CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-25624
Medium

An administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls.

CVE-2026-25623
Medium

An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions.

CVE-2026-25622
Medium

A command injection vulnerability exists in the Captive Portal Custom Handler of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). An administrative account logged into the user interface can exploit this vulnerability to execute arbitrary platform shell commands.

CVE-2026-25621
Medium

A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed.

CVE-2026-25620
Medium

An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management. This issue uniquely affects version 17.4.0; earlier software releases are not exposed.

CVE-2026-46390
Medium

HAX CMS versions from 2.0.0 to 26.0.0 have the gitlist plugin exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history.

CVE-2026-2379
Medium

Na dotkniętych platformach z obsługą sprzętowego IPSec działających na Arista EOS z włączonymi określonymi funkcjami IPsec, EOS może wykazywać nieoczekiwane zachowanie w określonych przypadkach. Fluktuacje interfejsów fizycznych oraz niektóre restarty agentów mogą powodować ponowne nawiązywanie tunelu IPsec z istniejącymi skojarzeniami bezpieczeństwa, co prowadzi do niezgodności numerów sekwencyjnych między punktami końcowymi tunelu.

CVE-2026-11341
Medium

W urządzeniach D-Link DWR-M920 do wersji 1.1.50 zidentyfikowano lukę, która pozwala na zdalne wstrzyknięcie poleceń systemowych poprzez manipulację argumentem IMEI_value w funkcji sub_412DA0 w pliku /boafrm/formIMEISetup.

CVE-2026-8714
Medium

A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error, causing the RTSP service to enter a non-responsive state.

CVE-2026-7473
MediumActively exploitedEPSS 96%

On affected platforms running Arista EOS, a tunnel decapsulation configuration, such as VXLAN, decap-groups, or a GRE tunnel interface, may lead to incorrect decapsulation and forwarding of other unexpected tunneled packets. This issue arises from the switch's failure to verify the tunnel protocol type.

CVE-2026-48112
Medium

7-Zip versions 9.18 through 26.00 contain a heap out-of-bounds read vulnerability in the BSD SYMDEF parser. The ParseLibSymbols function reads data beyond the allocated memory area, potentially leading to leakage of uninitialized data.

CVE-2026-48111
Medium

7-Zip, a file archiver, contains an off-by-one vulnerability in the ParseDepedencyExpression function that may lead to out-of-bounds reads. Versions 9.21 through 26.00 are affected, potentially resulting in crashes or minor information disclosure.

CVE-2026-48104
Medium

7-Zip versions 9.18 through 26.00 contain a vulnerability in the SquashFS archive handler, involving an uninitialized heap read. This issue occurs when processing images with few inodes, potentially leading to memory information disclosure.

CVE-2026-48103
Medium

7-Zip versions 9.34 through 26.00 contain an off-by-one vulnerability in the WIM archive handler, leading to out-of-bounds read. An attacker can control the security identifier, allowing for application crashes.

CVE-2026-11339
MediumEPSS 68%

A vulnerability was detected in D-Link DWR-M920 up to version 1.1.50. Manipulation of the ussdValue argument in the sub_41CF20 function leads to command injection, allowing for remote attacks.

CVE-2026-11337
Medium

W systemie zarządzania uczelnią tittuvarghese CollegeManagementSystem zidentyfikowano podatność, która dotyczy nieznanej funkcjonalności pliku /dashboard_page/forms/fetch.php. Manipulacja argumentem department_name prowadzi do ataku typu cross site scripting (XSS).

CVE-2025-5090
Medium

CVX nie jest odporny na nieoczekiwane wiadomości z podłączonego przełącznika, co prowadzi do awarii agentów na CVX i niestabilności klastra CVX. Atakujący może wykorzystać to zachowanie do stworzenia scenariusza odmowy usługi (DoS).

CVE-2025-5089
Medium

W klastrze CVX, przełącznik EOS połączony z serwerem CVX nie jest odporny na pewne źle sformułowane wiadomości otrzymywane z połączonego serwera CVX. Podobnie, serwer CVX nie jest odporny na pewne źle sformułowane wiadomości otrzymywane z połączonego przełącznika EOS, co prowadzi do awarii agenta Sysdb na urządzeniu EOS lub awarii agentów na serwerze CVX.

CVE-2026-48101
Medium

7-Zip, a file archiver, contains an uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in versions 9.21 through 26.00. The OpenCapsule function allocates a heap buffer without zero-initialization, which may lead to unauthorized data exposure.

CVE-2026-11336
Medium

A vulnerability has been found in the CollegeManagementSystem affecting an unknown function in the dashboard_page/admin_page.php file of the Admin Interface component. Manipulation of the UserAuthData argument leads to improper authorization.

PreviousPage 166 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS