CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.16)

CVE-2026-20111
Medium

A vulnerability in the web-based management interface of Cisco Prime Infrastructure allows an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack against users of the interface. This is due to improper validation of user-supplied input.

CVE-2025-70545
Medium

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The CGI component improperly handles user-supplied input, allowing a remote, unauthenticated attacker to inject persistent JavaScript.

CVE-2025-69618
Medium

An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information.

CVE-2025-69620
Medium

A path traversal vulnerability in Moo Chan Song v4.5.7 allows attackers to write files to internal storage, potentially causing a Denial of Service (DoS).

CVE-2026-1312
MediumEPSS 52%

A SQL injection vulnerability was discovered in Django's `.QuerySet.order_by()` method. The issue occurs when a column alias containing a period is used with `FilteredRelation` and dictionary expansion. Affected versions include 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28; older unsupported series may also be vulnerable.

CVE-2026-1287
MediumEPSS 51%

An SQL injection vulnerability was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28 in `FilteredRelation` column aliases via control characters. A crafted dictionary with dictionary expansion passed as `**kwargs` to `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()` methods can be exploited.

CVE-2026-1207
MediumEPSS 95%

In Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, a vulnerability was found in raster lookups on RasterField (PostGIS only). Remote attackers can inject SQL via the band index parameter.

CVE-2026-23026
Medium

In the Linux kernel, a memory leak was found in the gpi_peripheral_config() function of the QCOM GPI DMA driver. The issue occurs when krealloc() returns NULL, causing loss of reference to previously allocated memory.

CVE-2026-23019
Medium

In the Linux kernel, a NULL pointer dereference vulnerability was found in the Marvell Prestera network driver. The devlink_alloc() function may return NULL on allocation failure, but the code unconditionally calls devlink_priv() on the returned pointer, causing a system crash.

CVE-2025-71191
Medium

In the Linux kernel, the at_hdmac driver has a device reference leak in of_dma_xlate(). The reference taken when looking up the DMA platform device is not dropped after successful channel allocation, causing a memory leak.

CVE-2025-71190
Medium

A vulnerability in the Linux kernel's BCM-SBA-RAID DMA driver causes a device reference leak during probe. The driver fails to drop the reference taken when looking up the mailbox device on probe failures or driver unbind.

CVE-2025-71189
Medium

In the Linux kernel, a vulnerability in the dw_dmamux DMA driver causes an OF node reference leak on late DMA route allocation failure. The reference taken to the DMA master OF node is not released when route allocation fails after the initial setup.

CVE-2025-71188
Medium

W jądrze Linuxa naprawiono podatność związaną z wyciekiem urządzenia podczas alokacji trasy w module dmaengine dla lpc18xx-dmamux. Problem polegał na tym, że utrzymywanie referencji do urządzenia nie zapobiegało usunięciu danych sterownika.

CVE-2025-71186
Medium

In the Linux kernel, a device reference leak was found in the STM32 DMA MUX driver during route allocation. The allocation function failed to drop the reference taken when looking up the DMA mux platform device.

CVE-2025-71185
Medium

In the Linux kernel, a device reference leak was found in the DMA crossbar driver for TI AM335x. The reference to the crossbar platform device was not dropped during route allocation, causing a memory leak.

CVE-2026-25210
Medium

W libexpat przed wersją 2.7.4 funkcja doContent nieprawidłowo określa rozmiar bufora bufSize, ponieważ brakuje sprawdzenia przepełnienia całkowitego przy reallocacji bufora tagów.

CVE-2025-7014
Medium

Podatność typu Session Fixation w systemie QR Menu Pro Smart Menu Systems Menu Panel umożliwia przejęcie sesji. Problem ten dotyczy Menu Panel do 29012026.

CVE-2025-7013
Medium

Podatność CVE-2025-7013 dotyczy systemu Menu Panel w QR Menu Pro, gdzie możliwe jest obejście autoryzacji poprzez wykorzystanie kluczy kontrolowanych przez użytkownika. Umożliwia to wykorzystanie zaufanych identyfikatorów.

CVE-2025-7015
Medium

Podatność typu Session Fixation w oprogramowaniu QR Menu firmy Akın Software Computer Import Export Industry and Trade Ltd. pozwala na przejęcie sesji użytkownika. Problem ten dotyczy wersji QR Menu przed s1.05.12.

CVE-2025-71001
Medium

A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

PreviousPage 291 of 597Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS