CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-43715
High

A use-after-free vulnerability was addressed with improved memory management in Safari, iOS, iPadOS, and macOS Tahoe. Processing maliciously crafted web content may lead to memory corruption.

CVE-2026-43705
High

A type confusion vulnerability was discovered in Safari, iOS, iPadOS, and macOS Tahoe. The issue was fixed with improved type checking. Processing maliciously crafted web content may lead to memory corruption.

CVE-2026-43701
High

A vulnerability in Safari and Apple systems allows a malicious website to process restricted web content outside the sandbox. The issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 with improved checks.

CVE-2026-58000
HighEPSS 69%

A command injection vulnerability in luci-proto-openvpn through version 0.11.1 (fixed in commit e4ff45e) exists in the generateKey ubus method. The cl_meta parameter is interpolated into a shell command without proper escaping, allowing an authenticated LuCI user with OpenVPN protocol configuration access to execute arbitrary commands as root via the popen function.

CVE-2026-57999
HighEPSS 64%

A command injection vulnerability in luci-app-tailscale-commons allows authenticated users to execute arbitrary commands as root via the tailscale.do_login RPC method. The issue stems from improper quoting of the loginserver and loginserver_authkey parameters within a double-quoted shell command, enabling shell substitutions like $() to be evaluated.

CVE-2026-57955
High

A SQL injection vulnerability in SigNoz through version 0.130.1 allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of alert-history endpoints. Attackers can read all stored traces, logs, and metrics, or abuse the url() function for server-side request forgery (SSRF).

CVE-2026-57950
High

A broken access control vulnerability in ruoyi-vue-pro through version 2026.05 (fixed in commit 5d1fd70) in ErpSaleOrderController allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting incorrect permission namespace enforcement. Attackers can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders.

CVE-2026-57947
High

An SSRF vulnerability in Pinpoint through version 3.1.0 allows authenticated users to register internal URLs in the webhook registration endpoint due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to send POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

CVE-2026-56780
High

Modoboa before version 2.9.0 has an insecure direct object reference (IDOR) vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint. Domain administrators can change any user's password, including superadmins, leading to full account takeover.

CVE-2026-56285
High

A vulnerability in Nitter allows unauthenticated attackers to exploit the /video media proxy endpoint to send HTTP requests to any host reachable by the server, including cloud metadata services and internal network resources. The issue stems from missing validation of target URLs against Twitter/X domains and the use of a hardcoded default HMAC key.

CVE-2026-36848
High

A Directory Traversal vulnerability in Gigamon GVOS version 5.16.1 and below, located in the H-VUE subsystem, allows unauthorized access to files outside the application's root directory.

CVE-2026-13592
High

A vulnerability was found in the EtherNet IP Message Handler component of the CIPster library (up to commit e8e9dba09bf56962807d3504b783ccdb6287f3e4), involving an out-of-bounds write in the BufWriter::append function. Remote exploitation is possible and the exploit has been made public.

CVE-2026-12912
High

A vulnerability in the libtiff library allows a remote attacker to execute arbitrary code or cause a denial of service (DoS) by providing a specially crafted TIFF image compressed with the PixarLog codec. The issue occurs when decoding PixarLog images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based buffer overflow.

CVE-2026-41052
High

In Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10, users with the Project Owner role can exploit improper privilege handling to escalate their privileges.

CVE-2026-13749
High

A vulnerability in Snowflake CLI prior to version 3.19 allows arbitrary code execution due to improper neutralization in the Snowpark annotation processor callback template. An attacker can supply crafted project content that is interpolated into generated Python code, causing the CLI to execute attacker-controlled code in the local user context.

CVE-2026-13744
High

A vulnerability in Snowflake CLI prior to version 3.19 allowed unintended SQL execution by supplying crafted repository, project configuration, manifest data, or specification input. An attacker could execute arbitrary SQL in the context of the victim's Snowflake session.

CVE-2026-13583
High

A buffer overflow vulnerability was found in Edimax EW-7478APC version 1.04 in the formUSBFolder function of the /goform/formUSBFolder file. Manipulation of the ShareName/SelectName arguments in a POST request can cause a buffer overflow, enabling remote attack. The exploit has been publicly disclosed and may be used.

CVE-2026-13582
High

A buffer overflow vulnerability has been found in Edimax EW-7478APC version 1.04 in the formUSBAccount function of the /goform/formUSBAccount file. An attacker can remotely manipulate the UserName/Password arguments, causing a buffer overflow. The exploit has been published and may be used.

CVE-2026-13580
High

A buffer overflow vulnerability has been detected in the Edimax EW-7478APC version 1.04 in the formQoS function of the /goform/formQoS file. An attacker can remotely manipulate the selSSID argument, leading to a buffer overflow. The exploit has been publicly disclosed and may be used.

CVE-2026-57338
High

The ARForms plugin version 7.1.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

PreviousPage 36 of 3339Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS