CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability in Keras version 3.14.0 allows arbitrary code execution due to improper deserialization handling in the `Lambda` layer. The `_raise_for_lambda_deserialization()` function fails to enforce safe-mode when `safe_mode` is `None` (default), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized.
A security vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0, allowing authorization bypass. The issue is in the /index.php?action=view_student file within the POST Handler component, where manipulation of the ID argument leads to unauthorized access.
A weakness has been identified in RT-Thread up to version 5.0.2 in the function sys_getaddrinfo in file components/lwp/lwp_syscall.c. Manipulation of the ai_addr argument can lead to memory corruption. The attack requires local access and the exploit is publicly available.
A security flaw in RT-Thread up to version 5.0.2 affects the CAN_Receive function in the SWM341.h file. A local attacker can trigger a stack-based buffer overflow, potentially leading to system instability or compromise. A public exploit increases the risk of attacks.
A stack-based buffer overflow vulnerability exists in the recvmsg function of the ls1c CAN Handler component in RT-Thread up to version 5.0.2. Local access is required, and a public exploit is available.
A heap buffer overflow vulnerability was found in GIMP's Paint Shop Pro (PSP) file format parser. The flaw occurs due to incorrect buffer size calculations when processing low bit-depth images, allowing a remote attacker to execute arbitrary code or cause a denial of service (DoS) by tricking a user into opening a specially crafted PSP file.
A vulnerability was found in Open Asset Import Library Assimp up to version 6.0.4 in the function Assimp::Exporter::ExportToBlob within the file code/AssetLib/Ply/PlyLoader.cpp, part of the PLY Model Handler component. Manipulation leads to a double free condition. The attack can be initiated remotely, and the exploit has been publicly disclosed.
A vulnerability in webpack-dev-server versions 5.2.5 and earlier crashes the entire Node.js process when an unauthenticated peer sends a malformed Host header in an HTTP request or a malformed Origin header in a WebSocket upgrade. The malformed value triggers an uncaught exception in the host-validation path, crashing the dev server.
A vulnerability in webpack-dev-server versions 5.2.5 and earlier allows an attacker to perform unauthorized actions on the dev server by sending a GET request from any website. The attacker can open arbitrary local files in the developer's editor, including files outside the project root, and degrade the developer's machine through repeated requests.
A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups when queried through a parent group. This allows a delegated administrator to view details of groups they are not authorized to access, including names, paths, and custom attributes.
In Keycloak, within the ClientResource component of admin services with FGAP v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows injecting unauthorized data or permissions into end-user security tokens.
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who can see a specific role can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to view those specific groups.
Two off-by-one errors in FreeIPA's ipa-otpd daemon OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from an external OAuth2/OIDC Identity Provider.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary OS commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high privileged attacker with remote access could exploit this flaw to execute arbitrary commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.
Missing authorization in TUBITAK BILGEM's pardus-software allows argument injection. The vulnerability affects versions 1.0.4 and earlier, before the update to 1.0.5.
An argument injection vulnerability in TUBITAK BILGEM's pardus-software allows attackers to inject additional arguments into commands. The issue affects versions up to 1.0.4 and is fixed in version 1.0.5.
The vulnerability in Dell PowerProtect Data Domain involves the use of a less trusted source. It allows a high-privileged attacker with remote access to tamper with information.

