CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
CodexBar before version 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials. Attackers can redirect credentialed provider requests to unintended hosts or ports, capturing data such as browser cookies, bearer tokens, or API keys.
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out.
A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). This flaw occurs when parsing a buffering period SEI message, where an incorrect loop bound is used, potentially leading to writes beyond the allocated stack memory bounds.
An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition(), the loop iterates without checking that the slice index stays within bounds, leading to writes past three fixed-size arrays.
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments.
Quest Bot is an opensource modern Discord Bot that prior to version 1.0.4 allowed users to configure bot settings, including the ticket transcript channel. Users could set this channel to one they could read, leading to the exposure of private ticket messages.
Quest Bot is an open-source modern Discord Bot that, prior to version 1.0.4, allowed users to configure logging settings, resulting in the logging of deleted and edited message contents from every channel, including private ones that the configuring user could not access.
Quest Bot is a modern Discord bot that, prior to version 1.0.3, allowed normal users to create tickets with reasons containing @everyone, @here, user mentions, or role mentions. When the ticket was created, the bot posted the attacker-controlled reason into the new ticket channel without suppressing mentions.
In the Vim text editor prior to version 9.2.0496, a code injection vulnerability exists in the s:stepmatch() function of the cucumber filetype plugin. Step-definition patterns read from .rb files can be exploited to execute arbitrary Ruby commands, posing a risk of executing malicious code.
A logging issue was addressed with improved data redaction. An app may be able to access sensitive user data.
An authorization issue was addressed with improved state management. An app may be able to leak sensitive user information.
The issue concerns improper handling of symlinks, which may allow an app to access protected user data. It is fixed in macOS Sequoia 15.4.
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1.
This issue was addressed with improved handling of symlinks. An app may be able to access protected user data.
A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4.
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
A parsing issue in the handling of directory paths was addressed with improved path validation. An app may be able to access sensitive user data.
A permissions issue was addressed with additional restrictions. An app may be able to cause unexpected system termination.
aiograpi is an asynchronous Instagram API for Python. Versions before 0.9.10 accepted server-supplied signup challenge paths, which could lead to building request URLs without prior validation, creating a risk of attacks.
The Fediverse Embeds plugin prior to version 1.5.9 had a vulnerability that allowed unauthorized invocation of the AJAX action wp_ajax_nopriv_ftf_get_site_info, enabling attackers to fetch information from external URLs.

