CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-49495
Medium

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie(). The lack of cycle detection when processing Mach-O binary files leads to unbounded queue growth and exponential string concatenation.

CVE-2026-11853
Medium

Debusine is an integrated solution to build, distribute, and maintain a Debian-based distribution. The parser used to read manifest files accepted arbitrary fully user-controlled paths, potentially allowing the creation of arbitrary symbolic links on a worker.

CVE-2026-11852
Medium

Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question.

CVE-2026-9019
Medium

The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' parameters in all versions up to and including 1.13.6 due to insufficient input sanitization and output escaping.

CVE-2026-8853
Medium

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'memo' parameter in all versions up to and including 5.1.3 due to insufficient input sanitization and output escaping. This allows authenticated attackers with editor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-8613
Medium

The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to and including 1.1.8 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages.

CVE-2026-29115
Medium

A vulnerability has been found in some Dahua products that could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.

CVE-2026-11815
MediumEPSS 61%

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.

CVE-2025-8444
Medium

The Animation Addons for Elementor, powered by GSAP, is vulnerable to DOM-Based Stored Cross-Site Scripting in versions up to and including 2.6.7. The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts.

CVE-2026-24720
Medium

A vulnerability has been reported in File Station 6, involving resource allocation without limits or throttling. A remote attacker with a user account can exploit this vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.

CVE-2026-24717
Medium

A path traversal vulnerability has been reported in QNAP operating systems. A remote attacker with an administrator account can read unexpected files or system data.

CVE-2026-22899
Medium

A NULL pointer dereference vulnerability has been reported to affect File Station 6. A remote attacker with a user account can exploit this vulnerability to launch a denial-of-service (DoS) attack.

CVE-2025-62851
Medium

A path traversal vulnerability has been reported to affect License Center. A local attacker with an administrator account can exploit this vulnerability to read the contents of unexpected files or system data.

CVE-2025-58468
Medium

A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center, allowing remote attackers to gain privileges or hijack user identities.

CVE-2026-46532
Medium

The Espressif Internet of Things (IOT) framework has an out-of-bounds read issue in the BlueDroid AVRCP vendor-command parser. This issue affects versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 and has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1.

CVE-2026-45160
Medium

The ESP-IDF framework has a vulnerability in versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1 related to an out-of-bounds read flaw in the DHCP server option parser. This vulnerability allows reading adjacent memory, potentially leading to unauthorized access to data.

CVE-2026-53675
Medium

BuddyPress version 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows authenticated attackers to enumerate another user's complete friend list.

CVE-2026-47838
Medium

A vulnerability in the SubjectDnX509PrincipalExtractor component of Spring Security allows incorrect handling of malformed CN values in X.509 certificates. This can lead to reading the wrong username and potentially allow an attacker to impersonate another user.

CVE-2026-46543
Medium

Nimiq is a Rust implementation of the Proof-of-Stake protocol. Prior to version 1.5.0, a remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash.

CVE-2026-46542
Medium

In versions prior to 1.4.0, Nimiq has a denial-of-service vulnerability in the Ed25519 multisig delinearization code path. The Ed25519PublicKey::delinearize() method calls .unwrap() on curve point decompression, which panics when a public key is not valid.

PreviousPage 119 of 524Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS