Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.


News
Thousands of Joomla websites contain actively exploited RCE flaw in JCE editor

Thousands of Joomla websites that use the Joomla Content Editor (JCE) contain a critical vulnerability that attackers are actively exploiting and that leaves sites completely ... Published Date: Jun 23, 2026. Vulnerability mentioned in this article: CVE-2026-48907

CVEfeed Newsroom, 23 Jun 2026
Vulnerability: High
CVE-2026-56784 - OpenRemote Manager - Cross-Tenant IDOR in Bulk Alarm Deletion

CVE ID: CVE-2026-56784
Published: June 23, 2026, 12:13 p.m.
Description: OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that the targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.
Severity: 8.3 | HIGH

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56762 - Hono - Missing Cookie Name Validation in setCookie()

CVE ID: CVE-2026-56762
Published: June 23, 2026, 12:13 p.m.
Description: Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.
Severity: 6.9 | MEDIUM

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56701 - Grav - XML External Entity Injection via SVG Upload

CVE ID: CVE-2026-56701
Published: June 23, 2026, 12:13 p.m.
Description: Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
Severity: 7.1 | HIGH

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56379 - ImageMagick - Command Injection via SVG Decoder

CVE ID: CVE-2026-56379
Published: June 23, 2026, 12:13 p.m.
Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Severity: 0.0 | NONE

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56371 - ImageMagick - Memory Leak in TXT File Processing via Texture Attribute

CVE ID: CVE-2026-56371
Published: June 23, 2026, 12:13 p.m.
Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
Severity: 0.0 | NONE

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56376 - ImageMagick - Heap Use-After-Free in Meta Coder

CVE ID: CVE-2026-56376
Published: June 23, 2026, 12:13 p.m.
Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when a memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by having specially crafted image files processed, causing a denial of service.
Severity: 6.3 | MEDIUM

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56322 - Capgo - Information Disclosure via Unauthenticated /updates defaultChannel Parameter

CVE ID: CVE-2026-56322
Published: June 23, 2026, 12:13 p.m.
Description: Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint, which resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers can probe private channel names and distinguish valid channels from nonexistent ones based on response differences, revealing assigned bundle versions and platform-specific configuration details.
Severity: 8.7 | HIGH

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56315 - picklescan - Remote Code Execution via Unblocked Standard Library Modules

CVE ID: CVE-2026-56315
Published: June 23, 2026, 12:13 p.m.
Description: picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib), exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.
Severity: 9.8 | CRITICAL

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56301 - Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux

CVE ID: CVE-2026-56301
Published: June 23, 2026, 12:13 p.m.
Description: Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect to it. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
Severity: 6.8 | MEDIUM

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56275 - Flowise - Server-Side Request Forgery via Execute Flow Base URL

CVE ID: CVE-2026-56275
Published: June 23, 2026, 12:13 p.m.
Description: Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts.
Severity: 6.0 | MEDIUM

CVEfeed CVE, 23 Jun 2026
Vulnerability: High
CVE-2026-56274 - Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess

CVE ID: CVE-2026-56274
Published: June 23, 2026, 12:13 p.m.
Description: Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host.
Severity: 9.9 | CRITICAL

CVEfeed CVE, 23 Jun 2026
