CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-9786
High

SQL Injection vulnerability in the NVBUDashboard component of Quest NetVault Backup allows remote code execution. The flaw results from improper validation of user-supplied data before using it in SQL queries, enabling an attacker to execute code in the context of the NETWORK SERVICE account. Authentication is required but the existing authentication mechanism can be bypassed.

CVE-2026-9785
High

A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBULibrarySlot component. Authentication is required but can be bypassed. The flaw stems from improper validation of user-supplied data used in SQL queries.

CVE-2026-9784
High

A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBULibraryPort component. Authentication is required but can be bypassed.

CVE-2026-9783
High

SQL Injection vulnerability in the NVBURemovableMedia component of Quest NetVault Backup allows remote attackers to execute arbitrary code. The flaw stems from improper validation of user-supplied data before using it in SQL queries, and the existing authentication mechanism can be bypassed.

CVE-2026-9782
High

SQL Injection vulnerability in Quest NetVault Backup allows remote code execution. The flaw exists in the NVBUDeviceDrive component during JSON-RPC message processing, where lack of user input validation leads to SQL injection. Authentication is required but can be bypassed.

CVE-2026-9781
High

A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBURASDevice component. Authentication is required but can be bypassed.

CVE-2026-9780
High

A vulnerability in Quest NetVault Backup's addclient3 component allows an attacker to bypass authentication via script injection. User interaction is required, as the target must visit a malicious page or open a malicious file.

CVE-2026-7570
High

A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBUDashboard component. Authentication is required but can be bypassed. The issue stems from improper validation of user-supplied data before use in SQL queries.

CVE-2026-7569
High

A vulnerability in Quest NetVault Backup allows an attacker to bypass authentication via cross-site scripting (XSS) in the viewclient component. User interaction is required, as the target must visit a malicious page or open a malicious file.

CVE-2026-39951
High

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.

CVE-2025-60474
High

A buffer overflow vulnerability in the gf_media_import function of GPAC/MP4Box before version 26.02.0 allows an attacker to cause a Denial of Service (DoS) by supplying a crafted input file.

CVE-2025-60467
High

A use-after-free vulnerability was found in the GPAC/MP4Box library before version 26.02.0 in the gf_filter_pid_inst_swap_delete_task function within filter_pid.c. An attacker can exploit this by supplying a crafted media file to cause a denial of service (DoS).

CVE-2026-9779
High

In ATEN Unizon, the updateWar method has an improper implementation of cryptographic signature verification. An authenticated remote attacker can exploit this vulnerability to execute arbitrary code in the context of SYSTEM.

CVE-2026-9778
HighEPSS 71%

A directory traversal vulnerability in the ImportDeviceList method of ATEN Unizon allows remote code execution. The issue stems from improper validation of a user-supplied path before using it in file operations. Authentication is required for exploitation.

CVE-2026-9777
HighEPSS 71%

A directory traversal vulnerability in the restoreDB method of ATEN Unizon allows remote code execution. The flaw is due to improper validation of a user-supplied path before using it in file operations. Authentication is required, but the attacker can execute code in the context of SYSTEM.

CVE-2026-9776
HighEPSS 72%

A Directory Traversal vulnerability in the writeFileToHttpServletResponse method in ATEN Unizon allows remote attackers to disclose sensitive information without authentication. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations.

CVE-2026-9773
HighEPSS 62%

The vulnerability allows remote code execution in Unraid via command injection in ToggleState.php. Authentication is required, and the issue stems from missing validation of user input before using it in a system call.

CVE-2026-9772
HighEPSS 62%

A vulnerability in the Unraid web server allows remote code execution via command injection in FileUpload.php. The flaw stems from insufficient validation of user-supplied data before use in a system call. Authentication is required, and an attacker can execute code as the www-data user.

CVE-2026-55762
High

In Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint endpoint requires authentication but does not perform authorization checks. Any authenticated user could deregister the workspace from Rocket.Chat Cloud, leading to data loss and requiring manual re-registration.

CVE-2026-55759
High

Vulnerability in Rocket.Chat's Apple Sign-In handler lacks JWT claims validation. An attacker who obtains a target user's Apple identity token (from server logs, intercepted sign-in flow, or another app sharing the same Apple developer team) can replay it to authenticate as that user with no expiration.

PreviousPage 63 of 3344Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS