CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to escalate privileges over a network.
A vulnerability in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network due to incorrect authorization.
A Server-Side Request Forgery (SSRF) vulnerability in Azure OpenAI allows an authorized attacker to elevate privileges over a network. The attacker can send requests to internal resources, potentially leading to unauthorized access.
An open redirect vulnerability in M365 Copilot allows an unauthorized attacker to redirect users to a malicious site, potentially leading to privilege escalation over a network.
An improper access control vulnerability in Azure Synapse allows an authorized attacker to elevate privileges over a network.
In Libreswan, the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa() incorrectly verifies the DER encoding of the ASN.1 digest when processing IKEv2 AUTH payloads with RSASSA-PKCS1-v1_5. A remote attacker can exploit a Bleichenbacher-style attack to forge the AUTH payload when small public exponents (e.g., e=3) are used, leading to impersonation. Additionally, sending a shorter-than-expected hash can trigger an assertion, causing the daemon to abort and restart, resulting in denial-of-service.
Libreswan has a vulnerability in the RSA_authenticate_hash_signature_raw_rsa() function that incorrectly verifies the authentication hash length in IKEv1 packets using PKCS #1 RSA Encryption (RFC 2313). A remote attacker can use a Bleichenbacher variant to forge the SIG payload with small public exponents (e.g., e=3), leading to impersonation, or send a short hash to trigger an assertion and crash the daemon (DoS).
An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart due to an off-by-one error in the PASSERT assertion. Continued exploitation would cause a denial of service (DoS).
The react-native-receive-sharing-intent library contains a path traversal vulnerability that allows a malicious co-resident app to write files outside the intended cache directory by supplying a crafted _display_name value with dot-dot path components. Attackers can send an explicit ACTION_SEND intent to the exported share-receiver activity to overwrite arbitrary files in the consuming app's private data directory, including databases, shared preferences, and cached configuration.
A vulnerability in fast-mcp-telegram before version 0.19.1 allows a remote HTTP client to bypass authentication by manipulating the Bearer token with path separators. A token like '../fast-mcp-telegram/telegram' grants access to the default legacy session, bypassing the reserved session name control.
A vulnerability in the UTT nv518G router with firmware version nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service (DoS) via the gohead/sub_445C5C component.
A buffer overflow vulnerability in the UTT nv518G router (firmware version nv518GV3v3.2.7-210919-161313) allows a remote attacker to cause a denial of service (DoS) via the gohead/sub_444C8C component.
A buffer overflow vulnerability in UTT nv518G device (firmware version nv518GV3v3.2.7-210919-161313) allows a remote attacker to cause a denial of service (DoS) via the gohead/sub_487330 component.
A buffer overflow vulnerability has been discovered in the UTT nv518G device running firmware version nv518GV3v3.2.7-210919-161313. A remote attacker can exploit the gohead//sub_497498 component to cause a denial of service (DoS).
Notepad3 up to version 6.25.822.1 contains a DLL search-order hijacking vulnerability in the About-dialog code path. The application calls LoadLibrary(L"MSFTEDIT.DLL") with a bare DLL name, allowing a local attacker to place a malicious MSFTEDIT.DLL in the application directory or another preferred DLL search location and achieve arbitrary code execution in the context of the user when the About dialog is opened.
An out-of-bounds read issue was found in the GCS_MAVLink library of ArduPilot up to version Plane-4.6.3, specifically in the GCS_MAVLINK::handle_serial_control() function. This vulnerability may lead to unexpected behavior or data leakage.
A denial-of-service vulnerability in pdfcpu up to version 0.11.1 is caused by uncontrolled recursion in the PDF parser. Functions ParseObjectContext() and parseArray() in parse.go recursively process nested PDF objects without enforcing a maximum nesting depth, potentially leading to stack overflow.
A vulnerability in the Ruby WEBrick library (up to version 1.9.2) re-parses the trailer Content-Length header into canonical request state, enabling request smuggling attacks.
A vulnerability in ntopng up to version 6.6 allows predictable session identifiers, leading to session hijacking. Session IDs are generated using weak time-seeded pseudo-randomness.
Forgejo before version 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.

