CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-40002
Medium

A vulnerability in Red Magic 11 Pro (NX809J) allows non-privileged applications to trigger sensitive operations. The lack of validation for applications accessing the service interface enables an attacker to write files to specific partitions and set writable system properties.

CVE-2026-3861
Medium

LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.

CVE-2026-21726
Medium

The CVE-2026-21726 vulnerability allows an attacker to read files by exploiting double encoding in the namespace parameter at the Ruler API endpoint.

CVE-2026-20170
Medium

A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center allowed an unauthenticated, remote attacker to perform cross-site scripting (XSS) attacks. The issue was due to improper handling of HTML and script content. Cisco has addressed this vulnerability in the service, requiring no customer action.

CVE-2026-20148
MediumEPSS 95%

A vulnerability in Cisco ISE and Cisco ISE-PIC allows an authenticated remote attacker to perform path traversal attacks on the underlying OS and read arbitrary files. The flaw is due to improper validation of user-supplied input.

CVE-2026-20136
Medium

A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) allows an authenticated local attacker with administrative privileges to perform command injection on the underlying OS and elevate privileges to root. The issue is due to insufficient input validation.

CVE-2026-20132
Medium

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) allow an authenticated remote attacker with administrative write privileges to conduct stored XSS or reflected XSS attacks against a user of the interface. These issues stem from insufficient sanitization of user-supplied data stored in web pages.

CVE-2026-5713
Medium

The 'profiling.sampling' module (Python 3.15+) and 'asyncio introspection capabilities' (3.14+) could be exploited to read and write addresses in a privileged process if that process connected to a malicious or 'infected' Python process via the remote debugging feature.

CVE-2026-22155
Medium

A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR (PaaS and on-premise versions) allows an attacker to intercept sensitive data sent in plaintext. The flaw affects multiple versions from 7.3 to 7.6.

CVE-2026-21742
Medium

A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR (PaaS and on-premise versions) allows an authenticated attacker to view cleartext passwords in responses to Secure Message Exchange and Radius queries, if configured. The issue involves sending sensitive data in an unencrypted form.

CVE-2026-37980
Medium

W Keycloak znaleziono lukę w stronie logowania do wyboru organizacji. Zdalny atakujący z uprawnieniami `manage-realm` lub `manage-organizations` może wykorzystać podatność na przechowywane Cross-Site Scripting (XSS), co pozwala na wykonanie złośliwego kodu JavaScript w przeglądarce użytkownika.

CVE-2025-69893
Medium

A side-channel vulnerability in BIP-39 mnemonic processing implementation in Trezor hardware wallets (versions 1.13.0-1.14.0) allows an attacker with physical access during setup to recover the mnemonic code using deep learning-based side-channel analysis. The issue has been patched.

CVE-2026-34257
Medium

W wyniku podatności typu Open Redirect w SAP NetWeaver Application Server ABAP, nieautoryzowany atakujący może stworzyć złośliwy adres URL, który po otwarciu przez ofiarę przekieruje ją na stronę kontrolowaną przez atakującego. Podatność ta ma niski wpływ na poufność i integralność aplikacji, nie wpływając na dostępność.

CVE-2026-27674
Medium

W wyniku podatności na wstrzykiwanie kodu w SAP NetWeaver Application Server Java (Web Dynpro Java), nieautoryzowany atakujący może dostarczyć spreparowane dane, które są interpretowane przez aplikację, co prowadzi do odwołania się do treści kontrolowanej przez atakującego. Jeśli ofiara uzyska dostęp do dotkniętej funkcjonalności, ta treść może zostać wykonana w przeglądarce ofiary.

CVE-2026-33555
Medium

In HAProxy before version 3.3.6, a vulnerability was found in the HTTP/3 parser. It does not verify that the received body length matches a previously declared Content-Length header when the stream is closed via a frame with an empty payload. The issue exists since version 2.6.

CVE-2025-63743
Medium

Cross-Site Scripting vulnerability in Snipe-IT asset management system versions 8.3.0 through 8.3.1. An authenticated attacker with minimal privileges can inject arbitrary JavaScript code via the "Name" and "Surname" fields. The code executes when the Activity Report or a modified profile is viewed by other users with sufficient permissions, provided the profile has no Display Name set.

CVE-2025-31991
Medium

In HCL DevOps Velocity, the rate limiting mechanism for login attempts is not properly enforced, allowing brute-force attacks after exceeding the unsuccessful login attempt limit. This vulnerability is fixed in version 5.1.7.

CVE-2026-31420
Medium

W jądrze systemu Linux zidentyfikowano podatność, która pozwala na przekazanie wartości interwału równiej zeru do funkcji br_mrp_start_test() i br_mrp_start_in_test(), co prowadzi do pętli, która wyczerpuje pamięć systemową i powoduje panikę jądra. Problem ten dotyczy również funkcji br_mrp_start_in_test_parse() dla ramek testowych interkonektów.

CVE-2026-0232
Medium

A vulnerability in the Palo Alto Networks Cortex XDR agent for Windows allows a local Windows administrator to disable the agent. The issue stems from a flaw in the protection mechanism.

CVE-2026-40447
Medium

W podatności CVE-2026-40447 występuje przepełnienie lub owinięcie liczb całkowitych w Samsung Open Source Escargot, co prowadzi do nieokreślonego zachowania. Problem ten dotyczy wersji Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.

PreviousPage 245 of 551Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS