CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2026-44376
Medium

CubeCart to rozwiązanie oprogramowania e-commerce. Przed wersją 6.7.0 występuje podatność na Reflected XSS w funkcji wyszukiwania, która pozwala na odzwierciedlenie nieautoryzowanego wejścia użytkownika bez sanitizacji, gdy wyszukiwanie zwraca dokładnie jeden produkt.

CVE-2025-27852
Medium

Lokalnie serwisowana strona internetowa na urządzeniu Garmin WDU (w wersjach 1.4.6 i 5.0) umożliwia atak typu reflected cross site scripting (XSS). Atakujący w lokalnej sieci może wykonać dowolny kod JavaScript w kontekście strony WDU, co może prowadzić do pełnego dostępu administracyjnego do urządzenia.

CVE-2026-33381
Medium

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

CVE-2026-33380
Medium

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

CVE-2026-33378
Medium

Using the $__timeGroup macro can lead to an out-of-memory (OOM) condition by overloading the server. This requires a SQL datasource, and if the server is set up to auto-restart, the impact of the attack is minimal or non-existent.

CVE-2026-28383
Medium

A vulnerability in the Grafana plugin allows unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

CVE-2026-28380
Medium

Any editor could delete any snapshot, even if they have no access to read or write them.

CVE-2026-28379
Medium

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server.

CVE-2026-28376
Medium

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

CVE-2026-28374
Medium

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

CVE-2026-0243
Medium

A DoS vulnerability in Palo Alto Networks Prisma SD-WAN ION devices allows an unauthenticated attacker in a network adjacent to the device to cause system disruption by sending a specially crafted IPv6 packet.

CVE-2026-44248
Medium

In Netty before versions 4.2.13.Final and 4.1.133.Final, a vulnerability exists in the MQTT 5 decoder. The Properties section of the MQTT header is parsed and buffered before any message size limit check, allowing an attacker to send oversized properties. This causes repeated, expensive parsing and memory buffering, leading to high CPU and memory usage.

CVE-2026-42581
Medium

A vulnerability in Netty allows HTTP request smuggling for HTTP/1.0 messages. When a request contains both Transfer-Encoding: chunked and Content-Length headers, the HttpObjectDecoder fails to strip the conflicting Content-Length header for HTTP/1.0, causing downstream proxies or handlers that trust Content-Length to misinterpret message boundaries.

CVE-2026-22677
Medium

Hermes WebUI prior to version 0.51.44 contains a path traversal vulnerability in the session import endpoint. Authenticated attackers can read arbitrary files by importing a crafted session with an unrestricted workspace value.

CVE-2026-0256
Medium

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software allows a malicious authenticated administrator to store a JavaScript payload via the web interface.

CVE-2026-0249
Medium

Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app allow an attacker to intercept encrypted communications and potentially compromise the endpoint. A local non-administrative OS user or an attacker on the same subnet can redirect traffic to an unauthorized server and facilitate malicious software installation. The GlobalProtect app on Linux, Windows, iOS, and GlobalProtect UWP are not affected.

CVE-2026-0248
Medium

An improper certificate validation vulnerability in the Prisma Access Agent for Android and Chrome OS allows a man-in-the-middle (MitM) attack to intercept VPN traffic. By presenting a certificate for any domain issued by a trusted Certificate Authority, the attacker can capture sensitive device information.

CVE-2026-0245
Medium

Multiple information disclosure vulnerabilities in Prisma Access Agent allow a local user to access sensitive configuration data and credentials. The vulnerability affects the agent on Windows and macOS systems.

CVE-2026-0239
Medium

An information disclosure vulnerability in Chronosphere Chronocollector allows an unauthenticated attacker with network access to the collector service to retrieve sensitive information.

CVE-2026-0235
Medium

A race condition vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to bypass certain access and data control policies.

PreviousPage 271 of 606Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS