CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-42919
Medium

A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.

CVE-2026-42781
Medium

When ePVA (embedded Packet Velocity Acceleration) is configured, undisclosed local ethernet traffic can lead to increased resource utilization of ePVA and Traffic Management Microkernel (TMM).

CVE-2026-42780
MediumEPSS 55%

A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files.

CVE-2026-42408
Medium

A vulnerability exists in an undisclosed TMOS Shell (tmsh) command in BIG-IP DNS that may allow a highly privileged authenticated attacker to view sensitive information.

CVE-2026-42063
Medium

A vulnerability exists in iControl SOAP that allows an authenticated attacker with the Resource Administrator or Administrator role to download sensitive files.

CVE-2026-42058
Medium

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names.

CVE-2026-41959
Medium

Vulnerabilities related to incorrect permission assignment exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.

CVE-2026-41954
Medium

CVE-2026-41954 describes a sensitive information disclosure vulnerability in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command. This allows an authenticated attacker with resource administrator role privileges to view sensitive information.

CVE-2026-41219
Medium

An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file.

CVE-2026-40703
Medium

A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. This affects software versions that have not reached End of Technical Support (EoTS).

CVE-2026-40701
Medium

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module when the ssl_verify_client directive is set to 'on' or 'optional,' and the ssl_ocsp directive is set to 'on' or the leaf parameters are configured with a resolver. In this configuration, an unauthenticated attacker can send requests that may cause a heap-use-after-free error in the NGINX worker process.

CVE-2026-40699
Medium

A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information.

CVE-2026-40462
Medium

Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command, allowing an authenticated attacker to view sensitive information.

CVE-2026-40460
Medium

In NGINX Plus and NGINX Open Source with the HTTP/3 QUIC module enabled, an attacker can spoof their source IP address, bypassing authorization or rate limiting.

CVE-2026-40435
Medium

A vulnerability in the httpd server causes IP-based access restrictions to not cover all endpoints when configured. This may allow connections from addresses that should be blocked.

CVE-2026-36738
Medium

The U-SPEED AC1200 Gigabit Wi-Fi Router (Model T18-21K) V1.0 has an Incorrect Access Control vulnerability. The device exposes a UART interface without authentication, authorization, or access control mechanisms. An attacker with physical access to the UART pins can connect and gain unrestricted access to device functionality.

CVE-2026-35062
Medium

An authenticated iControl SOAP user may be able to obtain information of other accounts. The vulnerability affects software versions that have not reached End of Technical Support.

CVE-2026-34019
Medium

A vulnerability in BFD (Bidirectional Forwarding Detection) configured in static and dynamic routing protocols causes undisclosed traffic to stop BFD packet processing by the Traffic Management Microkernel (TMM). This leads to a failover of the configured routing protocol.

CVE-2026-31156
Medium

A path injection vulnerability exists in OpenPLC v3 (commit 2c82b0e79c53f8c1f1458eee15fec173400d6e1a). The binary compiled from glue_generator.cpp does not validate file path parameters from the command line, allowing an attacker to read arbitrary files.

CVE-2026-28758
Medium

When BIG-IP DNS is provisioned, a vulnerability in the gtm_add and bigip_add iControl REST commands returns the ssh-password parameter in cleartext in the REST response and logs it in the audit log. This allows a highly privileged, authenticated attacker with audit log access to view sensitive information.

PreviousPage 228 of 556Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS