CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-46683
Medium

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option.

CVE-2026-45106
Medium

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping, potentially allowing malicious code execution.

CVE-2026-50639
Medium

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injections. The statsd protocol allows multiple metrics to be sent per packet, creating a risk.

CVE-2026-11626
Medium

The CleanWipe Removal Tool (macOS) prior to version 16.0.0.65 may be susceptible to a Local Privilege Escalation vulnerability. An attacker with limited access can escalate their privileges to gain administrative control.

CVE-2026-10740
Medium

Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before version 1.8.2 may allow an unauthenticated remote actor to cause a denial of service by sending crafted QUIC Initial packets.

CVE-2026-50569
Medium

Fission is a serverless framework, native to Kubernetes, that prior to version 1.25.0 improperly validated the RelativeURL and Prefix fields in HTTPTriggerSpec.Validate(). These fields were only validated at the CLI level, allowing URL checks to be bypassed using kubectl or direct Kubernetes REST API calls.

CVE-2026-50565
Medium

Fission, a Kubernetes-native serverless framework, prior to version 1.24.0, created builder pods with auto-mounted service account tokens, potentially leading to unauthorized access to resources. This issue has been patched in version 1.24.0.

CVE-2026-46642
Medium

The draw.io application prior to version 29.7.12 contains a vulnerability that allows arbitrary JavaScript execution through a crafted .drawio file. The issue lies in the Text Format panel where the raw cell label is assigned to an element without proper sanitization.

CVE-2026-46618
Medium

Fission is a serverless framework, Kubernetes-native, that prior to version 1.23.0 had a security vulnerability. In pkg/builder/builder.go, the Environment.spec.builder.command was passed without validation, allowing arbitrary code execution in the builder pod context.

CVE-2026-20260
Medium

In Splunk SOAR versions below 8.5.0, an unauthenticated attacker could inject ANSI escape codes into SOAR application log files through specially crafted HTTP request paths. The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.

CVE-2026-20259
Medium

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user with a role containing the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.

CVE-2026-20257
Medium

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user can craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The issue arises from the lack of full validation of style attribute values in classic dashboard panels.

CVE-2026-20256
Medium

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user can cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.

CVE-2026-20255
Medium

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user can craft a malicious classic dashboard that exfiltrates sensitive data to an external server.

CVE-2026-20254
Medium

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user can craft a malicious dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, exploiting a validation flaw in the Trusted Domains security check.

CVE-2026-11596
Medium

In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.

CVE-2026-46616
Medium

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some Surface Controllers in the CMS fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.

CVE-2026-46609
Medium

Umbraco is an ASP.NET CMS. Authenticated users can inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding.

CVE-2026-53698
Medium

Silverpeas through 6.4.6 mishandles the 'Personal space' feature when no componentId is set.

CVE-2026-53693
Medium

A stored cross-site scripting (XSS) vulnerability exists in the tag rendering code of MISP BSimVis. Several client-side rendering paths interpolate tag names, collection names, entity identifiers, cluster names, and tag metadata without appropriate context, allowing attackers to inject malicious code.

PreviousPage 116 of 513Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS