CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Graylog, a log management platform, uses a single source port for DNS queries, which goes against recommended security practices. This could allow DNS cache poisoning attacks, where an external attacker can inject forged DNS responses into Graylog's cache.
Graylog has a partial path traversal vulnerability in the `Support Bundle` feature that allows an attacker with valid Admin role credentials to download or delete files in sibling directories. The issue is caused by improper input validation in an HTTP API resource.
IBM Security Verify Information Queue versions 10.0.4 and 10.0.5 stores sensitive information in plain clear text, which can be read by a local user.
In the GitHub repository instantsoft/icms2 prior to version 2.16.1, there is a vulnerability related to a sensitive cookie in an HTTPS session that lacks the 'Secure' attribute.
In the Graylog platform, in multi-node clusters, a user session may still be used for API requests after logout until it reaches its original expiry time. Each node maintains a local cache of user sessions, leading to situations where other nodes may still accept the session after it has been removed from the local cache.
xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions.
There is a Server-Side Request Forgery (SSRF) vulnerability in the GitHub repository bookstackapp/bookstack prior to version 23.08. This allows attackers to send requests to internal server services, potentially leading to the exposure of sensitive information.
A vulnerability has been identified in SourceCodester Inventory Management System version 1.0 that allows cross site scripting (XSS) attacks through manipulation of the name/company argument in the suppliar_data.php file. The attack can be launched remotely.
A vulnerability was found in SPA-Cart eCommerce CMS version 1.9.0.3, rated as problematic. Manipulation of the arguments filter[brandid] and filter[price] in the /search file leads to cross-site scripting attacks.
A vulnerability was found in Byzoro Smart S85F Management Platform up to version 20230816, concerning an unknown functionality of the file /sysmanage/licence.php. Manipulation of this functionality leads to improper access controls.
A vulnerability was found in the NeoMind Fusion Platform up to version 20230731, allowing cross site scripting (XSS) attacks through manipulation of the link argument in the /fusion/portal/action/Link file. The attack can be executed remotely.
In JetBrains TeamCity versions before 2023.05.3, reflected XSS was possible during user registration.
In the password recovery form of Silverware Games, the response time varies depending on whether the specified email address exists in the database. This issue has been fixed in version 1.3.7.
An insufficient entropy vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote users to predict secret via unspecified vectors.
A vulnerability has been reported affecting QNAP operating systems regarding the cleartext transmission of sensitive information. If exploited, local network clients may read unexpected sensitive data via unspecified vectors.
A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.
IBM Robotic Process Automation versions 21.0.0 through 21.0.7.1 is vulnerable to information disclosure of script content if the remote REST request policy is enabled.
A vulnerability in Microsoft Edge (Chromium-based) allows for information disclosure. An attacker could exploit this flaw to gain access to sensitive user data.
A vulnerability was found in Control iD Gerencia Web 1.30, affecting an unknown functionality of the Cookie Handler component. Manipulation leads to cleartext storage of sensitive information.
A vulnerability has been found in MaximaTech Portal Executivo version 21.9.1.140, affecting unknown code of the Cookie Handler component. The manipulation leads to missing encryption of sensitive data.

