CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-55644
Medium

A heap use-after-free vulnerability in the gf_node_get_tag function of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.

CVE-2025-55643
Medium

A NULL pointer dereference in the TrackWriter handling component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.

CVE-2025-55642
Medium

In version 2.4 of GPAC MP4Box, a floating point exception was discovered in the avidmx_process function (isomedia/isom_write.c).

CVE-2025-55641
Medium

A NULL pointer dereference in the gf_isom_copy_sample_info function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.

CVE-2026-8358
Medium

LibreOffice Calc had a heap buffer overflow vulnerability when a document reused the same change identifier for two different kinds of changes. This led to writing past the end of its allocation.

CVE-2026-8356
Medium

LibreOffice has a stack buffer overflow when importing presentations in the legacy PPT format. This occurs during the import of a colour-replacement record when the combined colour counts exceed the size of the colour tables.

CVE-2026-6047
Medium

LibreOffice has a heap buffer overflow vulnerability when replaying deferred parser events for a text box element in OOXML (DOCX) documents. The issue arises from assuming a handler object is of one type, leading to writes beyond the end of the allocation.

CVE-2026-6045
Medium

LibreOffice has a heap buffer overflow vulnerability when importing EMF+ graphics, which can lead to memory corruption. The issue arises from incorrectly calculating the allocation size for a gradient, potentially resulting in improper memory allocation.

CVE-2026-6039
Medium

LibreOffice had a heap buffer overflow vulnerability when importing DXF polylines. The point count from the file was truncated to a 16-bit value, leading to writing past the end of the buffer when the point count exceeded this range.

CVE-2026-49294
Medium

Valhalla is an open source routing engine that is vulnerable to reflected XSS in versions 3.6.3 and prior due to improper neutralization of input in the JSONP callback parameter. An attacker can inject arbitrary JavaScript, potentially leading to session token theft or credential disclosure.

CVE-2026-20262
MediumActively exploitedEPSS 63%

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager allows an authenticated, remote attacker to create or overwrite files on the filesystem. Exploiting this vulnerability requires sending a crafted HTTP request to an affected API endpoint.

CVE-2026-9595
Medium

A vulnerability in webpack-dev-server allows for the interception of browser cookies and the Origin header when a user-configured proxy has a broad context and ws: true enabled. This leads to bypassing Host/Origin validation and corrupting the HMR socket.

CVE-2026-8683
Medium

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to properly handle attempts to open extremely long URLs, allowing a malicious server owner to crash the application by including a script to call window.open on a very large URL.

CVE-2026-5038
Medium

Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk, potentially exhausting disk space.

CVE-2026-10634
Medium

Zephyr's TCP stack has a use-after-free vulnerability in net_tcp_foreach(). Releasing tcp_lock during callback iteration allows a concurrent thread to free the next list element, leading to dereferencing freed memory. The bug exists in the TCP2 stack from 2020 up to v4.4.0.

CVE-2025-15659
Medium

Versions of Elizaibots <= 1.0.2 are vulnerable to Cross Site Scripting (XSS), allowing attackers to inject malicious code into the application.

CVE-2025-15658
Medium

There is a Cross Site Scripting (XSS) vulnerability in WP Emmet versions <= 0.3.4 that can be exploited by administrators.

CVE-2026-6517
Medium

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded. This allows any user on a server without the image proxy enabled to intercept other users' credentials via embedding an image that routes to an external web server.

CVE-2026-48969
Medium

Versions of Really Simple SSL up to 9.5.9 have a vulnerability in access control that may allow subscribers unauthorized access to resources.

CVE-2025-64215
Medium

Missing Authorization in StylemixThemes MasterStudy LMS Pro allows accessing functionality not properly constrained by ACLs. This issue affects MasterStudy LMS Pro versions before 4.7.16.

PreviousPage 102 of 514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS