CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A path traversal vulnerability in the ImageScan subsystem of Rancher Fleet affects versions 0.12.0 to 0.12.16, 0.13.0 to 0.13.12, 0.14.0 to 0.14.7, and 0.15.0 to 0.15.3, allowing an attacker to traverse outside the intended directory and cause a denial of service.
A vulnerability in PostgreSQL Anonymizer allows unprivileged masked users to repeatedly call the anon.hash() function and collect (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt.
A vulnerability in Mendix Studio Pro arises from improper validation and sanitization of project files processed during the build pipeline. An attacker can trick a user into opening and running a specially crafted malicious project, leading to arbitrary code execution in the context of that user.
A vulnerability in Rancher FleetWorkspace allows an unauthenticated attacker with network access to the in-cluster rancher-webhook service to create workspace-related Kubernetes objects with attacker-chosen identity data. Affected versions are 0.7.0 to 0.7.10, 0.8.0 to 0.8.7, 0.9.0 to 0.9.6, and 0.10.0 to 0.10.7.
A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.
In Coolify prior to version 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host.
Coolify prior to version 4.0.0-beta.464 has a vulnerability in the `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` endpoint that bypasses team scoping when the optional `uuid` parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams.
Coolify prior to version 4.0.0-beta.464 has a vulnerability in the executeInDocker() helper that wraps commands in bash -c without escaping single quotes. The docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing an attacker to break out of the bash -c argument and execute arbitrary commands on the managed server host.
Coolify prior to version 4.0.0-beta.464 has a vulnerability in the GET /api/v1/deployments/{uuid} endpoint that allows any authenticated user to access deployment details of any team, bypassing team-based authorization. The issue stems from the $teamId extracted from the authentication token not being used to scope the database query.
Coolify prior to version 4.0.0-beta.461 uses a non-constant-time string comparison operator (!==) to validate the GitLab webhook secret token. This allows an attacker to gradually discover the secret token by measuring response time differences (timing attack).
Coolify prior to version 4.0.0-beta.464 has a vulnerability in the `GET /api/v1/deployments/{uuid}` endpoint that does not validate whether the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment details from other teams by providing a valid deployment UUID.
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate-limiting enables efficient brute-force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six-digit numeric format, this becomes a critical issue, as such passwords can be brute-forced in a relatively short time.
The KTM e-BOK system enforces a maximum password length of six numeric digits and does not allow alphabetic, special, or extended characters. This issue was fixed in the patch released in June 2026.
KTM e-BOK system is vulnerable to Cross‑Site Request Forgery (CSRF) in email-change and password-change functionalities. An authenticated user can be tricked into performing unauthorized changes without their knowledge.
The vulnerability in KTM e-BOK allows an attacker to set the session identifier before authentication. If a cookie with a valid name is set, its value remains unchanged after successful login, enabling session hijacking.
Memory safety bugs were found in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and could potentially be exploited to run arbitrary code with enough effort. This vulnerability was fixed in Firefox 152.0.4.
In openGauss, when processing to_timestamp calls with NLS parameters, to_timestamp_with_fmt_nls() stores nls_fmt_str in u_sess->parser_cxt.nls_fmt_str. In the seqscan + sort execution path, this string is allocated in the SeqScan expression context; after SeqScan completes, the memory context is reset, but the output phase timestamp_out() still accesses u_sess->parser_cxt.nls_fmt_str via CheckNlsFormat(), causing a heap-use-after-free. An attacker with SQL execution privileges can craft a specific to_timestamp(..., ..., nlsparam) query to trigger this, leading to backend process crash and denial of service.
A SQL misconfiguration in the Gravitino UI, versions 1.0.0 and below, allows a malicious user to read or truncate files. The issue is fixed in version 1.0.0.
Multiple memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway can lead to unpredictable or erroneous behavior and Denial of Service (DoS). The vulnerability occurs when NetScaler ADC is configured as an Oracle load balancer, DNS proxy, or DNS recursive resolver.
A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway can lead to unpredictable or erroneous behavior and Denial of Service (DoS) if the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

