CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-55688
Medium

The AsyncHttpClient (AHC) library versions 2.0.0 through 2.15.0 and 3.0.0.Beta1 through 3.0.10 have a vulnerability in ThreadSafeCookieStore that does not verify whether the responding host is allowed to set a cookie for a domain. This allows an attacker-controlled host to inject a cookie for an unrelated domain, which the client then sends to that domain.

CVE-2026-54908
Medium

Pion DTLS library versions prior to 3.1.4 are vulnerable to remote denial of service via a panic triggered while parsing a crafted ECDHE_PSK ServerKeyExchange message. The issue is fixed in version 3.1.4.

CVE-2026-54164
Medium

Vulnerability in API Platform Core before versions 4.1.30, 4.2.26 and 4.3.12 allows an attacker to substitute resource types in IRI relations. Missing type validation in AbstractItemNormalizer enables assigning an object of an unintended type to a relation property.

CVE-2026-49858
Medium

In API Platform Core versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. The component cache (attributes, relationships, links) keyed on context cache key can be reused for a subsequent request from a different user with different permissions, exposing properties that should be hidden.

CVE-2026-14363
Medium

An SQL injection vulnerability in the Cargo extension for MediaWiki allows an attacker to inject malicious SQL code. The issue affects versions before 1.43.9, 1.44.6, and 1.45.4.

CVE-2026-58517
Medium

A vulnerability in the WikiLambda extension for MediaWiki allows authentication bypass due to improper neutralization of input terminators. The issue affects versions before 1.43.9, 1.44.6, and 1.45.4.

CVE-2026-58451
Medium

Horde IMP before version 7.0.1 contains a path traversal vulnerability in lib/Compose.php. Authenticated attackers can read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending traversal sequences after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.

CVE-2026-55628
Medium

In versions prior to 7.1.2-26he, the `-concatenate` operation lacked security policy checks, potentially allowing reading and writing to paths disallowed by the policy. This issue has been fixed in version 7.1.2-26.

CVE-2026-55597
Medium

In ImageMagick prior to version 7.1.2-26, a heap buffer over-write vulnerability exists in the JP2 encoder due to incorrect argument handling. The issue has been fixed in version 7.1.2-26.

CVE-2026-55595
Medium

In ImageMagick prior to versions 6.9.13-51 and 7.1.2-26, providing invalid arguments to the connected-components option causes an infinite loop. This issue has been fixed in the mentioned versions.

CVE-2026-55594
Medium

In ImageMagick prior to versions 6.9.13-51 and 7.1.2-26, a missing depth check in the MVG decoder leads to a stack overflow when processing a crafted image.

CVE-2026-55577
Medium

In ImageMagick prior to versions 6.9.13-51 and 7.1.2-26, a heap buffer overflow occurs in the MVG decoder that could result in an out-of-bounds write when processing a crafted image.

CVE-2026-55510
Medium

In ImageMagick prior to versions 6.9.13-51 and 7.1.2-26, a use-after-free vulnerability occurs when identifying an image with a crafted 8BIM profile containing a specific format string. The issue is fixed in the mentioned versions.

CVE-2026-53489
Medium

A vulnerability in containerd allows reading arbitrary files on the host via kubectl logs. The bug occurs in the CRI plugin, which restores container.log from a checkpoint image without validating a symlinked path.

CVE-2026-53467
Medium

In ImageMagick prior to versions 6.9.13-51 and 7.1.2-26, the MNG decoder contains a heap information disclosure vulnerability because part of the pixels are left unchanged.

CVE-2026-53466
Medium

In ImageMagick prior to versions 6.9.13-51 and 7.1.2-26, an integer overflow in the XCF decoder can result in an out-of-bounds read when a crafted image is processed, potentially causing a crash.

CVE-2026-47262
Medium

A vulnerability in containerd allows memory exhaustion via a maliciously crafted container image, causing an OOM kill of the containerd process and making the runtime API unavailable. Affected versions are prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5, and 2.3.2.

CVE-2026-38142
Medium

An unauthenticated command injection vulnerability exists in the /goform/fast_setting_internet_set endpoint of Tenda AC18 firmware version 15.03.05.05. An attacker can send a crafted request with a malicious payload in the mac parameter to execute arbitrary system commands.

CVE-2026-14358
Medium

The Charts extension for MediaWiki contains an XSS vulnerability due to improper input neutralization during page generation. Affected versions are before 1.43.9, 1.44.6, and 1.45.4.

CVE-2026-13769
Medium

Overly permissive file permissions in AWS CLI before versions 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems, where umask has not been configured to restrict file permissions (the default on most systems), may allow other local users on the same host to read credentials written by certain CLI subcommands (aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register).

PreviousPage 10 of 485Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS