CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-42890
Medium

Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set, turning the application into a Node.js REPL capable of executing arbitrary code.

CVE-2026-42604
Medium

Versions of Actual Budget's sync-server up to 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who knows the bootstrap password. The endpoint lacks authentication and rate limiting, making it susceptible to brute-force attacks.

CVE-2026-53726
Medium

In Parse Server prior to versions 8.6.80 and 9.9.1-alpha.6, a vulnerability allowed reading the membership of a Relation field using the $relatedTo operator, even when that field was hidden from the client. This enabled unauthorized clients to enumerate objects linked through a protected relation.

CVE-2026-53725
Medium

Parse Server versions from 9.8.0 to before 9.9.1-alpha.5 have a vulnerability that allows the exposure of sensitive user data through the /login and /verifyPassword endpoints when MFA is enabled and access to the _User class is denied. When access to user data is denied, the server falls back to raw database rows, potentially exposing sensitive information such as MFA secrets and recovery codes.

CVE-2026-50244
Medium

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space.

CVE-2026-50099
Medium

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console. This allows an attacker with physical access to recover WiFi credentials and perform firmware-side attacks.

CVE-2026-50008
Medium

Parse Server versions from 9.8.0 to before 9.9.1-alpha.3 have a vulnerability that allows bypassing the allowed API route list. External clients can issue sub-requests to routes not included in this list, creating a risk of unauthorized access.

CVE-2026-47248
Medium

Parse Server prior to versions 8.6.78 and 9.9.1-alpha.2 discloses schema metadata through GraphQL validation-error messages, allowing unauthenticated users to reconstruct class and field names.

CVE-2026-47236
Medium

Solidtime is a time-tracking application that prior to version 0.12.2 had improperly configured permissions for the invitations and members API. Employees of the organization could access invitation email addresses and members, even though the API forbade them from doing so.

CVE-2026-42932
Medium

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Additionally, the platform exposes an endpoint that reveals the current identifier high-water mark, allowing for enumeration of the active fleet.

CVE-2026-41568
Medium

In Moby, versions prior to 2.0.0-beta.14 and Docker Engine prior to 29.5.1, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.

CVE-2026-10715
Medium

Camaleon CMS version 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.

CVE-2026-47225
Medium

Typesense, a typo-tolerant search engine, has a cache isolation issue affecting search requests that use server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints, leading to unintended disclosure of search results.

CVE-2026-47223
Medium

In NanaZip, from version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser. A 32-bit unsigned integer overflow in the bounds check allows an attacker-controlled salt_len field to bypass validation.

CVE-2026-44173
Medium

A vulnerability in MariaDB allows SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without the required FILE privilege if the FROM clause contains only subqueries. Affected versions include 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1.

CVE-2026-44171
Medium

MariaDB server versions from 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1 had an issue with not checking for /../ in the path when unpacking the archive. A specially crafted archive could have caused mbstream to create files outside of the target-dir path.

CVE-2026-44169
Medium

In MariaDB versions from 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user with EXECUTE access to a stored routine could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.

CVE-2026-7184
Medium

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations. This allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.

CVE-2026-6739
Medium

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles. This allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.

CVE-2026-6689
Medium

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to enforce proper permissions when creating teams, allowing authenticated users with PermissionCreateTeam but without PermissionInviteUser to modify team invite settings.

PreviousPage 134 of 565Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS