CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-7006
Medium

The vulnerability in Avast Antivirus involves the use of stack memory after it has been freed when scanning a malformed Windows PE file, which may lead to a denial-of-service of the antivirus process.

CVE-2025-7005
Medium

There is an uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file, which may lead to a Denial-of-Service of the antivirus process.

CVE-2026-54397
Medium

A vulnerability in MISP allows an authenticated user with event edit permissions to manipulate form data and assign an event to a sharing group they are not authorized to use. The issue occurs in the event editing path that does not enforce proper authorization checks.

CVE-2026-54396
Medium

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data, allowing enumeration of user email addresses.

CVE-2026-54395
Medium

MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler, allowing an attacker to execute arbitrary JavaScript in the victim's browser.

CVE-2026-54394
Medium

MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields, allowing an attacker to access files outside the intended directory.

CVE-2026-54393
Medium

A stored XSS vulnerability exists in MISP when the Overmind theme is used. An authenticated user can store an arbitrary homepage value, including an XSS payload, leading to the execution of malicious JavaScript in the browser context.

CVE-2026-54362
Medium

A flaw in the visibility conditions in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The use of a PHP comparison expression instead of a query condition resulted in enabled galaxies, including organisation-only custom galaxies, being exposed.

CVE-2026-53606
Medium

ApostropheCMS, an open-source Node.js content management system, has a vulnerability in sanitize-html that allows dangerous URI schemes like 'javascript:' to pass through in HTML attributes. Versions prior to 2.17.5 do not block these schemes, leading to potential XSS attacks.

CVE-2026-47264
Medium

Discourse is an open-source discussion platform with a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. The DetailedTagSerializer#tag_group_names function returned all tag groups a tag belonged to without considering the user's visibility, allowing anonymous and unprivileged users to access the names of tag groups restricted to specific user groups.

CVE-2026-47263
Medium

Discourse is an open-source discussion platform that has a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. The MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, allowing any authenticated user (or anonymous user when login_required is disabled) to access the channel.

CVE-2026-45775
Medium

Discourse, a discussion platform, has a path traversal vulnerability in backup handling that allows an authenticated administrator on one site in a multisite deployment to access backup files of another site. This issue affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.

CVE-2026-45085
Medium

Discourse is an open-source discussion platform that had four authorization/disclosure issues in the chat plugin. Read-only category users could create chat threads, and self-deleted messages could be restored by their authors after channel access was revoked.

CVE-2026-45014
Medium

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip.

CVE-2026-44785
Medium

There is a vulnerability in the Discourse discussion platform that allows authenticated users to access hidden parent post content by using the AI 'explain' function on a reply to that post. This issue affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.

CVE-2026-44784
Medium

Discourse is an open-source discussion platform where group owners, who are not necessarily admins or moderators, can view SMTP credentials in plaintext. This affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.

CVE-2026-44783
Medium

A vulnerability in the Discourse discussion platform allows authenticated users outside the configured groups to post into staff-only whisper channels. This issue affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.

CVE-2026-44782
Medium

Discourse is an open-source discussion platform that has a bug in the serialization of the :name attribute in GroupPostSerializer. The issue is that the incorrectly named predicate include_user_long_name? was never called, resulting in object.user.name always being serialized regardless of SiteSetting.enable_names.

CVE-2026-44780
Medium

Discourse is an open-source discussion platform with a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. The ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts arriving via email, allowing moderation group members to access the full email source without proper permissions.

CVE-2026-44779
Medium

Discourse is an open-source discussion platform that, in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1, discloses whisper translation audit logs through bot debug endpoints. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

PreviousPage 127 of 559Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS