CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
IBM Aspera High-Speed Transfer Endpoint w wersjach od 3.7.4 do 4.4.7 Fix Pack 1 oraz IBM Aspera High-Speed Transfer Server w tych samych wersjach są podatne na przepełnienie bufora w komponencie asperahttpd. Ta podatność może być wykorzystana do wywołania odmowy usługi oraz potencjalnie prowadzić do obejścia uwierzytelniania lub zdalnego wykonania kodu.
IBM Aspera HSTS for CP4I versions 1.5.1 through 1.5.19 is affected by an authentication bypass vulnerability. A transfer client may exploit this vulnerability to access files in the server's local storage that they should not have access to when specific restriction settings are not in place.
IBM Langflow OSS w wersjach od 1.0.0 do 1.9.1 może umożliwiać zdalne wykonanie kodu z powodu niewłaściwej walidacji linków symbolicznych podczas ekstrakcji archiwów.
A vulnerability has been identified in the Linux kernel within the rxe_rcv function, which improperly validates the packet length before calculating the payload size. An attacker could exploit this to trigger an underflow error, potentially leading to security issues.
In the Linux kernel, a potential integer overflow in the rxgk_extract_token() function when checking the length of the ticket has been fixed. Instead of rounding up the value to be tested, the size of the available data is rounded down.
A vulnerability related to the re-decryption of RESPONSE packets has been fixed in the Linux kernel. If a RESPONSE packet encounters a temporary failure during processing, it may end up in a partially decrypted state and be requeued for retry.
In the Linux kernel, a vulnerability was found in the smb2_open_file() function of the SMB client. Failing to zero out @err_iov and @err_buftype pointers before retrying SMB2_open() can lead to a use-after-free (UAF) or double free when @data is not NULL.
In the Linux kernel RDMA/iwcm subsystem, a vulnerability causes workqueue list corruption. The issue stems from the incorrect assumption that queue_work() would not enqueue work if already pending, while each free list entry is unique. This leads to processing multiple entries in a single run, freeing and reusing them, resulting in list corruption and kernel panic.
In Slican telephone exchanges, it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID, allowing them to bypass admin authentication and gain full access to the service protocol and configuration panel.
Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command.
CVE-2026-42761 describes an improper neutralization of special elements used in SQL commands, allowing for Blind SQL Injection in the Active Products Tables for WooCommerce plugin in versions from n/a to 1.0.9.
CVE-2026-42758 describes an incorrect privilege assignment vulnerability in WebinarIgnition that allows privilege escalation. This issue affects WebinarIgnition from n/a through below 4.08.253.
CVE-2026-42757 describes an improper limitation of a pathname to a restricted directory, leading to a 'Path Traversal' vulnerability in the WebinarIgnition application. This issue affects versions from n/a to below 4.08.253.
The 'Path Traversal' vulnerability in Ludwig You QuickWebP has an improper limitation of a pathname to a restricted directory, allowing unauthorized access to files. This issue affects QuickWebP versions from n/a through 3.2.7.
CVE-2026-42755 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in RealMag777 TableOn versions from n/a to 1.0.5.1.
The vulnerability in WPify Woo Czech allows unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This issue affects WPify Woo Czech from n/a through 5.4.1.
CVE-2026-42747 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in Easy Form Builder. This issue affects versions from n/a through 4.0.6.
CVE-2026-42740 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in the Tainacan system. This issue affects Tainacan versions from n/a through 1.0.3.
CVE-2026-42731 describes an incorrect privilege assignment vulnerability in miniOrange OTP Verification that allows privilege escalation. This issue affects versions from n/a through 5.4.9 inclusive.
CVE-2026-42727 describes an improper neutralization of special elements used in SQL commands, allowing for Blind SQL Injection in the Active Products Tables for WooCommerce plugin in versions from n/a to 1.0.8.

