CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability in NVIDIA Megatron Bridge for Linux allows deserialization of untrusted data. An attacker could exploit this flaw to achieve code execution, privilege escalation, data tampering, and information disclosure.
A vulnerability in NVIDIA Megatron Bridge for Linux allows an attacker to improperly control dynamically managed code resources. Successful exploitation could lead to code execution, privilege escalation, data tampering, and information disclosure.
A vulnerability in NVIDIA Megatron Bridge for Linux allows deserialization of untrusted data. An attacker could exploit this flaw to achieve code execution, privilege escalation, data tampering, and information disclosure.
A vulnerability in NVIDIA Megatron Bridge for Linux allows deserialization of untrusted data. An attacker could exploit this flaw to achieve code execution, privilege escalation, data tampering, and information disclosure.
A vulnerability in NVIDIA Megatron Bridge for Linux allows deserialization of untrusted data. An attacker could exploit this flaw to achieve code execution, privilege escalation, data tampering, and information disclosure.
A vulnerability in NVIDIA Megatron Bridge for Linux allows an attacker to perform server-side request forgery (SSRF). Successful exploitation of this flaw could lead to information disclosure.
A vulnerability in NVIDIA Megatron Bridge for Linux allows deserialization of untrusted data. An attacker could exploit this flaw to achieve code execution, privilege escalation, data tampering, and information disclosure.
A vulnerability in FatFs R0.16 and earlier affects long filename (LFN) handling. The function copies filenames (up to 255 characters) into short fixed buffers without bounds checking, causing buffer overflow.
FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums.
In FatFS R0.16 and earlier, there is an integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers.
A vulnerability in the @acastellon/auth authentication system for microservices allows an unauthenticated attacker to bypass token validation via crafted auth-user and Host HTTP headers. The issue affects validateToken() in versions prior to 2.3.0.
A vulnerability in Poly Voice IP devices (CCX, Trio, Edge E) may render them inoperable when connecting to a malicious SIP server and receiving malformed data. HP is releasing updates to mitigate this risk.
A chain of vulnerabilities was found in pretix: payment plugins (Stripe, Mollie, OPPWA, BitPay, Payone, SecuConnect, Sofort, Saferpay) do not validate session parameters beyond cryptographic signature, the redirect feature uses the same key and salt for signing as the plugins, and the admin impersonation feature allows changing user after injecting arbitrary parameters. An attacker with access to at least one event can become any backend user and access all data.
The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member.
A Race Condition vulnerability in BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user.
A vulnerability in MCO allows an authenticated user to modify group membership without proper authorization checks, leading to privilege escalation. An attacker can add themselves to arbitrary groups by providing a valid group ID, which can be obtained from other application functions or guessed via brute-force.
Vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 causes Node.js process termination when processing malformed percent-encoded sequences in request paths. The issue only affects the standalone engine API (middie.run), not the Fastify plugin path.
The LatePoint plugin for WordPress up to version 5.6.3 is vulnerable to privilege escalation to Administrator due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function and missing role verification in OsAuthHelper::authorize_customer(). An authenticated attacker with Agent-level access can overwrite any customer's email, including one linked to an Administrator account, and then log in as that user.
The NEX-Forms plugin for WordPress up to version 9.2.2 is vulnerable to Stored Cross-Site Scripting via the '_name[]' array parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary scripts that execute when a user accesses the affected page.
An OS command injection vulnerability exists in SkyBridge MB-A100/MB-A110 devices. The issue is caused by improper neutralization of special elements used in OS commands.

