CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set, turning the application into a Node.js REPL capable of executing arbitrary code.
Versions of Actual Budget's sync-server up to 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who knows the bootstrap password. The endpoint lacks authentication and rate limiting, making it susceptible to brute-force attacks.
In Parse Server prior to versions 8.6.80 and 9.9.1-alpha.6, a vulnerability allowed reading the membership of a Relation field using the $relatedTo operator, even when that field was hidden from the client. This enabled unauthorized clients to enumerate objects linked through a protected relation.
Parse Server versions from 9.8.0 to before 9.9.1-alpha.5 have a vulnerability that allows the exposure of sensitive user data through the /login and /verifyPassword endpoints when MFA is enabled and access to the _User class is denied. When access to user data is denied, the server falls back to raw database rows, potentially exposing sensitive information such as MFA secrets and recovery codes.
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space.
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console. This allows an attacker with physical access to recover WiFi credentials and perform firmware-side attacks.
Parse Server versions from 9.8.0 to before 9.9.1-alpha.3 have a vulnerability that allows bypassing the allowed API route list. External clients can issue sub-requests to routes not included in this list, creating a risk of unauthorized access.
Parse Server prior to versions 8.6.78 and 9.9.1-alpha.2 discloses schema metadata through GraphQL validation-error messages, allowing unauthenticated users to reconstruct class and field names.
Solidtime is a time-tracking application that prior to version 0.12.2 had improperly configured permissions for the invitations and members API. Employees of the organization could access invitation email addresses and members, even though the API forbade them from doing so.
Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Additionally, the platform exposes an endpoint that reveals the current identifier high-water mark, allowing for enumeration of the active fleet.
In Moby, versions prior to 2.0.0-beta.14 and Docker Engine prior to 29.5.1, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
Camaleon CMS version 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.
Typesense, a typo-tolerant search engine, has a cache isolation issue affecting search requests that use server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints, leading to unintended disclosure of search results.
In NanaZip, from version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser. A 32-bit unsigned integer overflow in the bounds check allows an attacker-controlled salt_len field to bypass validation.
A vulnerability in MariaDB allows SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without the required FILE privilege if the FROM clause contains only subqueries. Affected versions include 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1.
MariaDB server versions from 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1 had an issue with not checking for /../ in the path when unpacking the archive. A specially crafted archive could have caused mbstream to create files outside of the target-dir path.
In MariaDB versions from 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user with EXECUTE access to a stored routine could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations. This allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles. This allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to enforce proper permissions when creating teams, allowing authenticated users with PermissionCreateTeam but without PermissionInviteUser to modify team invite settings.

