CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2026-43699
Medium

A use-after-free vulnerability in Safari, iOS, iPadOS, and macOS Tahoe could lead to an unexpected process crash when processing maliciously crafted web content. The issue was addressed with improved memory management.

CVE-2026-43676
Medium

An out-of-bounds access issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to an unexpected Safari crash.

CVE-2026-43663
Medium

A vulnerability in Safari and Apple systems may cause a process crash when processing maliciously crafted web content. The issue was fixed with improved memory handling.

CVE-2026-39872
Medium

A vulnerability in WebKit may lead to an unexpected process crash when processing maliciously crafted web content. The issue was addressed with improved memory handling. The fix is included in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2.

CVE-2026-39868
Critical

A vulnerability in Apple systems allows an app to cause unexpected system termination or corrupt kernel memory. The issue was addressed with improved input validation.

CVE-2026-37637
Critical

A vulnerability in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component. The issue stems from insufficient input validation or code injection protection.

CVE-2026-31016
Medium

A Cross-Site Request Forgery (CSRF) vulnerability has been found in Squidex CMS version 7.21.0 and earlier. An attacker can exploit the IdentityServer account profile endpoint to escalate privileges without the victim's knowledge.

CVE-2026-28979
Medium

An out-of-bounds access vulnerability in Safari and Apple systems allows processing maliciously crafted web content to cause an unexpected process crash. The issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2.

CVE-2026-13763
Critical

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.

CVE-2026-13762
Critical

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.

CVE-2026-13593
Medium

A memory leak vulnerability in CSS::Minifier::XS for Perl before version 0.14 occurs when minifying a document containing only characters to be removed, such as comments and whitespace.

CVE-2026-13008
Unknown

This CVE entry has been rejected. It is a reservation duplicate of CVE-2026-57700 and should not be used.

CVE-2026-58000
HighEPSS 69%

A command injection vulnerability in luci-proto-openvpn through version 0.11.1 (fixed in commit e4ff45e) exists in the generateKey ubus method. The cl_meta parameter is interpolated into a shell command without proper escaping, allowing an authenticated LuCI user with OpenVPN configuration access to execute arbitrary commands as root via the popen function.

CVE-2026-57999
HighEPSS 64%

The luci-app-tailscale-community package contains a command injection vulnerability in the tailscale.do_login RPC method, where user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing authenticated users to execute arbitrary commands as root.

CVE-2026-53428
Medium

A vulnerability in the mdex and mdex_native libraries allows an unauthenticated attacker to cause a denial of service via unbounded memory allocation. The parse_highlight_lines function in the LumisAdapter component expands a user-controlled line range from a fenced code block without an upper bound, allocating huge vectors. A payload with a range like 1-2000000000 can exhaust host memory and abort the BEAM process.

CVE-2026-53427
Low

A cross-site scripting (XSS) vulnerability was found in the MDEx library due to improper input neutralization in Markdown processing. An attacker can inject arbitrary HTML/JavaScript that executes in the browser of every user viewing the rendered output.

CVE-2026-13757
Medium

A flaw was found in p11-kit where the RPC message attribute parsing functions lack recursion depth limits when processing nested template attributes. An unauthenticated attacker with local access to the Unix domain socket can send a crafted request causing stack exhaustion and crashing the p11-kit server and its dependent services.

CVE-2026-57960
Medium

A vulnerability in Hi.Events up to version 1.9.0 allows unauthorized access to attendee lists via public check-in list endpoints. Using only the short_id, an attacker can retrieve full attendee data including emails and personal information, as well as create or delete check-in records without authentication.

CVE-2026-57959
Medium

A vulnerability in Hi.Events through version 1.9.0 allows unlimited use of limited promo codes. The validation checks the usage count before the asynchronous UpdateEventStatisticsJob increments it, enabling attackers to sequentially reserve multiple orders with the same code, each seeing usage_count=0, and then complete them all at a discounted price.

CVE-2026-57958
Medium

Mixpost through version 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters.

PreviousPage 236 of 4677Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS