| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-47140🧪 | vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution | patriksimek | vm2 | Critical | 10.0 | 2026-06-12 14:16:11 | Deep Dive |
| CVE-2026-45673 | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port | netty | netty | Medium | 6.8 | 2026-06-12 14:16:04 | Deep Dive |
| CVE-2026-47139🧪 | vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server | patriksimek | vm2 | High | 8.6 | 2026-06-12 14:15:45 | Deep Dive |
| CVE-2026-47137🧪 | vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE | patriksimek | vm2 | Critical | 10.0 | 2026-06-12 14:15:35 | Deep Dive |
| CVE-2026-47135🧪 | vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks | patriksimek | vm2 | High | 8.7 | 2026-06-12 14:14:42 | Deep Dive |
| CVE-2026-47131🧪 | vm2: Sandbox Escape | patriksimek | vm2 | Critical | 10.0 | 2026-06-12 14:14:17 | Deep Dive |
| CVE-2026-47209🧪 | vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain | patriksimek | vm2 | High | 8.6 | 2026-06-12 14:14:06 | Deep Dive |
| CVE-2026-45536 | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once | netty | netty | Medium | 4.0 | 2026-06-12 14:12:48 | Deep Dive |
| CVE-2026-8694 | Improper access control on the API documentation endpoint in PowerShell Universal | Devolutions | PowerShell Universal | Medium | - | 2026-06-12 14:11:33 | Deep Dive |
| CVE-2026-6211 | Arbitrary File Upload in Global IT's WEOLL | Global IT Informatics Services Inc. | WEOLL | High | 8.7 | 2026-06-12 14:10:15 | Deep Dive |
| CVE-2026-45416🧪 | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes | netty | netty | High | 7.5 | 2026-06-12 14:10:06 | Deep Dive |
| CVE-2026-44894🧪 | Netty's Default QUIC token handler accepts any client-supplied token | netty | netty | High | 7.5 | 2026-06-12 14:06:54 | Deep Dive |
| CVE-2026-10557 | Yarbo Android/iOS Mobile Application and Cloud Infrastructure Use of Hard-coded Credentials | Yarbo | Yarbo Android/IOS mobile application | Critical | 9.8 | 2026-06-12 14:05:35 | Deep Dive |
| CVE-2026-7368 | Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization | Yarbo | Yarbo Android/IOS mobile application | High | 8.1 | 2026-06-12 14:01:11 | Deep Dive |
| CVE-2026-44893🧪 | Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length | netty | netty | High | 7.5 | 2026-06-12 14:00:26 | Deep Dive |
| CVE-2026-54133🧪 | jmespath.php has CompilerRuntime code injection via unescaped function names | jmespath | jmespath.php | Critical | 9.8 | 2026-06-12 13:56:38 | Deep Dive |
| CVE-2026-53787 | Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload | Amasty | Order Attributes for Magento 2 | Critical | 9.8 | 2026-06-12 13:52:17 | Deep Dive |
| CVE-2026-6853 | OTP Bypass in Başbelen Group's Pause+ Mobile App | Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. | Pause+ Mobile App | Critical | 9.8 | 2026-06-12 13:50:33 | Deep Dive |
| CVE-2026-53722 | Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL | nuxt | nuxt | Medium | - | 2026-06-12 13:44:15 | Deep Dive |
| CVE-2026-53721 | Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher | nuxt | nuxt | High | - | 2026-06-12 13:41:34 | Deep Dive |