CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-45642
Low

Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.

CVE-2026-45485
Low

An out-of-bounds read vulnerability in Microsoft Office allows an unauthorized attacker to disclose information locally.

CVE-2026-45466
Low

A heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

CVE-2026-45459
Low

A protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to locally bypass a security feature.

CVE-2026-45455
Low

An out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

CVE-2026-42770
Low

The vulnerability exists in the EVP_PKEY_derive_set_peer() function, which improperly checks the subgroup membership of the peer key when a DHX (X9.42) key is used. A malicious peer can exploit this flaw to recover the victim's private key after a small number of key exchange attempts.

CVE-2026-42768
Low

The CMS_decrypt and PKCS7_decrypt functions are vulnerable to a Bleichenbacher-style attack when an attacker can provide CMS or S/MIME messages and observe the error code and/or decryption output. This attack allows the use of the victim's vulnerable application to decrypt or sign messages with the victim's private RSA key.

CVE-2026-11792
Low

A heap buffer overflow vulnerability was found in 389 Directory Server. The create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space, causing an overflow when a short cleartext password is logged.

CVE-2026-11786
Low

A flaw in 389 Directory Server's LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.

CVE-2026-11764
Low

CVE-2026-11764 allows the export of secrets related to gift cards even if the user does not have permission to view them. This violates security principles as only the first letters of the gift card secret are displayed in the UI and API.

CVE-2026-49738
Low

The path allowance check in GeneralUtility::isAllowedAbsPath() did not require a directory separator boundary, allowing invalid paths to be accepted. Administrators could create new file storage definitions pointing to directories outside the project root.

CVE-2026-41986
Low

Logic bypass vulnerability in the file system. Its exploitation may affect system availability.

CVE-2026-41974
Low

CVE-2026-41974 describes a permission control vulnerability in service notifications. Successful exploitation of this vulnerability may affect system availability.

CVE-2026-8981
Low

The Custom Block Builder WordPress plugin before version 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields. This allows administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

CVE-2026-41852
Low

A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.

CVE-2026-41848
Low

A ReDoS vulnerability in Spring Framework allows an attacker to perform a denial of service attack by providing a specially crafted pattern to AntPathMatcher methods: match, matchStart, and extractUriTemplateVariables.

CVE-2026-44743
Low

Under certain conditions, when an unauthorized attacker accesses a specific endpoint, the SAP Business Objects application leaks sensitive information. This has a low impact on the confidentiality of the data.

CVE-2026-11691
Low

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker who compromised the renderer process to leak cross-origin data via a crafted HTML page.

CVE-2026-11686
Low

Insufficient validation of untrusted input in Dawn in Google Chrome on macOS prior to version 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

CVE-2026-11684
Low

Insufficient policy enforcement in Network in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page.

PreviousPage 11 of 60Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS