CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In dotCMS Core versions 25.11.04-1 through 26.04.28-02, there is an SQL Injection vulnerability in the Publish Audit API endpoints, allowing remote unauthenticated attackers to read, modify, or destroy arbitrary database content.
Access control failure allows unauthorized users to access system data, including viewing and modifying configuration information.
W podatności CVE-2025-12686 występuje błąd przepełnienia bufora w AdminCenter systemu operacyjnego Synology BeeStation przed wersją 1.3.2-65648. Umożliwia on zdalnym atakującym wykonanie dowolnego kodu poprzez nieokreślone wektory.
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 1.6. This is due to an incomplete fix for CVE-2024-11178, allowing attackers to brute-force the 6-digit OTP without a time limit.
A vulnerability in the HTTP::Daemon library for Perl before version 6.17 allows OS command injection via the send_file() function. The function opens its argument using Perl's 2-arg open(), which interprets magic prefixes like '| cmd' as a pipe to a subprocess, enabling arbitrary command execution.
Dozzle to narzędzie do podglądu logów w czasie rzeczywistym dla kontenerów Docker. W wersjach przed 10.5.2, mechanizm aktualizacji WebSocket dla punktów końcowych /exec i /attach akceptował żądania z dowolnego źródła, co prowadziło do możliwości przejęcia WebSocketów (CSWSH) przy użyciu ważnych ciasteczek JWT.
Serwer GitLab MCP pozwala agentowi AI na bezpośrednią komunikację z GitLabem. W wersjach przed 0.6.0 transport HTTP nie zawierał warstwy uwierzytelniającej oraz miał wildcard Access-Control-Allow-Origin: * w każdej odpowiedzi, co stwarzało poważne luki w zabezpieczeniach.
Lumiverse is an AI chat application that prior to version 0.9.7 had a component override system that could be bypassed. Users could supply TSX code that was processed and could access dangerous global objects like fetch and window.
Lumiverse is an AI chat application that prior to version 0.9.7 had a vulnerability in the MCP server creation endpoint. The command field was validated, but the args array passed to the child process was not verified, allowing logged-in users to execute arbitrary OS-level code.
In the Lumiverse application prior to version 0.9.7, there is a vulnerability that allows arbitrary command execution on the Lumiverse server. The issue arises from a lack of validation in the toSmbPath method, enabling the injection of malicious commands through improperly formatted filenames.
Lumiverse is an AI chat application that prior to version 0.9.7 had a vulnerability in the Spindle extension. The execution of 'bun install' without the --ignore-scripts flag allows malicious extensions to execute code at the host level when an admin installs it.
FastNetMon Community Edition up to version 1.2.9 contains a heap-based buffer overflow in the dynamic_binary_buffer_t class, allowing writing one byte past the end of the buffer. This flaw occurs in five methods that incorrectly check buffer bounds.
IBM Engineering Lifecycle Management w wersjach 7.0.3, 7.1.0 i 7.2.0 może umożliwić nieautoryzowanemu zdalnemu atakującemu aktualizację plików konfiguracyjnych serwera, co pozwala na uzyskanie nieautoryzowanego dostępu do aplikacji.
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service and potential remote code execution due to improper input validation.
Web Server Plug-ins for IBM WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0 are vulnerable to remote code execution through a specially crafted request.
Eppendorf BioFlo 320 jest podatny na atak z powodu serwera VNC używającego twardo zakodowanego hasła. Zdalny atakujący, znając adres sieciowy dowolnego modelu BioFlo 320 z włączonym zdalnym dostępem, może uzyskać pełną kontrolę nad interfejsem użytkownika, wykorzystując to hasło.
Kavita is a cross-platform reading server. Prior to version 0.9.0.2, an improper token validation flaw allowed a remote and unauthenticated threat actor to request a JWT for any user, including admins, if they knew the username.
In the Twenty CRM system, versions from 1.7.7 to 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. A superuser PostgreSQL account can allow any authenticated user to execute arbitrary OS commands on the database server.
FACTION is a framework for generating penetration testing reports. In versions prior to 1.8.3, AccessControlInterceptor did not validate session validity, allowing unauthorized attackers to access templates in the system.
An improper access check allows privilege escalation through the com_users group editing webservice endpoint.

