CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2025-52206
Medium

ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage. This allows an attacker to inject malicious scripts into the administrator's browser.

CVE-2026-43868
Medium

A vulnerability in Apache Thrift involves memory allocation with an excessive size value, which could lead to crashes or potential exploitation. The issue affects versions before 0.23.0.

CVE-2026-42052
Medium

Beets is a media library management system. Prior to version 2.10.0, the bundled web UI used Underscore template interpolation mode <%= ... %> for untrusted metadata fields, leading to the possibility of injecting malicious HTML code.

CVE-2025-70071
Medium

A vulnerability in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the ParseVectorDataArray() function in FBXParser.cpp.

CVE-2025-70072
Medium

A vulnerability in Assimp v.6.0.2 allows a remote attacker to cause a denial of service (DoS) by exploiting an issue in FBXConverter.cpp, specifically in the FBXConverter::ConvertMeshMultiMaterial() function.

CVE-2025-70070
Medium

A denial of service vulnerability has been discovered in Assimp version 6.0.2. The issue resides in FBXMeshGeometry.cpp within the MeshGeometry::MeshGeometry() function. A remote attacker can exploit this flaw to cause a denial of service.

CVE-2026-42367
Medium

A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. A specially crafted HTTP request can lead to credentials leak.

CVE-2026-43058
Medium

W jądrze Linuxa zidentyfikowano podatność związaną z funkcjami vidtv_ts_null_write_into() oraz vidtv_ts_pcr_write_into(), które przyjmują argumenty jako struktury przekazywane przez wartość. To powoduje ostrzeżenia MSAN dotyczące niezainicjowanych wartości.

CVE-2026-42481
Medium

Open CASCADE Technology (OCCT) w wersji V8_0_0_rc5 zawiera wiele podatności w swoich parserach plików IGES i STEP, które mogą być wywołane przez spreparowane pliki IGES lub STEP. Problemy te obejmują odczyt poza zakresem w Geom2d_BSplineCurve::EvalD0 oraz nieskończoną rekurencję w StepShape_OrientedEdge::EdgeStart.

CVE-2026-42480
Medium

W podatności CVE-2026-42480 występuje błąd odczytu poza granicami stosu w funkcji VrmlData_Scene::ReadLine w parserze VRML w Open CASCADE Technology (OCCT) V8_0_0_rc5. Atakujący może wykorzystać tę lukę do wywołania odmowy usługi poprzez spreparowany plik VRML.

CVE-2026-42475
Medium

SQL injection vulnerability in MixPHP Framework versions 2.x through 2.2.17. The flaw exists in the joinOn function in BuildHelper.php, where the `on` array is improperly handled, allowing SQL code injection.

CVE-2026-43010
Medium

A vulnerability in the Linux kernel's BPF subsystem allowed attaching sleepable kprobe.multi programs to atomic/RCU contexts. The bpf_kprobe_multi_link_attach() function lacked validation of the sleepable flag, enabling sleepable helpers like bpf_copy_from_user() to be called from non-sleepable context, causing a kernel splat.

CVE-2026-31755
Medium

In the Linux kernel, a NULL pointer dereference vulnerability was found in the USB cdns3 gadget driver's ep_queue function. When the endpoint is disabled or not configured, the ep->desc pointer can be NULL, causing a kernel crash when __cdns3_gadget_ep_queue() is called.

CVE-2026-31732
Medium

In the Linux kernel, a resource leak was found in gpiochip_add_data_with_key() on error paths. After commit aab5c6f20023, `gdev->dev.release` is unset, so the reference count to `gdev->dev` is not dropped on errors. The fix drops the reference and reorders code to prevent double-free.

CVE-2026-31727
Medium

A vulnerability has been identified in the Linux kernel that leads to a NULL pointer dereference in the eth_get_drvinfo function. The issue occurs when a userspace tool queries the interface while the device is detached.

CVE-2026-31704
Medium

W jądrze systemu Linux zidentyfikowano podatność, która została rozwiązana. Dotyczy ona funkcji set_posix_acl_entries_dacl() i set_ntacl_dacl(), które mogą prowadzić do przepełnienia zmiennej u16 podczas akumulacji rozmiarów ACE, co skutkuje nadpisywaniem wcześniejszych wpisów ACL.

CVE-2026-31701
Medium

W jądrze systemu Linux zidentyfikowano podatność w sterowniku caiaq, polegającą na braku odpowiedniego odniesienia do urządzenia USB w funkcji create_card(). Może to prowadzić do dereferencji zwolnionego obiektu usb_device, co stwarza ryzyko awarii systemu.

CVE-2026-3833
Medium

A flaw was found in GnuTLS where case-sensitive comparisons of nameConstraints labels for dNSName and rfc822Name allow a remote attacker to bypass policy by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN). This can lead to unauthorized access or information disclosure.

CVE-2026-7500
Medium

A vulnerability in Keycloak causes the disabling of account and account-api features via the `--features-disabled` flag to be ineffective. Five REST API endpoints under `/account/v1alpha1` remain fully functional because they lack the `checkAccountApiEnabled()` gate that correctly blocks the other four endpoints in the same service class.

CVE-2026-7163
Medium

A vulnerability in the optional Assisted Installer (assisted-service) component in Multicluster Engine (MCE) allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for any OpenShift cluster provisioned through the hub. The local authentication mode (AUTH_TYPE=local) lacks per-endpoint restrictions, and a JWT is readable in InfraEnvStatus.ISODownloadURL.

PreviousPage 244 of 557Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS