Security Vulnerabilities
Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
CVSS Score
9.6
EPSS Score
0.004
Published
2026-06-19
Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
CVSS Score
10.0
EPSS Score
0.006
Published
2026-06-19
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.
CVSS Score
8.8
EPSS Score
0.003
Published
2026-06-19
There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback. This may allow an unauthenticated user access to the server on the local network. This affects NI grpc-device 2.17.0 and prior versions.
CVSS Score
9.3
EPSS Score
0.003
Published
2026-06-19
There is an incorrect conversion between numeric types vulnerability in NI grpc-device due to missing range checks in CodeGen. This may silently discard high bits if a size value exceeded the target type's range. This affects NI grpc-device 2.17.0 and prior versions.
CVSS Score
6.3
EPSS Score
0.002
Published
2026-06-19
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX.
The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Score
2.1
EPSS Score
0.003
Published
2026-06-19
Improper Validation of Integrity Check Value vulnerability in Apache APISIX.
The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.
This issue affects Apache APISIX: from 3.8.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Score
6.3
EPSS Score
0.002
Published
2026-06-19
Authentication Bypass by Spoofing vulnerability in opa plugin.
An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin.
This could allow the attacker to assume higher privileges on the upstream service.
This issue affects Apache APISIX: from 3.5.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Score
2.3
EPSS Score
0.004
Published
2026-06-19
Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations.
This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity.
Actions the victim takes upstream are then attributed to attackers identity.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Score
2.1
EPSS Score
0.002
Published
2026-06-19
Improper Authentication vulnerability in Apache APISIX.
When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source.
This issue affects Apache APISIX: from 3.0.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Score
5.3
EPSS Score
0.003
Published
2026-06-19