CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-12481
High

A vulnerability in Keras version 3.14.0 allows arbitrary code execution due to improper deserialization handling in the `Lambda` layer. The `_raise_for_lambda_deserialization()` function fails to enforce safe-mode when `safe_mode` is `None` (default), bypassing the guard and allowing attacker-controlled `marshal` bytecode to be deserialized.

CVE-2026-14608
Medium

A security vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0, allowing authorization bypass. The issue is in the /index.php?action=view_student file within the POST Handler component, where manipulation of the ID argument leads to unauthorized access.

CVE-2026-14607
Medium

A weakness has been identified in RT-Thread up to version 5.0.2 in the function sys_getaddrinfo in file components/lwp/lwp_syscall.c. Manipulation of the ai_addr argument can lead to memory corruption. The attack requires local access and the exploit is publicly available.

CVE-2026-14606
High

A security flaw in RT-Thread up to version 5.0.2 affects the CAN_Receive function in the SWM341.h file. A local attacker can trigger a stack-based buffer overflow, potentially leading to system instability or compromise. A public exploit increases the risk of attacks.

CVE-2026-14605
High

A stack-based buffer overflow vulnerability exists in the recvmsg function of the ls1c CAN Handler component in RT-Thread up to version 5.0.2. Local access is required, and a public exploit is available.

CVE-2026-58379
High

A heap buffer overflow vulnerability was found in GIMP's Paint Shop Pro (PSP) file format parser. The flaw occurs due to incorrect buffer size calculations when processing low bit-depth images, allowing a remote attacker to execute arbitrary code or cause a denial of service (DoS) by tricking a user into opening a specially crafted PSP file.

CVE-2026-14604
Medium

A vulnerability was found in Open Asset Import Library Assimp up to version 6.0.4 in the function Assimp::Exporter::ExportToBlob within the file code/AssetLib/Ply/PlyLoader.cpp, part of the PLY Model Handler component. Manipulation leads to a double free condition. The attack can be initiated remotely, and the exploit has been publicly disclosed.

CVE-2026-14631
Medium

A vulnerability in webpack-dev-server versions 5.2.5 and earlier crashes the entire Node.js process when an unauthenticated peer sends a malformed Host header in an HTTP request or a malformed Origin header in a WebSocket upgrade. The malformed value triggers an uncaught exception in the host-validation path, crashing the dev server.

CVE-2026-14620
Medium

A vulnerability in webpack-dev-server versions 5.2.5 and earlier allows an attacker to perform unauthorized actions on the dev server by sending a GET request from any website. The attacker can open arbitrary local files in the developer's editor, including files outside the project root, and degrade the developer's machine through repeated requests.

CVE-2026-14615
Medium

A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups when queried through a parent group. This allows a delegated administrator to view details of groups they are not authorized to access, including names, paths, and custom attributes.

CVE-2026-14614
Medium

In Keycloak, within the ClientResource component of admin services with FGAP v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows injecting unauthorized data or permissions into end-user security tokens.

CVE-2026-14613
Medium

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who can see a specific role can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to view those specific groups.

CVE-2026-14612
Medium

Two off-by-one errors in FreeIPA's ipa-otpd daemon OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from an external OAuth2/OIDC Identity Provider.

CVE-2026-53478
HighEPSS 65%

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-49815
HighEPSS 62%

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary OS commands.

CVE-2026-49814
HighEPSS 65%

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-49813
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-14460
High

Missing authorization in TUBITAK BILGEM's pardus-software allows argument injection. The vulnerability affects versions 1.0.4 and earlier, before the update to 1.0.5.

CVE-2026-14459
High

An argument injection vulnerability in TUBITAK BILGEM's pardus-software allows attackers to inject additional arguments into commands. The issue affects versions up to 1.0.4 and is fixed in version 1.0.5.

CVE-2026-46466
Low

The vulnerability in Dell PowerProtect Data Domain involves the use of a less trusted source. It allows a high-privileged attacker with remote access to tamper with information.

PreviousPage 26 of 4518Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS