CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-58058
Medium

A vulnerability in Nmap through version 7.99 causes the ipv6_get_data_primitive function to improperly handle IPv6 extension header boundaries, leading to out-of-bounds reads. An attacker can trigger a crash by sending a crafted IPv6 response with a truncated extension header during raw IPv6 scans.

CVE-2026-58057
Medium

A vulnerability in Flowise before version 3.1.3 allows bypassing the denylist of environment variables for Custom MCP nodes. On Windows, where environment variable names are case-insensitive, using 'node_options' instead of 'NODE_OPTIONS' enables injection of --require options and arbitrary code execution.

CVE-2026-58056
High

A vulnerability in RustDesk allows privilege escalation within a file transfer session. The gating of incoming control messages is based on per-capability flags rather than the session's authorized connection type, and a file transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.

CVE-2026-58055
Medium

A vulnerability in nghttp2 nghttpx up to version 1.69.0 causes an HTTP/1.1 Upgrade request with a Content-Length header and body to be forwarded onto reusable keep-alive backend connections. A backend interpreting this ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

CVE-2026-58054
High

In MyBB 1.8.40, a limited administrator with user management permissions can assign any usergroup, including the Administrators group (gid 4). The verify_usergroup() function in the user module always returns true, allowing privilege escalation to full administrator permissions.

CVE-2026-58053
Critical

A vulnerability in Gitea act_runner with Docker backend (up to act 0.262.0) allows bypassing privileged mode restrictions. By passing container options like --pid=host, --cap-add, and --security-opt, a user can access host namespaces and escalate privileges to root.

CVE-2026-58052
Low

A vulnerability in 7-Zip for Windows up to version 26.02 allows bypassing the Mark-of-the-Web when extracting a crafted RAR5 archive. The guard mechanism checks for the exact name 'Zone.Identifier' but fails to handle STM records named ':Zone.Identifier:$DATA', which NTFS canonicalizes to the same stream, overwriting the Internet zone marker with ZoneId=0. A second STM record '::$DATA' overwrites the default data stream of the extracted file, enabling an attacker to bypass SmartScreen/MotW warnings and spoof file content.

CVE-2026-58051
Medium

In libssh2 up to version 1.11.1, when growing the publickey list with SSH2_REALLOC, new entries are not zero-initialized before parsing populates them. A parse failure reaching the cleanup path causes libssh2_publickey_list_free to operate on an uninitialized entry, potentially freeing an attacker-influenceable attrs pointer.

CVE-2026-58050
High

A vulnerability in libssh2 up to version 1.11.1 allows an attacker-controlled SSH server to read a 32-bit attribute count from a publickey-subsystem response. This count is used for memory allocation without bounds checking, causing multiplication overflow on 32-bit platforms and an undersized buffer. A malicious server can then write past the allocation, leading to a heap buffer overflow in the connecting libssh2 client.

CVE-2026-58049
High

The RASC video decoder in FFmpeg (decode_dlta function in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

CVE-2026-8095
High

The Frontend File Manager Plugin for WordPress up to version 23.6 is vulnerable to authenticated arbitrary file deletion. The issue is a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, allowing an attacker to delete arbitrary files on the server.

CVE-2026-10643
High

In Zephyr's IP socket recvmsg() implementation (sockets_inet.c), the insert_pktinfo() function improperly validates the control buffer size by omitting the cmsg header size, allowing an out-of-bounds write. This affects versions from v3.6.0 through v4.4.0.

CVE-2026-49416
High

A vulnerability in the FreeBSD kernel in the CONS_HISTORY ioctl handler allows an unprivileged local user to perform an out-of-bounds write. A large history size causes an integer overflow in buffer size calculation, resulting in a heap allocation smaller than expected and subsequent write beyond the allocation.

CVE-2026-49414
High

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.

CVE-2026-49417
High

A use-after-free vulnerability was found in the Linux kernel audio drivers. When an audio device is closed, the audio buffer may be freed while the memory mapping remains valid, allowing access to freed kernel memory.

CVE-2026-49413
High

A vulnerability in the Linuxulator (FreeBSD's Linux binary compatibility layer) causes the AT_SECURE flag to be incorrectly set to zero for executables with set-user-ID or set-group-ID bits. This allows an unprivileged local user to inject a shared library via the LD_PRELOAD environment variable into such a binary.

CVE-2026-49412
High

In the kernel handler for IPV6_MSFILTER, a use-after-free vulnerability exists. The handler drops a serializing lock while copying the source-filter list from userspace, then reacquires the lock. During this window, another thread can free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

CVE-2026-45259
Medium

A vulnerability in the sigqueue(2) implementation in FreeBSD allows a process in capability mode to send signals to any process, bypassing Capsicum sandbox restrictions. The missing check for the target PID being the calling process's own enables an attacker to interfere with other processes.

CVE-2026-45258
High

An integer overflow vulnerability was found in the dsp_mmap_single() function during validation of memory mapping requests. A large offset and length can cause the sum to wrap around, bypassing the check and allowing mapping beyond the audio buffer into unrelated kernel memory.

CVE-2026-9242
Medium

The RegistrationMagic plugin for WordPress up to version 6.0.8.6 contains an authentication bypass vulnerability due to insufficient data authenticity verification in the PayPal IPN handler. The handler is accessible to unauthenticated users and updates the database before IPN validation, allowing an attacker to forge an IPN request, overwrite the user ID in a payment log, and then obtain authentication cookies for any user, including administrators.

PreviousPage 110 of 4484Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS