CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-11942
Medium

Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name.

CVE-2026-11372
Medium

IBM TRIRIGA Application Platform versions 5.0.2 through 5.0.3 are vulnerable to cross-site scripting (XSS). An authenticated user can embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.

CVE-2024-51454
Medium

IBM Engineering Workflow Management versions 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 are vulnerable to HTTP header injection due to improper validation of input in the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.

CVE-2023-33854
Medium

A vulnerability in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 allows an authenticated user to bypass client-side validation and manipulate input data using man-in-the-middle techniques.

CVE-2026-9162
Medium

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation. This allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.

CVE-2026-7167
Medium

The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass creation of fraudulent accounts.

CVE-2026-6673
Medium

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration.

CVE-2026-6062
Medium

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits. This allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.

CVE-2026-5139
Medium

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, allowing any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.

CVE-2026-56450
Medium

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who reached the 2FA verification step could submit an unlimited number of OTP guesses, potentially leading to unauthorized account access.

CVE-2026-10601
Medium

The Tempo and Loki datasource plugins in Grafana construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, invoke state-changing admin endpoints on Tempo (e.g., /flush, /shutdown), and exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.

CVE-2025-33128
Medium

An XSS vulnerability in IBM Engineering Workflow Management allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.

CVE-2025-2669
Medium

A vulnerability in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perform operations and obtain sensitive information outside of their authority due to improper token validation.

CVE-2024-54178
Medium

A vulnerability in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 allows an authenticated user to cause a denial of service when creating new databases due to improper resource allocation.

CVE-2026-12863
Medium

An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.

CVE-2026-12862
Medium

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.

CVE-2026-12580
Medium

EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.

CVE-2026-54665
Medium

Apache NiFi versions 0.0.1 through 2.9.0 do not validate the values of Proxy and Forwarded headers, allowing for the construction of invalid URLs. Version 1.6.0 introduced a property to restrict Host header values, but this was not applied to alternative headers.

CVE-2026-44911
Medium

In Apache NiFi versions 1.15.0 through 2.9.0, authorization handling for component configuration verification requests allows clients with read access to submit proposed configuration properties. These properties can override the current configuration, enabling users with read access to invoke predefined verification methods with alternative settings.

CVE-2025-62198
Medium

An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier.

PreviousPage 77 of 534Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS