CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2021-47987
High

The vulnerability concerns a supply chain incident in Parse Server before version 4.10.0, where incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (e.g., parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.

CVE-2021-47986
High

A vulnerability in Parse Server before version 4.10.0 stems from incorrect version tags pushed to the repository, pointing to unreviewed code from a personal fork. Attackers could exploit these tags in dependency declarations to execute unreviewed and potentially malicious code.

CVE-2020-37256
Medium

Grav before version 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

CVE-2026-6731
High

Vulnerability allows bypassing X.509 name constraints via the Subject Common Name treated as a DNS-type name. A certificate whose CN violates an issuing CA's DNS name constraints could be accepted.

CVE-2026-6681
Medium

In the PKCS#7 decode path of the wolfSSL library, the caller-supplied output buffer size (outputSz) is ignored, allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL version 5.9.0 and earlier, and was fixed in release 5.9.1.

CVE-2026-6679
High

A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun.

CVE-2026-6678
Medium

Integer underflow in wc_PKCS7_DecryptOri when processing crafted Other Recipient Info, leading to incorrect length handling during decryption.

CVE-2026-6450
Medium

A vulnerability in the ParseCRL_Extensions function allows bypassing critical CRL extensions, enabling a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where the crafted CRL has a trusted signature during parsing.

CVE-2026-6412
Medium

The vulnerability concerns issues with certificate policy and RFC 8446 compliance, involving the continued acceptance of SHA-1 and MD5 algorithms in certificate processing.

CVE-2026-56445
Critical

The vulnerability in the qrscp application consists of the C-STORE handler using a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.

CVE-2026-38640
High

A reachable unwrap in the __assert_fail function of relibc (commit 61f42d) allows attackers to cause a Denial of Service (DoS) via a crafted string.

CVE-2026-38637
High

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2026-37452
High

An insecure permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component.

CVE-2026-12473
High

The vulnerability in OHIF Viewer involves two default data sources (DICOMWebProxy and DICOMJSON) that fetch an arbitrary URL parameter without validation. A global authentication service automatically injects the authenticated user's OIDC Bearer token into requests, sending it to an attacker-controlled server. DICOMweb data sources are not affected.

CVE-2026-7531
Critical

Use-after-free vulnerability in PQC hybrid key-share handling. This is an incomplete fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

CVE-2026-57522
Low

A vulnerability in Bitwarden Server before version 2026.5.0 allows JSON injection via the IntegrationTemplateProcessor.ReplaceTokens() function, which substitutes user-controlled values into event integration templates without JSON encoding. An authenticated organization member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints.

CVE-2026-57521
Medium

A broken access control vulnerability in Bitwarden Server before 2026.5.0 allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks.

CVE-2026-57520
High

A privilege escalation vulnerability in Bitwarden Server before 2026.5.0 allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization. This is due to a missing role hierarchy check in the bulk user-remove endpoint.

CVE-2026-55964
Medium

Vulnerability in the WolfSSL library involves accepting intermediate certificates with CA:TRUE but without the keyCertSign key usage as signing CAs. Previously, temporary CAs added during certificate path building (WOLFSSL_TEMP_CA) were exempt from this check, allowing invalid certificates to be accepted. Now the check applies to temporary CAs as well, except for operator-loaded root certificates (WOLFSSL_USER_CA) and self-signed ones.

CVE-2026-55960
High

The vulnerability allows an un-negotiated Raw Public Key (RFC 7250) to be accepted in place of an X.509 certificate, bypassing chain validation. This only affects builds with Raw Public Key support (HAVE_RPK) enabled, which is disabled by default but included with --enable-all.

PreviousPage 226 of 4626Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS