CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-53520
Medium

Nezha Monitoring is a tool for monitoring servers and websites. In versions from 2.0.14 to before 2.1.0, authenticated users can claim the dashboard Host through NAT, allowing them to preempt all dashboard routing.

CVE-2026-49397
Medium

Nezha Monitoring is a tool for monitoring servers and websites. In versions from 2.0.0 to before 2.0.14, private services were enumerable via per-server endpoints, leaking name and timing data.

CVE-2026-47268
Medium

Nezha Monitoring before version 2.0.10 allows authenticated users to create or update a DDNS profile with any webhook_url, leading to an SSRF vulnerability. Low-privileged users can send HTTP requests to internal network services.

CVE-2026-47124
Medium

Nezha Monitoring versions from 1.4.0 to before 2.0.9 allow authenticated non-admin users to access the server-status WebSocket and receive telemetry data for all servers, including those owned by other users.

CVE-2026-41155
Medium

An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. This could lead to image corruption or GPU hardware recovery.

CVE-2026-12131
Medium

A SQL injection vulnerability has been identified in CodeAstro Human Resource Management System 1.0 within the Payroll Invoice module. The flaw exists in the Invoice function of Payroll.php, where the ID argument is susceptible to manipulation. Remote exploitation is possible, and a public exploit is available.

CVE-2025-7019
Medium

A stack overflow vulnerability in Avast Antivirus when scanning a malformed Office Open XML file may allow Denial-of-Service of the antivirus process.

CVE-2025-7018
Medium

CVE-2025-7018 involves a null pointer dereference vulnerability in the Avira Antivirus engine when scanning a malformed Windows PE file, potentially leading to a Denial-of-Service of the antivirus engine process.

CVE-2025-7010
Medium

A stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process.

CVE-2025-7006
Medium

The vulnerability in Avast Antivirus involves the use of stack memory after it has been freed when scanning a malformed Windows PE file, which may lead to a denial-of-service of the antivirus process.

CVE-2025-7005
Medium

There is an uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file, which may lead to a Denial-of-Service of the antivirus process.

CVE-2026-54397
Medium

A vulnerability in MISP allows an authenticated user with event edit permissions to manipulate form data and assign an event to a sharing group they are not authorized to use. The issue occurs in the event editing path that does not enforce proper authorization checks.

CVE-2026-54396
Medium

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data, allowing enumeration of user email addresses.

CVE-2026-54395
Medium

MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler, allowing an attacker to execute arbitrary JavaScript in the victim's browser.

CVE-2026-54394
Medium

MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields, allowing an attacker to access files outside the intended directory.

CVE-2026-54393
Medium

A stored XSS vulnerability exists in MISP when the Overmind theme is used. An authenticated user can store an arbitrary homepage value, including an XSS payload, leading to the execution of malicious JavaScript in the browser context.

CVE-2026-54362
Medium

A flaw in the visibility conditions in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The use of a PHP comparison expression instead of a query condition resulted in enabled galaxies, including organisation-only custom galaxies, being exposed.

CVE-2026-53606
Medium

ApostropheCMS, an open-source Node.js content management system, has a vulnerability in sanitize-html that allows dangerous URI schemes like 'javascript:' to pass through in HTML attributes. Versions prior to 2.17.5 do not block these schemes, leading to potential XSS attacks.

CVE-2026-47264
Medium

Discourse is an open-source discussion platform with a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. The DetailedTagSerializer#tag_group_names function returned all tag groups a tag belonged to without considering the user's visibility, allowing anonymous and unprivileged users to access the names of tag groups restricted to specific user groups.

CVE-2026-47263
Medium

Discourse is an open-source discussion platform that has a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. The MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, allowing any authenticated user (or anonymous user when login_required is disabled) to access the channel.

PreviousPage 106 of 514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS