CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope.
The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.
Vulnerability CVE-2026-9271 affects a specific component that may be susceptible to attacks. In particular, it could lead to unauthorized access or data disclosure.
Heptabase developed by Hepta Platforms has an Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.
CVE-2026-48613 describes an SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data. This allows for the execution of arbitrary SQL queries on phpBB forums that were updated from versions prior to phpBB 3.3.8 and have not yet been updated to 3.3.11 or newer.
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to and including 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function.
ClipBucket v5 is an open source video sharing platform that prior to version 5.5.3 - #141 contained improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user could send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request.
ClipBucket v5 is an open source video sharing platform. In versions prior to 5.5.3 - #133, a normal authenticated user could edit another user's video subtitles due to a lack of authorization.
The Idira Identity Browser extension for Chrome, Firefox, and Edge versions prior to 26.8.1 has an origin validation flaw in its internal web-page verification routines. An authenticated user navigating to a specially crafted webpage could allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session.
In Google Chrome prior to version 149.0.7827.115, an out of bounds read in VideoCapture allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page.
An out-of-bounds read vulnerability in the Video component of Google Chrome on ChromeOS prior to version 149.0.7827.115 allows a remote attacker who has compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
Insufficient validation of untrusted input in Network in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who compromised the renderer process to leak cross-origin data via a crafted HTML page.
Insufficient policy enforcement in DevTools in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
Use after free in Autofill in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
OpenClaw before version 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies. Attackers can invoke owner-only behavior through the affected loopback path.
OpenClaw before version 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them, potentially exposing sensitive information.
OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow. This allows attackers to exploit agent tool calls to set apply: true despite approvalPolicy: pending configuration.
The vulnerability in Summarize before version 0.17.0 allows remote attackers to exhaust disk resources by serving media responses that bypass the enforced size limits. This can occur through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests.

