CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage. This allows an attacker to inject malicious scripts into the administrator's browser.
A vulnerability in Apache Thrift involves memory allocation with an excessive size value, which could lead to crashes or potential exploitation. The issue affects versions before 0.23.0.
Beets is a media library management system. Prior to version 2.10.0, the bundled web UI used Underscore template interpolation mode <%= ... %> for untrusted metadata fields, leading to the possibility of injecting malicious HTML code.
A vulnerability in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the ParseVectorDataArray() function in FBXParser.cpp.
A vulnerability in Assimp v.6.0.2 allows a remote attacker to cause a denial of service (DoS) by exploiting an issue in FBXConverter.cpp, specifically in the FBXConverter::ConvertMeshMultiMaterial() function.
A denial of service vulnerability has been discovered in Assimp version 6.0.2. The issue resides in FBXMeshGeometry.cpp within the MeshGeometry::MeshGeometry() function. A remote attacker can exploit this flaw to cause a denial of service.
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. A specially crafted HTTP request can lead to credentials leak.
W jądrze Linuxa zidentyfikowano podatność związaną z funkcjami vidtv_ts_null_write_into() oraz vidtv_ts_pcr_write_into(), które przyjmują argumenty jako struktury przekazywane przez wartość. To powoduje ostrzeżenia MSAN dotyczące niezainicjowanych wartości.
Open CASCADE Technology (OCCT) w wersji V8_0_0_rc5 zawiera wiele podatności w swoich parserach plików IGES i STEP, które mogą być wywołane przez spreparowane pliki IGES lub STEP. Problemy te obejmują odczyt poza zakresem w Geom2d_BSplineCurve::EvalD0 oraz nieskończoną rekurencję w StepShape_OrientedEdge::EdgeStart.
W podatności CVE-2026-42480 występuje błąd odczytu poza granicami stosu w funkcji VrmlData_Scene::ReadLine w parserze VRML w Open CASCADE Technology (OCCT) V8_0_0_rc5. Atakujący może wykorzystać tę lukę do wywołania odmowy usługi poprzez spreparowany plik VRML.
SQL injection vulnerability in MixPHP Framework versions 2.x through 2.2.17. The flaw exists in the joinOn function in BuildHelper.php, where the `on` array is improperly handled, allowing SQL code injection.
A vulnerability in the Linux kernel's BPF subsystem allowed attaching sleepable kprobe.multi programs to atomic/RCU contexts. The bpf_kprobe_multi_link_attach() function lacked validation of the sleepable flag, enabling sleepable helpers like bpf_copy_from_user() to be called from non-sleepable context, causing a kernel splat.
In the Linux kernel, a NULL pointer dereference vulnerability was found in the USB cdns3 gadget driver's ep_queue function. When the endpoint is disabled or not configured, the ep->desc pointer can be NULL, causing a kernel crash when __cdns3_gadget_ep_queue() is called.
In the Linux kernel, a resource leak was found in gpiochip_add_data_with_key() on error paths. After commit aab5c6f20023, `gdev->dev.release` is unset, so the reference count to `gdev->dev` is not dropped on errors. The fix drops the reference and reorders code to prevent double-free.
A vulnerability has been identified in the Linux kernel that leads to a NULL pointer dereference in the eth_get_drvinfo function. The issue occurs when a userspace tool queries the interface while the device is detached.
W jądrze systemu Linux zidentyfikowano podatność, która została rozwiązana. Dotyczy ona funkcji set_posix_acl_entries_dacl() i set_ntacl_dacl(), które mogą prowadzić do przepełnienia zmiennej u16 podczas akumulacji rozmiarów ACE, co skutkuje nadpisywaniem wcześniejszych wpisów ACL.
W jądrze systemu Linux zidentyfikowano podatność w sterowniku caiaq, polegającą na braku odpowiedniego odniesienia do urządzenia USB w funkcji create_card(). Może to prowadzić do dereferencji zwolnionego obiektu usb_device, co stwarza ryzyko awarii systemu.
A flaw was found in GnuTLS where case-sensitive comparisons of nameConstraints labels for dNSName and rfc822Name allow a remote attacker to bypass policy by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN). This can lead to unauthorized access or information disclosure.
A vulnerability in Keycloak causes the disabling of account and account-api features via the `--features-disabled` flag to be ineffective. Five REST API endpoints under `/account/v1alpha1` remain fully functional because they lack the `checkAccountApiEnabled()` gate that correctly blocks the other four endpoints in the same service class.
A vulnerability in the optional Assisted Installer (assisted-service) component in Multicluster Engine (MCE) allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for any OpenShift cluster provisioned through the hub. The local authentication mode (AUTH_TYPE=local) lacks per-endpoint restrictions, and a JWT is readable in InfraEnvStatus.ISODownloadURL.

