CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.
A NULL pointer dereference in the ctts_box_write function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.
GPAC MP4Box version 2.4 was found to contain a floating point exception in the gf_opus_parse_packet_header function, which may lead to application crashes. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
A NULL pointer dereference in the gf_isom_get_user_data_count function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later) that can cause the parser to ignore other browser configuration files when a large number of Firefox preference files are present, leading to a denial of service.
Dell/Alienware Purchased Apps, versions prior to 1.1.32.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write.
Dell Inventory Collector Client, versions prior to 13.8.0, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write.
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information.
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, resulting in a denial-of-service condition.
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application crashes. Exploitation of this vulnerability requires user interaction, as the victim must open a malicious file.
Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. A high-privileged attacker can inject malicious scripts into vulnerable form fields.
Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of availability.
Improper access control in AMD uProf may allow a local attacker with user privileges to write to the kernel-shared memory section, potentially resulting in crash or denial of service.
Improper access control for register interface in the input-output memory management unit (IOMMU) could allow a privileged attacker to cause non-coherent accesses by the AMD secure processor (ASP) potentially resulting in loss of integrity.
The vulnerable NETGEAR models have an insufficient input validation vulnerability that allows authenticated administrators connected to the local network to make unauthorized modifications to router software and functionality.
A vulnerability in Windows NTLM allows an unauthorized attacker to perform spoofing over a network, leading to the exposure of sensitive information.
Missing authentication for a critical function in Windows BitLocker allows an unauthorized attacker to bypass a security feature through a physical attack.
Hermes WebUI before version 0.51.303 contains a TOCTOU vulnerability in the git_discard function that allows attackers to delete files outside the configured workspace boundary. This is possible by replacing a validated path component with a symlink after validation but before deletion.
Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles. This enables attackers to send requests to the session search endpoint without active-profile filtering.
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion.

