CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-8054
Critical

In dotCMS Core versions 25.11.04-1 through 26.04.28-02, there is an SQL Injection vulnerability in the Publish Audit API endpoints, allowing remote unauthenticated attackers to read, modify, or destroy arbitrary database content.

CVE-2026-49002
Critical

Access control failure allows unauthorized users to access system data, including viewing and modifying configuration information.

CVE-2025-12686
Critical

W podatności CVE-2025-12686 występuje błąd przepełnienia bufora w AdminCenter systemu operacyjnego Synology BeeStation przed wersją 1.3.2-65648. Umożliwia on zdalnym atakującym wykonanie dowolnego kodu poprzez nieokreślone wektory.

CVE-2026-8760
Critical

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 1.6. This is due to an incomplete fix for CVE-2024-11178, allowing attackers to brute-force the 6-digit OTP without a time limit.

CVE-2026-8450
CriticalEPSS 65%

A vulnerability in the HTTP::Daemon library for Perl before version 6.17 allows OS command injection via the send_file() function. The function opens its argument using Perl's 2-arg open(), which interprets magic prefixes like '| cmd' as a pipe to a subprocess, enabling arbitrary command execution.

CVE-2026-44985
Critical

Dozzle to narzędzie do podglądu logów w czasie rzeczywistym dla kontenerów Docker. W wersjach przed 10.5.2, mechanizm aktualizacji WebSocket dla punktów końcowych /exec i /attach akceptował żądania z dowolnego źródła, co prowadziło do możliwości przejęcia WebSocketów (CSWSH) przy użyciu ważnych ciasteczek JWT.

CVE-2026-44895
Critical

Serwer GitLab MCP pozwala agentowi AI na bezpośrednią komunikację z GitLabem. W wersjach przed 0.6.0 transport HTTP nie zawierał warstwy uwierzytelniającej oraz miał wildcard Access-Control-Allow-Origin: * w każdej odpowiedzi, co stwarzało poważne luki w zabezpieczeniach.

CVE-2026-44451
Critical

Lumiverse is an AI chat application that prior to version 0.9.7 had a component override system that could be bypassed. Users could supply TSX code that was processed and could access dangerous global objects like fetch and window.

CVE-2026-44450
Critical

Lumiverse is an AI chat application that prior to version 0.9.7 had a vulnerability in the MCP server creation endpoint. The command field was validated, but the args array passed to the child process was not verified, allowing logged-in users to execute arbitrary OS-level code.

CVE-2026-44449
Critical

In the Lumiverse application prior to version 0.9.7, there is a vulnerability that allows arbitrary command execution on the Lumiverse server. The issue arises from a lack of validation in the toSmbPath method, enabling the injection of malicious commands through improperly formatted filenames.

CVE-2026-44444
Critical

Lumiverse is an AI chat application that prior to version 0.9.7 had a vulnerability in the Spindle extension. The execution of 'bun install' without the --ignore-scripts flag allows malicious extensions to execute code at the host level when an admin installs it.

CVE-2026-48689
Critical

FastNetMon Community Edition up to version 1.2.9 contains a heap-based buffer overflow in the dynamic_binary_buffer_t class, allowing writing one byte past the end of the buffer. This flaw occurs in five methods that incorrectly check buffer bounds.

CVE-2026-3660
Critical

IBM Engineering Lifecycle Management w wersjach 7.0.3, 7.1.0 i 7.2.0 może umożliwić nieautoryzowanemu zdalnemu atakującemu aktualizację plików konfiguracyjnych serwera, co pozwala na uzyskanie nieautoryzowanego dostępu do aplikacji.

CVE-2026-9170
Critical

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service and potential remote code execution due to improper input validation.

CVE-2026-8633
Critical

Web Server Plug-ins for IBM WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0 are vulnerable to remote code execution through a specially crafted request.

CVE-2026-7251
Critical

Eppendorf BioFlo 320 jest podatny na atak z powodu serwera VNC używającego twardo zakodowanego hasła. Zdalny atakujący, znając adres sieciowy dowolnego modelu BioFlo 320 z włączonym zdalnym dostępem, może uzyskać pełną kontrolę nad interfejsem użytkownika, wykorzystując to hasło.

CVE-2026-47202
Critical

Kavita is a cross-platform reading server. Prior to version 0.9.0.2, an improper token validation flaw allowed a remote and unauthenticated threat actor to request a JWT for any user, including admins, if they knew the username.

CVE-2026-46624
Critical

In the Twenty CRM system, versions from 1.7.7 to 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. A superuser PostgreSQL account can allow any authenticated user to execute arbitrary OS commands on the database server.

CVE-2026-44668
Critical

FACTION is a framework for generating penetration testing reports. In versions prior to 1.8.3, AccessControlInterceptor did not validate session validity, allowing unauthorized attackers to access templates in the system.

CVE-2026-48904
Critical

An improper access check allows privilege escalation through the com_users group editing webservice endpoint.

PreviousPage 64 of 557Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS