CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-11604
Medium

An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win versions 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service).

CVE-2026-0273
Medium

A command injection vulnerability in PAN-OS® allows an authenticated administrator to bypass system restrictions and execute arbitrary commands as a root user. Exploiting this issue requires access to the PAN-OS CLI or Web UI.

CVE-2026-0272
Medium

A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges.

CVE-2026-0271
Medium

A privilege escalation vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices allows a local user to execute code with elevated privileges.

CVE-2026-0270
Medium

A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network to write arbitrary files to the host.

CVE-2026-0269
Medium

CVE-2026-0269 is a memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software. It allows an authenticated user to initiate system reboots using a maliciously crafted packet.

CVE-2026-0268
Medium

CVE-2026-0268 is a security control bypass vulnerability in the Prisma Access Agent for Linux, allowing a local attacker to route network traffic outside the VPN tunnel.

CVE-2026-0267
Medium

An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS allows a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the app. Once the passcode is known, the user can perform these actions even if the GlobalProtect configuration would not normally permit them.

CVE-2026-50127
Medium

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.

CVE-2026-46683
Medium

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option.

CVE-2026-45106
Medium

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping, potentially allowing malicious code execution.

CVE-2026-50639
Medium

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injections. The statsd protocol allows multiple metrics to be sent per packet, creating a risk.

CVE-2026-11626
Medium

The CleanWipe Removal Tool (macOS) prior to version 16.0.0.65 may be susceptible to a Local Privilege Escalation vulnerability. An attacker with limited access can escalate their privileges to gain administrative control.

CVE-2026-10740
Medium

Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before version 1.8.2 may allow an unauthenticated remote actor to cause a denial of service by sending crafted QUIC Initial packets.

CVE-2026-50569
Medium

Fission is a serverless framework, native to Kubernetes, that prior to version 1.25.0 improperly validated the RelativeURL and Prefix fields in HTTPTriggerSpec.Validate(). These fields were only validated at the CLI level, allowing URL checks to be bypassed using kubectl or direct Kubernetes REST API calls.

CVE-2026-50565
Medium

Fission, a Kubernetes-native serverless framework, prior to version 1.24.0, created builder pods with auto-mounted service account tokens, potentially leading to unauthorized access to resources. This issue has been patched in version 1.24.0.

CVE-2026-46642
Medium

The draw.io application prior to version 29.7.12 contains a vulnerability that allows arbitrary JavaScript execution through a crafted .drawio file. The issue lies in the Text Format panel where the raw cell label is assigned to an element without proper sanitization.

CVE-2026-46618
Medium

Fission is a serverless framework, Kubernetes-native, that prior to version 1.23.0 had a security vulnerability. In pkg/builder/builder.go, the Environment.spec.builder.command was passed without validation, allowing arbitrary code execution in the builder pod context.

CVE-2026-20260
Medium

In Splunk SOAR versions below 8.5.0, an unauthenticated attacker could inject ANSI escape codes into SOAR application log files through specially crafted HTTP request paths. The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.

CVE-2026-20259
Medium

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user with a role containing the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.

PreviousPage 122 of 540Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS