CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-53131
Critical

A vulnerability was found in the Linux kernel's netfilter subsystem where functions like `ip6t_eui64`, `xt_mac`, ipset types (`bitmap:ip,mac`, `hash:ip,mac`, `hash:mac`), and `nf_log_syslog` accessed the Ethernet header (`eth_hdr(skb)`) without first verifying that the skb is associated with an Ethernet device, that the MAC header is set, and that it spans at least a full Ethernet header. Missing these checks could lead to errors or potential security issues.

CVE-2026-46752
Critical

Vulnerability in the cjson library in Apache Kvrocks causing Lua HEAP overflow. Affects versions from 2.0.4 to 2.15.0.

CVE-2026-46751
Medium

A vulnerability in Apache Kvrocks affects versions from 2.2.0 through 2.15.0, and users are recommended to upgrade to version 2.16.0 to fix the issue.

CVE-2026-45188
Low

A Relative Path Traversal vulnerability in Apache Kvrocks may allow attackers to access unauthorized system resources. The issue affects versions from 1.0.0 through 2.15.0.

CVE-2026-41566
Critical

CVE-2026-41566 involves improper handling of insufficient permissions in Apache Kvrocks version 2.8.0. This issue has been fixed in version 2.16.0.

CVE-2026-56129
Medium

The generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user without administrative privileges may access physical memory.

CVE-2026-12937
High

The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress plugin is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to and including 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-9702
High

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer, allowing unauthenticated attackers to silently redirect the shipping destination of WooCommerce orders.

CVE-2026-5305
High

The Email Address Encoder WordPress plugin before 1.0.25 and email-encoder-premium WordPress plugin before 0.3.12 do not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks.

CVE-2026-12490
High

A vulnerability in the DNS system allows bypassing client certificate authentication for zone transfers (XFR) when using provide-xfr with tls-auth-name. If the request comes via TLS on the standard TLS port (not the tls-auth port) or via plain TCP on the standard port, the server does not require a client certificate, even if the provide-xfr rule specifies one.

CVE-2026-12246
High

In NSD version 4.14.0, a bug was introduced where a specially crafted APL RR with an adflength larger than permitted for the address family overwrites the stack when the zone is written to disk, with a maximum of 111 attacker-controlled bytes.

CVE-2026-12245
High

In NSD from version 4.13.0, a heap use-after-free bug was found in logging errors on TLS connections. The vulnerability causes a crash of the server process, which can be easily triggered by sending a DNS query over a DoT connection and closing the connection without reading the response.

CVE-2026-12244
High

A vulnerability in NSD allows an attacker acting as a primary server for a zone to cause a heap overflow by sending an AXFR response containing a specially crafted SVCB record with an rdata size of 65512 bytes. This causes a uint16_t variable used for memory allocation to wrap, leading to a write beyond the allocated buffer.

CVE-2026-10824
Medium

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

CVE-2026-8330
Medium

A vulnerability in GitLab CE/EE allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint. It affects all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-5952
Medium

A vulnerability in GitLab CE/EE due to incorrect authorization checks allows an authenticated user with developer role to bypass package protection rules and overwrite protected Maven package metadata under certain conditions.

CVE-2026-5796
Medium

A vulnerability in GitLab CE/EE allows an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

CVE-2026-5309
Medium

An issue in GitLab EE allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization under certain conditions. Affected versions: 18.6 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.

CVE-2026-3176
Low

An issue was found in GitLab EE that, under certain conditions, could allow an authenticated user with limited permissions to access project information due to insufficient authorization checks. It affects all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-2238
Medium

A vulnerability in GitLab CE/EE allowed an unauthenticated user to view confidential issue references in public projects under certain conditions due to improper authorization checks. Affected versions: 17.5 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.

PreviousPage 185 of 4549Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS