CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Użytkownik ERPNext z uprawnieniami do edycji rekordów przedmiotów może wprowadzać dowolny kod HTML/JavaScript w polach item_name, description lub image. To prowadzi do niebezpiecznego renderowania w interfejsie koszyka w Punkcie Sprzedaży (POS) dla każdego operatora, który doda ten przedmiot do transakcji.
Wersje Koha do 25.11 zawierają podatność typu Server-Side Request Forgery (SSRF) w konfiguracji serwera Z39.50/SRU. Umożliwia to uwierzytelnionym atakującym skanowanie wewnętrznej sieci oraz identyfikację działających usług poprzez analizę czasów odpowiedzi serwera.
Podatność typu Cross Site Scripting w Koha 25.11 i wcześniejszych wersjach umożliwia zdalnemu atakującemu wykonanie dowolnego kodu poprzez funkcję przesyłania plików w funkcjach fakturowania.
A vulnerability has been identified in the Linux kernel related to a race condition between sysfs mode and perf mode. This issue occurs when both modes are run simultaneously, triggering a warning in the tmc_etr_enable_hw() function.
A vulnerability has been identified in the Linux kernel that leads to a NULL pointer dereference when parsing the device tree in the k230 pinctrl driver. This issue occurs when attempting to retrieve the device pointer before it has been initialized.
A vulnerability in the Linux kernel related to the p2pmem_alloc_mmap() function has been fixed, which incorrectly checked the page reference count. The change introduces correct assertion conditions, eliminating false warnings.
A vulnerability has been identified in the Linux kernel related to improper lock management in the fsl_xcvr_mode_put() function. This can lead to a deadlock when attempting to acquire a read lock while holding a write lock in the same thread.
A vulnerability in the Linux kernel has been fixed that could lead to a NULL pointer dereference in the wpcm_fiu_probe() function. The issue occurred when platform_get_resource_byname() returned NULL, potentially causing system crashes.
A vulnerability has been identified in the Linux kernel that may lead to NULL pointer dereference in the linehandle_create() function. This issue has been resolved by using the value of handlereq.lines instead of dereferencing the pointer.
In the Linux kernel, a vulnerability was fixed that led to an Oops error when read_current_timer was called on ARM32 platforms where SP804 was not registered as sched_clock.
A vulnerability related to LOCALIO in NFS has been resolved in the Linux kernel, which could lead to recursive deadlock during direct memory reclaim. This issue occurred when LOCALIO transitioned to XFS and then back to NFS via nfs_writepages.
A vulnerability has been identified in the Linux kernel related to improper clock disabling in the .remove() function of the fsl-edma driver. Clocks are allocated and enabled automatically, but manual disabling causes warnings during driver removal.
A vulnerability has been identified in the Linux kernel's AppArmor that allows handling of unaligned dfa tables. These tables can originate from kernel or userspace, potentially leading to unaligned memory accesses on various architectures.
In the Linux kernel, a locking issue was found in the error path of regulator_resolve_supply() in the voltage regulator driver. When late enabling of a supply regulator fails, the code calls _regulator_put() without holding the regulator_list_mutex, triggering a lockdep warning. The fix switches to regulator_put() and adds proper locking to prevent concurrent access to rdev while clearing the supply pointer.
A vulnerability has been identified in the Linux kernel that leads to a PF driver crash during kexec booting. The issue arises because the AF state from the old kernel can persist into the new one, causing the PF driver to incorrectly assume AF is ready.
A vulnerability has been identified in the Linux kernel within the wifi ath12k module, concerning improper link mapping management during failed arvif initialization in STA mode. This can lead to stale link mappings causing warnings in system logs when a new arvif is initialized with the same link ID.
A vulnerability has been identified in the Linux kernel related to incorrect determination of the GFX3D clock rate, leading to system crashes. The issue arises from improper parent mapping in the request, which has been fixed by setting the appropriate field in the parent_req structure.
A vulnerability in the Linux kernel related to NULL handling in the HPD initialization function in amdgpu_dm has been fixed. The issue was that the amdgpu_dm_hpd_init() function could encounter connectors without a valid dc_link pointer, leading to unsafe dereferencing of this pointer.
W interfejsie webowym Kimi AI v1.0 występuje podatność typu Cross Site Scripting w funkcji 'Podgląd'. Aplikacja nieprawidłowo sanitizuje lub koduje ładunki HTML/JavaScript generowane przez model AI, co pozwala na wykonanie złośliwego kodu w sesji przeglądarki ofiary.
Urządzenie Mercusys AC12G (EU) V1 z oprogramowaniem AC12G(EU)_V1_200909 odpowiada na zapytania CHAOS TXT dotyczące version.bind, ujawniając wersję oprogramowania resolvera DNS (unbound 1.22.0). To może wspierać ataki ukierunkowane na znane podatności.

