CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-6733
Low

Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket, causing responses to be delivered to the wrong requests.

CVE-2026-39199
Low

snes9x version 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.

CVE-2026-11525
Low

A vulnerability in undici allows the acceptance of incorrect SameSite attribute values in the Set-Cookie header, potentially leading to a weakening of the cookie's SameSite policy. Instead of the required case-insensitive exact match, values containing 'Strict', 'Lax', or 'None' as substrings are accepted.

CVE-2026-35068
Low

Dell PowerFlex Manager versions prior to 5.1.0.1 contain an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. A low privileged attacker with adjacent network access could exploit this vulnerability, potentially leading to information disclosure.

CVE-2026-12458
Low

Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page.

CVE-2026-0057
Low

In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2025-62340
Low

The vulnerability in HCL iControl is due to inadequate session timeout. The web application does not automatically terminate user sessions after a period of inactivity.

CVE-2026-46977
Low

A vulnerability in the Oracle VM VirtualBox product (component: VMSVGA device) allows an easily exploitable attack by a high privileged attacker with access to the infrastructure where Oracle VM VirtualBox runs. Attacks may significantly impact additional products, leading to unauthorized access to data.

CVE-2026-46874
Low

A vulnerability exists in the Oracle VM VirtualBox product (component: Core) in version 7.2.8. It is easily exploitable by a high privileged attacker with access to the infrastructure where Oracle VM VirtualBox runs, potentially compromising the software.

CVE-2026-46816
Low

A vulnerability in the Oracle VM VirtualBox product (component: VMSVGA device) allows a high privileged attacker with access to the infrastructure where Oracle VM VirtualBox runs to compromise the software. Attacks may significantly impact additional products, leading to unauthorized access to data.

CVE-2026-46815
Low

A vulnerability in the Oracle VM VirtualBox product (component: VMSVGA device) allows an easily exploitable attack by a high privileged attacker with access to the infrastructure where Oracle VM VirtualBox runs. Attacks may significantly impact additional products.

CVE-2026-0158
Low

In the Camera application, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-0145
Low

In keymint, there is a possible Permission Bypass due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-0142
Low

In the function iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-0134
Low

In the PostWipeData function of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-0130
Low

In RtcpChunk::decodeRtcpChunk, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed.

CVE-2026-0129
Low

In RtcpByePacket::decodeByePacket, there is a possible vulnerability due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed.

CVE-2026-10636
Low

In Zephyr's IPv4 IGMP implementation, a use-after-free vulnerability exists in igmp_send() where the network interface pointer is read after the packet has been sent. This affects releases from v2.6.0 through v4.4.0.

CVE-2026-48709
Low

OliveTin versions 3000.0.0 and prior allow access to predefined shell commands from a web interface. The ValidateArgumentType RPC endpoint does not perform any authentication or authorization checks, allowing unauthenticated users to enumerate valid action binding IDs and their argument configurations.

CVE-2026-12211
Low

A flaw has been found in Intelbras iNVU 7016 FT 3.004.00IB000.0.T Build 2025-09-26, allowing path traversal via manipulation of the /RPC2_Loadfile/syslog/ file in the web interface. The attack can be launched remotely.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS