CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
SQL Injection vulnerability in the NVBUDashboard component of Quest NetVault Backup allows remote code execution. The flaw results from improper validation of user-supplied data before using it in SQL queries, enabling an attacker to execute code in the context of the NETWORK SERVICE account. Authentication is required but the existing authentication mechanism can be bypassed.
A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBULibrarySlot component. Authentication is required but can be bypassed. The flaw stems from improper validation of user-supplied data used in SQL queries.
A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBULibraryPort component. Authentication is required but can be bypassed.
SQL Injection vulnerability in the NVBURemovableMedia component of Quest NetVault Backup allows remote attackers to execute arbitrary code. The flaw stems from improper validation of user-supplied data before using it in SQL queries, and the existing authentication mechanism can be bypassed.
SQL Injection vulnerability in Quest NetVault Backup allows remote code execution. The flaw exists in the NVBUDeviceDrive component during JSON-RPC message processing, where lack of user input validation leads to SQL injection. Authentication is required but can be bypassed.
A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBURASDevice component. Authentication is required but can be bypassed.
A vulnerability in Quest NetVault Backup's addclient3 component allows an attacker to bypass authentication via script injection. User interaction is required, as the target must visit a malicious page or open a malicious file.
A vulnerability in Quest NetVault Backup allows remote code execution via SQL injection in the NVBUDashboard component. Authentication is required but can be bypassed. The issue stems from improper validation of user-supplied data before use in SQL queries.
A vulnerability in Quest NetVault Backup allows an attacker to bypass authentication via cross-site scripting (XSS) in the viewclient component. User interaction is required, as the target must visit a malicious page or open a malicious file.
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
A buffer overflow vulnerability in the gf_media_import function of GPAC/MP4Box before version 26.02.0 allows an attacker to cause a Denial of Service (DoS) by supplying a crafted input file.
A use-after-free vulnerability was found in the GPAC/MP4Box library before version 26.02.0 in the gf_filter_pid_inst_swap_delete_task function within filter_pid.c. An attacker can exploit this by supplying a crafted media file to cause a denial of service (DoS).
In ATEN Unizon, the updateWar method has an improper implementation of cryptographic signature verification. An authenticated remote attacker can exploit this vulnerability to execute arbitrary code in the context of SYSTEM.
A directory traversal vulnerability in the ImportDeviceList method of ATEN Unizon allows remote code execution. The issue stems from improper validation of a user-supplied path before using it in file operations. Authentication is required for exploitation.
A directory traversal vulnerability in the restoreDB method of ATEN Unizon allows remote code execution. The flaw is due to improper validation of a user-supplied path before using it in file operations. Authentication is required, but the attacker can execute code in the context of SYSTEM.
A Directory Traversal vulnerability in the writeFileToHttpServletResponse method in ATEN Unizon allows remote attackers to disclose sensitive information without authentication. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations.
The vulnerability allows remote code execution in Unraid via command injection in ToggleState.php. Authentication is required, and the issue stems from missing validation of user input before using it in a system call.
A vulnerability in the Unraid web server allows remote code execution via command injection in FileUpload.php. The flaw stems from insufficient validation of user-supplied data before use in a system call. Authentication is required, and an attacker can execute code as the www-data user.
In Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint endpoint requires authentication but does not perform authorization checks. Any authenticated user could deregister the workspace from Rocket.Chat Cloud, leading to data loss and requiring manual re-registration.
Vulnerability in Rocket.Chat's Apple Sign-In handler lacks JWT claims validation. An attacker who obtains a target user's Apple identity token (from server logs, intercepted sign-in flow, or another app sharing the same Apple developer team) can replay it to authenticate as that user with no expiration.

