CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-13484
Medium

In MLflow up to version 4666cffc7912ea606d592fc38d6a75e2935f65e7, a missing authorization vulnerability was found in the Experiment-scoped Label Schema CRUD API. This flaw allows remote manipulation of data without proper authentication, though exploitation is difficult due to high attack complexity.

CVE-2026-13483
Low

A vulnerability has been found in arc53 DocsGPT up to version 0.18.0 in the encrypt_credentials function within application/security/encryption.py. It involves insufficient verification of data authenticity, potentially allowing remote attacks. Although the exploit is difficult, it has been published and may be used.

CVE-2026-13482
Low

A vulnerability was found in skypilot up to version 0.12.0, affecting the username.encode function in sky/users/server.py of the User ID Handler component. Manipulation leads to use of weak hash, enabling a remote attack with high complexity.

CVE-2026-10646
High

In Zephyr's BSD-sockets getaddrinfo() implementation, a use-after-return vulnerability occurs when a semaphore wait times out and the code retries the DNS query without canceling the previous one, leaving a stale stack pointer active. A subsequent DNS response or delayed timeout can overwrite stack memory, leading to crashes or memory corruption.

CVE-2026-10644
Medium

The Microchip SERCOM-G1 UART driver for PIC32CM-JH SoCs has an out-of-bounds write vulnerability in the asynchronous (DMA) receive path. When uart_rx_enable() is called with a 1-byte receive buffer and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR triggers a single-beat DMA transfer while a byte is already pending in the DATA register, causing a one-byte write past the buffer end (CWE-787).

CVE-2026-10593
Medium

In Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client, a NULL pointer dereference vulnerability exists. The unicast_client_ep_qos_state() function writes attacker-controlled QoS fields via the stream->qos pointer, which can be NULL when the stream is codec-configured but not added to a unicast group. A remote ASCS server can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is in Codec Configured state, causing a write through NULL and a crash (denial of service).

CVE-2026-58058
Medium

A vulnerability in Nmap through version 7.99 causes the ipv6_get_data_primitive function to improperly handle IPv6 extension header boundaries, leading to out-of-bounds reads. An attacker can trigger a crash by sending a crafted IPv6 response with a truncated extension header during raw IPv6 scans.

CVE-2026-58057
Medium

A vulnerability in Flowise before version 3.1.3 allows bypassing the denylist of environment variables for Custom MCP nodes. On Windows, where environment variable names are case-insensitive, using 'node_options' instead of 'NODE_OPTIONS' enables injection of --require options and arbitrary code execution.

CVE-2026-58056
High

A vulnerability in RustDesk allows privilege escalation within a file transfer session. The gating of incoming control messages is based on per-capability flags rather than the session's authorized connection type, and a file transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.

CVE-2026-58055
Medium

A vulnerability in nghttp2 nghttpx up to version 1.69.0 causes an HTTP/1.1 Upgrade request with a Content-Length header and body to be forwarded onto reusable keep-alive backend connections. A backend interpreting this ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

CVE-2026-58054
High

In MyBB 1.8.40, a limited administrator with user management permissions can assign any usergroup, including the Administrators group (gid 4). The verify_usergroup() function in the user module always returns true, allowing privilege escalation to full administrator permissions.

CVE-2026-58053
Critical

A vulnerability in Gitea act_runner with Docker backend (up to act 0.262.0) allows bypassing privileged mode restrictions. By passing container options like --pid=host, --cap-add, and --security-opt, a user can access host namespaces and escalate privileges to root.

CVE-2026-58052
Low

A vulnerability in 7-Zip for Windows up to version 26.02 allows bypassing the Mark-of-the-Web when extracting a crafted RAR5 archive. The guard mechanism checks for the exact name 'Zone.Identifier' but fails to handle STM records named ':Zone.Identifier:$DATA', which NTFS canonicalizes to the same stream, overwriting the Internet zone marker with ZoneId=0. A second STM record '::$DATA' overwrites the default data stream of the extracted file, enabling an attacker to bypass SmartScreen/MotW warnings and spoof file content.

CVE-2026-58051
Medium

In libssh2 up to version 1.11.1, when growing the publickey list with SSH2_REALLOC, new entries are not zero-initialized before parsing populates them. A parse failure reaching the cleanup path causes libssh2_publickey_list_free to operate on an uninitialized entry, potentially freeing an attacker-influenceable attrs pointer.

CVE-2026-58050
High

A vulnerability in libssh2 up to version 1.11.1 allows an attacker-controlled SSH server to read a 32-bit attribute count from a publickey-subsystem response. This count is used for memory allocation without bounds checking, causing multiplication overflow on 32-bit platforms and an undersized buffer. A malicious server can then write past the allocation, leading to a heap buffer overflow in the connecting libssh2 client.

CVE-2026-58049
High

The RASC video decoder in FFmpeg (decode_dlta function in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

CVE-2026-8095
High

The Frontend File Manager Plugin for WordPress up to version 23.6 is vulnerable to authenticated arbitrary file deletion. The issue is a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, allowing an attacker to delete arbitrary files on the server.

CVE-2026-10643
High

In Zephyr's IP socket recvmsg() implementation (sockets_inet.c), the insert_pktinfo() function improperly validates the control buffer size by omitting the cmsg header size, allowing an out-of-bounds write. This affects versions from v3.6.0 through v4.4.0.

CVE-2026-49416
High

A vulnerability in the FreeBSD kernel in the CONS_HISTORY ioctl handler allows an unprivileged local user to perform an out-of-bounds write. A large history size causes an integer overflow in buffer size calculation, resulting in a heap allocation smaller than expected and subsequent write beyond the allocation.

CVE-2026-49414
High

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.

PreviousPage 152 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS