CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
A privilege escalation vulnerability in Bitwarden Server before 2026.5.0 allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization. Attackers exploit a missing role hierarchy check in the bulk user-remove endpoint to bypass the guard enforced on the single-user removal path.
Vulnerability in the WolfSSL library involves accepting intermediate certificates with CA:TRUE but without the keyCertSign key usage as signing CAs. Previously, temporary CAs added during certificate path building (WOLFSSL_TEMP_CA) were exempt from this check, allowing invalid certificates to be accepted. Now the check applies to temporary CAs as well, except for operator-loaded root certificates (WOLFSSL_USER_CA) and self-signed ones.
The vulnerability allows an un-negotiated Raw Public Key (RFC 7250) to be accepted in place of an X.509 certificate, bypassing chain validation. This only affects builds with Raw Public Key support (HAVE_RPK) enabled, which is disabled by default but included with --enable-all.
Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. The tsip_StoreMessage() function fails to return after exceeding the 8 KB limit, causing heap corruption and potential remote denial of service.
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
The WebP decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
An insecure permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe.
A SQL injection vulnerability was discovered in the scost parameter in /grocery/search_products.php of GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0. This allows attackers to access sensitive database information via a crafted SQL statement.
The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
Out-of-bounds heap read during SM2/SM3 certificate signature verification. When parsing a certificate with an SM3wSM2 signature, the Subject Key Identifier computation reads the trailing 65 bytes of the public key without checking that the key is at least that long. A public key shorter than 65 bytes results in an out-of-bounds heap read, leading to a potential crash (denial of service).
The vulnerability allows bypassing X.509 trust-chain validation in the wolfSSL_X509_verify_cert() function of the wolfSSL library. It only affects builds with --enable-opensslextra (OPENSSL_EXTRA) and applications that call X509_verify_cert() with caller-supplied untrusted intermediate certificates. An attacker can present a chain that never reaches a configured trust anchor and have it accepted, resulting in acceptance of an attacker-controlled certificate.
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the scalar multiplication and potentially a wrong shared secret.
The AVX2-optimized ML-KEM implementation in wolfSSL compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertexts differing solely in bytes 1536-1567 bypass implicit rejection and are accepted as valid, breaking IND-CCA2 security.
A use-after-free vulnerability was found in the gf_filter_pid_inst_swap function of GPAC/MP4Box before version 26.02.0. An attacker can supply a crafted media file to cause a Denial of Service (DoS).
A use-after-free vulnerability was found in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC/MP4Box before version 26.02.0. Attackers can cause a Denial of Service (DoS) by supplying a crafted MPEG-2 TS file.
The OMGF Pro WordPress plugin contains an unrestricted file upload vulnerability with dangerous file types, allowing an attacker to upload malicious files to the server. The issue affects versions from n/a through 5.2.6.
RTKLIB through version 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function that fails to clamp length counters to the destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
libais through 0.15 has a vulnerability where VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range message IDs. Remote attackers can crash services or vessel systems by sending crafted AIVDM sentences.
A vulnerability in Seahub before version 13.0.23 allows unauthenticated users to bypass the SHARE_LINK_LOGIN_REQUIRED enforcement via a GET request to /api/v2.1/share-link-zip-task/. Attackers with a folder share-link token can obtain a fileserver zip token and download entire shared directory trees.

