CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
On May 11, 2026, a malicious version of the `guardrails-ai` package (0.10.1) was published on PyPI, potentially affecting users who installed it. Security researchers identified the malicious package within approximately 2 hours, and PyPI took action to quarantine it.
Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server.
Altium Enterprise Server has a vulnerability related to the use of a hard-coded cryptographic key for signing file download URLs. This key is identical across all installations, allowing unauthenticated attackers to forge signatures and retrieve files from the Vault storage area without authentication.
HAX CMS, który zarządza mikrositami z backendami PHP lub NodeJs, ma podatność na przechowywane ataki XSS w wersjach przed 26.0.0. Problem wynika z niewłaściwego oczyszczania komponentu `<video-player>`, który pozwala na użycie URI `javascript:` w atrybucie `source`.
HAX CMS versions prior to 26.0.0 have an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands, leading to code execution on the HAX CMS server.
HAX CMS, which manages microsites with PHP or NodeJs backends, has a stored XSS vulnerability in versions prior to 26.0.0. The issue arises from improper sanitization of `<iframe>` elements, allowing execution of malicious JavaScript.
HAX CMS, który zarządza mikrositami z backendem PHP lub Node.js, przed wersją 26.0.0 zawierał krytyczne błędy w implementacji kryptograficznej w funkcji `hmacBase64()`. Te błędy pozwalały nieautoryzowanym atakującym na wydobycie prywatnego klucza podpisywania systemu oraz fałszowanie tokenów JWT, co umożliwiało pełny dostęp administracyjny za pomocą jednego żądania HTTP.
In versions 0.11.0 through 0.26.0, there is a logic error in the `client-kubernetes-secret` Keycloak client authenticator that allows an attacker to overwrite the `client_secret` with the mounted Kubernetes secret. This enables authentication as that client with any `client_secret` value and obtaining OAuth2 tokens.
Wtyczka Hippoo Mobile App dla WooCommerce w WordPressie jest podatna na obejście uwierzytelnienia, co prowadzi do przejęcia konta administratora we wszystkich wersjach do i włącznie z 1.9.4. Problem wynika z błędu logicznego w funkcji HippooPermissions::get_user_permissions(), która zwraca ten sam null dla administratorów i niezautoryzowanych użytkowników.
Termix is a server management platform that prior to version 2.3.2 had a vulnerability in the File Manager component where the path parameter was unsafely processed. This allowed malicious users to execute shell commands over an active SSH session.
Termix is a web-based server management platform that prior to version 2.3.2 had a vulnerability in the `POST /ssh/tunnel/connect` endpoint. This vulnerability allowed OS command injection through user-controlled fields being interpolated directly into a shell command.
Termix is a server management platform that prior to version 2.3.2 contained a critical Broken Access Control vulnerability in the File Manager functionality. The issue stemmed from improper validation of the sessionId parameter, allowing an attacker to access other users' File Manager sessions.
Termix is a web-based server management platform that was vulnerable to OS command injection in the GET /ssh/file_manager/ssh/resolvePath endpoint prior to version 2.3.2. This allows authenticated users to execute arbitrary commands on the connected remote host.
An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.
NetMan 204 nie wymusza uwierzytelniania na swoich stronach administracyjnych i punktach końcowych komend. Zdalny, nieautoryzowany atakujący może bezpośrednio żądać stron administracyjnych, co prowadzi do ujawnienia wrażliwych informacji oraz możliwości wywołania uprzywilejowanych komend kontrolnych UPS.
NetMan 204 zawiera twardo zakodowane konto backdoor z nazwą użytkownika i hasłem 'eurek', które przyznaje dostęp administracyjny. Zdalny, nieautoryzowany atakujący może uwierzytelnić się przez punkt końcowy cgi-bin/login.cgi, co pozwala na uzyskanie uprawnień administratora.
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections due to improper input sanitization. The send_stats method does not remove newlines from metric names, allowing attackers to change the metric name prefix.
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. The format_event method does not validate the content of the tags, allowing data injection from untrusted sources.
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders but only allocates three characters per binder in the buffer.
The Redline WR3200 system has a vulnerability related to improper authentication that allows access to functionality not properly constrained by access control lists (ACLs). This issue affects versions from 7.1.3 before 7.1.8.

