CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The react-native-receive-sharing-intent library contains a path traversal vulnerability that allows a malicious app to write files outside the intended cache directory by supplying a crafted _display_name value with dot-dot path components. An attacker can send an ACTION_SEND intent to the exported share-receiver activity to overwrite arbitrary files in the app's private data directory, including databases, shared preferences, and cached configuration.
A vulnerability in Dapr Sentry allows a remote unauthenticated attacker to poison the OIDC discovery document via an unvalidated X-Forwarded-Host header. The attacker can cause relying parties to fetch JWKS from an attacker-controlled server, leading to acceptance of attacker-signed JWTs.
LobeChat before version 2.2.10-canary.18 contains a server-side request forgery (SSRF) vulnerability. An authenticated attacker can direct internal HTTP requests to arbitrary URLs by exploiting the skill import (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper.
Pathway through version 0.31.1 (fixed in commit d09722e) allows a remote unauthenticated attacker to cause a denial of service by sending a short glob pattern with many ** tokens to the /v1/retrieve, /v1/inputs, or /v2/answer HTTP endpoints. The recursive, non-memoized pattern matcher has exponential worst-case complexity, and with no length or **-count limit, a few requests can consume CPU for tens of seconds each.
In Weaviate before version 1.38.0, there is no verification that a principal assigning an RBAC role holds the permissions granted by that role. The assignRoleToUser and assignRoleToGroup handlers only authorize the ability to assign a role, not the permissions themselves, allowing a user with the delegated assign_and_revoke_users or assign_and_revoke_groups permission to assign the built-in admin role or any high-privilege custom role to themselves or others.
JuiceFS through version 1.3.1 contains an authentication bypass vulnerability. Unauthenticated remote attackers can access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can retrieve the process command line containing metadata engine connection strings with database credentials, gaining full read/write access to the filesystem metadata.
Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
The TinyPNG plugin for WordPress (versions up to 3.6.13) contains an arbitrary file deletion vulnerability exploitable by authenticated attackers with author-level access or higher. The issue stems from insufficient file path validation in the delete_converted_image_size function.
Eclipse Wakaama before snapshot/2026-05-26 has an unbounded memory allocation vulnerability in the CoAP Block1 handler in coap/block.c. An unauthenticated remote attacker can send a sequence of Block1 PUT requests with incrementing block numbers, causing repeated reallocation of an accumulation buffer without size limit, leading to server memory exhaustion.
A stored XSS vulnerability was found in the web management interface of Archer C5 v6.8 routers due to insufficient input validation and output encoding. An admin can inject malicious HTML/JS that executes when another admin views the affected page.
A vulnerability in the Erlang/OTP ssl application allows an unauthenticated attacker to permanently disrupt TLS 1.3 session ticket handling by sending a crafted ClientHello with mismatched PSK identity and binder lists. This crashes the session ticket handler process, making TLS 1.3 unusable on the affected listener until the ssl application is restarted.
A TOCTOU race condition in the Erlang/OTP ssl library's dtls_packet_demux module allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener by sending rapid ClientHello messages from the same source IP and port. The crash terminates the shared demux process, killing every DTLS association.
Craft CMS versions 5.7.0 through 5.9.20 contain a mass-assignment vulnerability in the bulk-duplicate element action. An attacker who can duplicate their own entries can submit an arbitrary id via the newAttributes parameter, leading to overwriting an existing victim entry.
Landray OA contains an unauthenticated HQL injection vulnerability that allows attackers to query Hibernate entities by injecting malicious HQL syntax into the uid parameter of the wechatLoginHelper.do endpoint. Lack of input sanitization in the filter expression passed to the Hibernate findList() method enables extraction of sensitive data like administrator password hashes and, with sufficient database privileges, file-write operations leading to remote code execution.
libzypp before version 17.38.12 contains a relative path traversal vulnerability in the "keyhint" option handled during repomd.xml parsing. Attackers able to supply a malicious repository can inject or overwrite files on the target system as root.
In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability allows an authenticated attacker with low privileges to send specially crafted requests, potentially leading to unauthorized access to application data and its modification.
In Progress Flowmon versions prior to 12.5.9 and 13.0.11, an authenticated low-privileged user may craft a request during PDF generation, resulting in operations performed with another user's privileges. This could lead to unauthorized access to sensitive data and unintended system configuration changes.
An Incorrect Authorization vulnerability in UniFi Network Application allows a malicious actor with network access to persist privileges after such access has been removed, under certain conditions.
An authenticated SQL Injection vulnerability in UniFi Protect Application allows an attacker with network access and low privileges to escalate privileges on the host device by injecting malicious SQL code.
A vulnerability in the UniFi Talk Application allows an attacker with network access and low privileges to escalate privileges through improper access control.