CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.16)

CVE-2025-71079
Medium

A deadlock was discovered in the Linux kernel between nfc_unregister_device and rfkill_fop_write due to inverted lock ordering of device_lock and rfkill_global_mutex, causing thread blockage.

CVE-2025-68823
Medium

W jądrze systemu Linux zidentyfikowano podatność, która prowadziła do zakleszczenia podczas odczytu tabeli partycji z urządzenia blokowego ublk. Problem występował, gdy proces próbował uzyskać dostęp do urządzenia blokowego, co prowadziło do sytuacji, w której ten sam proces czekał na mutex, który już posiadał.

CVE-2024-54855
Medium

The Vanilla OS 2 Core image v1.1.0 from fabricators Ltd was found to contain static SSH keys, allowing attackers to perform a man-in-the-middle attack during connections with other hosts.

CVE-2025-55462
Medium

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response with Access-Control-Allow-Credentials: true. This enables malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me, exposing sensitive user session data.

CVE-2026-22212
Medium

A stack-based buffer overflow vulnerability in the mcp2200gpio utility in TinyOS versions up to and including 2.1.2. It is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes.

CVE-2025-65553
Medium

The D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detection or mitigations, creating a denial-of-service condition.

CVE-2026-22610
Medium

W Angularze, platformie do tworzenia aplikacji webowych, zidentyfikowano podatność typu cross-site scripting (XSS) w kompilatorze szablonów. Problem wynika z niewłaściwego rozpoznawania atrybutów href i xlink:href w elementach SVG <script> jako kontekstu URL zasobów. Został on naprawiony w wersjach 19.2.18, 20.3.16, 21.0.7 oraz 21.1.0-rc.0.

CVE-2026-0707
Medium

A flaw was found in Keycloak regarding the authorization header parser. This parser is overly permissive regarding the formatting of the 'Bearer' authentication scheme, accepting non-standard characters as separators and tolerating case variations that deviate from RFC 6750 specifications.

CVE-2026-22188
Medium

The deploy-stub component in Panda3D up to version 1.10.16 contains a denial of service vulnerability due to unbounded stack allocation. The alloca() function allocates memory for argv_copy and argv_copy2 based on attacker-controlled argc without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, causing a reliable crash and undefined behavior.

CVE-2025-67316
Medium

An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser. The supplier is currently disputing this finding and the record is under review.

CVE-2025-34171
Medium

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image and /v1/sys/debug endpoints can be abused to access files and disclose host OS, kernel, hardware, and storage details.

CVE-2025-59381
Medium

A path traversal vulnerability has been reported to affect several QNAP operating system versions. A remote attacker with an administrator account can exploit this vulnerability to read the contents of unexpected files or system data.

CVE-2024-55374
Medium

A vulnerability in REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy in login attempt responses.

CVE-2025-34467
Medium

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management.

CVE-2025-15128
Medium

A vulnerability was detected in ZKTeco BioTime up to versions 9.0.3/9.0.4/9.5.2, affecting an unknown part of the file /base/safe_setting/ of the Endpoint component. Manipulating the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials.

CVE-2025-66737
Medium

Yealink T21P_E2 Phone version 52.84.0.15 is vulnerable to directory traversal. A remote attacker with normal privileges can read arbitrary files via a crafted request to the diagnostic component's result read function.

CVE-2025-2154
Medium

Podatność CVE-2025-2154 dotyczy niewłaściwej neutralizacji danych wejściowych podczas generowania stron internetowych w systemie Specto CM, co prowadzi do możliwości ataku typu Stored XSS. Problem ten dotyczy wersji przed 17032025.

CVE-2025-68725
Medium

A vulnerability was found in the Linux kernel's BPF test infrastructure that allowed generating invalid GSO (Generic Segmentation Offload) packets and sending them to the network stack. The issue occurred when a BPF program used bpf_clone_redirect() to redirect a packet to the loopback interface, triggering a skb_warn_bad_offload() warning and disabling GSO features.

CVE-2025-68340
Medium

A vulnerability has been identified in the Linux kernel that occurs when adding a port device to a team device while the port is already active. Modifying the team device header can lead to incorrect private data pointing, resulting in system errors.

CVE-2025-67291
Medium

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to inject malicious JavaScript or HTML into the Name field, leading to script execution in victims' browsers.

PreviousPage 314 of 617Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS