CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-46680
High

In containerd prior to versions 1.7.32, 2.0.9, 2.2.4, and 2.3.1, containers with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This allows bypassing the Kubernetes runAsNonRoot restriction if a crafted image maps this large numeric string to root in /etc/passwd, causing the container to run as root (UID 0).

CVE-2026-58454
High

JAIOTlink C492A-W6 Wi-Fi IP cameras with firmware 4.8.30.57701411 contain a remote code execution vulnerability. An authenticated attacker can write a malicious script to persistent JFFS2 storage and trigger execution via an HTTP endpoint, achieving persistent control over the device.

CVE-2026-58453
CriticalEPSS 74%

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain hard-coded credentials that allow network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

CVE-2026-58452
HighEPSS 82%

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain an OS command injection vulnerability. An authenticated attacker can achieve remote code execution by supplying a malicious Wireless parameter to the HTTP PUT NetSDK/Factory SetMAC endpoint.

CVE-2026-57721
Medium

The ApplyOnline WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects versions from n/a through 2.6.7.6.

CVE-2026-57720
Medium

The ThumbPress WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects all versions from n/a through 6.3.2.

CVE-2026-57516
High

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader. Attackers can achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function, which unconditionally calls pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code in Ray remote workers.

CVE-2026-56151
Medium

CVE-2026-56151 in Kibana is an improper input validation vulnerability (CWE-20) that allows an authenticated user to submit a specially crafted Fleet policy input, causing a denial of service (DoS) via input data manipulation (CAPEC-153). This attack renders Fleet agent, server, and policy management functionality unavailable.

CVE-2026-56149
Medium

CWE-770 vulnerability in Elasticsearch allows a denial of service via excessive memory allocation. A privileged user can submit a crafted machine learning request, causing resource exhaustion and node unavailability.

CVE-2026-56148
Medium

CVE-2026-56148 in Elasticsearch involves uncontrolled recursion leading to denial of service. An authenticated user can submit a specially crafted query causing excessive resource consumption during processing, potentially rendering the affected node unavailable.

CVE-2026-54399
High

An uncontrolled resource consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.

CVE-2026-49088
Medium

CVE-2026-49088 in Kibana allows insertion of sensitive information into log files. When optional APM instrumentation is enabled, sensitive request header values may be recorded in application logs.

CVE-2026-49087
Medium

CWE-770 vulnerability in Kibana allows a denial of service via excessive resource allocation. An authenticated attacker can send a crafted bulk deletion request, exhausting resources and making Kibana unavailable.

CVE-2026-34117
Critical

The vulnerability in the Guardian language-system passes the 'id' GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization. No authentication is required, allowing an unauthenticated remote attacker to append shell metacharacters and execute arbitrary OS commands on the server.

CVE-2026-34116
Critical

The vulnerability in the Guardian language system passes the 'id' GET parameter directly into a PHP exec() call in transcribe.php without sanitization. An unauthenticated attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-34115
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter passed to the PHP exec() function in transcribe_amazon.php.

CVE-2026-34114
Critical

A vulnerability in the Guardian language system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in translate_text.php. The lack of input validation and direct use of the parameter in an exec() call enables exploitation without authentication.

CVE-2026-34113
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in speech_text.php.

CVE-2026-34112
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in speechmac.php.

CVE-2026-34111
Critical

A vulnerability in the Guardian language-system allows an unauthenticated attacker to execute arbitrary OS commands remotely by injecting shell metacharacters into the id parameter, which is passed unsanitized to the PHP exec() function in speechmac_text.php.

PreviousPage 28 of 4490Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS