CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The KTM e-BOK system enforces a maximum password length of six numeric digits and does not allow alphabetic, special, or extended characters. This issue was fixed in the patch released in June 2026.
KTM e-BOK system is vulnerable to Cross‑Site Request Forgery (CSRF) in email-change and password-change functionalities. An authenticated user can be tricked into performing unauthorized changes without their knowledge.
The vulnerability in KTM e-BOK allows an attacker to set the session identifier before authentication. If a cookie with a valid name is set, its value remains unchanged after successful login, enabling session hijacking.
Memory safety bugs were found in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and could potentially be exploited to run arbitrary code with enough effort. This vulnerability was fixed in Firefox 152.0.4.
In openGauss, when processing to_timestamp calls with NLS parameters, to_timestamp_with_fmt_nls() stores nls_fmt_str in u_sess->parser_cxt.nls_fmt_str. In the seqscan + sort execution path, this string is allocated in the SeqScan expression context; after SeqScan completes, the memory context is reset, but the output phase timestamp_out() still accesses u_sess->parser_cxt.nls_fmt_str via CheckNlsFormat(), causing a heap-use-after-free. An attacker with SQL execution privileges can craft a specific to_timestamp(..., ..., nlsparam) query to trigger this, leading to backend process crash and denial of service.
A SQL misconfiguration in the Gravitino UI, versions 1.0.0 and below, allows a malicious user to read or truncate files. The issue is fixed in version 1.0.0.
Multiple memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway can lead to unpredictable or erroneous behavior and Denial of Service (DoS). The vulnerability occurs when NetScaler ADC is configured as an Oracle load balancer, DNS proxy, or DNS recursive resolver.
A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway can lead to unpredictable or erroneous behavior and Denial of Service (DoS) if the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Insufficient input validation in NetScaler ADC and NetScaler Gateway leads to memory overread when the device is configured as a SAML IDP.
A stored cross-site scripting (XSS) vulnerability was found in Eksagate SYSGUARD 6001 due to improper input neutralization during web page generation. It affects versions from 2.0.2 up to (but not including) 6.1.4.0. The vendor was contacted and confirmed the product is no longer supported.
In @fastify/express versions 4.0.6 and earlier, plugin prefixes are not applied to middleware mount paths when they are arrays or regular expressions. Consequently, middleware registered this way is not executed for requests to prefixed routes, allowing security mechanisms to be bypassed.
In hostapd before version 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame with a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14), causing an out-of-bounds write and small memory corruption before the 4-way handshake.
LLaMA-Factory through version 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
A flaw was found in GLib where a state confusion issue in g_dbus_node_info_new_for_xml() when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>, can cause an unsigned integer overflow and out-of-bounds read, leading to a denial of service.
A flaw was found in GLib's D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism. The cookie_context parameter received from the server is not validated, allowing a malicious D-Bus server to supply path traversal sequences. This enables the client to read arbitrary files and exfiltrate sensitive data by verifying guessed file contents against a generated hash.
An off-by-one error was found in GLib's g_key_file_get_locale_string_list function in gkeyfile.c when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.
A flaw was found in GLib where a buffer over-read occurs in g_io_channel_read_line_backend() in giochannel.c when a custom line terminator longer than one byte is set, causing memcmp to read past the GString buffer. This vulnerability can lead to minor information disclosure of 7 bytes or denial of service if the over-read crosses a page boundary.
A flaw was found in GLib where a buffer over-read occurs in the g_regex_replace function when using the G_REGEX_RAW compile flag and case-change replacement escapes. The string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This can lead to minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.
A flaw was found in GLib where an out-of-bounds read of 2 bytes occurs in the g_date_time_get_ymd function in glib/gdatetime.c when processing an invalid GDateTime object created by g_date_time_add_full. This can corrupt date output and cause logic errors.
An off-by-one error was found in GLib in the gvs_tuple_is_normal function within glib/gvariant-serialiser.c. The bounds check uses > instead of >=, causing an out-of-bounds read of one byte during alignment padding checks. This flaw can lead to minor information disclosure of one byte and denial of service if the read crosses a page boundary.

