CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-31070
Critical

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.

CVE-2026-30118
Critical

Version 0.1.13 of the scalar/astro library was found to contain a Server-Side Request Forgery (SSRF) vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs.

CVE-2026-30117
Critical

Version 0.1.13 of the scalar/astro library was found to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code by uploading a crafted SVG file.

CVE-2026-44159
Critical

Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment.

CVE-2026-2587
Critical

A critical Remote Code Execution (RCE) vulnerability in the Glassfish server-side template rendering mechanism. The application processes .xml files and evaluates EL expressions without proper sanitization, allowing an attacker to fully compromise the host.

CVE-2026-2586
CriticalEPSS 53%

An authenticated Remote Code Execution (RCE) vulnerability was found in GlassFish's Administration Console. A user with panel access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user.

CVE-2026-8959
Critical

CVE-2026-8959 is a vulnerability due to incorrect boundary conditions in the Widget: Win32 component, allowing for sandbox escape. It has been fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8956
Critical

Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8953
Critical

A 'sandbox escape' vulnerability exists due to a use-after-free error in the Disability Access APIs component. It has been fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8950
Critical

A vulnerability allowing same-origin policy bypass in the Networking: HTTP component. It was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

CVE-2026-8948
Critical

A vulnerability in the DOM: Networking component allows bypassing the same-origin policy. This flaw was fixed in Firefox 151 and Thunderbird 151.

CVE-2026-47323
CriticalEPSS 70%

Vulnerability in Apache Camel due to missing inbound header filtering in CXF and Knative implementations. An unauthenticated attacker can inject internal Camel headers (e.g., CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints, leading to remote code execution or arbitrary file writes when messages are forwarded to header-driven components.

CVE-2026-43633
Critical

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js. This allows unauthenticated remote attackers to achieve root-level code execution.

CVE-2026-4883
Critical

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to and including 2.1.40. The plugin uses an incomplete extension blacklist, allowing dangerous file uploads.

CVE-2026-43493
Critical

In the Linux kernel, a vulnerability was found in the pcrypt module that incorrectly handles MAY_BACKLOG requests. These requests can return EBUSY, which requires proper checking and filtering of EINPROGRESS notifications.

CVE-2026-46725
Critical

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server.

CVE-2026-45434
Critical

CVE-2026-45434 in Apache OFBiz has a flaw in password-change logic that can lead to remote code execution. This issue affects versions before 24.09.06.

CVE-2026-41919
Critical

CVE-2026-41919 describes an improper neutralization of special elements used in LDAP queries, leading to LDAP Injection vulnerability in Apache OFBiz.

CVE-2026-31986
Critical

Use of hard-coded cryptographic key vulnerability in Apache OFBiz. This issue affects versions before 24.09.06.

CVE-2026-2611
Critical

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine.

PreviousPage 71 of 558Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS