CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-56151
Medium

CVE-2026-56151 in Kibana is an improper input validation vulnerability (CWE-20) that allows an authenticated user to submit a specially crafted Fleet policy input, causing a denial of service (DoS) via input data manipulation (CAPEC-153). This attack renders Fleet agent, server, and policy management functionality unavailable.

CVE-2026-56150
Medium

A CWE-770 vulnerability in Fleet Server allows an attacker to send a specially crafted request to an upload endpoint, causing excessive memory consumption and potentially leading to a denial of service (DoS).

CVE-2026-56149
Medium

CWE-770 vulnerability in Elasticsearch allows a denial of service via excessive memory allocation. A privileged user can submit a crafted machine learning request, causing resource exhaustion and node unavailability.

CVE-2026-56148
Medium

CVE-2026-56148 in Elasticsearch involves uncontrolled recursion leading to denial of service. An authenticated user can submit a specially crafted query causing excessive resource consumption during processing, potentially rendering the affected node unavailable.

CVE-2026-54399
High

An uncontrolled resource consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.

CVE-2026-49088
Medium

CVE-2026-49088 in Kibana allows insertion of sensitive information into log files. When optional APM instrumentation is enabled, sensitive request header values may be recorded in application logs.

CVE-2026-49087
Medium

CWE-770 vulnerability in Kibana allows a denial of service via excessive resource allocation. An authenticated attacker can send a crafted bulk deletion request, exhausting resources and making Kibana unavailable.

CVE-2026-34117
Critical

The vulnerability in the Guardian language-system passes the 'id' GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization. No authentication is required, allowing an unauthenticated remote attacker to append shell metacharacters and execute arbitrary OS commands on the server.

CVE-2026-34116
Critical

The vulnerability in the Guardian language system passes the 'id' GET parameter directly into a PHP exec() call in transcribe.php without sanitization. An unauthenticated attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-34115
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter passed to the PHP exec() function in transcribe_amazon.php.

CVE-2026-34114
Critical

A vulnerability in the Guardian language system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in translate_text.php. The lack of input validation and direct use of the parameter in an exec() call enables exploitation without authentication.

CVE-2026-34113
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in speech_text.php.

CVE-2026-34112
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter in speechmac.php.

CVE-2026-34111
Critical

A vulnerability in the Guardian language-system allows an unauthenticated attacker to execute arbitrary OS commands remotely by injecting shell metacharacters into the id parameter, which is passed unsanitized to the PHP exec() function in speechmac_text.php.

CVE-2026-34110
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the 'id' parameter, which is passed unsanitized to the PHP exec() function in complex_start.php.

CVE-2026-34109
Critical

The vulnerability in the Guardian language system involves passing the 'id' GET parameter directly into a PHP exec() call in speech.php without sanitization. An unauthenticated attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-34108
Critical

A vulnerability in the Guardian language-system allows an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the id parameter passed to the exec() function in text.php.

CVE-2026-34107
Critical

The vulnerability in the Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-34106
Critical

The vulnerability in the Guardian language-system directly passes the id GET parameter into a PHP exec() call in subtitles.php without sanitization. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.

CVE-2026-34105
Critical

An SQL injection vulnerability in the Guardian language-system component allows an authenticated attacker to inject malicious SQL code via the 'id' parameter in translate_text.php. Lack of input sanitization enables error-based SQL injection to extract database contents.

PreviousPage 60 of 4524Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS