CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-49949
Medium

CodexBar before version 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials. Attackers can redirect credentialed provider requests to unintended hosts or ports, capturing data such as browser cookies, bearer tokens, or API keys.

CVE-2026-45802
Medium

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out.

CVE-2026-53702
Medium

A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). This flaw occurs when parsing a buffering period SEI message, where an incorrect loop bound is used, potentially leading to writes beyond the allocated stack memory bounds.

CVE-2026-53701
Medium

An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition(), the loop iterates without checking that the slice index stays within bounds, leading to writes past three fixed-size arrays.

CVE-2026-47250
Medium

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments.

CVE-2026-47177
Medium

Quest Bot is an opensource modern Discord Bot that prior to version 1.0.4 allowed users to configure bot settings, including the ticket transcript channel. Users could set this channel to one they could read, leading to the exposure of private ticket messages.

CVE-2026-47176
Medium

Quest Bot is an open-source modern Discord Bot that, prior to version 1.0.4, allowed users to configure logging settings, resulting in the logging of deleted and edited message contents from every channel, including private ones that the configuring user could not access.

CVE-2026-47173
Medium

Quest Bot is a modern Discord bot that, prior to version 1.0.3, allowed normal users to create tickets with reasons containing @everyone, @here, user mentions, or role mentions. When the ticket was created, the bot posted the attacker-controlled reason into the new ticket channel without suppressing mentions.

CVE-2026-47167
Medium

In the Vim text editor prior to version 9.2.0496, a code injection vulnerability exists in the s:stepmatch() function of the cucumber filetype plugin. Step-definition patterns read from .rb files can be exploited to execute arbitrary Ruby commands, posing a risk of executing malicious code.

CVE-2025-46313
Medium

A logging issue was addressed with improved data redaction. An app may be able to access sensitive user data.

CVE-2025-46308
Medium

An authorization issue was addressed with improved state management. An app may be able to leak sensitive user information.

CVE-2025-46293
Medium

The issue concerns improper handling of symlinks, which may allow an app to access protected user data. It is fixed in macOS Sequoia 15.4.

CVE-2025-43339
Medium

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1.

CVE-2025-43278
Medium

This issue was addressed with improved handling of symlinks. An app may be able to access protected user data.

CVE-2025-30459
Medium

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4.

CVE-2025-30431
Medium

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.

CVE-2025-24268
Medium

A parsing issue in the handling of directory paths was addressed with improved path validation. An app may be able to access sensitive user data.

CVE-2025-24165
Medium

A permissions issue was addressed with additional restrictions. An app may be able to cause unexpected system termination.

CVE-2026-47157
Medium

aiograpi is an asynchronous Instagram API for Python. Versions before 0.9.10 accepted server-supplied signup challenge paths, which could lead to building request URLs without prior validation, creating a risk of attacks.

CVE-2026-46698
Medium

The Fediverse Embeds plugin prior to version 1.5.9 had a vulnerability that allowed unauthorized invocation of the AJAX action wp_ajax_nopriv_ftf_get_site_info, enabling attackers to fetch information from external URLs.

PreviousPage 111 of 511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS