CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
CVE-2026-50741 bypasses the fix for CVE-2026-34916. Attackers can bypass the security patch by sending a disallowed but valid plugin identifier as type or by using the `ox.setChannelTargeting` XML-RPC API method.
In Revive Adserver 6.0.7 and earlier, missing sanitization of user input in the zone-include.php script allows XSS attacks. A low-privileged user can exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.
A bypass for CVE-2026-34913 exists in Revive Adserver 6.0.7 and earlier due to missing ownership validation in the reverse operation of linking campaigns and trackers via the `tracker-campaigns.php` script. A low-privileged user can link their trackers to campaigns owned by other managers on the same instance, causing inconsistent ownership relationships.
A flaw in Node.js Permission API allows starting a local server via a Unix domain socket, even without the `--allow-net` permission. This affects Node.js 26 release line.
A flaw in Node.js Permission API allows modification of file metadata even on a path set as read-only with the `--allow-fs-read` flag. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
A flaw in Node.js TLS host verification allows an attacker to bypass certificate validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
A flaw in Node.js WebCrypto implementation crashes the process when the input of `subtle.encrypt()` is a multiple of 2 GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch.
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
The Groundhogg plugin for WordPress (versions up to and including 4.5.4) is vulnerable to generic SQL injection via the 'after' parameter. Authenticated attackers with Sales Manager-level access or above can append additional SQL queries to existing ones, enabling extraction of sensitive data from the database. Additionally, the AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, allowing any authenticated user to reach the vulnerable code path.
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. An attacker who knows the hash can authenticate and gain full access.
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID.
The Setracker2 Android Companion App versions 3.1.5 and prior encrypts communication between the watch and its backend using static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.
The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and prior generate a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment, allowing an attacker who obtains the registration ID to arbitrarily enroll watches belonging to other users.
A vulnerability in FOSSBilling versions 0.5.4 through 0.7.2 allows an unauthenticated remote attacker to trigger the /run-patcher maintenance endpoint, which executes critical operations such as configuration file modifications, database schema changes, filesystem mutations, and cache clearing. The lack of authentication and CSRF validation enables denial-of-service attacks via a simple HTTP GET request.
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner.

