CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-54262
Medium

In Wagtail, an open source content management system built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2 allow a low-level user with the 'Can submit translation' permission to create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

CVE-2026-54261
Medium

In Wagtail, an open source CMS built on Django, a missing permission check on the image preview endpoint allows users with Wagtail admin access to preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by ordinary site visitors without admin access.

CVE-2026-54260
Medium

In Wagtail, an open source CMS built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2 allow an authenticated admin user to trigger expensive rendition processing with crafted filter specs, potentially causing service degradation. The vulnerability is not exploitable by ordinary site visitors without Wagtail admin access.

CVE-2026-54259
Medium

In Wagtail, an open source CMS built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename, name, and URLs of documents and images in those collections.

CVE-2026-52190
High

A buffer overflow vulnerability in the UTT nv518G router running firmware version nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service (DoS) via the gohead/sub_448384 component.

CVE-2026-52186
Critical

SQL Injection vulnerability in UTT nv518G firmware version nv518GV3v3.2.7-210919-161313 allows a remote attacker to execute arbitrary code via the gohead/sub_463bbc component.

CVE-2026-38891
High

An improper input validation in the gazebo_ros_diff_drive.cpp component of gazebo_plugins v3.9.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted geometry_msgs::Twist message.

CVE-2026-36912
High

A NULL pointer dereference vulnerability was found in the AP4_AtomSampleTable::GetSample() function of MPC-BE before commit 4341cb3. An attacker can exploit a crafted MP4 file to cause a Denial of Service (DoS) by crashing the application.

CVE-2026-36911
Medium

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-36910
Medium

An access violation in the BaseSplitterFile::Read function of MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-36909
Medium

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-58263
High

In Jodit Editor prior to version 4.12.28, a vulnerability allows bypassing the built-in clean-html sanitizer using a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk. This results in a no-interaction event handler surviving into the editor value, potentially causing Mutation XSS.

CVE-2026-55886
Medium

Jodit Editor versions prior to 4.12.26 are vulnerable to Prototype Pollution via the Jodit.modules.Helpers.set() function. An attacker can pass a crafted key chain containing __proto__, constructor, or prototype, leading to Object.prototype modification and injection of unexpected properties.

CVE-2026-55661
Medium

A stored XSS vulnerability exists in the Tina CMS rich-text component. The URL field in Slate link/image nodes is not sanitized, allowing injection of javascript: or data:text/html URLs. An attacker with content editing privileges can achieve stored XSS that executes when content is viewed by editors or site visitors.

CVE-2026-55660
High

A vulnerability in the Tina headless CMS allows stored XSS and session takeover via unverified postMessage handlers and insufficient URL sanitization in rich-text content. An attacker can forge messages to hijack an authenticated editing session.

CVE-2026-55153
High

The mchange-commons-java library prior to version 0.6.0 has a vulnerability in its JNDI ObjectFactory implementation (JavaBeanObjectFactory) that allows constructing objects of arbitrary classes and initializing their JavaBean-style properties. For certain classes like Swing JEditorPane, this enables HTTP requests to arbitrary URLs, which can be exploited for JNDI injection and deserialization attacks.

CVE-2026-54786
Medium

Wasmtime prior to versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2 contains a vulnerability in the native WASIp1 implementation where the fd_renumber function fails to properly close the target file descriptor. This causes resource leaks in the host system, potentially leading to exhaustion of file descriptors and resources.

CVE-2026-54756
Medium

In Jodit Editor prior to version 4.12.18, the Jodit.configure() function and internal ConfigMerge/ConfigProto helpers merged user-supplied options without filtering prototype-mutating keys, leading to a Prototype Pollution vulnerability.

CVE-2026-54720
Medium

In Silverstripe Framework prior to version 6.2.2, the 'Insert media from web' functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2.

CVE-2026-54074
High

A Remote Code Execution vulnerability exists in @tinacms/cli prior to version 2.4.3 during the Forestry-to-Tina migration. The addVariablesToCode helper unsafely processes user-supplied label and name fields from .forestry/**/*.yml, allowing arbitrary JavaScript injection into the generated tina/templates.{ts,js} file.

PreviousPage 48 of 4515Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS