CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
An OS Command Injection vulnerability (CWE-78) in a network service allows unauthorized execution of commands with elevated privileges. The flaw is triggered when a privileged authenticated user interacts with the vulnerable service.
A CWE-476 NULL Pointer Dereference vulnerability could cause a denial-of-service condition, making the device's HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.
CVE-2026-9650 is a vulnerability related to insufficiently protected credentials, which may lead to unauthorized access and exposure of sensitive information. An attacker with physical access to the device could use these credentials to compromise it.
In Vim prior to version 9.2.0699, the Python omni-completion function executes reconstructed function and class definitions from the current buffer using exec(). During source reconstruction, each scope's docstring is inserted verbatim between triple quotes without escaping, allowing a malicious buffer to break out of the triple-quoted literal and execute attacker-controlled Python code during omni-completion.
In Vim before version 9.2.0698, the spell_soundfold_sofo() function in src/spell.c has a stack out-of-bounds write vulnerability. The copy loop does not check the bounds of the result buffer, allowing data to be written past the allocated stack memory when processing a word longer than MAXWLEN. This corrupts the call frame and crashes the editor.
A vulnerability in Vim versions 9.2.0320 through 9.2.0679 allows an out-of-bounds heap memory read via a crafted undo or swap file. A specially crafted file can store a virtual-text property with offset and length pointing outside the line's property data, causing an out-of-bounds read when Vim restores or displays such a line.
In Vim from version 9.1.1784 to 9.2.0678, the bundled zip plugin (autoload/zip.vim) when falling back to PowerShell to browse, read, extract, update or delete entries in a zip archive, builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive.
Vim before version 9.2.0671 has a vulnerability when opening files encrypted with VimCrypt~04! or VimCrypt~05! (xchacha20poly1305, requires +sodium feature). If the file body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim.
In Vim before version 9.2.0670, a vulnerability was found in the get_text_props() function in src/textprop.c. The function reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow, without checking if the actual data amount is sufficient. A crafted line with a large count but little data causes reading past the end of the line buffer, potentially leading to a crash.
Vulnerability in the Nokogiri library (versions prior to 1.19.4) for the Ruby language. During XInclude processing, <xi:include> nodes along with children and namespaces are freed, but if the application previously exposed them to Ruby, Ruby objects point to freed memory, which can lead to invalid reads or writes.
In Vim prior to version 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!.
In Vim before version 9.2.0662, the dump_prefixes() function in src/spell.c does not check the depth of recursion against the size of stack arrays (prefix[], arridx[], curi[]) when processing prefixes from a .spl file. A crafted .spl file can cause an out-of-bounds write on the stack, corrupting the call frame and crashing the editor.
In Vim prior to version 9.2.0653, the tree_count_words() function in src/spellfile.c writes out-of-bounds on the stack when processing crafted .spl/.sug files. An attacker can exploit this vulnerability to crash the editor via stack buffer overflow.
3X-UI is a control panel for managing Xray-core servers. Prior to version 3.3.1, an authenticated administrator could abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database.
In LibreChat prior to 0.8.4-rc1, an authenticated user (or attacker with a stolen session) can call the GET /api/auth/2fa/enable endpoint, which overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false without requiring any TOTP or backup code verification. This allows an attacker to completely take over a victim's two-factor authentication.
Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1.
A vulnerability in the K2 component allows authors to upload PHP files as article attachments. Apache executes these files, enabling remote PHP code execution in the web server context.
A vulnerability in the K2 component for Joomla! allows uploading a ZIP/TAR archive containing PHP files to the gallery directory. The system only renames image files, leaving non-image files (including PHP) extracted as-is and accessible via HTTP, enabling remote code execution.
A vulnerability in the K2 component for Joomla! allows an Author to copy any file readable by the web user (e.g., configuration.php or /etc/passwd) to the /media/k2/attachments/ directory by manipulating the `attachment[N][existing]` POST field. Lack of source path validation and `..` filtering in `JPath::clean` enables a path traversal attack.

