CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
An improper authorization vulnerability in Apache Tomcat causes security constraints for the default servlet to ignore any configured HTTP method or method omission. This affects Tomcat versions from 7.0.0 through 11.0.22.
An Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat causes special roles and empty authorization constraints to be omitted when the effective web.xml is logged. Affected versions include 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, and 8.5.0 through 8.5.100.
A vulnerability was found in Apache Tomcat where a detection of error condition without action occurs when configuring CRLs for a FFM based connector. Affected versions are from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, and from 9.0.83 through 9.0.118.
An Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve causes subsequent non-OR conditions to be skipped if the first condition in an OR chain matches.
A basic XSS (Cross-Site Scripting) vulnerability was found in the number guess example application in Apache Tomcat. Improper neutralization of script-related HTML tags allows an attacker to inject malicious JavaScript code.
In Coolify prior to 4.0.0-beta.474, the HMAC key for GitHub webhooks can be null, causing an empty string to be used as the key. An attacker can compute a valid signature and trigger unauthorized deployments.
In Coolify prior to 4.0.0-beta.470, a critical authenticated remote code execution (RCE) vulnerability was found. The flaw is in the handling of the install_command parameter, which is directly concatenated into a shell command during Nixpacks build, allowing arbitrary command execution on the host.
In Coolify prior to version 4.0.0-beta.471, an authenticated command injection vulnerability in the Destination Network Management functionality allows users with network management permissions to execute arbitrary commands as root on managed servers. The "network" parameter is passed directly to shell commands without sanitization, enabling full remote code execution.
A vulnerability in CryptX versions before 0.088_001 for Perl causes AEAD authentication tag comparison in the decrypt_done path to be non-constant time. The decrypt_done($tag) function uses memNE (memcmp() != 0), which short-circuits on the first differing byte, making execution time depend on the number of matching leading bytes.
A vulnerability in PBackupVSS.exe in Matrix42 Empirum before version 25.5 and 26.x before 26.2 creates a named pipe with overly permissive DACL. An authenticated low-privileged attacker can connect to this pipe and send crafted IPC messages, leading to arbitrary command execution with SYSTEM privileges.
Coolify prior to version 4.0.0-beta.474 has a vulnerability where Livewire web UI components accept server_id and destination_uuid from URL query parameters without team ownership validation. This allows cross-team resource deployment on servers belonging to other teams.
A vulnerability in JavaScript::Minifier::XS for Perl before version 0.16 causes memory leaks on every call to minify(). The cleanup function only frees NodeSet structures but not per-token content buffers, leading to unbounded memory growth.
A vulnerability in JavaScript::Minifier::XS before version 0.16 for Perl causes a crash via NULL pointer dereference when the first meaningful token of the input is a slash. The issue occurs in the JsTokenizeString function during regexp versus division disambiguation.
XSS vulnerability in the mdex library for Elixir allows an attacker to inject JavaScript code via improper validation of URL schemes in Markdown to Quill Delta processing. An attacker can supply a malicious link with javascript: scheme in Markdown text, which is copied verbatim to the Delta attribute and executed in the victim's browser when rendered to HTML.
A vulnerability in the mdex library (and mdex_native) allows a DoS attack by supplying a deeply nested Markdown document. Recursive conversion functions lack a maximum depth check, causing a C stack overflow and crashing the entire BEAM node.
A missing release of memory after effective lifetime vulnerability in mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion. The native rendering code permanently leaks memory when rendering a document containing escaped-tag nodes, leading to unlimited memory consumption and process crash.
A vulnerability in the MDEx library for Elixir/Erlang allows exhaustion of the atom table by processing a specially crafted JSON document. The json_to_node/1 function creates new atoms for each unique node_type value, which are never garbage collected, leading to a crash of the entire BEAM virtual machine.
A use-after-free vulnerability was addressed with improved memory management in Safari. The issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
An out-of-bounds write vulnerability was found in Safari, iOS, iPadOS, and macOS Tahoe. The issue was fixed by improving input validation.
A race condition vulnerability was fixed in iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 by improving state handling. This flaw could allow an app to cause unexpected system termination.

