CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system.
Podatność CVE-2026-32170 dotyczy podwójnego zwolnienia pamięci w edytorze Rich Text w systemie Windows, co pozwala autoryzowanemu atakującemu na lokalne podniesienie uprawnień.
An OS Command Injection vulnerability in Fortinet FortiAP allows an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI requests.
An unspecified vulnerability was discovered in the JavaScript Engine component of Firefox and Thunderbird. The flaw is fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
A vulnerability in the JavaScript Engine: JIT component of Firefox and Thunderbird is caused by incorrect boundary conditions. The flaw was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
A vulnerability in IMAP handling allows an attacker to cause uncontrolled memory usage through excessive bracing. The fix for CVE-2026-27857 was incomplete, blocking only one attack vector while leaving another open. Attackers can use open braces to bypass the limit and increase memory usage up to the configured memory limit.
Zidentyfikowano podatność w różnych wersjach urządzeń blueplanet, która umożliwia atakującemu z odpowiednimi uprawnieniami wykorzystanie luk w zabezpieczeniach związanych z niewłaściwą neutralizacją specjalnych elementów w poleceniu SQL. Atak ten może prowadzić do podniesienia uprawnień w lokalnej sieci.
A vulnerability in RUGGEDCOM ROX devices allows an authenticated remote attacker to read arbitrary files from the OS filesystem with root privileges. The issue stems from improper input validation in the web server's JSON-RPC interface.
A vulnerability in the operating system allows a stack overflow by sending an ICMP ping to the device's own IPv4 address using the `net ping` command. This causes recursive processing of the packet in the network stack, leading to a stack overflow in the system work-queue stack.
W systemie SAP NetWeaver Application Server dla ABAP oraz platformy ABAP występuje podatność na wstrzykiwanie poleceń systemowych, która pozwala uwierzytelnionemu atakującemu z dostępem administracyjnym na wykonanie specjalnie przygotowanych poleceń powłoki na serwerze, omijając mechanizm logowania.
W wyniku podatności na odzwierciedlone ataki XSS w SAP NetWeaver Application Server ABAP, nieautoryzowany atakujący może stworzyć URL, który wykorzystuje niechroniony parametr URL do osadzenia złośliwego skryptu. Kliknięcie w taki link przez ofiarę prowadzi do wykonania złośliwej treści w kontekście przeglądarki ofiary.
A use-after-free issue was addressed with improved memory management in Safari and macOS Tahoe. The issue is fixed in Safari 26.5 and macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
A use-after-free vulnerability was addressed with improved memory management in Safari. The issue is fixed in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
A vulnerability in WebKit may cause a process crash when processing maliciously crafted web content. The issue was addressed with improved memory handling.
A vulnerability in WebKit allows a process crash when processing maliciously crafted web content. The issue was addressed with improved memory handling.
A vulnerability in WebKit allows a process crash when processing maliciously crafted web content. The issue was addressed with improved memory handling.
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
A Cross-Site Scripting (XSS) vulnerability has been discovered in IoTGateway version 3.0.1 within the Log Record Function. This allows a remote attacker to execute arbitrary JavaScript code in the victim's browser.
W Casdoorze występuje podatność na zapis dowolnych plików w dostawcy lokalnego systemu plików. Z powodu niewystarczającej sanitizacji ścieżek, uwierzytelniony atakujący z uprawnieniami administratora może przeprowadzić atak typu Path Traversal, aby tworzyć lub nadpisywać dowolne pliki w systemie plików hosta.
In Zephyr, sockets created with `IPPROTO_TLS_1_3` can negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS. Applications assuming `IPPROTO_TLS_1_3` enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses.

