CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.
Version 0.1.13 of the scalar/astro library was found to contain a Server-Side Request Forgery (SSRF) vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs.
Version 0.1.13 of the scalar/astro library was found to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code by uploading a crafted SVG file.
Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment.
A critical Remote Code Execution (RCE) vulnerability in the Glassfish server-side template rendering mechanism. The application processes .xml files and evaluates EL expressions without proper sanitization, allowing an attacker to fully compromise the host.
An authenticated Remote Code Execution (RCE) vulnerability was found in GlassFish's Administration Console. A user with panel access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user.
CVE-2026-8959 is a vulnerability due to incorrect boundary conditions in the Widget: Win32 component, allowing for sandbox escape. It has been fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
A 'sandbox escape' vulnerability exists due to a use-after-free error in the Disability Access APIs component. It has been fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
A vulnerability allowing same-origin policy bypass in the Networking: HTTP component. It was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
A vulnerability in the DOM: Networking component allows bypassing the same-origin policy. This flaw was fixed in Firefox 151 and Thunderbird 151.
Vulnerability in Apache Camel due to missing inbound header filtering in CXF and Knative implementations. An unauthenticated attacker can inject internal Camel headers (e.g., CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints, leading to remote code execution or arbitrary file writes when messages are forwarded to header-driven components.
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js. This allows unauthenticated remote attackers to achieve root-level code execution.
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to and including 2.1.40. The plugin uses an incomplete extension blacklist, allowing dangerous file uploads.
In the Linux kernel, a vulnerability was found in the pcrypt module that incorrectly handles MAY_BACKLOG requests. These requests can return EBUSY, which requires proper checking and filtering of EINPROGRESS notifications.
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server.
CVE-2026-45434 in Apache OFBiz has a flaw in password-change logic that can lead to remote code execution. This issue affects versions before 24.09.06.
CVE-2026-41919 describes an improper neutralization of special elements used in LDAP queries, leading to LDAP Injection vulnerability in Apache OFBiz.
Use of hard-coded cryptographic key vulnerability in Apache OFBiz. This issue affects versions before 24.09.06.
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine.

