CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-56785
High

FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields.

CVE-2026-11972
High

A vulnerability in Python's 'tarfile' module occurs when opening an archive in streaming mode (mode='r|'). The module improperly handles EOF, causing archive parsing to take exponentially longer.

CVE-2026-54513
High

A vulnerability in jackson-databind allows bypassing the allowlist in BasicPolymorphicTypeValidator. The allowIfSubTypeIsArray() method permits any array type without validating the component type, enabling deserialization of dangerous types like EvilType[] even if EvilType is not allowlisted.

CVE-2026-54512
High

Vulnerability in jackson-databind allows bypassing the PolymorphicTypeValidator (PTV) during polymorphic deserialization. When a type contains generic parameters (e.g., ArrayList<Gadget>), validation only checks the container name, not nested types, enabling loading a denied class as a generic parameter.

CVE-2026-50193
High

A vulnerability in jackson-databind from version 2.13.0 to 2.14.0 allows a DoS attack by sending deeply nested JSON (thousands of levels) read as JsonNode and written via toString(). Even small requests (1000 nested arrays is 2kB) can significantly consume system resources.

CVE-2026-47387
High

NocoDB prior to version 2026.05.1 has a vulnerability that allows users with editor role to inject malicious JavaScript code through the form's redirect_url field. When an authenticated user opens the shared link, this code can be executed in the context of NocoDB.

CVE-2026-47383
High

NocoDB prior to version 2026.05.1 allowed authenticated commenters to store HTML in row comments, resulting in script execution when other users hovered over the comment in expanded view. Lack of server-side sanitization enabled the injection of malicious code.

CVE-2026-41862
High

Spring Statemachine has a vulnerability in Kryo-based backends that deserialize state-machine contexts without enforcing a class allowlist. This can lead to remote code execution within the application JVM.

CVE-2026-23513
High

In FOSSBilling versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. The issue stemmed from improper grouping of filters in queries, allowing OR clauses to be evaluated independently of the enforced client_id constraint.

CVE-2026-12112
High

A session management vulnerability was found in the foreman-mcp-server. Unauthenticated attackers can hijack active administrative sessions due to improper caching of authenticated client connections, trusting a non-secret session ID without re-validating authentication tokens, and logging all newly created session IDs to standard logs.

CVE-2026-54762
High

In Traefik versions from 3.7.0-ea.1 to 3.7.5, a medium severity vulnerability was found in the Kubernetes Ingress NGINX provider. When an Ingress explicitly enables BasicAuth or DigestAuth via auth-type and auth-secret annotations, but the referenced Secret cannot be resolved or parsed, Traefik logs the error, skips installing the authentication middleware, and still emits a router to the backend. This results in a protected route being published without access control, allowing unauthorized access.

CVE-2026-54761
High

Vulnerability in Traefik (versions prior to 3.6.21 and 3.7.5) in the Kubernetes Gateway provider affects the crossProviderNamespaces allowlist. For HTTPRoute rules with multiple backendRefs (WRR), Traefik incorrectly evaluates the allowlist against the target backendRef.namespace instead of the route's own namespace. This allows an HTTPRoute from a non-allowlisted namespace to reference internal Traefik services (e.g., api@internal) by pointing backendRef.namespace at an allowlisted namespace covered by a ReferenceGrant.

CVE-2026-54555
High

A vulnerability in rtk (versions before 0.42.2) allowed bypassing the permission control mechanism by hiding a second command within Bash shell constructs that were not properly split or rejected. A command starting with an allowed prefix (e.g., 'git') could contain a hidden command that executed without required user authorization.

CVE-2026-54328
High

Pi is a minimal terminal coding harness. From versions 0.74.0 to 0.78.1, temporary npm or git extension package installs used predictable paths under the operating system's temporary directory, allowing a local attacker to inject malicious code.

CVE-2026-39253
HighEPSS 52%

An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components.

CVE-2026-54322
High

In versions prior to 0.185.0, Daytona allowed organization role updates and deletions without verifying if the role belonged to the specified organization. An authenticated user owning any organization could modify permissions or delete a role belonging to another organization using that role's identifier.

CVE-2026-54321
High

In versions from 0.101.0 to 0.184.0, sandboxes switched from public to private could remain accessible without authentication for a short period after the change, due to a cached visibility state that was not invalidated.

CVE-2026-54320
High

In versions prior to 0.184.0, users could accept or decline organization invitations even if their email address was not verified. Daytona's authentication system did not require email verification for these actions, creating a risk of unauthorized access.

CVE-2026-53755
High

Crawl4AI prior to version 0.8.9 contains an SSRF vulnerability that allows an unauthenticated attacker to bypass the destination URL check and route traffic through a proxy to internal IP addresses. The attacker can exploit this flaw to access internal services and cloud metadata endpoints while providing a valid crawl URL.

CVE-2026-53754
High

Crawl4AI before version 0.8.8 has an SSRF vulnerability in the Docker API server that allows an attacker to bypass the CIDR blocklist and access internal services and cloud metadata endpoints (e.g., 169.254.169.254) by encoding an IPv4 address in an IPv6 transition form or using the IPv6 unspecified address. Since the Docker API is unauthenticated by default, no credentials are required for the attack.

PreviousPage 67 of 3334Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS