CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A missing authorization vulnerability in GitHub Enterprise Server allowed an authenticated user to read source code from private repositories they did not have access to via the Copilot pull request description diff summary endpoint. The vulnerability affects all versions prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4.
A UI misrepresentation vulnerability in GitHub Enterprise Server allowed an OAuth application to gain unintended access to an organization's runner management. The issue occurred because the manage_runners:org scope was not displayed on the authorization consent screen, enabling an attacker to trick a user into authorizing a malicious app.
An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.
IBM WebSphere Application Server 9.0 and 8.5 is affected by a cross-site scripting vulnerability in the administrative console. This allows an attacker to inject malicious scripts into the server management interface.
An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences, which when processed by the embedded web server may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains.
The vulnerability in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration. This allows an authenticated user to impersonate another user on the system.
IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 transmit data in clear text, allowing an attacker to obtain sensitive information using man-in-the-middle techniques.
A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows an authenticated user to perform unauthorized actions due to improper enforcement of behavioral workflow.
A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows a remote attacker to obtain sensitive information through detailed error messages returned in the browser. This information could be used in further attacks against the system.
A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of server-side security.
IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 are vulnerable to server-side request forgery (SSRF). An authenticated attacker can send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Cross-site scripting vulnerability in IBM watsonx.data intelligence allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.
IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 are vulnerable to HTML injection. A remote attacker can inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Stored cross-site scripting vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. Allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.
A vulnerability in IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 allows an authenticated user to cause a temporary denial of service via a specially crafted HTTP request. The issue stems from improper allocation of resource throttling.
IBM watsonx.data intelligence versions 5.2.2, 5.3.0, 5.3.1, and 5.3.1 through patch-1 transmit data in clear text. This allows an attacker to obtain sensitive information using man-in-the-middle techniques.
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are affected by an information disclosure vulnerability. An attacker could exploit this flaw to gain access to sensitive data.
IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 contain a denial-of-service vulnerability due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may lead to a StackOverflowError or OutOfMemoryError.
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a vulnerability that could disclose all stored credentials. The issue is due to the use of a weak and reversible key derivation mechanism for encryption at rest.

