CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In OpenEXR versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. The multiplication of channel width (int32_t) by bytes_per_element in 32-bit signed arithmetic can overflow, causing an out-of-bounds write. The same pattern appears in two other HTJ2K paths.
The vulnerability in libssh2 up to version 1.11.1 (fixed in commit 2dae302) allows an out-of-bounds heap read in the sftp_symlink() function in src/sftp.c. A malicious SSH server or man-in-the-middle attacker can disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response.
A vulnerability in OpenBSD before commit 6a23123 (2026-06-18) in the mpls_do_error function within sys/netmpls/mpls_input.c allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.
In versions prior to 0.9.2, pam_usb has a symlink race condition in per-device and per-user pad directory creation. A local attacker can exploit this vulnerability by replacing the target path with a symlink to a directory they control.
In versions prior to 0.9.2, pam_usb creates a temporary file without the O_EXCL flag when updating a one-time pad file. This can lead to a situation where two concurrent processes updating the same pad may both succeed, resulting in overwriting the pad value.
In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE). This can lead to outbound network connections or local file reads at XML parse time from the context of the authenticating process.
In versions prior to 0.9.2, the pam_usb module, responsible for hardware authentication on Linux, is vulnerable to environment variable injection. The XRDP_SESSION, DISPLAY, and TMUX variables can be manipulated by a local user, affecting the local and remote session checking logic.
Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The default environment variables MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD are set to 'monitor' and 'monitor', creating a risk of unauthorized access.
In Coturn prior to version 4.11.0, a stored XSS vulnerability was found in the HTTPS web-admin interface. An attacker can create a TURN allocation with a crafted USERNAME value, causing HTML/JavaScript execution when an authenticated admin views the TURN session list.
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator uses low-entropy sources, making them predictable.
NILFS utilities up to version 2.3.0 have a validation issue with the s_log_block_size field in the NILFS2 superblock in the nilfs_sb_is_valid() function. Attackers can supply crafted NILFS2 images, leading to undefined behavior and crashes of tools like nilfs-tune and dumpseg.
A flaw in Node.js HTTP/2 server API allows servers to keep accepting data even after sending a `GOAWAY` frame. This affects **Node.js 22** and **Node.js 24**.
CVE-2026-47833 is a privilege escalation vulnerability from container to host via manipulation of the bpm.log file. A compromised process inside a bpm container can force the system to change the owner of any host file, leading to the exposure of passwords from the /etc/shadow file.
In pam_usb versions 0.9.1 and earlier, a bug can lead to an infinite loop DoS due to improper initialization of the *ppid variable. In the pusb_local_login() function, the same variable is reused as input and output in a loop, which can cause the authenticating process to hang.
In versions 0.9.1 and below, the pam_usb module can cause a NULL dereference crash when parsing loginctl output. The pusb_is_loginctl_local() function calls popen() and reads the result, which can lead to undefined behavior and crashing the PAM module.
In versions 0.9.1 and below, the xfree() function in pam_usb releases memory without first zeroing the buffer contents, leading to the exposure of sensitive data in freed memory. This could allow recovery of pad values or other authentication material from freed memory regions.
The WP EasyPay WordPress plugin contains a CSRF vulnerability that allows an attacker to perform unauthorized actions on behalf of a logged-in administrator. The flaw affects all versions up to and including 4.5.0.
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in version 2.641.
Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.
Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads.

