CVE Security Weekly | Critical Vulnerability Alerts (40 entries)

2026-06-26 15:35


📅 Reporting period: 2026-06-19 ~ 2026-06-26
📊 Total vulnerabilities this round: 40
🔴 Critical vulnerabilities: 40

Below are the details of the security vulnerabilities collected in this round. Please review them promptly and patch affected systems.


🔴 Critical vulnerabilities (CVSS 9.0+)

CVE-2026-52813 — CVSS 10.0 (🔴 Critical)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, an...

  • CWE: CWE-23
  • Status: Deferred

CVE-2026-46752 — CVSS 10.0 (🔴 Critical)

Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0.

Users are re...

  • CWE: CWE-122
  • Status: Deferred

CVE-2026-57700 — CVSS 10.0 (🔴 Critical)

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.

This issue affects OMGF Pro: from n/...

  • CWE: CWE-434
  • Status: Deferred

CVE-2025-71338 — CVSS 10.0 (🔴 Critical)

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write a...

  • CWE: CWE-73
  • Status: Received

CVE-2026-52806 — CVSS 9.9 (🔴 Critical)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server ...

  • CWE: CWE-77
  • Status: Deferred

CVE-2026-50551 — CVSS 9.9 (🔴 Critical)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in th...

  • CWE: CWE-79
  • Status: Deferred

CVE-2026-54067 — CVSS 9.9 (🔴 Critical)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing breaks out of its surrounding <sty...

  • CWE: CWE-79,CWE-1188
  • Status: Deferred

CVE-2026-54158 — CVSS 9.9 (🔴 Critical)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML interpolates...

  • CWE: CWE-79,CWE-1188
  • Status: Deferred

CVE-2026-55454 — CVSS 9.9 (🔴 Critical)

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no...

  • CWE: CWE-749,CWE-1188
  • Status: Undergoing Analysis

CVE-2026-54823 — CVSS 9.9 (🔴 Critical)

Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.

  • CWE: CWE-94
  • Status: Deferred

CVE-2026-39893 — CVSS 9.8 (🔴 Critical)

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a...

  • CWE: CWE-89
  • Status: Analyzed

CVE-2026-39938 — CVSS 9.8 (🔴 Critical)

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool...

  • CWE: CWE-22,CWE-78
  • Status: Analyzed

CVE-2026-39955 — CVSS 9.8 (🔴 Critical)

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FIL...

  • CWE: CWE-89
  • Status: Analyzed

CVE-2026-41120 — CVSS 9.8 (🔴 Critical)

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low p...

  • CWE: CWE-349
  • Status: Undergoing Analysis

CVE-2026-41566 — CVSS 9.4 (🔴 Critical)

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: 2.8.0.

Users are rec...

  • CWE: CWE-280
  • Status: Deferred

CVE-2026-55413 — CVSS 9.4 (🔴 Critical)

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts,...

  • CWE: CWE-94
  • Status: Deferred

CVE-2026-33543 — CVSS 9.3 (🔴 Critical)

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create...

  • CWE: CWE-288,CWE-306
  • Status: Deferred

CVE-2026-46423 — CVSS 9.3 (🔴 Critical)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10...

  • CWE: CWE-347
  • Status: Deferred

CVE-2026-55666 — CVSS 9.3 (🔴 Critical)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in ...

  • CWE: CWE-287,CWE-288
  • Status: Deferred

CVE-2026-39948 — CVSS 9.3 (🔴 Critical)

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the r...

  • CWE: CWE-89
  • Status: Analyzed

CVE-2026-54836 — CVSS 9.3 (🔴 Critical)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection.

This issue aff...

  • CWE: CWE-89
  • Status: Deferred

CVE-2026-54843 — CVSS 9.3 (🔴 Critical)

Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.

  • CWE: CWE-89
  • Status: Deferred

CVE-2026-54849 — CVSS 9.3 (🔴 Critical)

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.

  • CWE: CWE-89
  • Status: Deferred

CVE-2026-50548 — CVSS 9.3 (🔴 Critical)

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox gran...

  • CWE: CWE-22
  • Status: Undergoing Analysis

CVE-2026-50549 — CVSS 9.3 (🔴 Critical)

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the ...

  • CWE: CWE-59
  • Status: Undergoing Analysis

CVE-2026-54088 — CVSS 9.3 (🔴 Critical)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63...

  • CWE: CWE-78,CWE-88,CWE-306
  • Status: Deferred

CVE-2026-56786 — CVSS 9.3 (🔴 Critical)

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buff...

  • CWE: CWE-787
  • Status: Undergoing Analysis

CVE-2025-71327 — CVSS 9.3 (🔴 Critical)

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to ...

  • CWE: CWE-306
  • Status: Received

CVE-2025-71333 — CVSS 9.3 (🔴 Critical)

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to l...

  • CWE: CWE-73
  • Status: Received

CVE-2025-71334 — CVSS 9.3 (🔴 Critical)

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflow...

  • CWE: CWE-73
  • Status: Received

CVE-2025-71336 — CVSS 9.3 (🔴 Critical)

Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP featu...

  • CWE: CWE-78
  • Status: Received

CVE-2026-40702 — CVSS 9.3 (🔴 Critical)

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit thi...

  • CWE: CWE-306
  • Status: Received

CVE-2026-54069 — CVSS 9.2 (🔴 Critical)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-exte...

  • CWE: CWE-346
  • Status: Deferred

CVE-2026-56123 — CVSS 9.2 (🔴 Critical)

socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adj...

  • CWE: CWE-122
  • Status: Undergoing Analysis

CVE-2026-9222 — CVSS 9.2 (🔴 Critical)

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend service...

  • CWE: CWE-836
  • Status: Received

CVE-2026-45688 — CVSS 9.1 (🔴 Critical)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10...

  • CWE: CWE-943
  • Status: Deferred

CVE-2026-45689 — CVSS 9.1 (🔴 Critical)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10...

  • CWE: CWE-943
  • Status: Deferred

CVE-2026-54089 — CVSS 9.1 (🔴 Critical)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with...

  • CWE: CWE-287,CWE-290
  • Status: Deferred

CVE-2026-52811 — CVSS 9.0 (🔴 Critical)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload targ...

  • CWE: CWE-22,CWE-59,CWE-61
  • Status: Deferred

CVE-2026-55570 — CVSS 9.0 (🔴 Critical)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, descrip...

  • CWE: CWE-79,CWE-94,CWE-116
  • Status: Deferred

🤖 This report was generated automatically by the CVE Security Weekly bot
Data source: NVD (National Vulnerability Database) | Updated: 2026-06-26 15:35