CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-44919
Medium

In OpenStack Ironic versions up to 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

CVE-2026-8328
Medium

Vulnerability in the ftpcp() function in Python's ftplib.py module. This function was not updated when CVE-2021-4189 was fixed, allowing an attacker to control the IP address and port passed to target.sendport().

CVE-2026-44381
Medium

In MISP, prior to version 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. An attacker could craft a malicious ordering parameter to manipulate the generated SQL query.

CVE-2026-44379
Medium

MISP is an open source threat intelligence and sharing platform. Prior to version 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation, allowing users to submit malformed UUID values, potentially leading to data integrity issues.

CVE-2026-44376
Medium

CubeCart to rozwiązanie oprogramowania e-commerce. Przed wersją 6.7.0 występuje podatność na Reflected XSS w funkcji wyszukiwania, która pozwala na odzwierciedlenie nieautoryzowanego wejścia użytkownika bez sanitizacji, gdy wyszukiwanie zwraca dokładnie jeden produkt.

CVE-2025-27852
Medium

Lokalnie serwisowana strona internetowa na urządzeniu Garmin WDU (w wersjach 1.4.6 i 5.0) umożliwia atak typu reflected cross site scripting (XSS). Atakujący w lokalnej sieci może wykonać dowolny kod JavaScript w kontekście strony WDU, co może prowadzić do pełnego dostępu administracyjnego do urządzenia.

CVE-2026-33381
Medium

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

CVE-2026-33380
Medium

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

CVE-2026-33378
Medium

Using the $__timeGroup macro can lead to an out-of-memory (OOM) condition by overloading the server. This requires a SQL datasource, and if the server is set up to auto-restart, the impact of the attack is minimal or non-existent.

CVE-2026-28383
Medium

A vulnerability in the Grafana plugin allows unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

CVE-2026-28380
Medium

Any editor could delete any snapshot, even if they have no access to read or write them.

CVE-2026-28379
Medium

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

CVE-2026-28376
Medium

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

CVE-2026-28374
Medium

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

CVE-2026-44248
Medium

In Netty before versions 4.2.13.Final and 4.1.133.Final, a vulnerability exists in the MQTT 5 decoder. The Properties section of the MQTT header is parsed and buffered before any message size limit check, allowing an attacker to send oversized properties. This causes repeated, expensive parsing and memory buffering, leading to high CPU and RAM usage.

CVE-2026-42581
Medium

A vulnerability in Netty allows HTTP request smuggling for HTTP/1.0 messages. When a request includes both Transfer-Encoding: chunked and Content-Length headers, HttpObjectDecoder fails to strip the conflicting Content-Length header for HTTP/1.0, causing message boundary disagreement.

CVE-2026-0262
Medium

Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic.

CVE-2026-0261
Medium

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To exploit this issue, the user must have access to the PAN-OS CLI or Web UI.

CVE-2026-0258
Medium

CVE-2026-0258 describes a server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software. It allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition.

CVE-2026-0256
Medium

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software allows a malicious authenticated administrator to store a JavaScript payload using the web interface.

PreviousPage 226 of 556Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS