CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-50741
High

CVE-2026-50741 bypasses the fix for CVE-2026-34916. Attackers can bypass the security patch by sending a disallowed but valid plugin identifier as type or by using the `ox.setChannelTargeting` XML-RPC API method.

CVE-2026-50740
Medium

In Revive Adserver 6.0.7 and earlier, missing sanitization of user input in the zone-include.php script allows XSS attacks. A low-privileged user can exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.

CVE-2026-50739
Medium

A bypass for CVE-2026-34913 exists in Revive Adserver 6.0.7 and earlier due to missing ownership validation in the reverse operation of linking campaigns and trackers via the `tracker-campaigns.php` script. A low-privileged user can link their trackers to campaigns owned by other managers on the same instance, causing inconsistent ownership relationships.

CVE-2026-48936
Low

A flaw in Node.js Permission API allows starting a local server via a Unix domain socket, even without the `--allow-net` permission. This affects Node.js 26 release line.

CVE-2026-48935
Low

A flaw in Node.js Permission API allows modification of file metadata even on a path set as read-only with the `--allow-fs-read` flag. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-48934
Medium

A flaw in Node.js TLS host verification allows an attacker to bypass certificate validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-48933
HighEPSS 83%

A flaw in Node.js WebCrypto implementation crashes the process when the input of `subtle.encrypt()` is a multiple of 2 GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-48930
Critical

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-48928
Medium

An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-48619
High

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-48618
Medium

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch.

CVE-2026-48615
High

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.

CVE-2026-13226
Medium

The Groundhogg plugin for WordPress (versions up to and including 4.5.4) is vulnerable to generic SQL injection via the 'after' parameter. Authenticated attackers with Sales Manager-level access or above can append additional SQL queries to existing ones, enabling extraction of sensitive data from the database. Additionally, the AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, allowing any authenticated user to reach the vulnerable code path.

CVE-2026-9222
High

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. An attacker who knows the hash can authenticate and gain full access.

CVE-2026-9221
High

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID.

CVE-2026-9220
High

The Setracker2 Android Companion App versions 3.1.5 and prior encrypts communication between the watch and its backend using static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic.

CVE-2026-9219
Medium

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and prior generate a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment, allowing an attacker who obtains the registration ID to arbitrarily enroll watches belonging to other users.

CVE-2026-43920
Medium

A vulnerability in FOSSBilling versions 0.5.4 through 0.7.2 allows an unauthenticated remote attacker to trigger the /run-patcher maintenance endpoint, which executes critical operations such as configuration file modifications, database schema changes, filesystem mutations, and cache clearing. The lack of authentication and CSRF validation enables denial-of-service attacks via a simple HTTP GET request.

CVE-2026-13322
Low

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.

CVE-2026-13318
Medium

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP from vmi.Status.Interfaces[0].IP and passes it directly to net.Dial() without validation. For VMIs using non-masquerade network bindings (bridge or secondary-only), this IP is reported by the QEMU guest agent running inside the VM and is fully controllable by the VM owner.

PreviousPage 190 of 4574Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS