CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The vulnerability allows bypassing X.509 trust-chain validation in the wolfSSL_X509_verify_cert() function of wolfSSL compiled with --enable-opensslextra. When the application supplies untrusted intermediate certificates and the chain exceeds the maximum allowed depth (default 100), the validator accepts an attacker-controlled certificate without reaching a trusted anchor.
A flaw in Keycloak Policy Enforcer allows any authenticated user to bypass all authorization policies, including role, scope, and UMA permission checks. By including the configured access-denied page path within a request URL, as a path segment or query parameter, an attacker can gain unauthorized access to protected resources.
A missing authorization check in the Keycloak GroupResource.addChild() endpoint allows an authenticated user with limited admin privileges to reparent any group. With FGAPv2 enabled, an attacker can move a high-privilege group under their control.
A flaw was found in Keycloak allowing a remote attacker with administrative privileges (specifically those with `manage-client` permission or access to client registration endpoints) to bypass client URI validation. The attacker can register a malicious client with a crafted redirect URI using case-insensitive `javascript:` or `data:` schemes, leading to a Cross-Site Scripting (XSS) vulnerability.
Heap-based buffer overflow vulnerability in socat versions 1.8.0.0 through 1.8.1.1. The flaw occurs in the DOMAINNAME reply parser where the domain name length byte is read as a signed char, causing a negative value that is implicitly converted to size_t, resulting in an unbounded heap write into the 262-byte reply buffer.
In ToolJet prior to version 3.20.178-lts, there is an SSRF vulnerability in the RestAPI data source component. The private IP filter only checks the hostname string, allowing bypassing of security and theft of Azure managed identity tokens.
Trivy before version 0.71.1 uses the `org.opencontainers.image.title` annotation from the OCI artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a crafted annotation that resolves to a path outside the intended destination, causing Trivy to write the layer content to an arbitrary location on the host filesystem.
LibreChat before version 0.8.4-rc1 allows authenticated users to set a custom URL for OpenAI-compatible API endpoints. This URL is used to construct HTTP requests without any SSRF validation, enabling traffic to be directed to internal network addresses.
A vulnerability in LibreChat before version 0.8.5 allows a malicious MCP server to steal access tokens intended for a legitimate server. The MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL.
HTMLy CMS version 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint.
The IPv6 stack in Zephyr can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
An OS Command Injection vulnerability (CWE-78) in a network service allows unauthorized execution of commands with elevated privileges. The flaw is triggered when a privileged authenticated user interacts with the vulnerable service.
A CWE-476 NULL Pointer Dereference vulnerability could cause a denial-of-service condition, making the device's HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.
CVE-2026-9650 is a vulnerability related to insufficiently protected credentials, which may lead to unauthorized access and exposure of sensitive information. An attacker with physical access to the device could use these credentials to compromise it.
In Vim prior to version 9.2.0699, the Python omni-completion function executes reconstructed function and class definitions from the current buffer using exec(). During source reconstruction, each scope's docstring is inserted verbatim between triple quotes without escaping, allowing a malicious buffer to break out of the triple-quoted literal and execute attacker-controlled Python code during omni-completion.
In Vim before version 9.2.0698, the spell_soundfold_sofo() function in src/spell.c has a stack out-of-bounds write vulnerability. The copy loop does not check the bounds of the result buffer, allowing data to be written past the allocated stack memory when processing a word longer than MAXWLEN. This corrupts the call frame and crashes the editor.
In Vim prior to version 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!.
In Vim prior to version 9.2.0653, the tree_count_words() function in src/spellfile.c writes out-of-bounds on the stack when processing crafted .spl/.sug files. An attacker can exploit this vulnerability to crash the editor via stack buffer overflow.
3X-UI is a control panel for managing Xray-core servers. Prior to version 3.3.1, an authenticated administrator could abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database.
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. The issue arises from improper memory management, which can lead to memory corruption.

