CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-13592
High

A vulnerability was found in the EtherNet IP Message Handler component of the CIPster library (up to commit e8e9dba09bf56962807d3504b783ccdb6287f3e4), involving an out-of-bounds write in the BufWriter::append function. Remote exploitation is possible and the exploit has been made public.

CVE-2026-12912
High

A vulnerability in the libtiff library allows a remote attacker to execute arbitrary code or cause a denial of service (DoS) by providing a specially crafted TIFF image compressed with the PixarLog codec. The issue occurs when decoding PixarLog images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based buffer overflow.

CVE-2026-41052
High

In Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10, users with the Project Owner role can exploit improper privilege handling to escalate their privileges.

CVE-2026-13749
High

A vulnerability in Snowflake CLI prior to version 3.19 allows arbitrary code execution due to improper neutralization in the Snowpark annotation processor callback template. An attacker can supply crafted project content that is interpolated into generated Python code, causing the CLI to execute attacker-controlled code in the local user context.

CVE-2026-13744
High

A vulnerability in Snowflake CLI prior to version 3.19 allowed unintended SQL execution by supplying crafted repository, project configuration, manifest data, or specification input. An attacker could execute arbitrary SQL in the context of the victim's Snowflake session.

CVE-2026-13583
High

A buffer overflow vulnerability was found in Edimax EW-7478APC version 1.04 in the formUSBFolder function of the /goform/formUSBFolder file. Manipulation of the ShareName/SelectName arguments in a POST request can cause a buffer overflow, enabling remote attack. The exploit has been publicly disclosed and may be used.

CVE-2026-13582
High

A buffer overflow vulnerability has been found in Edimax EW-7478APC version 1.04 in the formUSBAccount function of the /goform/formUSBAccount file. An attacker can remotely manipulate the UserName/Password arguments, causing a buffer overflow. The exploit has been published and may be used.

CVE-2026-13580
High

A buffer overflow vulnerability has been detected in the Edimax EW-7478APC version 1.04 in the formQoS function of the /goform/formQoS file. An attacker can remotely manipulate the selSSID argument, leading to a buffer overflow. The exploit has been publicly disclosed and may be used.

CVE-2026-57338
High

The ARForms plugin version 7.1.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57337
High

The Landing Page Builder plugin version 1.5.3.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious script without requiring authentication.

CVE-2026-57336
High

The Jobify plugin version 4.3.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57333
High

The Link Whisper Free plugin version 0.9.4 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57332
High

The Wallet System for WooCommerce plugin version 2.7.6 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.

CVE-2026-57320
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in BEAR versions 1.1.8 and earlier. It allows a remote attacker to inject malicious JavaScript code into the page without requiring authentication.

CVE-2026-56124
High

phpUploader before version 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

CVE-2026-55844
High

The Home Assistant iOS companion app ignores the SSID allowlist for internal networks. When no other URL is found, it falls back to the internal URL, potentially exposing the user's token on an unsecured network.

CVE-2026-55607
High

A vulnerability in Claude Code (versions 2.1.38 through 2.1.163) allows worktree manipulation attacks, including creating worktrees named ".git" and navigating outside the sandbox. An attacker can overwrite files in the user's home directory (e.g., .zshenv), leading to code execution outside seatbelt sandbox restrictions.

CVE-2026-49049
High

The Helix3 plugin for Joomla! exposes an AJAX handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters.

CVE-2026-54371
High

A vulnerability in the getfattr and setfattr utilities before version 2.6.0 allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files, leading to local privilege escalation when these tools are invoked by a privileged process over an attacker-controlled path.

CVE-2026-54369
High

A symlink traversal vulnerability was found in the libacl library before version 2.4.0 in pathname-based functions. A local attacker can replace any pathname component with a symbolic link, leading to privilege escalation by manipulating access control lists.

PreviousPage 26 of 3324Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS