CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.16)
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to remote code execution due to improper handling of DRDA handshake before authentication.
A vulnerability in IBM Db2 allows an authenticated user to read sensitive information from monitoring and event tables. It affects versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 on Linux, UNIX, and Windows.
Orkes Conductor versions 3.21.21 through 3.30.2 contain an unauthenticated remote code execution vulnerability. Attackers can submit malicious workflow definitions with JavaScript or Python expressions to the API before authentication, allowing arbitrary OS command execution.
The Webmention plugin for WordPress up to version 5.8.0 is vulnerable to Stored Cross-Site Scripting via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template.
A vulnerability in the Zephyr Bluetooth ISO Adaptation Layer (isoal.c) allows a remote attacker to trigger an out-of-bounds read due to improper validation of the framed ISO PDU start segment length. Missing check that the segment length is at least 3 bytes causes an underflow during subtraction, copying up to 255 bytes of controller memory beyond the received PDU into an HCI ISO packet.
The HP Fan Control App might allow local escalation of privileges. The vulnerability stems from improper access control in HP's fan management software.
A broken access control vulnerability in JeecgBoot through version 3.9.2 allows authenticated low-privilege users full CRUD operations on OpenAPI credentials. The lack of Shiro authorization annotations in OpenApiAuthController and OpenApiPermissionController enables listing, adding, editing, and deleting all AK/SK pairs, with the list endpoint exposing secret keys in plaintext.
Dolibarr up to version 23.0.3 (fixed in commit 14db36e) contains a SQL injection vulnerability. Authenticated API users can exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints.
JimuReport up to version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The @JimuNoLoginRequired annotation causes all access controls to be skipped, and the export service streams the report for any given ID without verifying the auto-export configuration flag. An unauthenticated remote attacker can enumerate Snowflake report identifiers and export the full contents of any report, including data from SQL queries and credentials embedded in data sources.
A vulnerability in CVAT before version 2.69.0 in the QualityReportViewSet.get_queryset allows authenticated attackers to enumerate quality report identifiers belonging to other organizations. The missing check_object_permissions call on the parent_id parameter in the quality reports API endpoint enables distinguishing existing and non-existing reports via HTTP 500 vs 404 responses.
SeaweedFS before version 4.34 has a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. An authenticated S3 principal with write access to a single bucket can delete arbitrary objects in other tenants' buckets by supplying object keys with ../ sequences in the DeleteObjects XML request body.
A vulnerability in SeaweedFS before version 4.30 reflects the callback query parameter verbatim in JavaScript responses without validation, missing X-Content-Type-Options: nosniff header and CORS allow-list. This allows cross-origin attacks on unauthenticated endpoints.
A vulnerability in Woodpecker before version 3.15.0 allows bypassing the ApprovalAllowedUsers list by manipulating the pipeline.Author field. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) in the webhook payload, which is attacker-controlled and not verified by GitLab. A user opening a merge request from a fork can set the commit author name to match an entry in ApprovalAllowedUsers, causing needsApproval to return false and the pipeline to run without required approval.
Woodpecker before version 3.15.0 exposes the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID via ForgeFromUser) when selecting the forge to query. For an unauthenticated request, session.User returns nil, causing a NULL pointer dereference and panic. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log.
In RuoYi-Vue-Plus up to version 5.6.2 (fixed in commit 88d03d9), workflow task management endpoints in FlwTaskController lack any permission checks. Any authenticated user, regardless of role, can reassign tasks, urge them, and list all pending and finished tasks.
A vulnerability in Hermes WebUI before version 0.51.521 allows bypassing profile isolation. When importing a session via the /api/session/import handler, the session object is created without setting its profile, resulting in a null profile. Since a null profile is treated as the default profile, a user on the default profile can export the session transcript and use its session identifier to read files from the named profile's workspace.
A path traversal vulnerability in Vibe-Trading before version 0.1.10 allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parameter in the persistent memory store to cause the application to write arbitrary Markdown files to unintended locations on the filesystem.
Ocelot through version 24.1.0 has a security control bypass vulnerability. Denied clients can send WebSocket upgrade requests that bypass IP-based access restrictions.
A vulnerability in Vibe-Trading before version 0.1.10 allows reading and overwriting run.json files outside the runs directory. An attacker can supply a crafted run identifier via MCP swarm tools, leading to unauthorized file access.
A path traversal vulnerability in Vibe-Trading before version 0.1.10 allows an attacker to inject path traversal sequences into the proposal identifier when building the proposal file path. This causes the application to load an attacker-controlled JSON file as an authoritative live trading mandate.

