CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-45687
High

A vulnerability in Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 allows an attacker to modify any field in their own upload record. This occurs because the sendFileMessage DDP method passes the entire file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign without an allow-list of writable fields.

CVE-2026-45677
High

Rocket.Chat prior to version 8.5.0 does not verify the signature on LogoutRequest messages in SAML integration. An unauthorized attacker can craft a fake logout request, leading to the immediate termination of the victim's session.

CVE-2026-33235
High

AutoGPT, a workflow automation platform, has a Denial of Service (DoS) vulnerability in versions prior to 0.6.52. The Fill Text Template block does not limit the computational complexity or execution time of expressions, allowing an attacker to input computationally expensive Python/Jinja2 expressions, leading to system hang or crash.

CVE-2026-25119
HighEPSS 54%

Gogs is an open source Git service that prior to version 0.14.3 accepted the authentication header without verifying that the request came from a trusted reverse proxy. This allowed attackers to impersonate users or trigger automatic account creation.

CVE-2026-1840
High

The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness allows attackers to modify configuration settings and trigger system restarts without restriction.

CVE-2026-13201
High

A flaw in KubeVirt's safepath package, used by virt-handler, was found in the OpenAtNoFollow function. It uses O_PATH|O_NOFOLLOW to obtain a file descriptor, but subsequent operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, bypassing the intended no-follow protection.

CVE-2026-11998
High

A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs, potentially leading to arbitrary JavaScript execution within the victim's browser session.

CVE-2026-55583
High

Twenty is an open-source CRM platform that was vulnerable to an insecure direct object reference (IDOR) in the AI agent monitor prior to version 2.9.0. As a result of this vulnerability, an authenticated user could access another user's full chat history on the same instance using the victim's agentId or turnId.

CVE-2026-47389
High

Mastodon prior to versions 4.5.10, 4.4.17, and 4.3.23 has a vulnerability that allows incorrect recognition of IPv4-mapped IPv6 addresses, potentially leading to TCP connections to private IPv4 addresses. Attackers can exploit this vulnerability by publishing appropriate DNS records.

CVE-2026-46348
High

Mastodon, a social network server based on ActivityPub, prior to versions 4.5.10, 4.4.17, and 4.3.23, had a vulnerability in the list of disallowed IP address ranges, allowing attackers to make HTTP requests to loopback interfaces. This could lead to unauthorized access to private resources and services.

CVE-2026-27708
High

FOSSBilling versions 0.7.2 and prior have a vulnerability in the API that allows authenticated clients to access other clients' data by guessing order IDs. The __call method in the API does not verify if the client owns the order, potentially leading to data exposure.

CVE-2026-23879
High

The py7zr library, used for compressing and decompressing 7zip archives, contains an arbitrary file write vulnerability in versions 1.1.2 and below. This allows attackers to create malicious archives that can restore symbolic links to arbitrary directories in the file system.

CVE-2026-53950
High

The ActivityPub client in the Ghost application was vulnerable to JavaScript injection on posts shared by a maliciously customized ActivityPub server prior to version 3.1.0. This vulnerability has been fixed in version 3.1.0.

CVE-2026-49247
High

Vulnerability in Jellyfin from version 10.9.0 to 10.11.9 allows authenticated non-admin users to write arbitrary files on the server by manipulating the Client field in the Authorization header. An attacker can use ../ sequences in this field to overwrite files in any location accessible to the Jellyfin service user, with a forced .log extension.

CVE-2026-48793
High

A vulnerability in Jellyfin before version 10.11.10 allows FFmpeg argument injection via a specially crafted subtitle filename. An unauthenticated attacker can exploit the lack of path normalization in SubtitleEncoder, leading to arbitrary file write on the server and information disclosure.

CVE-2026-13038
High

Use after free in Autofill in Google Chrome on Windows prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

CVE-2026-13037
High

Use after free in WebView in Google Chrome on Android prior to version 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CVE-2026-13036
High

Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CVE-2026-13035
High

Use after free in Bluetooth in Google Chrome on Mac prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral.

CVE-2026-13033
High

In Google Chrome prior to version 149.0.7827.197, there was an out of bounds read and write vulnerability in Blink>InterestGroups, allowing a remote attacker to execute arbitrary code via a crafted HTML page.

PreviousPage 54 of 3327Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS