CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57951
Medium

A vulnerability in Mythic before version 3.4.0.60 is caused by a broken Hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.

CVE-2026-57949
Medium

A missing authorization vulnerability in the CRM module of ruoyi-vue-pro (up to version 2026.05, fixed in commit c779a47) exists in the GET /admin-api/crm/follow-up-record/get endpoint. Authenticated users can read any follow-up record by iterating sequential numeric IDs.

CVE-2026-57948
Medium

Pinpoint through version 3.1.0 contains an insecure session management vulnerability where the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows attackers to access the cookie via JavaScript (document.cookie) and transmit it in cleartext over HTTP.

CVE-2026-57945
Medium

A broken access control vulnerability in PhotoPrism before version 260601-a7d098548 allows authenticated non-admin users to modify other users' profile information. The missing session-to-user identifier validation in the PUT users API endpoint enables attackers to overwrite another user's profile details without authorization.

CVE-2026-57943
Medium

A vulnerability in LibrePhotos before version 1.0.0 in the SetPhotosShared endpoint allows authenticated users to bypass ownership validation and grant themselves access to other users' private photos. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos.

CVE-2026-57942
Medium

LibreTranslate through version 1.9.7 has an IP spoofing vulnerability in the get_remote_address() function. An unauthenticated attacker can inject arbitrary values into the X-Forwarded-For header, bypassing per-IP rate limiting and flood bans.

CVE-2026-56783
Medium

Parseable before version 2.9.2 exposes webhook tokens and basic-auth credentials in cleartext via notification-target API endpoints due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets.

CVE-2026-56781
Medium

A vulnerability in Teable before the June 15, 2026 build allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and read field values intended to be restricted from public view.

CVE-2026-13752
Medium

In Snowflake CLI versions prior to 3.19, improper neutralization of parameters allowed unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable command paths, causing unintended SQL execution in the context of the user's Snowflake session.

CVE-2026-13751
Medium

A vulnerability in Snowflake CLI prior to version 3.19 allows server-side request forgery (SSRF) due to improper handling of untrusted remote references in !source/!load directives. An attacker can supply crafted SQL content that, when processed through a vulnerable command path, causes unauthorized outbound requests to internal or non-public network locations and remote SQL execution in the victim's session.

CVE-2026-13591
Medium

A weakness in the Contact Tracking component of DeepMyst Mysti 0.4.0 involves improper authorization in the _isTrackedConversation function of src/managers/ChannelBridge.ts. The attack can be initiated remotely but requires high complexity and is considered difficult to exploit. A public exploit is available, increasing the attack risk.

CVE-2026-13590
Medium

A security flaw in PcapPlusPlus 25.05 affects the pcpp::ModbusLayer::getLength function in ModbusLayer.h. Manipulating the length argument causes a heap-based buffer overflow, which can be exploited remotely.

CVE-2026-13589
Medium

A heap-based buffer overflow vulnerability exists in PcapPlusPlus 25.05 in the pcpp::TelnetLayer::getSubCommand function of TelnetLayer.cpp. The attack can be initiated remotely but is difficult to exploit. A public exploit is available.

CVE-2026-13588
Medium

A heap-based buffer overflow vulnerability was found in PcapPlusPlus 25.05 in the function pcpp::SSLClientHelloMessage::getHandshakeVersion of SSLHandshake.cpp. An attacker can remotely manipulate the handshakeVersion argument, causing a buffer overflow. The attack complexity is high and exploitation is considered difficult, but the exploit has been publicly disclosed.

CVE-2026-9105
Medium

A stack-based buffer overflow vulnerability in the web management interface of TP-Link TL-WR841N v14 allows an authenticated remote attacker to crash the device by sending a crafted HTTP request. Successful exploitation leads to a denial-of-service condition, causing the device to crash and automatically reboot.

CVE-2026-13750
Medium

In Snowflake CLI versions prior to 3.19, sensitive credentials (passwords, tokens, private keys) were written in plaintext to local debug log files. An attacker with read access to these logs could steal authentication data.

CVE-2026-13748
Medium

A vulnerability in Snowflake CLI prior to version 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary.

CVE-2026-13742
Medium

A vulnerability in Honeywell IQ MultiAccess (versions up to and including 28) stems from improper digital signature verification. It allows an attacker to replace a downloaded file with a malicious one.

CVE-2026-13581
MediumEPSS 63%

A vulnerability was found in Edimax EW-7478APC 1.04, involving OS command injection in the formStaDrvSetup function via the rootAPmac argument. The attack is remotely exploitable and the exploit is publicly available.

CVE-2026-13437
Medium

In Devolutions PowerShell Universal 2026.2.0, a vulnerability was found involving the insertion of sensitive information into sent data in the AI Agent job API. An authenticated user with AI Agent read access can obtain reusable authentication tokens with potentially higher privileges, which are serialized in plaintext in job API responses.

PreviousPage 41 of 535Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS