CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
CubeCart to rozwiązanie oprogramowania e-commerce. Przed wersją 6.7.0 występuje podatność na Reflected XSS w funkcji wyszukiwania, która pozwala na odzwierciedlenie nieautoryzowanego wejścia użytkownika bez sanitizacji, gdy wyszukiwanie zwraca dokładnie jeden produkt.
Lokalnie serwisowana strona internetowa na urządzeniu Garmin WDU (w wersjach 1.4.6 i 5.0) umożliwia atak typu reflected cross site scripting (XSS). Atakujący w lokalnej sieci może wykonać dowolny kod JavaScript w kontekście strony WDU, co może prowadzić do pełnego dostępu administracyjnego do urządzenia.
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Using the $__timeGroup macro can lead to an out-of-memory (OOM) condition by overloading the server. This requires a SQL datasource, and if the server is set up to auto-restart, the impact of the attack is minimal or non-existent.
A vulnerability in the Grafana plugin allows unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.
Any editor could delete any snapshot, even if they have no access to read or write them.
A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
A DoS vulnerability in Palo Alto Networks Prisma SD-WAN ION devices allows an unauthenticated attacker in a network adjacent to the device to cause system disruption by sending a specially crafted IPv6 packet.
In Netty before versions 4.2.13.Final and 4.1.133.Final, a vulnerability exists in the MQTT 5 decoder. The Properties section of the MQTT header is parsed and buffered before any message size limit check, allowing an attacker to send oversized properties. This causes repeated, expensive parsing and memory buffering, leading to high CPU and memory usage.
A vulnerability in Netty allows HTTP request smuggling for HTTP/1.0 messages. When a request contains both Transfer-Encoding: chunked and Content-Length headers, the HttpObjectDecoder fails to strip the conflicting Content-Length header for HTTP/1.0, causing downstream proxies or handlers that trust Content-Length to misinterpret message boundaries.
Hermes WebUI prior to version 0.51.44 contains a path traversal vulnerability in the session import endpoint. Authenticated attackers can read arbitrary files by importing a crafted session with an unrestricted workspace value.
A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software allows a malicious authenticated administrator to store a JavaScript payload via the web interface.
Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app allow an attacker to intercept encrypted communications and potentially compromise the endpoint. A local non-administrative OS user or an attacker on the same subnet can redirect traffic to an unauthorized server and facilitate malicious software installation. The GlobalProtect app on Linux, Windows, iOS, and GlobalProtect UWP are not affected.
An improper certificate validation vulnerability in the Prisma Access Agent for Android and Chrome OS allows a man-in-the-middle (MitM) attack to intercept VPN traffic. By presenting a certificate for any domain issued by a trusted Certificate Authority, the attacker can capture sensitive device information.
Multiple information disclosure vulnerabilities in Prisma Access Agent allow a local user to access sensitive configuration data and credentials. The vulnerability affects the agent on Windows and macOS systems.
An information disclosure vulnerability in Chronosphere Chronocollector allows an unauthenticated attacker with network access to the collector service to retrieve sensitive information.
A race condition vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to bypass certain access and data control policies.

