CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
An inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
A DoS vulnerability in Tapo C200 v3 camera stems from improper handling of fragmented IPv4 packets. An unauthenticated adjacent attacker can send crafted packets causing excessive resource consumption and device instability.
A use-after-free vulnerability was found in the GPAC/MP4Box library before version 26.02.0 in the gf_filter_pid_reconfigure_task_discard function in filter_pid.c. An attacker can cause a Denial of Service (DoS) by supplying a crafted media file.
Warp is a development environment that from versions 0.2021.04.25.23.05.stable_00 to 0.2026.05.06.15.42.stable_01 accepted unverified terminal lifecycle hooks from the PTY stream. An attacker could spoof selected lifecycle metadata, potentially exposing sensitive information.
The AnythingLLM application prior to version 1.13.0 on Windows allowed the use of an encoded absolute path to the documents folder, potentially leading to access to files outside the intended documents directory.
A vulnerability in Docling from version 2.73.0 to 2.91.0 allows attackers to read arbitrary files from the file system via crafted LaTeX documents. Lack of path validation in \includegraphics, \input, and \include commands enables path traversal sequences, potentially leading to sensitive data exposure.
In concurrent-ruby up to version 1.3.6, a vulnerability allows incorrect granting of a write lock after one thread acquires the read lock 32,768 times. The lock stores thread-local read and write hold counts in one integer, where the low 15 bits are for read count and bit 15 is for WRITE_LOCK_HELD. After exceeding this threshold, the read count overflows into the write-lock bit, causing try_write_lock to incorrectly return true without setting the global RUNNING_WRITER bit.
In the Linux kernel, the DRBD driver has an RCU call imbalance in drbd_adm_dump_devices(). The function calls rcu_read_unlock() without a preceding rcu_read_lock(), which can lead to incorrect RCU behavior.
In the Linux kernel, a vulnerability in the dm log module allows an out-of-bounds write due to a 32-bit unsigned int overflow in region_count when using dm_sector_div_up() which returns 64-bit sector_t. This results in undersized heap buffers and subsequent heap memory corruption.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.
A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document, leading to script execution when users open the affected Auto Repeat form.

