CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Cap-go before version 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with such keys can access membership data from organizations outside their assigned scope.
Capgo before version 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons.
Flowise before version 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.
Flowise before version 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs.
Crawl4AI before version 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint and manipulate monitoring state without authentication, causing service disruption.
CVE-2026-13163 describes an open redirect vulnerability in the _safe_redirect function of the click-tracking endpoint in Mailerup versions before 1.0.0. This allows remote unauthenticated attackers to redirect victims to arbitrary external sites, potentially leading to phishing attacks.
Flowise through version 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.
In ccyl13 Pentestify version 1.0.0 and lower, there is a Server-Side Request Forgery (SSRF) vulnerability in the PDF generation endpoint. An attacker can exploit this flaw to send requests to arbitrary internal or external URLs, potentially leading to the exposure of sensitive data.
TortoiseGitBlame is vulnerable to argument injection via malicious Git history filenames, leading to arbitrary file write in TortoiseGit.
In the Linux kernel, a vulnerability was found in the IPC SHM subsystem where shm_destroy_orphaned() does not properly synchronize access to the shm_nattch field. Missing locking can lead to a race condition when cleaning up unused shared memory segments.
A vulnerability was found in the Linux kernel's AF_UNIX socket implementation. The SIOCATMARK ioctl, which reports the urgent mark position for MSG_OOB, was accessible for all socket types, even though MSG_OOB is only supported for SOCK_STREAM. Now, for SOCK_DGRAM and SOCK_SEQPACKET sockets, it returns -EOPNOTSUPP.
In the Linux kernel, the batman-adv module fails to clear the currently selected gateway pointer during mesh teardown, leaving stale state that can break subsequent mesh recreation.
A vulnerability was found in the Linux kernel's VRF (Virtual Routing and Forwarding) mechanism. Lack of RCU synchronization when removing a port from a VRF can cause a race condition where an RCU reader sees a new master device (e.g., a bridge) without l3mdev operations, leading to a NULL pointer dereference (NPD).
In the Linux kernel netfilter/ipset subsystem, a vulnerability was found in several hash:* variants. The 32-bit iterator used for scanning IPv4 address ranges may advance past the requested range after completion, causing retries to start from an unintended position.
In the Linux kernel, the batman-adv module is vulnerable to recursive processing of BATADV_UNICAST_FRAG packets. A malicious sender can craft a packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet, leading to unbounded recursion and kernel stack exhaustion.
In the Linux kernel's batman-adv module, a NULL pointer dereference vulnerability exists. When a network interface is disabled, its mesh_iface pointer is set to NULL, but batadv_v_ogm_send_meshif() may still dispatch OGMv2 packets through the disabled interface, causing a crash when trying to read from address NULL.
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function.
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.9. This is due to missing or incorrect nonce validation in the settings_form()/update_settings() functionality.
The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via crafted image src attributes in post content in versions up to and including 5.0.11. This is due to insufficient output escaping in the field() and loop() functions.
The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action.

