS (PBX-In-A-Flash Hotel Management System) by claudiopizzillo contains a HIGH severity set of unauthenticated SQL injection vulnerabilities with a CVSS score of 9.3, stemming from user-supplied HTTP parameters being concatenated directly into deprecated mysql_query() calls across multiple files including rooms.php. The application has no authentication mechanism whatsoever, meaning any remote attacker can freely inject arbitrary SQL to read, modify, or delete the entire database. Anyone running this software should take it offline immediately, as no official patch or versioned release exists, and the application’s fundamental lack of authentication and input handling makes it unsuitable for any network-accessible deployment.
- CVE-2026-54419 (CVSS 4.0: 9.3)
[HIGH] jtl_software/jtl_shop
1 CVE | CVSS 4.0: 9.3 | AAS 9.2
cpe:2.3:a:jtl_software:jtl_shop:*:*:*:*:*:*:*:* (>= 5.2.0)
JTL Shop versions 5.2.0 through 5.7.1 are affected by a HIGH severity server-side template injection vulnerability with a CVSS score of 9.3 that allows unauthenticated attackers to inject malicious Smarty template syntax via unsanitized user input, exposing database credentials and encryption keys. On versions 5.4.0 through 5.7.1, attackers can further leverage registered Smarty modifiers such as unserialize and file_get_contents to write webshells and achieve full remote code execution. Organizations running JTL Shop should update beyond version 5.7.1 immediately and review the detailed analysis at sansec.io/research/jtl-shop-ssti-rce for indicators of compromise.
- CVE-2026-54390 (CVSS 4.0: 9.3)