Daily curated vulnerability bulletins from ARETIQ AI. Each bulletin highlights the day’s most critical vulnerabilities, ranked by real-world risk — not just CVSS scores.
Ranked by AAS (ARETIQ Adjusted Score) — a real-world risk score that considers exploit maturity, deployment scale, asset criticality, and remediation status.
Subscribe via JSON feed.
No EMERGENCY vulnerabilities this month.
Daily Bulletins#
16 vulnerabilities across 8 products scored HIGH or above on June 08, 2026.
CRITICAL: 2 HIGH: 14 [CRITICAL] checkpoint/quantum_security_gateway 2 CVEs | CVSS 3.1: 9.3 | AAS 13.8
Checkpoint Quantum Security Gateway is affected by multiple critical vulnerabilities (CVE-2026-50751 and CVE-2026-50752, CVSS 9.3) that allow unauthenticated remote attackers to bypass user authentication and establish remote access VPN connections without valid credentials. The issue stems from logic flow weaknesses in certificate validation for Remote Access and Mobile Access via deprecated IKEv1 key exchange. Organizations running affected Quantum Security Gateway instances should immediately apply available patches per Checkpoint’s advisory at https://support.checkpoint.com/results/sk/sk185033 to mitigate exploitation risk.
...
1 vulnerabilities across 1 products scored HIGH or above on June 07, 2026.
[MODERATE] comodo/comodo_internet_security 1 CVE | CVSS 4.0: 8.7 | AAS 7.6
Comodo Internet Security’s firewall driver (Inspect.sys) contains an integer underflow vulnerability (CVE-2026-49494, CVSS 8.7) in its IPv6 packet parser that fails to validate payload lengths against extension header sizes. The flaw affects all users of Comodo Internet Security when processing IPv6 packets with malformed headers, though practical exploitation techniques have not yet been demonstrated. Organizations running Comodo Internet Security should review the vendor advisory at https://github.com/MalwareTech/ComoDoS and apply available patches.
...
8 vulnerabilities across 8 products scored HIGH or above on June 06, 2026.
[MODERATE] davidanderson/all-in-one_security_(aios)_–_security_and_firewall 1 CVE | CVSS 3.1: 7.2 | AAS 8.5
The All-In-One Security (AIOS) – Security and Firewall WordPress plugin versions through 5.4.7 are vulnerable to Stored Cross-Site Scripting (CVE-2026-8438, CVSS 7.2) due to insufficient input sanitization and missing output escaping in REST API and debug logging functions. The vulnerability is exploitable when both the REST API restriction and debug logging features are enabled. WordPress site administrators should update to a patched version immediately, or disable the affected debug logging feature if updates cannot be deployed promptly.
...
40 vulnerabilities across 15 products scored HIGH or above on June 05, 2026.
HIGH: 40 [HIGH] altium/altium_enterprise_server 7 CVEs | CVSS 4.0: 10.0 | AAS 11.9
Altium Enterprise Server is affected by seven path traversal vulnerabilities in the Network Installation Service (maximum CVSS 10.0) that allow unauthenticated network attackers to write arbitrary files to any writable location and read server package archives. Organizations using Altium Enterprise Server should apply available patches immediately, as exploitation can result in arbitrary file writes to web-accessible directories, overwriting of application binaries or configuration files, and potential remote code execution. Consult the vendor security advisory at https://www.altium.com/platform/security-compliance/security-advisories for patch details and remediation guidance.
...
24 vulnerabilities across 15 products scored HIGH or above on June 04, 2026.
CRITICAL: 4 HIGH: 20 [CRITICAL] npm/axios 4 CVEs | CVSS 3.1: 8.0 | AAS 12.2
Axios library for npm contains four critical vulnerabilities with a maximum CVSS 3.1 score of 8.0, including multiple affecting the Node.js HTTP adapter that improperly forward Proxy-Authorization headers to redirected destinations in proxy-to-direct redirect scenarios. This could expose proxy credentials to unintended third parties and compromise security when using authenticated HTTP proxies. Organizations using Axios in Node.js should apply patches immediately and consult the vendor advisory at https://github.com/advisories/GHSA-p92q-9vqr-4j8v.
...
20 vulnerabilities across 11 products scored HIGH or above on June 03, 2026.
HIGH: 20 [HIGH] pip/jupyter_enterprise_gateway 3 CVEs | CVSS 3.1: 9.8 | AAS 11.4
Jupyter Enterprise Gateway contains three vulnerabilities including a critical YAML injection flaw in Kubernetes manifest rendering that allows attackers to manipulate environment variables and overwrite security controls. The CVSS 9.8 issue stems from unescaped environment variable interpolation, enabling injection of arbitrary Kubernetes resources in affected deployments. Organizations using Jupyter Enterprise Gateway in Kubernetes environments should immediately apply available patches and restrict access to environment variable configuration.
...
23 vulnerabilities across 15 products scored HIGH or above on June 02, 2026.
CRITICAL: 1 HIGH: 22 [CRITICAL] themeum/kirki_–_freeform_page_builder,website_builder&_customizer 1 CVE | CVSS 3.1: 9.8 | AAS 12.2
The Kirki – Freeform Page Builder plugin for WordPress versions 6.0.0 through 6.0.6 contains a critical privilege escalation vulnerability (CVE-2026-8206, CVSS 9.8) that allows unauthenticated attackers to perform account takeover. The flaw enables attackers to send password reset links for any user account to an attacker-controlled email address by manipulating the email parameter in password reset requests. WordPress site administrators using affected versions should immediately update to the patched release and consider enforcing additional authentication controls such as multi-factor authentication.
...
25 vulnerabilities across 15 products scored HIGH or above on June 01, 2026.
EMERGENCY: 5 CRITICAL: 12 HIGH: 8 [EMERGENCY] npm/vitest 1 CVE | CVSS 3.1: 9.8 | AAS 16.7
npm Vitest is affected by a critical arbitrary file read vulnerability (CVE-2026-47429, CVSS 9.8) on Windows systems when the Vitest UI server is exposed to the network. The issue impacts users running Vitest UI or Browser Mode on Windows who have configured the UI server to be accessible over the network, potentially allowing attackers to read sensitive files. Security teams should update affected systems immediately and ensure the Vitest UI server is not exposed to untrusted networks; consult https://github.com/advisories/GHSA-5xrq-8626-4rwp for remediation details.
...
1 vulnerabilities across 1 products scored HIGH or above on May 31, 2026.
HIGH: 1 [HIGH] totolink/n300rh 1 CVE | CVSS 8.9 | AAS 7.8
Totolink has released advisories addressing CVE-2026-10187 in the N300RH router affecting version 6.1c.1353_B20190305 and potentially other versions. This high-severity vulnerability (CVSS 8.9) is a stack-based buffer overflow in the wireless configuration interface that can be exploited remotely through manipulation of the KeyStr parameter. Organizations deploying Totolink N300RH routers should prioritize applying available patches from the vendor immediately, as public exploit code exists for this vulnerability.
...
31 vulnerabilities across 15 products scored HIGH or above on May 30, 2026.
CRITICAL: 2 HIGH: 29 [CRITICAL] yhirose/cpp-httplib 2 CVEs | CVSS 9.9 | AAS 11.3
yhirose cpp-httplib versions prior to 0.44.0 contain multiple critical vulnerabilities with a maximum CVSS score of 9.9 affecting HTTP/HTTPS server request parsing. The library improperly applies percent-decoding to header values, allowing encoded carriage return and line feed sequences to bypass validation checks and be stored as literal bytes within headers, which can enable header injection attacks. Organizations using cpp-httplib should immediately update to version 0.44.0 or later.
...