CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
CVE-2026-43966 describes an improper neutralization of CRLF sequences in HTTP headers in the cowlib library, allowing HTTP response splitting through the injection of non-VCHAR bytes in structured field values.
OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server.
A flaw in 389 Directory Server's Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.
A vulnerability has been detected in the imvks786 student management system affecting an unknown functionality of the file /see.php in the Student Deletion Endpoint component. Manipulation of the argument del leads to improper authorization.
A weakness has been identified in the imvks786 student management system affecting an unknown function of the file /add.php of the Student Record Handler component. Executing a manipulation can lead to improper access controls.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response, potentially leading to the exposure of sensitive data.
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.
CVE-2026-43951 describes an out-of-bounds read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. It affects Apache HTTP Server versions from 2.4.0 to 2.4.67.
In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint. This allows authenticated users to modify server-controlled properties, leading to a breach of tenant isolation in multi-workspace environments.
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration.
A vulnerability was identified in designcomputer mysql-mcp-server up to version 0.2.2 in the read_resource function of the src/mysql_mcp_server/server.py file, leading to SQL injection. Remote exploitation is possible, and the exploit has been publicly disclosed.
In the Linux kernel, a vulnerability in the DRM vkms driver was fixed by replacing the custom vblank timer with the DRM implementation. The flaw could cause incorrect vertical synchronization behavior.
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, allowing STRIPTLS and man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
The Origin Validation Error vulnerability in the gun_http2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE headers. The :authority pseudo-header is stored verbatim without validation, violating protocol standards.
QloApps through version 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files.
A vulnerability has been detected in the Mohammed-eid35 bank management system affecting an unknown part of the TransactionController.java file. This manipulation leads to improper authorization, allowing for remote attacks.
A security flaw has been discovered in SourceCodester Inventory System 1.0. The issue affects an unknown functionality of the file /Product_Inventory/api/users_handler.php, where manipulation of the argument ROLE results in improper authorization.
A vulnerability was identified in SourceCodester Inventory System 1.0. The issue affects an unknown function of the file /users.php of the User Management Page component, where manipulation of the argument fullname/username leads to cross-site scripting.
A vulnerability was found in UTT HiPER 2610G up to version 3.0.0-171107, affecting the strcpy function in the file /goform/formNatStaticMap. Manipulating the argument NatBinds results in a buffer overflow.
In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the active check output of service discovery. Administrators can inject malicious HTML or JavaScript that executes in the browsers of admins or users with host read permissions.

