CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges.
IBM DevOps Plan versions 3.0.0 through 3.0.6 is vulnerable to HTTP header injection due to improper validation of input in the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.
IBM Langflow Desktop versions 1.0.0 through 1.9.2 are vulnerable to server-side request forgery (SSRF). This allows an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
IBM Security QRadar EDR versions 3.12 through 3.12.24 store user credentials in plain text, which can be read by a local privileged user.
CVE-2026-6338 is a vulnerability affecting HTTP request smuggling and desynchronization in Kong Gateway Enterprise versions 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. The issue is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
Guzzle Services prior to version 1.5.4 has an issue with safely serializing XML element values containing the CDATA terminator `]]>`. An attacker can introduce malicious data, leading to premature closing of the CDATA section and interpretation of the remaining part as XML markup.
The guzzlehttp/psr7 library in versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in URI host components. This can lead to the injection of additional headers by an attacker, posing a risk to applications using user-controlled URLs.
The guzzlehttp/psr7 library in versions prior to 2.10.2 contains improper Host header validation, which can lead to incorrect URI processing in HTTP requests. An attacker can provide a malicious Host header, resulting in a discrepancy between the original value and the URI host value.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.
GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with Security Manager-role permissions could manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with developer-role permissions could modify hidden merge requests due to incorrect authorization enforcements.
Cerebrate before version 1.37 exposed credential data from self-registration requests. User passwords are stored in message data and can be returned in API responses, creating a risk of disclosure.
A vulnerability in the membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser does not validate box names, leading to permanent atom allocations.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could have caused denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. This issue could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.
MetroStore has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels.
CVE-2023-25969 describes a missing authorization vulnerability in the ThemeHunk Contact Form & Lead Form Elementor Builder, allowing exploitation of incorrectly configured access control security levels.
CSRF vulnerability in weDevs WooCommerce Conversion Tracking allows Cross-Site Request Forgery. This issue affects versions from n/a through 2.0.10.
CVE-2022-45813 is a vulnerability in the BeRocket Advanced AJAX Product Filters plugin that has a missing authorization issue, allowing exploitation of incorrectly configured access control security levels.
Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. This enabled an authenticated attacker to craft edit requests that could modify unrelated records.

