Vulnerabilities - Yack CVE

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-11852 - - Jun 10, 2026 Jun 10, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifac...Show more Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question.Show less
CVE-2026-10721 - - Jun 10, 2026 Jun 10, 2026 8.4 HIGH· v4 N/A· v3 N/A· v2 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a...Show more Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.Show less
CVE-2026-45600 1Microsoft 4Windows 11 24h2 Windows 11 25h2Windows 11 26h1+1 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.
CVE-2026-33828 1Microsoft 12Windows 10 1607 Windows 10 1809Windows 10 21h2+9 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.
CVE-2026-34335 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.0 HIGH· v3 N/A· v2 Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-40404 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
CVE-2026-42828 1Microsoft 10Windows 10 1809 Windows 10 21h2Windows 10 22h2+7 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-42972 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 10, 2026 Jun 9, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally.
CVE-2026-42973 1Microsoft 12Windows 10 1607 Windows 10 1809Windows 10 21h2+9 more Jun 10, 2026 Jun 9, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
CVE-2026-42974 1Microsoft 6Windows 11 23h2 Windows 11 24h2Windows 11 25h2+3 more Jun 10, 2026 Jun 9, 2026 N/A· v4 8.1 HIGH· v3 N/A· v2 Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.
CVE-2026-42977 1Microsoft 10Windows 10 1809 Windows 10 21h2Windows 10 22h2+7 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CVE-2026-9754 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command
CVE-2026-9753 - - Jun 10, 2026 Jun 9, 2026 7.2 HIGH· v4 8.1 HIGH· v3 N/A· v2 The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be ex...Show more The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.Show less
CVE-2026-9752 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are in...Show more An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached which ends with an ensuing null-pointer dereference.Show less
CVE-2026-9750 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation...Show more An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.Show less
CVE-2026-9749 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fi...Show more This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer (that is, many results are routed to the same consumer), the server reaches the code path where a full per-consumer buffer is detected but the internal "high watermark" for that key range is not updated as intended.Show less
CVE-2026-9748 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeB...Show more The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.Show less
CVE-2026-9747 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server.
CVE-2026-9746 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to i...Show more When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.Show less
CVE-2026-9743 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-p...Show more In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.Show less
CVE-2026-9742 - - Jun 10, 2026 Jun 9, 2026 8.2 HIGH· v4 7.5 HIGH· v3 N/A· v2 When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauth...Show more When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.Show less
CVE-2026-9741 - - Jun 10, 2026 Jun 9, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSear...Show more A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.Show less
CVE-2026-9740 - - Jun 10, 2026 Jun 9, 2026 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data str...Show more A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.Show less
CVE-2026-9735 - - Jun 10, 2026 Jun 9, 2026 6.8 MEDIUM· v4 5.5 MEDIUM· v3 N/A· v2 MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to t...Show more MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.Show less
CVE-2026-9045 - - Jun 10, 2026 Jun 10, 2026 8.5 HIGH· v4 7.8 HIGH· v3 N/A· v2 During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code...Show more During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.Show less

Previous 1...464748...14314 Next

Vulnerabilities (CVE)