CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Funkcje resetowania hasła i nazwy użytkownika generowały zwykłe linki http dla połączeń https, jeśli flaga 'Force SSL' nie była wyraźnie ustawiona. Może to prowadzić do nieautoryzowanego dostępu do kont użytkowników.
An improper access check allows privilege escalation through the com_users batch task.
An improper access check allows privilege escalation through the com_users batch task.
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. The get_attributes() function computes attribute_length, leading to silent truncation when the AS_PATH contains more than 63 ASNs, resulting in a heap buffer overflow.
Algernon is a small self-contained pure-Go web server. Prior to version 1.17.7, when the server receives a URL request that resolves to a directory without an index file, it searches upward through parent directories for a handler.lua file, potentially leading to remote code execution.
Improper validation of user-supplied input leads to a local file inclusion vulnerability.
Improper access check allows unauthorized access to com_config webservice endpoints.
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allows remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.
FastNetMon Community Edition up to version 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in fastnetmon_juniper.php constructs shell commands by concatenating the $msg parameter directly into exec() calls.
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI decoder. The function decode_bgp_subnet_encoding_ipv4_raw() does not validate the prefix length, leading to potential arbitrary code execution.
A flaw in the Samba printing subsystem allows a remote attacker to execute code by sending a specially crafted print job description. The description is passed to the command configured in the "print command" setting without proper escaping of shell special characters.
Mirasvit Full Page Cache Warmer dla Magento 2 przed wersją 1.11.12 zawiera podatność na wstrzykiwanie obiektów PHP, która pozwala nieautoryzowanym atakującym na zdalne wykonanie kodu poprzez dostarczenie spreparowanego zserializowanego obiektu PHP w ciasteczku CacheWarmer. Wykorzystanie nieograniczonego wywołania funkcji PHP unserialize() w połączeniu z łańcuchami gadżetów dostępnymi w Magento i jego zależnościach umożliwia wykonanie dowolnego kodu na serwerze.
A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305, affecting the setPasswordCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulation of the admpass argument leads to OS command injection.
A flaw in KubeVirt's virt-handler component allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's CRI-O socket, the attacker can hijack virt-handler's privileged connection, gaining access to any Unix socket on the host, potentially leading to full node and cluster compromise.
Vulnerability in Archive::Tar for Perl before version 3.08 allows extraction of symbolic links pointing to arbitrary paths outside the target directory. The _make_special_file() function does not validate the symlink target path, enabling attackers to overwrite files outside the extraction directory.
CVE-2026-42774 describes an improper neutralization of special elements used in SQL commands, allowing SQL Injection in Crocoblock JetEngine.
CVE-2026-42773 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in eMagicOne Store Manager.
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the setParentalRules function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulating the enable argument can lead to OS command injection.

