CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Parse Server prior to versions 8.6.78 and 9.9.1-alpha.2 discloses schema metadata through GraphQL validation-error messages, allowing unauthenticated users to reconstruct class and field names.
Solidtime is a time-tracking application that prior to version 0.12.2 had improperly configured permissions for the invitations and members API. Employees of the organization could access invitation email addresses and members, even though the API forbade them from doing so.
Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Additionally, the platform exposes an endpoint that reveals the current identifier high-water mark, allowing for enumeration of the active fleet.
In Moby, versions prior to 2.0.0-beta.14 and Docker Engine prior to 29.5.1, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
Camaleon CMS version 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.
Typesense, a typo-tolerant search engine, has a cache isolation issue affecting search requests that use server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints, leading to unintended disclosure of search results.
In NanaZip, from version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser. A 32-bit unsigned integer overflow in the bounds check allows an attacker-controlled salt_len field to bypass validation.
A vulnerability in MariaDB allows SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without the required FILE privilege when the FROM clause contains only subqueries. Affected versions include 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1.
MariaDB server versions from 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1 had an issue with not checking for /../ in the path when unpacking the archive. A specially crafted archive could have caused mbstream to create files outside of the target-dir path.
In MariaDB versions from 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user with EXECUTE access to a stored routine could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations. This allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles. This allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to enforce proper permissions when creating teams, allowing authenticated users with PermissionCreateTeam but without PermissionInviteUser to modify team invite settings.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account. This allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.
Cap-go Console versions below 12.28.2 contain a denial-of-service vulnerability in the account deletion flow that allows an attacker to block authentication and onboarding functions. The issue arises from incorrectly associating the deletion state with the device identifier, leading to redirection to an account-disabled page for approximately 30 days.
NanaZip, a derivative of 7-Zip, has a heap buffer-overflow read vulnerability in the LVM2 physical-volume metadata parser. This issue exists in versions from 3.0.1000.0 to before 6.0.1698.0 when opening a crafted LVM disk image.
In NanaZip, from version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser. An attacker can exploit this vulnerability to cause a crash of the application when opening a crafted .avb or .img file.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 and 10.11.x <= 10.11.16 fail to restrict 'role_updated' websocket event broadcasts to members of the affected team or channel. This allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of.
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems.
CVE-2026-5792 is a vulnerability affecting Hedef Media Promotion Interactive Media Marketing Inc. that allows authentication bypass through spoofing, enabling Brute Force attacks.

