CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-9641
Medium

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems.

CVE-2026-5792
Medium

CVE-2026-5792 is a vulnerability affecting Hedef Media Promotion Interactive Media Marketing Inc. that allows authentication bypass through spoofing, enabling Brute Force attacks.

CVE-2026-53568
Medium

Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, there was a stored XSS vulnerability in the report/list view. This issue has been patched in versions 15.107.2 and 16.17.4.

CVE-2026-50560
Medium

Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final had an issue with handling max HTTP/2 header size, allowing an attack similar to HTTP/2 Rapid Reset. This could result in exceptions when writing response headers during request processing.

CVE-2026-50082
Medium

The Aqara Cloud Developer Portal (developer.aqara.com) issues a developer token to any email address supplied by the attacker. This is an instance of 'CWE-306: Missing Authentication for Critical Function', posing a risk of device takeover by unauthorized users.

CVE-2026-50026
Medium

Frappe is a web application framework that prior to versions 15.107.0 and 16.17.0 had a vulnerability related to a lack of permission checks in certain endpoints, allowing unauthorized access to resources.

CVE-2026-50020
Medium

In versions prior to 4.1.135.Final and 4.2.15.Final, `HttpObjectDecoder` in the Netty framework skipped control bytes and whitespace before reading the first request line. This can lead to request-boundary confusion in complex transports, creating a risk of attacks.

CVE-2026-50009
Medium

Netty prior to version 4.2.15.Final exposes the stateless reset token on the network path, which can be exploited by an attacker to perform a Denial of Service attack.

CVE-2026-47190
Medium

IPAM, the IP address Manager for Cluster API Provider Metal3, prior to versions 1.11.7, 1.12.4, and 1.13.0, granted full CRUD permissions for core/v1 Secrets. Under normal operation, the controller does not access Secrets, but if the controller pod were compromised, an attacker could leverage these excessive permissions to read, modify, or delete Secrets.

CVE-2026-47182
Medium

Frappe is a web application framework. Prior to version 16.17.4, any authenticated user could access private files by guessing the file path. This issue has been patched in version 16.17.4.

CVE-2026-46690
Medium

The unbounded_spsc extension in versions 0.2.0 and prior contains a bug that leads to out-of-bounds reads and fake resource drops due to a race condition between sender and receiver.

CVE-2026-44976
Medium

Frappe is a full-stack web application framework. Prior to version 16.17.4, any user could modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.

CVE-2026-44975
Medium

Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user could reset onboarding for all users in the system.

CVE-2026-44967
Medium

OpenTelemetry-cpp prior to version 1.27.0 has a vulnerability where the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This can lead to memory exhaustion when the configured collector endpoint is attacker-controlled.

CVE-2026-44208
Medium

Frappe is a web application framework that prior to versions 15.107.0 and 16.17.0 lacked validations in the 'submit_discussion()' endpoint, allowing unauthorized access to resources.

CVE-2026-44207
Medium

Frappe is a web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allowed authenticated users to access other users' email configuration details.

CVE-2026-44206
Medium

Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration was possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.

CVE-2026-8694
Medium

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

CVE-2026-53722
Medium

The Nuxt framework prior to versions 3.21.7 and 4.4.7 did not validate the URL scheme for values bound to the to or href attributes of the <NuxtLink> component. This allows attackers to inject malicious scripts, leading to reflected XSS attacks.

CVE-2026-47739
Medium

Frappe is a web application framework, and prior to versions 15.106.0 and 16.16.0, there was a stored XSS vulnerability in the Note module due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.

PreviousPage 108 of 511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS