CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in Nmap through version 7.99 causes the ipv6_get_data_primitive function to improperly handle IPv6 extension header boundaries, leading to out-of-bounds reads. An attacker can trigger a crash by sending a crafted IPv6 response with a truncated extension header during raw IPv6 scans.
A vulnerability in Flowise before version 3.1.3 allows bypassing the denylist of environment variables for Custom MCP nodes. On Windows, where environment variable names are case-insensitive, using 'node_options' instead of 'NODE_OPTIONS' enables injection of --require options and arbitrary code execution.
A vulnerability in RustDesk allows privilege escalation within a file transfer session. The gating of incoming control messages is based on per-capability flags rather than the session's authorized connection type, and a file transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.
A vulnerability in nghttp2 nghttpx up to version 1.69.0 causes an HTTP/1.1 Upgrade request with a Content-Length header and body to be forwarded onto reusable keep-alive backend connections. A backend interpreting this ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
In MyBB 1.8.40, a limited administrator with user management permissions can assign any usergroup, including the Administrators group (gid 4). The verify_usergroup() function in the user module always returns true, allowing privilege escalation to full administrator permissions.
A vulnerability in Gitea act_runner with Docker backend (up to act 0.262.0) allows bypassing privileged mode restrictions. By passing container options like --pid=host, --cap-add, and --security-opt, a user can access host namespaces and escalate privileges to root.
A vulnerability in 7-Zip for Windows up to version 26.02 allows bypassing the Mark-of-the-Web when extracting a crafted RAR5 archive. The guard mechanism checks for the exact name 'Zone.Identifier' but fails to handle STM records named ':Zone.Identifier:$DATA', which NTFS canonicalizes to the same stream, overwriting the Internet zone marker with ZoneId=0. A second STM record '::$DATA' overwrites the default data stream of the extracted file, enabling an attacker to bypass SmartScreen/MotW warnings and spoof file content.
In libssh2 up to version 1.11.1, when growing the publickey list with SSH2_REALLOC, new entries are not zero-initialized before parsing populates them. A parse failure reaching the cleanup path causes libssh2_publickey_list_free to operate on an uninitialized entry, potentially freeing an attacker-influenceable attrs pointer.
A vulnerability in libssh2 up to version 1.11.1 allows an attacker-controlled SSH server to read a 32-bit attribute count from a publickey-subsystem response. This count is used for memory allocation without bounds checking, causing multiplication overflow on 32-bit platforms and an undersized buffer. A malicious server can then write past the allocation, leading to a heap buffer overflow in the connecting libssh2 client.
The RASC video decoder in FFmpeg (decode_dlta function in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
The Frontend File Manager Plugin for WordPress up to version 23.6 is vulnerable to authenticated arbitrary file deletion. The issue is a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, allowing an attacker to delete arbitrary files on the server.
In Zephyr's IP socket recvmsg() implementation (sockets_inet.c), the insert_pktinfo() function improperly validates the control buffer size by omitting the cmsg header size, allowing an out-of-bounds write. This affects versions from v3.6.0 through v4.4.0.
A vulnerability in the FreeBSD kernel in the CONS_HISTORY ioctl handler allows an unprivileged local user to perform an out-of-bounds write. A large history size causes an integer overflow in buffer size calculation, resulting in a heap allocation smaller than expected and subsequent write beyond the allocation.
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.
A use-after-free vulnerability was found in the Linux kernel audio drivers. When an audio device is closed, the audio buffer may be freed while the memory mapping remains valid, allowing access to freed kernel memory.
A vulnerability in the Linuxulator (FreeBSD's Linux binary compatibility layer) causes the AT_SECURE flag to be incorrectly set to zero for executables with set-user-ID or set-group-ID bits. This allows an unprivileged local user to inject a shared library via the LD_PRELOAD environment variable into such a binary.
In the kernel handler for IPV6_MSFILTER, a use-after-free vulnerability exists. The handler drops a serializing lock while copying the source-filter list from userspace, then reacquires the lock. During this window, another thread can free the multicast filter structure, leaving the handler with a stale pointer to freed memory.
A vulnerability in the sigqueue(2) implementation in FreeBSD allows a process in capability mode to send signals to any process, bypassing Capsicum sandbox restrictions. The missing check for the target PID being the calling process's own enables an attacker to interfere with other processes.
An integer overflow vulnerability was found in the dsp_mmap_single() function during validation of memory mapping requests. A large offset and length can cause the sum to wrap around, bypassing the check and allowing mapping beyond the audio buffer into unrelated kernel memory.
The RegistrationMagic plugin for WordPress up to version 6.0.8.6 contains an authentication bypass vulnerability due to insufficient data authenticity verification in the PayPal IPN handler. The handler is accessible to unauthenticated users and updates the database before IPN validation, allowing an attacker to forge an IPN request, overwrite the user ID in a payment log, and then obtain authentication cookies for any user, including administrators.

