CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-9132
Medium

A missing authorization vulnerability in GitHub Enterprise Server allowed an authenticated user to read source code from private repositories they did not have access to via the Copilot pull request description diff summary endpoint. The vulnerability affects all versions prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4.

CVE-2026-9106
Medium

A UI misrepresentation vulnerability in GitHub Enterprise Server allowed an OAuth application to gain unintended access to an organization's runner management. The issue occurred because the manage_runners:org scope was not displayed on the authorization consent screen, enabling an attacker to trick a user into authorizing a malicious app.

CVE-2026-44628
High

An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.

CVE-2026-13207
High

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

CVE-2026-11594
High

IBM WebSphere Application Server 9.0 and 8.5 is affected by a cross-site scripting vulnerability in the administrative console. This allows an attacker to inject malicious scripts into the server management interface.

CVE-2026-10562
Medium

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences, which when processed by the embedded web server may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains.

CVE-2025-36359
High

The vulnerability in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration. This allows an authenticated user to impersonate another user on the system.

CVE-2025-36336
Medium

IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 transmit data in clear text, allowing an attacker to obtain sensitive information using man-in-the-middle techniques.

CVE-2025-36333
Medium

A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows an authenticated user to perform unauthorized actions due to improper enforcement of behavioral workflow.

CVE-2025-36328
Medium

A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows a remote attacker to obtain sensitive information through detailed error messages returned in the browser. This information could be used in further attacks against the system.

CVE-2025-36327
Medium

A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of server-side security.

CVE-2025-36324
Medium

IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 are vulnerable to server-side request forgery (SSRF). An authenticated attacker can send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

CVE-2025-36323
Medium

Cross-site scripting vulnerability in IBM watsonx.data intelligence allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.

CVE-2025-36321
Medium

IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 are vulnerable to HTML injection. A remote attacker can inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

CVE-2025-36320
Medium

Stored cross-site scripting vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. Allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.

CVE-2025-36319
Medium

A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows an authenticated user to cause a temporary denial of service via a specially crafted HTTP request. The issue stems from improper allocation of resource throttling.

CVE-2025-12530
Medium

IBM watsonx.data intelligence versions 5.2.2, 5.3.0, 5.3.1, and 5.3.1 through patch-1 transmit data in clear text. This allows an attacker to obtain sensitive information using man-in-the-middle techniques.

CVE-2026-9836
Low

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are affected by an information disclosure vulnerability. An attacker could exploit this flaw to gain access to sensitive data.

CVE-2026-9002
Medium

IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 contain a denial-of-service vulnerability due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may lead to a StackOverflowError or OutOfMemoryError.

CVE-2026-7874
Critical

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a vulnerability that could disclose all stored credentials. The issue is due to the use of a weak and reversible key derivation mechanism for encryption at rest.

PreviousPage 101 of 4520Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS