CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-49278
Medium

In the visitors.info endpoint of Rocket.Chat, a token is returned in the API response. There is no legitimate use case for the token to be present in the response, and its exposure poses a security risk. The vulnerability is fixed in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

CVE-2026-47733
Medium

In versions prior to 8.5.0, the ImageElement component in Rocket.Chat renders user-controlled src values without protocol sanitization. This allows for the insertion of a malicious URL with the javascript: protocol, potentially executing arbitrary JavaScript in the user's session.

CVE-2026-32315
MediumEPSS 85%

motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions, making it readable by any local user on the system, leading to the exposure of sensitive data including the admin password.

CVE-2026-31978
Medium

motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, allowing an authenticated user to read arbitrary files from the filesystem.

CVE-2026-13208
Medium

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers.

CVE-2025-64719
Medium

In Gogs before version 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition. Pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki.

CVE-2026-48028
Medium

Prior to versions 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures did not adequately protect against a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from third-party actors.

CVE-2026-46349
Medium

Mastodon, a social network server based on ActivityPub, prior to versions 4.5.10, 4.4.17, and 4.3.23, improperly normalized incoming activities signed with Linked-Data Signatures, allowing attackers to manipulate valid signed JSON-LD activities from third-party actors.

CVE-2026-53949
Medium

In the Ghost content management system, from version 5.46.1 to 6.21.2, the validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields via a brute force attack. If SQLite was used, password hashes were fully accessible, while in the case of MySQL, the case of the password hashes was lost, potentially rendering further brute force attacks ineffective.

CVE-2026-53948
Medium

Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served with an attacker-chosen content type from S3/GCS storage backends.

CVE-2026-53947
Medium

A vulnerability in the Ghost content management system (versions 5.18.0 through 6.21.1) allows an unauthenticated attacker to determine whether a given email address belongs to a registered member. The issue stems from discrepancies in responses from the members signin endpoints.

CVE-2026-53946
Medium

Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, when re-rendering posts, Ghost could send HTTP requests to unauthorized image hosts, posing a security risk.

CVE-2026-53945
Medium

Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks.

CVE-2026-53944
Medium

Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, it is possible to bypass the IP filter when making an external request, allowing it to target an internal service using an IPv6 literal that maps to a private IPv4 address.

CVE-2026-49220
Medium

Jellyfin, an open-source media server, prior to version 10.11.9, had a potential XSS vulnerability that allowed a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user. The attack could occur through the Client header during AuthenticateByName.

CVE-2026-13034
Medium

Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2026-13030
Medium

Uninitialized use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-13024
Medium

Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2026-13023
Medium

Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-13022
Medium

An inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

PreviousPage 50 of 522Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS