CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-8153
Critical

The Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 is vulnerable to OS command injection, allowing an unauthenticated attacker to craft commands that execute code on the robot's OS.

CVE-2026-8076
Critical

The CashDro 3 web administration panel version 24.01.00.26 has weak credentials as it allows the use of numeric PINs for user authentication. An attacker can easily perform a brute-force attack by trying different PINs without the account being locked.

CVE-2026-6213
Critical

A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypass the local connection check and achieve arbitrary code execution as root on the server side. Depending on implementation, the vulnerability can be exploited by an unauthenticated attacker.

CVE-2013-10075
Critical

Apache::Session versions through 1.94 for Perl re-create deleted sessions. Sessions stored in Apache::Session::Store::File and Apache::Session::Store::DB_File can be revived, potentially exposing data that was meant to be deleted.

CVE-2025-69691
Critical

Netgate pfSense CE version 2.8.0 allows code execution via the XMLRPC API using pfsense.exec_php. The supplier disputes this vulnerability as the API call is only available to admins who are intentionally allowed to execute PHP code.

CVE-2025-69690
Critical

Netgate pfSense CE version 2.7.2 allows code execution by using the module installer with a backup file containing a serialized PHP object with the post_reboot_commands property.

CVE-2025-69599
Critical

RayVentory Scan Engine through version 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. This vulnerability is disputed as the ability to control the environment is a site-specific misconfiguration.

CVE-2025-67887
Critical

1C-Bitrix version 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file.

CVE-2023-46453
Critical

Certain GL.iNet devices with 4.x firmware allow authentication bypass, resulting in administrative control of the device. This affects version 4.3.7 on models GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200.

CVE-2024-51092
Critical

LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().

CVE-2026-43944
Critical

Electerm, a terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client, is vulnerable to arbitrary local code execution in versions from 3.0.6 to before 3.8.15. Exploiting this vulnerability requires clicking a crafted electerm://... link or opening a crafted shortcut/command.

CVE-2026-43941
Critical

Electerm is a terminal client that in versions 3.8.15 and prior does not validate protocols for URLs clicked in the terminal. Attackers can exploit this to execute arbitrary code or access local files on the victim's machine if the victim clicks a displayed link.

CVE-2026-42208
CriticalActively exploitedEPSS 100%

In LiteLLM versions from 1.81.16 to before 1.83.7, a SQL injection vulnerability exists during proxy API key checks. An unauthenticated attacker can send a crafted Authorization header, leading to reading and potentially modifying data in the proxy database.

CVE-2026-41501
Critical

In the electerm client prior to version 3.3.8, a command injection vulnerability exists that allows an attacker to append malicious version strings into an exec command without validation. This issue has been patched in version 3.3.8.

CVE-2026-41500
Critical

In the electerm client prior to version 3.3.8, a command injection vulnerability allows an attacker to inject malicious code into the exec command. This issue has been patched in version 3.3.8.

CVE-2026-42880
Critical

In Argo CD versions 3.2.0 to 3.2.10 and 3.3.0 to 3.3.8, there is a missing authorization and data-masking gap in the ServerSideDiff endpoint. This allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism.

CVE-2026-8034
Critical

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library.

CVE-2026-7891
Critical

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. Anonymous users of the MyFirstModule can access all stored records, even though no access rights are explicitly configured on that role.

CVE-2026-42826
Critical

Azure DevOps has a vulnerability that allows an unauthorized attacker to disclose sensitive information over a network.

CVE-2026-35428
Critical

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

PreviousPage 86 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS