CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-44631
Critical

CVE-2026-44631 describes a buffer underwrite vulnerability in Apache HTTP Server caused by crafted regular expressions in the configuration. It affects versions from 2.4.0 to 2.4.67.

CVE-2026-42861
Critical

In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint. This allows authenticated users to modify server-controlled properties, potentially breaking tenant isolation in multi-workspace environments.

CVE-2026-42535
Critical

A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes.

CVE-2026-29167
Critical

A Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration may lead to unauthorized memory access. This issue affects Apache HTTP Server versions from 2.4.0 through 2.4.67.

CVE-2026-50751
CriticalActively exploitedEPSS 94%

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

CVE-2026-11499
Critical

A vulnerability was identified in Tenda HG7HG9 and HG10 300001138_en_xpon affecting the function formDOMAINBLK in the file /boaform/formDOMAINBLK. Manipulating the argument blkDomain can lead to stack-based buffer overflow.

CVE-2024-58349
Critical

The WordPress Theme Travelscape version 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation.

CVE-2024-58348
Critical

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.

CVE-2023-54352
Critical

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access.

CVE-2026-11429
CriticalEPSS 63%

Two endpoints in the Vault Service ScriptsController accept file uploads where a user-supplied filename component is used to construct the destination path without validation. This allows arbitrary files to be written to any location writable by the service account.

CVE-2026-11423
Critical

A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames. An authenticated user can submit a collaboration message with a crafted filename, allowing arbitrary files to be read from the server filesystem.

CVE-2026-45779
CriticalEPSS 63%

Open XDMoD versions prior to 10.0.3 have an SQL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation does not require authentication or user interaction.

CVE-2026-45777
Critical

OpenXDMoD, an open framework for collecting and analyzing HPC metrics, has a vulnerability that allows an attacker to remotely execute arbitrary system commands on the web server. This affects versions 9.5.0 through 11.0.2 inclusive.

CVE-2026-45758
Critical

On May 11, 2026, a malicious version of the `guardrails-ai` package (0.10.1) was published on PyPI, potentially affecting users who installed it. Security researchers identified the malicious package within approximately 2 hours, and PyPI took action to quarantine it.

CVE-2026-11420
Critical

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server.

CVE-2026-11414
Critical

Altium Enterprise Server has a vulnerability related to the use of a hard-coded cryptographic key for signing file download URLs. This key is identical across all installations, allowing unauthenticated attackers to forge signatures and retrieve files from the Vault storage area without authentication.

CVE-2026-46496
Critical

HAX CMS, który zarządza mikrositami z backendami PHP lub NodeJs, ma podatność na przechowywane ataki XSS w wersjach przed 26.0.0. Problem wynika z niewłaściwego oczyszczania komponentu `<video-player>`, który pozwala na użycie URI `javascript:` w atrybucie `source`.

CVE-2026-46399
Critical

HAX CMS versions prior to 26.0.0 have an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands, leading to code execution on the HAX CMS server.

CVE-2026-46396
Critical

HAX CMS, which manages microsites with PHP or NodeJs backends, has a stored XSS vulnerability in versions prior to 26.0.0. The issue arises from improper sanitization of `<iframe>` elements, allowing execution of malicious JavaScript.

CVE-2026-46395
Critical

HAX CMS, który zarządza mikrositami z backendem PHP lub Node.js, przed wersją 26.0.0 zawierał krytyczne błędy w implementacji kryptograficznej w funkcji `hmacBase64()`. Te błędy pozwalały nieautoryzowanym atakującym na wydobycie prywatnego klucza podpisywania systemu oraz fałszowanie tokenów JWT, co umożliwiało pełny dostęp administracyjny za pomocą jednego żądania HTTP.

PreviousPage 48 of 556Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS