Cybersecurity & Regolamentazione UE

News & Sicurezza

Aggiornamenti da ENISA, NVD e le principali fonti di cybersecurity europee. Tutto quello che un Responsabile Tecnico deve sapere.

27064 risultati

VulnerabilitàAlta
CVE-2026-44783 - Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts

CVE ID :CVE-2026-44783 Published : June 12, 2026, 8:23 p.m. | 1 hour ago Description :Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-44782 - Discourse: GroupPostSerializer leaks hidden full names through reaction post association

CVE ID :CVE-2026-44782 Published : June 12, 2026, 8:23 p.m. | 1 hour ago Description :Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS looks for include_name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable_names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-44780 - Discourse: Category queue reviewers can read raw incoming emails from queued posts

CVE ID :CVE-2026-44780 Published : June 12, 2026, 8:22 p.m. | 1 hour, 1 minute ago Description :Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups — the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
News
PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data “While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mand ... Read more Published Date: Jun 12, 2026 (4 days, 14 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-35273

CVEfeed Newsroom12 giu 2026
VulnerabilitàAlta
CVE-2026-53726 - Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

CVE ID :CVE-2026-53726 Published : June 12, 2026, 6:37 p.m. | 46 minutes ago Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http

CVE ID :CVE-2026-12043 Published : June 12, 2026, 6:35 p.m. | 47 minutes ago Description :Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-53725 - Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied

CVE ID :CVE-2026-53725 Published : June 12, 2026, 6:35 p.m. | 47 minutes ago Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-53724 - Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

CVE ID :CVE-2026-53724 Published : June 12, 2026, 6:34 p.m. | 49 minutes ago Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-50099 - Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory

CVE ID :CVE-2026-50099 Published : June 12, 2026, 6:24 p.m. | 59 minutes ago Description :During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks. Severity: 5.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-50008 - Parse Server: Server option routeAllowList is bypassable through batch sub-requests

CVE ID :CVE-2026-50008 Published : June 12, 2026, 6:22 p.m. | 1 hour, 1 minute ago Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply — only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-10715 - Camaleon CMS 2.9.2 - Improper authorization in draft autosave endpoint

CVE ID :CVE-2026-10715 Published : June 12, 2026, 6:22 p.m. | 1 hour, 1 minute ago Description :Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type//drafts and overwrite the draft associated with another user's post. Severity: 5.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026
VulnerabilitàAlta
CVE-2026-47138 - Parse Server: Pre-authentication denial of service via client version header regex backtracking

CVE ID :CVE-2026-47138 Published : June 12, 2026, 6:22 p.m. | 1 hour, 1 minute ago Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE12 giu 2026

Pagina 456 di 2256

Resta aggiornato sulla cybersecurity

Iscriviti a CodersRegistry per ricevere gli aggiornamenti più importanti su regolamentazione EU e vulnerabilità critiche.