CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-49219
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-24 had an issue with incorrect parsing of filenames, which could lead to a policy bypass and reading disallowed files using symlinks.

CVE-2026-48994
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-24 had a missing check of a return value, which could lead to a heap buffer over-write in the MAT decoder on 32-bit systems. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.

CVE-2026-48734
Medium

ImageMagick prior to versions 6.9.13-49 and 7.1.2-24 had a stack overflow vulnerability due to a missing depth or visited-set check in MVG files. This issue has been patched in the mentioned versions.

CVE-2026-48733
Medium

ImageMagick prior to versions 6.9.13-49 and 7.1.2-24 contained a flaw that could lead to an infinite loop during the subimage-search operation when using a crafted image. This issue has been patched in versions 6.9.13-49 and 7.1.2-24.

CVE-2026-48724
Medium

ImageMagick prior to version 7.1.2-24 has a heap buffer over-write vulnerability when using an image with a mask with the Floyd-Steinberg dithering method.

CVE-2026-47734
Medium

Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability that allows a client with push access to send a small crafted pack, leading to the allocation of a huge amount of memory. The issue affects versions from 0.1.0 to 1.2.5 and is patched in version 1.2.5.

CVE-2026-47213
Medium

Boxlite is a sandbox service that allows users to create lightweight virtual machines and launch OCI containers. In versions 0.8.2 and prior, Boxlite uses the SIGALRM signal to terminate processes after a timeout, which can be exploited by malicious code to continue running, leading to resource exhaustion.

CVE-2026-47166
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed an attacker to cause a heap buffer over-read in the server process if they could connect to a magick -distribute-cache service.

CVE-2026-47165
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 had a distributed pixel cache that operated without a challenge-response authentication model. Changes have been made in newer versions to enhance security.

CVE-2026-46693
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed an attacker to hijack a file descriptor in the server process when a race condition occurred. This issue has been patched in the mentioned versions.

CVE-2026-46692
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed an attacker to perform a heap buffer over-write in the server process if they had access to the magick -distribute-cache service.

CVE-2026-46645
Medium

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check, allowing authenticated users to access model data despite restrictions set by developers.

CVE-2026-46559
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a flaw in JP2 checking that could lead to a heap buffer over-write of a single byte when certain options were specified. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.

CVE-2026-46557
Medium

ImageMagick prior to version 7.1.2-23 has a vulnerability that can lead to a stack overflow in the fx operation due to a missing depth check when passing a crafted argument.

CVE-2026-46521
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed for an out of bounds write when using LZMA compression in the MIFF encoder due to a missing check.

CVE-2026-42568
MediumEPSS 75%

In the Yamcs framework, prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in the `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

CVE-2024-21944
Medium

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.

CVE-2026-53742
Medium

Simple Link Directory version 9.0.4 improperly processes shortcode attributes, leading to their reflection in HTML data attributes without proper escaping. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.

CVE-2026-53741
Medium

Simple Link Directory version 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload can break out of the string and run script for every page visitor.

CVE-2026-53740
Medium

The Yoast Duplicate Post plugin up to version 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

PreviousPage 114 of 511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS