CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-34237
Medium

MCP Java SDK, the official Java SDK for Model Context Protocol servers and clients, had a hardcoded wildcard CORS vulnerability prior to versions 0.83.0, 1.0.1, and 1.1.1. This issue has been patched in the mentioned versions.

CVE-2026-29597
Medium

DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the “/Admin/file_manager/file_details.asp” endpoint and manipulating the “file” parameter. By referencing specific files (e.g., cm3.xml), the attacker can retrieve system administrator credentials, SMTP settings, database credentials, and other confidential information.

CVE-2026-30082
Medium

Multiple stored cross-site scripting (XSS) vulnerabilities were found in the Edit feature of the Software Package List page in IngEstate Server v11.14.0. Attackers can inject malicious payloads into the About application, What's news, or Release note parameters, leading to arbitrary script or HTML execution.

CVE-2026-5119
Medium

A flaw was found in libsoup that allows sensitive session cookies to be transmitted in cleartext during the establishment of HTTPS tunnels through a configured HTTP proxy. Attackers can intercept these cookies, leading to potential session hijacking or user impersonation.

CVE-2026-23399
Medium

W jądrze systemu Linux zidentyfikowano podatność, która została naprawiona. Problem dotyczy możliwego wycieku pamięci w wyrażeniu stanowym w ścieżce błędu, gdy klonowanie drugiego wyrażenia stanowego nie powiedzie się.

CVE-2026-30689
Medium

In Blog.Core up to version bcb4d17, the getinfobytoken API interface has improper access control leading to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security.

CVE-2026-28375
Medium

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

CVE-2026-27879
Medium

A resample query can lead to out-of-memory crashes in Grafana.

CVE-2025-61190
Medium

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace JSPUI 6.5 within the search/discover filtering functionality. The vulnerability exists due to improper sanitization of user-supplied input via the filter_type_1 parameter.

CVE-2026-33375
Medium

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

CVE-2026-2100
MediumEPSS 63%

A flaw was found in p11-kit where a remote attacker could exploit the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially causing a NULL dereference or undefined behavior.

CVE-2026-21724
Medium

A vulnerability has been discovered in Grafana OSS that allows an authorization bypass in the provisioning contact points API. Users with Editor role can modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

CVE-2026-3116
Medium

Mattermost Plugins versions <=11.4, 11.0.4, 11.1.3, 11.3.2, and 10.11.11.0 fail to validate incoming request size, allowing an authenticated attacker to disrupt service via the webhook endpoint.

CVE-2026-4887
Medium

A flaw was found in GIMP, which is a heap buffer over-read in the PCX file loader due to an off-by-one error. A remote attacker could exploit this by convincing a user to open a specially crafted PCX image.

CVE-2026-20108
Medium

A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager allows an authenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user of the interface. This is due to insufficient input validation.

CVE-2026-23394
Medium

W jądrze systemu Linux zidentyfikowano podatność, która pozwala na błędne usunięcie gniazda z kolejki odbiorczej przez zbieranie śmieci (GC) w wyniku wywołania MSG_PEEK. Problem ten występuje w sytuacji, gdy gniazdo jest zamykane podczas sprawdzania jego stanu przez GC, co prowadzi do nieprawidłowego wniosku o martwym gnieździe.

CVE-2026-23389
Medium

W jądrze systemu Linux zidentyfikowano podatność związana z wyciekiem pamięci w funkcji ice_set_ringparam. Problem polega na tym, że w przypadku niepowodzenia alokacji rx_rings, tx_rings i xdp_rings pozostają niezwolnione, co prowadzi do wycieku pamięci.

CVE-2026-23371
Medium

W jądrze Linuxa zidentyfikowano podatność związaną z niewłaściwym dziedziczeniem parametrów przez zadania SCHED_DEADLINE podczas zmiany priorytetu. Problem ten może prowadzić do błędów w obliczaniu pasma, gdy zadanie nie jest poprawnie oznaczane jako wzmocnione.

CVE-2026-23346
Medium

A vulnerability has been identified in the Linux kernel in the ioremap_prot() function, which may lead to memory read errors from the kernel level on arm64 systems with PAN enabled. The issue lies in returning a new user mapping that is inaccessible to the kernel.

CVE-2026-23310
Medium

A vulnerability in the Linux kernel allows changing the transmission hash policy to vlan+srcmac while an XDP program is loaded on a bond in 802.3ad or balance-xor mode. This can lead to incompatibility and errors when destroying bonds.

PreviousPage 248 of 551Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS