CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-9754
Medium

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.

CVE-2026-9752
Medium

An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS.

CVE-2026-9751
Medium

The ldapQueryPassword parameter, when set through the runtime setParameter command, logs the new password to the mongod.log file in plain text.

CVE-2026-9750
Medium

An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.

CVE-2026-9749
Medium

The vulnerability occurs when running an aggregation pipeline using the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer, the server does not update the internal 'high watermark' for that key range as intended.

CVE-2026-9748
Medium

The $_internalConvertBucketIndexStats stage used PauseExecution to signal 'skip this document' when an index stats conversion failed. However, PauseExecution is not a general-purpose skip mechanism, leading to mongod crashes when this stage is placed before $facet in a pipeline.

CVE-2026-9747
Medium

Adding fromRouter:true and runtimeConstants.userRoles could cause MongoDB server crashes during aggregations.

CVE-2026-9746
Medium

Using $changestreams and $_requestReshardingResumeToken with the exchange option causes the server to crash due to hitting an invariant. The user must be logged in to issue the statement.

CVE-2026-9743
Medium

In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline, leading to a process crash.

CVE-2026-9741
Medium

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext.

CVE-2026-9735
Medium

The MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.

CVE-2026-46433
Medium

In lldpd prior to version 1.0.22, there is a bug in the lldpd_decode() function that leads to a heap buffer over-read. This issue arises from incorrect byte count calculation, which may result in memory violations.

CVE-2026-47905
Medium

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.

CVE-2026-47904
Medium

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.

CVE-2026-47903
Medium

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition.

CVE-2026-47902
Medium

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.

CVE-2026-34657
Medium

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by a 'Path Traversal' vulnerability that allows arbitrary file system writes. An attacker could exploit this vulnerability to write to unauthorized files or directories outside of intended restrictions.

CVE-2026-34417
Medium

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. This can be exploited by injecting malicious content through the project request parameter in oscal-forms.php.

CVE-2026-25860
Medium

OpenClinic GA version 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser. Attackers can craft a DICOM file with malicious payloads in metadata fields that are reflected without sanitization.

CVE-2026-47961
Medium

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information, requiring user interaction in that a victim must open a malicious file.

PreviousPage 148 of 565Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS