CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In OpenStack Ironic versions up to 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
Vulnerability in the ftpcp() function in Python's ftplib.py module. This function was not updated when CVE-2021-4189 was fixed, allowing an attacker to control the IP address and port passed to target.sendport().
In MISP, prior to version 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. An attacker could craft a malicious ordering parameter to manipulate the generated SQL query.
MISP is an open source threat intelligence and sharing platform. Prior to version 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation, allowing users to submit malformed UUID values, potentially leading to data integrity issues.
CubeCart to rozwiązanie oprogramowania e-commerce. Przed wersją 6.7.0 występuje podatność na Reflected XSS w funkcji wyszukiwania, która pozwala na odzwierciedlenie nieautoryzowanego wejścia użytkownika bez sanitizacji, gdy wyszukiwanie zwraca dokładnie jeden produkt.
Lokalnie serwisowana strona internetowa na urządzeniu Garmin WDU (w wersjach 1.4.6 i 5.0) umożliwia atak typu reflected cross site scripting (XSS). Atakujący w lokalnej sieci może wykonać dowolny kod JavaScript w kontekście strony WDU, co może prowadzić do pełnego dostępu administracyjnego do urządzenia.
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Using the $__timeGroup macro can lead to an out-of-memory (OOM) condition by overloading the server. This requires a SQL datasource, and if the server is set up to auto-restart, the impact of the attack is minimal or non-existent.
A vulnerability in the Grafana plugin allows unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Any editor could delete any snapshot, even if they have no access to read or write them.
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
In Netty before versions 4.2.13.Final and 4.1.133.Final, a vulnerability exists in the MQTT 5 decoder. The Properties section of the MQTT header is parsed and buffered before any message size limit check, allowing an attacker to send oversized properties. This causes repeated, expensive parsing and memory buffering, leading to high CPU and RAM usage.
A vulnerability in Netty allows HTTP request smuggling for HTTP/1.0 messages. When a request includes both Transfer-Encoding: chunked and Content-Length headers, HttpObjectDecoder fails to strip the conflicting Content-Length header for HTTP/1.0, causing message boundary disagreement.
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic.
Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To exploit this issue, the user must have access to the PAN-OS CLI or Web UI.
CVE-2026-0258 describes a server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software. It allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition.
A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software allows a malicious authenticated administrator to store a JavaScript payload using the web interface.

