Updated at UTC 2026-06-16T12:46:08.638885

| CVE | CVSS | Git URL | Published | Description |
| --- | --- | --- | --- | --- |
| CVE-2026-37216 | - | https://github.com/yangzongzhuan/ruoyi/issues/320 | 2026-06-15T20:16:26.250 | Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add. |
| CVE-2026-12210 | 6.3 | https://github.com/universal-tool-calling-protocol/python-utcp/issues/86 | 2026-06-15T03:16:24.330 | A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0. This affects an unknown function of the component utcp-gql/utcp-websocket. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-12203 | 5.3 | https://github.com/hkuds/ai-trader/pull/227 | 2026-06-15T02:16:12.100 | A vulnerability was found in HKUDS AI-Trader up to 74caf996f78dcc0c657df8365c8544678a16e215. This affects an unknown part of the file /api/research/agents.csv of the component Research Export. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65. Applying a patch is the recommended action to fix this issue. The vendor confirms: "Research export endpoints now require an authenticated agent with the research_exports capability". |
| CVE-2026-12198 | 7.3 | https://github.com/microweber/microweber/issues/1172 | 2026-06-15T00:16:43.803 | A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |