CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The CVE-2026-37709 vulnerability involves insecure permissions in grokability snipe-it version 8.4.0 and earlier, fixed after commit 676a9958 on March 10, 2026. This allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.
The MQTT broker in Yarbo firmware version 2.3.9 is configured to allow anonymous connections with no topic-level access control. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages without any authentication.
Yarbo firmware v2.3.9 contains hardcoded administrative credentials. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users.
The NPM package query-parser-string version 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.
The npm package parse-ini version 1.0.6 is vulnerable to Prototype Pollution in the index.js() function.
ChestnutCMS version 1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.
The NPM package next-npm-version version 1.0.1 is vulnerable to Command injection, which may allow an attacker to execute unauthorized commands on the system.
CVE-2026-6795 describes a URL redirection to an untrusted site ('open redirect') vulnerability in DivvyDrive. It allows for parameter injection, potentially leading to unauthorized access.
Wish to serwer SSH, który w wersjach od 2.0.0 do przed 2.0.1 jest podatny na ataki typu path traversal w middleware SCP. Złośliwy klient SCP może odczytywać dowolne pliki z serwera, zapisywać pliki oraz tworzyć katalogi poza skonfigurowanym katalogiem głównym, wysyłając odpowiednio skonstruowane nazwy plików zawierające sekwencje ../ przez protokół SCP.
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration and writing/modifying settings including volume, mute, brightness, and other projector functions.
An unspecified vulnerability was found in the WebRTC component of Firefox and Thunderbird. The flaw was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.
A vulnerability in the Audio/Video playback component of Firefox and Thunderbird results from incorrect boundary conditions. The flaw was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
The CVE-2026-6508 vulnerability in Liderahenk software has an origin validation error that allows access to functionality not properly constrained by access control lists (ACLs). This issue affects Liderahenk from version 2.0.1 before 2.0.2.
Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (SSTI) for user-created transformations.
Hyperledger Fabric versions from 1.0.0 to 2.2.26 contain a vulnerability in the Channel.java class, which implements the readObject() method and exposes deSerializeChannel(). This method calls ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter, leading to a classic Java deserialization RCE pattern.
OpenEXR versions from 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11 have an issue with the readVariableLengthInteger() function that decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, leading to undefined behavior.
In OpenEXR versions 3.0.0 to 3.2.9, 3.3.0 to 3.3.11, and 3.4.0 to 3.4.11, a vulnerability exists in the IDManifest::init() function. When reconstructing strings from a prefix-compressed representation, the code reads bytes without verifying that the current string has at least two bytes, potentially causing an out-of-bounds read.
CI4MS is a CodeIgniter 4-based CMS skeleton that prior to version 0.31.5.0 had a vulnerability in the Theme::upload function. It allows an authenticated backend user with theme creation permissions to upload ZIP files without validating entry names, leading to remote code execution.
In versions prior to 0.31.5.0, the Backup::restore function in CI4MS does not validate file names in uploaded ZIP archives, allowing an authenticated user to write files to arbitrary filesystem locations, potentially leading to remote code execution.
In version 0.31.4.0, CI4MS, based on CodeIgniter 4, has a vulnerability that allows full account takeover and privilege escalation via Stored DOM XSS in the backup module filename field. An attacker can manipulate this field using a SQL file to inject a hidden XSS payload.

