CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Podman from version 1.8.1 to 5.8.4 contains a vulnerability where a container image with an environment variable containing only a key without a value can trick Podman into passing that variable from the host into the container. Using an asterisk (*) causes all host variables to be passed, allowing a malicious image to exfiltrate Podman environment variables from the session where the container is launched.
In AutoGPT before version 0.6.52, an authenticated user can bypass SSRF protections and access internal network services. The _is_ip_blocked() function does not normalize IPv4-mapped IPv6 addresses or block special ranges like 100.64.0.0/10 (CGNAT).
Echo, a Go web framework, has a vulnerability due to a mismatch in URL path decoding between the router and the static file handler. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization.
A privilege escalation vulnerability in LXD versions 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 allows bypassing project-restriction policies during snapshot restoration. An authenticated project operator can import a malicious instance backup with restricted configuration keys in a snapshot, which are applied without validation upon restoration.
An unauthenticated remote attacker can read and exfiltrate the heap memory of the Ollama server through the model quantization engine, leading to sensitive data exposure.
In Docling prior to version 2.94.0, unsafe URI and path handling was found in the HTML backend. This vulnerability could allow an attacker to perform unauthorized operations on files or network resources.
A vulnerability in kernel software running inside a Host VM allows sending improper commands to the GPU firmware, potentially causing memory read or write outside the permitted range. Addresses passed to the GPU firmware can be used to gain more privileged memory access than allowed by the system.
A vulnerability in the GPU shader compiler allows an out-of-bounds write by loading a web page with specially crafted GPU shader code. This can cause a segmentation fault in the compiler under certain conditions.
A Broken Access Control vulnerability in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
The kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64, versions 10.5.75.0 and 11.11.4.0, allows an unprivileged user to abuse the IOCTL path and terminate protected system processes.
The Groundhogg plugin for WordPress versions 4.5 and earlier contains an SQL injection vulnerability in the Sales Representative module. An attacker can exploit this flaw to execute unauthorized database queries.
The Recipe Maker For Your Food Blog plugin by Zip Recipes version 8.2.7 and earlier contains a Contributor SQL Injection vulnerability.
SQL Injection vulnerability in the Contributor component of Contest Gallery plugin up to version 30.0.0. Allows an attacker to manipulate database queries through improperly sanitized input.
The Paid Memberships Pro - Add Member From Admin plugin version 0.7.2 and earlier is vulnerable to unauthenticated Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to perform unauthorized actions in the context of an administrator without requiring an authenticated session.
The vulnerability allows an unauthenticated attacker to perform a Cross-Site Request Forgery (CSRF) in the Child Theme Wizard plugin version 1.4 and earlier. The attack can lead to unauthorized changes in the plugin configuration without the administrator's knowledge.
The WP Job Portal plugin version 2.5.2 and earlier contains a SQL injection vulnerability in the Contributor module. This allows an attacker to manipulate database queries.
The Panorama Viewer – 360 Degree Image + Video Viewer plugin version 1.6.1 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by contributors. This allows an attacker with contributor privileges to read sensitive files on the server.
The vulnerability in the Newsletters plugin up to version 4.13 allows unauthorized access to subscriber management functions. The lack of proper access control enables an attacker to manipulate subscriber data without required permissions.
The Restaurant Menu by MotoPress plugin version 2.4.10 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries into the database.
The WP Post Author plugin version 3.9.1 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker to manipulate database queries.

