CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Rocket.Chat prior to version 8.5.0 does not verify the signature on LogoutRequest messages in SAML integration. An unauthorized attacker can craft a fake logout request, leading to the immediate termination of the victim's session.
AutoGPT, a workflow automation platform, has a Denial of Service (DoS) vulnerability in versions prior to 0.6.52. The Fill Text Template block does not limit the computational complexity or execution time of expressions, allowing an attacker to input computationally expensive Python/Jinja2 expressions, leading to system hang or crash.
Gogs is an open source Git service that prior to version 0.14.3 accepted the authentication header without verifying that the request came from a trusted reverse proxy. This allowed attackers to impersonate users or trigger automatic account creation.
The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness allows attackers to modify configuration settings and trigger system restarts without restriction.
A flaw in KubeVirt's safepath package, used by virt-handler, was found in the OpenAtNoFollow function. It uses O_PATH|O_NOFOLLOW to obtain a file descriptor, but subsequent operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, bypassing the intended no-follow protection.
A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs, potentially leading to arbitrary JavaScript execution within the victim's browser session.
Twenty is an open-source CRM platform that was vulnerable to an insecure direct object reference (IDOR) in the AI agent monitor prior to version 2.9.0. As a result of this vulnerability, an authenticated user could access another user's full chat history on the same instance using the victim's agentId or turnId.
Mastodon prior to versions 4.5.10, 4.4.17, and 4.3.23 has a vulnerability that allows incorrect recognition of IPv4-mapped IPv6 addresses, potentially leading to TCP connections to private IPv4 addresses. Attackers can exploit this vulnerability by publishing appropriate DNS records.
Mastodon, a social network server based on ActivityPub, prior to versions 4.5.10, 4.4.17, and 4.3.23, had a vulnerability in the list of disallowed IP address ranges, allowing attackers to make HTTP requests to loopback interfaces. This could lead to unauthorized access to private resources and services.
FOSSBilling versions 0.7.2 and prior have a vulnerability in the API that allows authenticated clients to access other clients' data by guessing order IDs. The __call method in the API does not verify if the client owns the order, potentially leading to data exposure.
The py7zr library, used for compressing and decompressing 7zip archives, contains an arbitrary file write vulnerability in versions 1.1.2 and below. This allows attackers to create malicious archives that can restore symbolic links to arbitrary directories in the file system.
The ActivityPub client in the Ghost application was vulnerable to JavaScript injection on posts shared by a maliciously customized ActivityPub server prior to version 3.1.0. This vulnerability has been fixed in version 3.1.0.
Vulnerability in Jellyfin from version 10.9.0 to 10.11.9 allows authenticated non-admin users to write arbitrary files on the server by manipulating the Client field in the Authorization header. An attacker can use ../ sequences in this field to overwrite files in any location accessible to the Jellyfin service user, with a forced .log extension.
A vulnerability in Jellyfin before version 10.11.10 allows FFmpeg argument injection via a specially crafted subtitle filename. An unauthenticated attacker can exploit the lack of path normalization in SubtitleEncoder, leading to arbitrary file write on the server and information disclosure.
Use after free in Autofill in Google Chrome on Windows prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
Use after free in WebView in Google Chrome on Android prior to version 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Use after free in Bluetooth in Google Chrome on Mac prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral.
In Google Chrome prior to version 149.0.7827.197, there was an out of bounds read and write vulnerability in Blink>InterestGroups, allowing a remote attacker to execute arbitrary code via a crafted HTML page.
Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

