CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
LobeChat through version 2.2.9 in server-database deployments is vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, and updateTranslate methods filter target rows by message ID only, omitting the userId scope applied by sibling methods, and findMessagePlugin reads back by ID alone. An authenticated user who knows another user's message identifier can overwrite that victim's plugin tool-call metadata, plugin state/error, text-to-speech, and translation records on the same instance, with tampered content served back to the victim.
A vulnerability in RAGFlow before version 0.26.3 allows JavaScript injection due to improper storage of agent pipeline node names. The node name is not sanitized during agent updates and is rendered without HTML encoding in the web interface, leading to script execution in another user's session.
LobeChat before version 2.2.10-canary.15 contains a ReDoS vulnerability. An authenticated attacker can block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. This pattern is injected into a dynamically constructed regular expression in the findSkillMd function, causing prolonged denial of service for all users.
Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
AutoBangumi before version 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.
A double-free vulnerability was found in GIMP's PSP file format parser within the read_layer_block() function. Processing a specially crafted PSP file can cause memory corruption.
A buffer overflow vulnerability has been discovered in the UTT nv518G device running firmware version nv518GV3v3.2.7-210919-161313. A remote attacker can exploit the gohead/sub_483ba0 component to cause a denial of service (DoS).
Reflected XSS vulnerability in Netdata before 2.3.1 in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. The love parameter is reflected into the SVG document without escaping, allowing arbitrary JavaScript injection. The endpoints are accessible without authentication because bearer-token protection is disabled by default.
The TinyPNG plugin for WordPress (versions up to 3.6.13) contains an arbitrary file deletion vulnerability exploitable by authenticated attackers with author-level access or higher. The issue stems from insufficient file path validation in the delete_converted_image_size function.
Eclipse Wakaama before snapshot/2026-05-26 has an unbounded memory allocation vulnerability in the CoAP Block1 handler. An unauthenticated attacker can send a sequence of Block1 PUT requests with incrementing block numbers, causing repeated reallocation of an accumulation buffer without size limit, leading to server memory exhaustion.
A vulnerability in CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 is due to improper verification of cryptographic signatures. This allows an attacker with physical access to upload arbitrary malicious firmware without authentication.
A stored XSS vulnerability was found in the web management interface of Archer C5 v6.8 routers due to insufficient input validation and output encoding. An admin can inject malicious HTML/JS that executes when another admin views the affected page.
A vulnerability in the Erlang/OTP ssl application allows an unauthenticated remote attacker to disrupt TLS 1.3 session ticket handling by sending a crafted ClientHello with mismatched PSK identity and binder lists. This crashes the session ticket handler process, making TLS 1.3 unusable on the affected listener until the ssl application is restarted.
A TOCTOU race condition in the Erlang/OTP ssl library's dtls_packet_demux module allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener by sending rapid ClientHello messages from the same source IP and port. The crash terminates the shared demux process, killing every DTLS association, not just the attacker's.
A vulnerability in the SSL library of the DTLS server in Erlang/OTP uses a default empty cryptographic key for DTLS cookie generation during server startup. This makes cookies predictable, allowing an attacker to bypass source address verification.
An infinite loop vulnerability in the ssh_sftpd module of Erlang OTP allows an authenticated SFTP user to permanently block an SFTP channel. Sending extended data (SSH_MSG_CHANNEL_EXTENDED_DATA) with a non-zero type code causes the handle_data/4 function to loop indefinitely, halting further communication on that channel.
An Observable Response Discrepancy vulnerability in the Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate files and directories outside the configured root directory. The SSH_FXP_REALPATH handler fails to canonicalize the path, bypassing the is_within_root/2 check and enabling filesystem enumeration.
Craft CMS versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without the required delete permission. The vulnerability is in the actionMoveFolder() function of the AssetsController.
Craft CMS versions 5.7.0 through 5.9.20 contain a mass-assignment vulnerability in the bulk-duplicate element action. An attacker who can duplicate their own entries can submit an arbitrary id via the newAttributes parameter, leading to overwriting an existing victim entry.
Missing validation of 'valuesFrom' references in Helm Deployer of SUSE Rancher Fleet allows owners of one tenant to access fleet credentials of other tenants. Affected versions: 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11, and 0.12 before 0.12.15.

