CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-24207
Critical

NVIDIA Triton Inference Server contains a vulnerability that allows an attacker to bypass authentication. A successful exploit may lead to code execution, privilege escalation, data tampering, denial of service, or information disclosure.

CVE-2026-7284
Critical

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to and including 1.4.4. The 'easyel_handle_register' function does not restrict user roles, allowing unauthenticated attackers to assign the 'administrator' role during registration.

CVE-2026-6555
CriticalEPSS 58%

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory.

CVE-2026-8495
Critical

A missing authorization vulnerability in Drupal Date iCal allows for forceful browsing.

CVE-2026-34234
Critical

CtrlPanel is open-source billing software for hosting providers, which in versions 1.1.1 and prior is vulnerable to unauthenticated Remote Code Execution (RCE) due to improper install.lock checking. This allows an attacker to execute arbitrary commands on the server.

CVE-2026-33642
Critical

In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets, potentially leading to Heap Buffer Over-Read/Write. An attacker can exploit this by supplying crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access.

CVE-2026-8605
Critical

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

CVE-2026-8603
Critical

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

CVE-2026-8602
Critical

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

CVE-2026-36829
Critical

CVE-2026-36829 describes an authentication bypass vulnerability in the embedded HTTP server of the Panabit PAP-XM320 device up to and including version 7.7. The server validates session cookies based on a user-controlled value, allowing for directory traversal and bypassing authentication.

CVE-2026-37281
Critical

CVE-2026-37281 describes an OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before version 2.7.0, allowing remote attackers to execute arbitrary commands via the url parameter.

CVE-2026-31072
CriticalEPSS 52%

The vulnerability in APScheduler allows Remote Code Execution (RCE) via insecure deserialization in JSONSerializer and CBORSerializer classes. The unmarshal_object function enables arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment.

CVE-2026-31071
Critical

The API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. This allows unauthenticated remote attackers to leak all user records and modify drug inventory.

CVE-2026-31070
Critical

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.

CVE-2026-30118
Critical

Version 0.1.13 of the scalar/astro library was found to contain a Server-Side Request Forgery (SSRF) vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs.

CVE-2026-30117
Critical

Version 0.1.13 of the scalar/astro library was found to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code by uploading a crafted SVG file.

CVE-2026-44159
Critical

Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment.

CVE-2026-2587
Critical

A critical Remote Code Execution (RCE) vulnerability in the Glassfish server-side template rendering mechanism. The application processes .xml files and evaluates EL expressions without proper sanitization, allowing an attacker to fully compromise the host.

CVE-2026-2586
CriticalEPSS 53%

An authenticated Remote Code Execution (RCE) vulnerability was found in GlassFish's Administration Console. A user with panel access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user.

CVE-2026-8959
Critical

CVE-2026-8959 is a vulnerability due to incorrect boundary conditions in the Widget: Win32 component, allowing for sandbox escape. It has been fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

PreviousPage 66 of 553Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS