CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A command injection vulnerability in luci-proto-openvpn through version 0.11.1 (fixed in commit e4ff45e) exists in the generateKey ubus method. The cl_meta parameter is interpolated into a shell command without proper escaping, allowing an authenticated LuCI user with OpenVPN protocol configuration access to execute arbitrary commands as root via the popen function.
A command injection vulnerability in luci-app-tailscale-commons allows authenticated users to execute arbitrary commands as root via the tailscale.do_login RPC method. The issue stems from improper quoting of the loginserver and loginserver_authkey parameters within a double-quoted shell command, enabling shell substitutions like $() to be evaluated.
A vulnerability in the mdex and mdex_native libraries allows an unauthenticated attacker to cause a denial of service via unbounded memory allocation. The parse_highlight_lines function in the LumisAdapter component expands a user-controlled line range from a fenced code block without an upper bound, allocating huge vectors. A payload with a range like 1-2000000000 can exhaust host memory and abort the BEAM process.
A cross-site scripting (XSS) vulnerability was found in the MDEx library due to improper input neutralization in Markdown processing. An attacker can inject arbitrary HTML/JavaScript that executes in the browser of every user viewing the rendered output.
A flaw was found in p11-kit where the RPC message attribute parsing functions lack a recursion depth limit when processing nested template attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a crafted request with deeply nested attributes, causing stack exhaustion and crashing the p11-kit server and its dependent services.
A vulnerability in Hi.Events through version 1.9.0 allows unauthenticated attackers to access full attendee lists, including emails and personal information, via public check-in list endpoints. By knowing the short_id, an attacker can read attendee data and create or delete check-in records without authentication.
A vulnerability in Hi.Events up to version 1.9.0 allows unlimited use of limited promo codes. The validation checks the usage count before an asynchronous job updates it, enabling sequential reservations with the same code, each seeing count=0.
Mixpost through version 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters.
A vulnerability in Papermark up to version 0.22.0 is caused by a CORS misconfiguration, allowing unauthenticated remote attackers to perform credentialed cross-origin requests. Attackers exploit the TUS-based viewer upload endpoint that reflects arbitrary request Origins with Access-Control-Allow-Credentials set to true.
A vulnerability in SigNoz through version 0.130.1 allows authenticated users to access alert rules of other organizations by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. This enables bypassing multi-tenant access controls.
A SQL injection vulnerability in SigNoz through version 0.130.1 allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of alert-history endpoints. Attackers can read all stored traces, logs, and metrics, or abuse the url() function for server-side request forgery (SSRF).
Vulnerability in Elide through version 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
A vulnerability in Mythic before version 3.4.0.60 allows authenticated spectator-role users to bypass authorization and perform unauthorized write operations. Attackers can exploit the misconfigured eventing_import_automatic_webhook endpoint to create and delete automation workflows.
Mythic before version 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.
A vulnerability in Mythic before version 3.4.0.60 is caused by a broken Hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
A broken access control vulnerability in ruoyi-vue-pro through version 2026.05 (fixed in commit 5d1fd70) in ErpSaleOrderController allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting incorrect permission namespace enforcement. Attackers can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders.
A missing authorization vulnerability in the CRM module of ruoyi-vue-pro (up to version 2026.05, fixed in commit c779a47) exists in the GET /admin-api/crm/follow-up-record/get endpoint. Authenticated users can read any follow-up record by iterating sequential numeric IDs.
Pinpoint through version 3.1.0 contains an insecure session management vulnerability where the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows attackers to access the cookie via JavaScript (document.cookie) and transmit it in cleartext over HTTP.
An SSRF vulnerability in Pinpoint through version 3.1.0 allows authenticated users to register internal URLs in the webhook registration endpoint due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to send POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
A broken access control vulnerability in Invidious before version 2.20260626.0 allows unauthenticated attackers to retrieve private playlist contents via the RSS feed playlist endpoint. Attackers can supply a playlist ID to obtain the full playlist contents, owner email address, and associated video entries without authentication.

