Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21960
Total
1564
Critical
6679
High
7025
Medium
CVE ID Severity Score Description Published
CVE-2026-50560 UNKNOWN Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling … Jun 12, 2026
CVE-2026-50091 CRITICAL 9.1 Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded … Jun 12, 2026
CVE-2026-50090 CRITICAL 9.3 The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of … Jun 12, 2026
CVE-2026-50089 MEDIUM 6.1 The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of … Jun 12, 2026
CVE-2026-50088 HIGH 8.2 The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with … Jun 12, 2026
CVE-2026-50087 HIGH 8.2 The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has … Jun 12, 2026
CVE-2026-50086 CRITICAL 10.0 The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for … Jun 12, 2026
CVE-2026-50085 HIGH 8.6 The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of … Jun 12, 2026
CVE-2026-50084 CRITICAL 9.6 The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" … Jun 12, 2026
CVE-2026-50083 CRITICAL 9.1 The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an … Jun 12, 2026
CVE-2026-50082 MEDIUM 6.5 The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing … Jun 12, 2026
CVE-2026-50026 UNKNOWN Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to … Jun 12, 2026
CVE-2026-50020 MEDIUM 5.3 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` … Jun 12, 2026
CVE-2026-50011 HIGH 7.5 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity … Jun 12, 2026
CVE-2026-50010 HIGH 7.5 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any … Jun 12, 2026
CVE-2026-50009 MEDIUM 4.8 Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on … Jun 12, 2026
CVE-2026-48748 HIGH 7.5 Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 … Jun 12, 2026
CVE-2026-48059 UNKNOWN Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec … Jun 12, 2026
CVE-2026-48043 MEDIUM 5.3 Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates … Jun 12, 2026
CVE-2026-48006 UNKNOWN Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled … Jun 12, 2026
CVE-2026-47691 HIGH 8.7 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick … Jun 12, 2026
CVE-2026-47190 MEDIUM 4.4 IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD … Jun 12, 2026
CVE-2026-47182 UNKNOWN Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue … Jun 12, 2026
CVE-2026-46690 MEDIUM 5.8 unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At … Jun 12, 2026
CVE-2026-45833 UNKNOWN A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server … Jun 12, 2026