Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.

Vulnerability: High
CVE-2026-56355 - GNU Savannah Savane Authorization Bypass

CVE ID: CVE-2026-56355. Published: June 20, 2026, 8:08 p.m. Description: GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization. Severity: 3.7 | LOW

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-56345 (CVSS 8.1)

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.

NVD (NIST), 20 Jun 2026
Vulnerability: High
CVE-2026-56341 (CVSS 7.5)

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.

NVD (NIST), 20 Jun 2026
Vulnerability: High
CVE-2026-56340 (CVSS 8.8)

vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause.

NVD (NIST), 20 Jun 2026
Vulnerability: High
CVE-2026-56347 - AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields

CVE ID: CVE-2026-56347. Published: June 20, 2026, 6:27 p.m. Description: AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions. Severity: 6.1 | MEDIUM

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-56345 - AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint

CVE ID: CVE-2026-56345. Published: June 20, 2026, 6:27 p.m. Description: AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover. Severity: 9.2 | CRITICAL

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-56346 - AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint

CVE ID: CVE-2026-56346. Published: June 20, 2026, 6:27 p.m. Description: AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks. Severity: 6.9 | MEDIUM

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-56342 - AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter

CVE ID: CVE-2026-56342. Published: June 20, 2026, 6:27 p.m. Description: AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details. Severity: 6.8 | MEDIUM

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-56340 - vLLM - Denial of Service via Unvalidated Multimodal Embeddings

CVE ID: CVE-2026-56340. Published: June 20, 2026, 6:27 p.m. Description: vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices, when the prompt-embeds feature is enabled, to trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds/write-what-where memory corruption. This continues CVE-2025-62164, whose prior fix only disabled the feature by default rather than addressing the root cause. Severity: 8.8 | HIGH

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-56341 - AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php

CVE ID: CVE-2026-56341. Published: June 20, 2026, 6:27 p.m. Description: AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints. Severity: 8.7 | HIGH

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2025-71379 - vllm - Regular Expression Denial of Service in Multiple Components

CVE ID: CVE-2025-71379. Published: June 20, 2026, 6:27 p.m. Description: vLLM versions >= 0.6.3 and Severity: 5.3 | MEDIUM

CVEfeed CVE, 20 Jun 2026
Vulnerability: High
CVE-2026-5366 - Git Argument Injection in prefecthq/prefect

CVE ID: CVE-2026-5366. Published: June 20, 2026, 4:43 p.m. Description: Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments. Severity: 9.9 | CRITICAL

CVEfeed CVE, 20 Jun 2026