CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: v2026.07.01

CVE-2026-14607
Medium

A weakness has been identified in RT-Thread up to version 5.0.2 in the function sys_getaddrinfo in file components/lwp/lwp_syscall.c. Manipulation of the ai_addr argument can lead to memory corruption. The attack requires local access and the exploit is publicly available.

CVE-2026-14604
Medium

A vulnerability was found in Open Asset Import Library Assimp up to version 6.0.4 in the function Assimp::Exporter::ExportToBlob within code/AssetLib/Ply/PlyLoader.cpp. Manipulation of the PLY model handling leads to a double free condition. The attack can be initiated remotely and the exploit has been publicly disclosed.

CVE-2026-14631
Medium

A vulnerability in webpack-dev-server versions 5.2.5 and earlier terminates the Node.js process when an unauthenticated peer sends a normal HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server.

CVE-2026-14620
Medium

A vulnerability in webpack-dev-server versions up to 5.2.5 exposes two internal developer endpoints that perform state-changing actions on any GET request without verifying the request origin. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit.

CVE-2026-14615
Medium

A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups based on caller permissions. A delegated administrator can view details of unauthorized child groups, including names, paths, and custom attributes.

CVE-2026-14614
Medium

In Keycloak, within the ClientResource component of admin services with FGAP v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows injecting unauthorized data or permissions into end-user security tokens.

CVE-2026-14613
Medium

A vulnerability in Keycloak's administrative interface allows restricted administrators to view information about groups they should not have access to. When Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who can see a specific role can also see all groups assigned to that role, without proper permission checks.

CVE-2026-14612
Medium

Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker controlling or man-in-the-middling the IdP endpoint may trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer.

CVE-2026-49813
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-46465
Medium

A vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with remote access to exploit an externally-controlled format string. This could lead to information disclosure and denial of service.

CVE-2026-46464
Medium

Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high-privileged attacker with remote access to disclose sensitive information.

CVE-2026-46463
Medium

Dell PowerProtect Data Domain in multiple versions contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.

CVE-2026-59234
Medium

A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership checks (user_id/company_id) before deletion enables unauthorized data destruction.

CVE-2026-54483
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-46730
Medium

A vulnerability in Dell PowerProtect Data Domain allows unauthorized command execution by a local attacker with high privileges. The issue stems from incorrect authorization in the system.

CVE-2026-46468
Medium

A vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with local access to exploit improper link resolution before file access, potentially leading to information exposure.

CVE-2026-46467
Medium

A vulnerability in Dell PowerProtect Data Domain causes insertion of sensitive information into log files. A low-privileged attacker with local access could exploit this flaw to expose confidential data.

CVE-2026-44269
Medium

Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high-privileged attacker with local access to gain unauthorized access to the system.

CVE-2026-44268
Medium

A vulnerability in Dell PowerProtect Data Domain involves incorrect permission assignment for a critical resource. This flaw could be exploited by a local attacker with high privileges, leading to unauthorized access.

CVE-2026-41123
Medium

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, LTS2026 release 8.6.1.0 through 8.6.1.10, LTS2025 release 8.3.1.0 through 8.3.1.30, and LTS2024 release 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in RBAC. A low-privileged attacker with remote access could exploit this vulnerability to tamper with information.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS