CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-54679
Medium

In jq prior to version 1.8.2, on 32-bit systems, the jvp_string_append function may experience integer overflow, leading to a massive buffer overrun.

CVE-2026-50573
Medium

In pnpm before versions 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting an integrity mismatch with pnpm-lock.yaml. Even though the package is locked with an integrity value and the registry returns different data, pnpm performs a resolution repair, updates the lockfile, and installs the new content, exiting successfully.

CVE-2026-50021
Medium

In pnpm before versions 10.34.0 and 11.4.0, the tarball extraction worker skips integrity verification when the integrity field is missing from pnpm-lock.yaml. An attacker can remove this field and serve altered package content, allowing installation of modified packages without integrity errors.

CVE-2026-50017
Medium

pnpm before versions 10.34.0 and 11.4.0 can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken, while the repository only sets registry= to a different registry URL. During normal pnpm workflows, the user's credentials are bound to the repository-selected registry and sent as an Authorization header.

CVE-2026-50014
Medium

A vulnerability in pnpm package manager before versions 10.34.0 and 11.4.0 allows an attacker to inject Git options into the git fetch command via a malicious lockfile. Lack of validation of the commit value in the lockfile enables substitution of the --upload-pack option, which for SSH and local transports can lead to arbitrary command execution.

CVE-2026-47770
Medium

The vulnerability in jq (versions prior to 1.8.2) allows a DoS attack via C stack exhaustion when comparing deeply nested arrays with the == operator. The issue stems from missing recursion guards in jvp_array_equal() and jv_equal() functions in src/jv.c.

CVE-2026-9799
Medium

A flaw was found in the Keycloak authorization component. An authenticated user with a UMA permission ticket for one resource can bypass per-resource access control for all resources of the same type on the resource server by using a specific permission request prefix. This vulnerability requires PERMISSIVE policy enforcement mode and ownerManagedAccess enabled for typed resources without explicit policies.

CVE-2026-9705
Medium

A flaw in Keycloak's client registration service allows a remote attacker with a previously issued Registration Access Token (RAT) to re-enable a client disabled by an administrator. The attacker can reset the client secret and potentially regain privileged API access.

CVE-2026-9083
Medium

A flaw was found in Keycloak where a realm administrator with the 'manage-realm' role can submit an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows probing of arbitrary filesystem paths to determine which files exist and are readable by the Keycloak process.

CVE-2026-55439
Medium

Halo is an open source website building tool. Prior to version 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem.

CVE-2026-55411
Medium

In ToolJet prior to version 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plaintext for any credential whose credential_id is supplied in the request body. Unlike other data endpoints, this handler is not protected by ValidateDataSourceGuard, does not receive the calling @User(), and the underlying CredentialsService.getValue() looks up the credential by id only, with no organization scoping.

CVE-2026-54573
Medium

Outline before version 1.8.0 contains a vulnerability where the AuthenticationHelper.canAccess function uses ctx.originalUrl without stripping the URL fragment (#), allowing an attacker to bypass API key scope restrictions and escalate privileges by appending a permitted path in the fragment.

CVE-2026-54448
Medium

Trivy before version 0.71.0, when scanning Helm chart archives (.tgz), uses a custom tar unpacker that reads each entry with io.ReadAll(tr) without size limit. An attacker can place a malicious .tgz file in the scanned path that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.

CVE-2026-54040
Medium

A vulnerability in LibreChat prior to 0.8.4-rc1 allows an attacker with a stolen session token to regenerate all 2FA backup codes without requiring any TOTP token or existing backup code. This enables bypassing 2FA login or disabling 2FA entirely.

CVE-2026-54037
Medium

A vulnerability in LibreChat prior to 0.8.4-rc1 allows an authenticated user to bypass rate limiters added for the /fork endpoint by using the /duplicate endpoint, which performs the same expensive database operations but lacks any rate limiter. This can lead to server resource exhaustion.

CVE-2026-54029
Medium

A vulnerability in LibreChat before version 0.8.4-rc1 allows any authenticated user to delete any other user's messages. The delete endpoint lacks a user constraint, enabling an attacker to use their own conversation ID and the victim's message ID to permanently remove messages.

CVE-2026-54027
Medium

Vulnerability in LibreChat before version 0.8.4-rc1 allows an authenticated user to upload files to any agent's tool resources (e.g., context, execute code) without verifying ownership or EDIT permission. The authorization bypass is possible by using the image endpoint instead of the file endpoint.

CVE-2026-54025
Medium

LibreChat prior to version 0.8.4-rc1 has a vulnerability due to missing HTML escaping of double-quote characters in image alt text in Markdown. An attacker can inject malicious HTML code that executes in the victim's browser.

CVE-2026-54024
Medium

A vulnerability in LibreChat before version 0.8.4-rc1 allows an authenticated user to upload arbitrarily large files via the conversation import endpoint, potentially exhausting server disk space and memory. The issue stems from missing file size limits in a separate multer instance for this endpoint and a disabled application-level size check by default.

CVE-2026-9718
Medium

A CWE-617 Reachable Assertion vulnerability allows an authenticated attacker to trigger a denial-of-service (DoS) condition by sending a specially crafted request to a vulnerable network-exposed service. This impacts system availability.

PreviousPage 52 of 531Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS