CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-11945
Medium

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges.

CVE-2026-4096
Medium

IBM DevOps Plan versions 3.0.0 through 3.0.6 is vulnerable to HTTP header injection due to improper validation of input in the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.

CVE-2026-3341
Medium

IBM Langflow Desktop versions 1.0.0 through 1.9.2 are vulnerable to server-side request forgery (SSRF). This allows an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

CVE-2024-45636
Medium

IBM Security QRadar EDR versions 3.12 through 3.12.24 store user credentials in plain text, which can be read by a local privileged user.

CVE-2026-6338
Medium

CVE-2026-6338 is a vulnerability affecting HTTP request smuggling and desynchronization in Kong Gateway Enterprise versions 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. The issue is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

CVE-2026-53723
Medium

Guzzle Services prior to version 1.5.4 has an issue with safely serializing XML element values containing the CDATA terminator `]]>`. An attacker can introduce malicious data, leading to premature closing of the CDATA section and interpretation of the remaining part as XML markup.

CVE-2026-49214
Medium

The guzzlehttp/psr7 library in versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in URI host components. This can lead to the injection of additional headers by an attacker, posing a risk to applications using user-controlled URLs.

CVE-2026-48998
Medium

The guzzlehttp/psr7 library in versions prior to 2.10.2 contains improper Host header validation, which can lead to incorrect URI processing in HTTP requests. An attacker can provide a malicious Host header, resulting in a discrepancy between the original value and the URI host value.

CVE-2026-9204
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.

CVE-2026-6277
Medium

GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with Security Manager-role permissions could manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.

CVE-2026-6269
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with developer-role permissions could modify hidden merge requests due to incorrect authorization enforcements.

CVE-2026-53912
Medium

Cerebrate before version 1.37 exposed credential data from self-registration requests. User passwords are stored in message data and can be returned in API responses, creating a risk of disclosure.

CVE-2026-53423
Medium

A vulnerability in the membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser does not validate box names, leading to permanent atom allocations.

CVE-2026-1500
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could have caused denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.

CVE-2026-10733
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. This issue could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.

CVE-2023-32959
Medium

MetroStore has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels.

CVE-2023-25969
Medium

CVE-2023-25969 describes a missing authorization vulnerability in the ThemeHunk Contact Form & Lead Form Elementor Builder, allowing exploitation of incorrectly configured access control security levels.

CVE-2022-47150
Medium

CSRF vulnerability in weDevs WooCommerce Conversion Tracking allows Cross-Site Request Forgery. This issue affects versions from n/a through 2.0.10.

CVE-2022-45813
Medium

CVE-2022-45813 is a vulnerability in the BeRocket Advanced AJAX Product Filters plugin that has a missing authorization issue, allowing exploitation of incorrectly configured access control security levels.

CVE-2026-53911
Medium

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. This enabled an authenticated attacker to craft edit requests that could modify unrelated records.

PreviousPage 121 of 543Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS