CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-50548
Critical

A vulnerability in Cursor before version 3.0 allows a malicious agent to modify the working_directory parameter, enabling file writes outside the intended workspace. This can lead to remote code execution without user interaction, e.g., by overwriting the cursorsandbox helper.

CVE-2026-6094
Critical

Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.

CVE-2026-55413
Critical

In ToolJet prior to version 3.20.178-lts, any authenticated user with builder role (free tier) could overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executed server-side with full Node.js access. The malicious code ran whenever any user on the instance triggered a query using that plugin, leading to remote code execution (RCE) and supply-chain compromise of the entire ToolJet deployment.

CVE-2026-54849
Critical

The Premmerce Wishlist plugin for WooCommerce versions up to 1.1.11 contains a vulnerability to unauthenticated SQL injection.

CVE-2026-54843
Critical

There is an unauthenticated SQL injection vulnerability in MDTF versions <= 1.3.7.

CVE-2026-54836
Critical

SQL Injection vulnerability in YMC Filter allows an attacker to inject malicious SQL code. The flaw affects versions up to and including 3.11.5.

CVE-2026-54823
Critical

There is a remote code execution (RCE) vulnerability in Widget Options versions <= 4.2.3 that can be exploited by an attacker.

CVE-2026-41120
Critical

A vulnerability in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) involves accepting extraneous untrusted data along with trusted data. This allows a low-privileged attacker with remote access to execute code on the vulnerable system.

CVE-2026-53260
Critical

A vulnerability was found in the Linux kernel's TCP stack in the reqsk_queue_hash_req() function. On systems with PREEMPT_RT, preemption between mod_timer() and refcount_set() can cause a timer to fire early, leading to a refcount underflow and use-after-free.

CVE-2026-53247
Critical

In the Linux kernel, a use-after-free vulnerability was found in the mtk_eth_soc driver. The mtk_free_dev() function calls metadata_dst_free() which frees metadata_dst memory immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer, which can lead to use of freed memory if the driver is torn down while packets still reference the dst.

CVE-2026-53246
Critical

In the Linux kernel SCTP stack, the cached INIT chunk length in COOKIE_ECHO processing was not validated, potentially leading to out-of-bounds reads and memory corruption.

CVE-2026-53228
Critical

In the Linux kernel, a vulnerability in the SIT (Simple Internet Transition) IPv6 module uses a stale inner IPv6 header pointer after GSO offloads. The ipip6_tunnel_xmit() function caches the pointer at entry, but iptunnel_handle_offloads() may relocate the skb buffer, causing reads from freed memory.

CVE-2026-53225
Critical

A vulnerability was found in the Linux kernel's SCTP stack in the __sctp_rcv_asconf_lookup() function. An unauthenticated peer can send a truncated ASCONF chunk that declares an IPv6 address but ends after the parameter header, causing uninitialized memory to be read.

CVE-2026-53224
Critical

In the Linux kernel, sctp_unpack_cookie() lacked validation of the embedded INIT chunk length and address list length in SCTP cookies. A truncated INIT or oversized address list can cause out-of-bounds reads.

CVE-2026-53221
Critical

In the Linux kernel, a bug was found in the vti6_tnl_lookup() function causing incorrect tunnel matching for IP6_VTI. During wildcard tunnel fallback search, missing checks allowed hash collisions to match tunnels without actual wildcard addresses.

CVE-2026-53216
Critical

In the Linux kernel, the mvpp2 driver incorrectly initializes the XDP frame size (frame_sz) to PAGE_SIZE instead of the actual RX buffer size from the BM pool. This allows bpf_xdp_adjust_tail() to grow a packet beyond the allocated buffer, causing memory corruption.

CVE-2026-53215
Critical

In the Linux kernel, a vulnerability in the mvpp2 driver allows an RX buffer to be returned to the BM pool after being handed to XDP or skb, causing use-after-free. The fix reorders operations to refill the BM pool before handing the buffer to XDP or skb.

CVE-2026-53186
Critical

In the Linux kernel, the RDMA/SRP driver lacks validation of the sense data length in SRP_RSP responses. A malicious SRP target can set a large resp_data_len, causing an out-of-bounds read beyond the received buffer and a potential page fault.

CVE-2026-53176
Critical

In the Linux kernel's IB/isert driver, a vulnerability was found due to missing lower bound validation of iSER login PDU length. A remote initiator can send a packet shorter than ISER_HEADERS_LEN (76 bytes), causing an underflow in payload length calculation and resulting in a negative value. This negative length is then used in memcpy(), leading to an out-of-bounds write and system crash.

CVE-2026-53175
Critical

A use-after-free vulnerability was found in the Linux kernel's IP fragment reassembly mechanism. During network namespace teardown, fqdir_pre_exit() flushes fragment queues without resetting q->fragments_tail and q->last_run_head pointers, which still point to freed skbs. A fragment that obtained the queue before the flush can dereference these pointers upon resumption, causing memory corruption.

PreviousPage 14 of 554Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS