News & Sicurezza

CISA’s KEV Wave: Ubiquiti, Lantronix, and Cisco Unified CM Join the List CISA’s Known Exploited Vulnerabilities catalog has had a busy several days. On June 23, 2026, three perfect-10 Ubiquiti UniFi OS flaws and a 9.8 root-access Lantronix bug landed in KEV together, with ... Read more Published Date: Jun 26, 2026 (1 day, 19 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-20230 CVE-2026-34910 CVE-2026-34909 CVE-2026-34908 CVE-2025-67038 CVE-2026-20045

CVE ID :CVE-2026-13226 Published : June 26, 2026, 1:27 a.m. | 8 hours, 17 minutes ago Description :The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48930 Published : June 26, 2026, 1:14 a.m. | 8 hours, 30 minutes ago Description :A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 5.6 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48928 Published : June 26, 2026, 1:14 a.m. | 8 hours, 30 minutes ago Description :A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 4.2 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48618 Published : June 26, 2026, 1:14 a.m. | 6 hours, 30 minutes ago Description :A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 7.7 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48934 Published : June 26, 2026, 1:14 a.m. | 8 hours, 30 minutes ago Description :A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 4.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48936 Published : June 26, 2026, 1:14 a.m. | 6 hours, 30 minutes ago Description :A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**. Severity: 3.3 | LOW Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48615 Published : June 26, 2026, 1:14 a.m. | 6 hours, 30 minutes ago Description :A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 5.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48619 Published : June 26, 2026, 1:14 a.m. | 6 hours, 30 minutes ago Description :A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48935 Published : June 26, 2026, 1:14 a.m. | 6 hours, 30 minutes ago Description :A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 3.3 | LOW Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-48933 Published : June 26, 2026, 1:14 a.m. | 6 hours, 30 minutes ago Description :A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-50744 Published : June 26, 2026, 1:11 a.m. | 4 hours, 33 minutes ago Description :A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...