Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21960
Total
1564
Critical
6679
High
7025
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-50560 | UNKNOWN | — | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling … | Jun 12, 2026 |
| CVE-2026-50091 | CRITICAL | 9.1 | Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded … | Jun 12, 2026 |
| CVE-2026-50090 | CRITICAL | 9.3 | The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of … | Jun 12, 2026 |
| CVE-2026-50089 | MEDIUM | 6.1 | The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of … | Jun 12, 2026 |
| CVE-2026-50088 | HIGH | 8.2 | The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with … | Jun 12, 2026 |
| CVE-2026-50087 | HIGH | 8.2 | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has … | Jun 12, 2026 |
| CVE-2026-50086 | CRITICAL | 10.0 | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for … | Jun 12, 2026 |
| CVE-2026-50085 | HIGH | 8.6 | The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of … | Jun 12, 2026 |
| CVE-2026-50084 | CRITICAL | 9.6 | The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" … | Jun 12, 2026 |
| CVE-2026-50083 | CRITICAL | 9.1 | The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an … | Jun 12, 2026 |
| CVE-2026-50082 | MEDIUM | 6.5 | The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing … | Jun 12, 2026 |
| CVE-2026-50026 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to … | Jun 12, 2026 |
| CVE-2026-50020 | MEDIUM | 5.3 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` … | Jun 12, 2026 |
| CVE-2026-50011 | HIGH | 7.5 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity … | Jun 12, 2026 |
| CVE-2026-50010 | HIGH | 7.5 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any … | Jun 12, 2026 |
| CVE-2026-50009 | MEDIUM | 4.8 | Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on … | Jun 12, 2026 |
| CVE-2026-48748 | HIGH | 7.5 | Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 … | Jun 12, 2026 |
| CVE-2026-48059 | UNKNOWN | — | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec … | Jun 12, 2026 |
| CVE-2026-48043 | MEDIUM | 5.3 | Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates … | Jun 12, 2026 |
| CVE-2026-48006 | UNKNOWN | — | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled … | Jun 12, 2026 |
| CVE-2026-47691 | HIGH | 8.7 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick … | Jun 12, 2026 |
| CVE-2026-47190 | MEDIUM | 4.4 | IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD … | Jun 12, 2026 |
| CVE-2026-47182 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue … | Jun 12, 2026 |
| CVE-2026-46690 | MEDIUM | 5.8 | unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At … | Jun 12, 2026 |
| CVE-2026-45833 | UNKNOWN | — | A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server … | Jun 12, 2026 |