CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-43966
Medium

CVE-2026-43966 describes an improper neutralization of CRLF sequences in HTTP headers in the cowlib library, allowing HTTP response splitting through the injection of non-VCHAR bytes in structured field values.

CVE-2026-39908
Medium

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server.

CVE-2026-11611
Medium

A flaw in 389 Directory Server's Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.

CVE-2026-11533
Medium

A vulnerability has been detected in the imvks786 student management system affecting an unknown functionality of the file /see.php in the Student Deletion Endpoint component. Manipulation of the argument del leads to improper authorization.

CVE-2026-11532
Medium

A weakness has been identified in the imvks786 student management system affecting an unknown function of the file /add.php of the Student Record Handler component. Executing a manipulation can lead to improper access controls.

CVE-2026-46443
Medium

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response, potentially leading to the exposure of sensitive data.

CVE-2026-44119
Medium

Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

CVE-2026-43951
Medium

CVE-2026-43951 describes an out-of-bounds read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. It affects Apache HTTP Server versions from 2.4.0 to 2.4.67.

CVE-2026-42862
Medium

In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint. This allows authenticated users to modify server-controlled properties, leading to a breach of tenant isolation in multi-workspace environments.

CVE-2026-29170
Medium

A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration.

CVE-2026-11529
Medium

A vulnerability was identified in designcomputer mysql-mcp-server up to version 0.2.2 in the read_resource function of the src/mysql_mcp_server/server.py file, leading to SQL injection. Remote exploitation is possible, and the exploit has been publicly disclosed.

CVE-2025-71315
Medium

In the Linux kernel, a vulnerability in the DRM vkms driver was fixed by replacing the custom vblank timer with the DRM implementation. The flaw could cause incorrect vertical synchronization behavior.

CVE-2020-37248
Medium

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, allowing STRIPTLS and man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

CVE-2026-43972
Medium

The Origin Validation Error vulnerability in the gun_http2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE headers. The :authority pseudo-header is stored verbatim without validation, violating protocol standards.

CVE-2026-25558
Medium

QloApps through version 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files.

CVE-2026-11521
Medium

A vulnerability has been detected in the Mohammed-eid35 bank management system affecting an unknown part of the TransactionController.java file. This manipulation leads to improper authorization, allowing for remote attacks.

CVE-2026-11519
Medium

A security flaw has been discovered in SourceCodester Inventory System 1.0. The issue affects an unknown functionality of the file /Product_Inventory/api/users_handler.php, where manipulation of the argument ROLE results in improper authorization.

CVE-2026-11518
Medium

A vulnerability was identified in SourceCodester Inventory System 1.0. The issue affects an unknown function of the file /users.php of the User Management Page component, where manipulation of the argument fullname/username leads to cross-site scripting.

CVE-2026-11516
Medium

A vulnerability was found in UTT HiPER 2610G up to version 3.0.0-171107, affecting the strcpy function in the file /goform/formNatStaticMap. Manipulating the argument NatBinds results in a buffer overflow.

CVE-2026-9549
Medium

In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the active check output of service discovery. Administrators can inject malicious HTML or JavaScript that executes in the browsers of admins or users with host read permissions.

PreviousPage 154 of 553Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS