CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A weakness has been identified in RT-Thread up to version 5.0.2 in the function sys_getaddrinfo in file components/lwp/lwp_syscall.c. Manipulation of the ai_addr argument can lead to memory corruption. The attack requires local access and the exploit is publicly available.
A vulnerability was found in Open Asset Import Library Assimp up to version 6.0.4 in the function Assimp::Exporter::ExportToBlob within code/AssetLib/Ply/PlyLoader.cpp. Manipulation in PLY model handling leads to a double free condition. The attack can be initiated remotely and the exploit has been publicly disclosed.
A vulnerability in webpack-dev-server versions 5.2.5 and earlier terminates the Node.js process when an unauthenticated peer sends a normal HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server.
A vulnerability in webpack-dev-server versions up to 5.2.5 exposes two internal developer endpoints that perform state-changing actions on any GET request without verifying the request origin. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit.
A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups based on caller permissions. A delegated administrator can view details of unauthorized child groups, including names, paths, and custom attributes.
In Keycloak, within the ClientResource component of admin services with FGAP v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows injecting unauthorized data or permissions into end-user security tokens.
A vulnerability in Keycloak's administrative interface allows restricted administrators to view information about groups they should not have access to. When Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who can see a specific role can also see all groups assigned to that role, without proper permission checks.
Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker controlling or man-in-the-middling the IdP endpoint may trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.
A vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with remote access to exploit an externally-controlled format string. This could lead to information disclosure and denial of service.
Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high privileged attacker with remote access to disclose sensitive information.
Dell PowerProtect Data Domain in multiple versions contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership checks (user_id/company_id) before deletion enables unauthorized data destruction.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.
A vulnerability in Dell PowerProtect Data Domain allows unauthorized command execution by a local attacker with high privileges. The issue stems from incorrect authorization in the system.
A vulnerability in Dell PowerProtect Data Domain allows a high privileged attacker with local access to exploit improper link resolution before file access, potentially leading to information exposure.
A vulnerability in Dell PowerProtect Data Domain causes insertion of sensitive information into log files. A low-privileged attacker with local access could exploit this flaw to expose confidential data.
Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high privileged attacker with local access to gain unauthorized access to the system.
A vulnerability in Dell PowerProtect Data Domain involves incorrect permission assignment for a critical resource. This flaw could be exploited by a local attacker with high privileges, leading to unauthorized access.
Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, LTS2026 release 8.6.1.0 through 8.6.1.10, LTS2025 release 8.3.1.0 through 8.3.1.30, and LTS2024 release 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in RBAC. A low privileged attacker with remote access could exploit this vulnerability to tamper with information.

