CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Microsoft Exchange Server has an improper neutralization of input during web page generation, leading to a cross-site scripting vulnerability. This flaw allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-20182 identifies an issue with the authentication mechanism in Cisco Catalyst SD-WAN Controller, Manager, and Validator that allows an unauthenticated attacker to bypass authentication and gain administrative privileges. An attacker could exploit this vulnerability by sending crafted requests to the system.
CVE-2026-0257 describes authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software, allowing an attacker to bypass security restrictions and establish an unauthorized VPN connection.
On 11 May 2026, 84 malicious versions were published across 42 @tanstack/* packages in the npm registry. The attacker exploited three known classes of vulnerability to publish credential-stealing malware under a trusted identity.
LiteLLM versions 1.74.2 through 1.83.6 have a vulnerability in the POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints, which accept a full MCP server configuration including commands to execute. An authenticated user with any API key (even low-privilege) can run arbitrary commands on the proxy host.
In LiteLLM versions from 1.81.16 to before 1.83.7, a SQL injection vulnerability exists during proxy API key checks. An unauthenticated attacker can send a crafted Authorization header, leading to reading and potentially modifying data in the proxy database.
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
In the Linux kernel, the in-place optimization for AEAD encryption via AF_ALG sockets has been reverted. Out-of-place operation is restored because the source and destination come from different memory mappings, so the optimization provided no benefit. The complexity added for in-place operation has been removed, and associated data is now copied directly.
A vulnerability in Apache ActiveMQ allows an authenticated attacker to achieve remote code execution via the Jolokia JMX-HTTP endpoint. It stems from improper input validation and code injection, enabling arbitrary code execution on the broker's JVM.
An issue was discovered in Lantronix EDS5000 2.1.0.0R3 where the HTTP RPC module executes a shell command to write logs upon authentication failure. The username is directly concatenated with the command without sanitization, allowing attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
A vulnerability in the peering authentication mechanism in Cisco Catalyst SD-WAN Controller, Manager, and Validator allows an unauthenticated remote attacker to bypass the login process and gain administrative privileges on an affected system.
In Fortinet FortiAnalyzer, FortiManager, FortiNAC-F, FortiOS, FortiProxy, and FortiWeb, there is an authentication bypass vulnerability that allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts if FortiCloud SSO authentication is enabled on those devices.
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
A vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager related to improper verification of cryptographic signature allows an unauthenticated attacker to bypass FortiCloud SSO login authentication via a crafted SAML response message.
The Endpoint Manager module in FreePBX, in versions 17.0.2.36 and above before 17.0.3, is vulnerable to post-authentication command injection by an authenticated known user. An attacker can leverage this vulnerability to gain remote access to the system as the asterisk user.
FreePBX, an open-source graphical user interface, has vulnerabilities in versions 15, 16, and 17 due to insufficiently sanitized user-supplied data. This allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution.
A vulnerability in WebKit allows memory corruption when processing maliciously crafted web content. The issue was fixed by improving memory handling.
An incorrect implementation of the authentication algorithm in Ivanti vTM, other than versions 22.2R1 or 22.7R2, allows a remote, unauthenticated attacker to bypass authentication of the admin panel.
A vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) affects versions 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access to compromise Oracle WebLogic Server.
A path traversal vulnerability was found in Qlik Sense Enterprise for Windows in versions up to May 2023 Patch 3, February 2023 Patch 7, November 2022 Patch 10, and August 2022 Patch 12. This allows an unauthenticated remote attacker to generate an anonymous session and transmit HTTP requests to unauthorized endpoints.