CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the Linux kernel's idpf driver, a vulnerability causes double free and use-after-free in auxiliary device error paths. When auxiliary_device_add() fails, the error handling code incorrectly falls through, freeing the same iadev structure twice and accessing freed memory.
In the Linux kernel, a bug in the AMD Display driver (DCN32) causes a kernel crash when allocating memory for phantom planes. The issue occurs because dcn32_enable_phantom_plane() calls kvzalloc() within a softirq-disabled region, triggering BUG_ON(in_interrupt()).
In the Linux kernel's Btrfs filesystem, a bug was found where the dirty_pages io tree was prematurely cleared after a failed write during transaction commit. This caused dirty extent buffers to not be properly cleaned up during unmount, leading to warnings and potential data loss.
In the Linux kernel AMD IOMMU driver, a missing bounds check for the device ID (devid) in __rlookup_amd_iommu() caused an out-of-bounds read and a general protection fault (GPF) at boot when a PCI device was not described in the IVRS table.
A vulnerability was found in the Linux kernel's kexec mechanism. After recent changes, in a non-kjump kexec path the return address is no longer pushed onto the stack, causing purgatory code to attempt reading a non-existent address, leading to a fault and potential system hang.
In the Linux kernel iommu/vt-d driver, a vulnerability was found causing NULL pointer dereference or refcount corruption. The issue occurs when teardown operations are executed without checking if the dev_pasid structure exists, potentially leading to system crash or memory safety violation.
A vulnerability in the Linux kernel's pci_dev_reset_iommu_done() function was found where the IOMMU group domain pointer can be NULL if default domain allocation fails during first probe. This leads to a NULL pointer dereference and system crash when attempting to re-attach the device to the domain.
In the Linux kernel, the gma500 DRM driver for Oaktrail LVDS displays has a bug causing a hang during initialization. The LVDS init code retrieves an I2C adapter via i2c_get_adapter() and on failure attempts to deregister and free also that adapter, which was not allocated by the driver. Since i2c_get_adapter() increments the reference count, the deregistration waits indefinitely for the reference to be released, resulting in a permanent hang.
In the Linux kernel ARM MPAM subsystem, a NULL pointer dereference vulnerability was found in __destroy_component_cfg(). The issue occurs when the function is called from mpam_disable() before the configuration array is allocated, leading to a system crash.
OpenProject before versions 17.3.3 and 17.4.1 contains a SQL injection vulnerability in the timestamps functionality. Attackers can exploit the timestamps parameter to execute unauthorized database queries.
In OpenProject before versions 17.3.3 and 17.4.1, there is a CSRF vulnerability on the /users/:id path via the POST parameter user[admin]. An attacker can exploit this to unauthorizedly change admin privileges.
OpenProject versions prior to 17.3.3 and 17.4.1 store the OneDrive/SharePoint userless OAuth access token in plaintext in Rails.cache under a deterministic key. The token is continuously refreshed by an hourly cron and OAuth call sites, and none of the allowed cache backends (file_store, memcache, redis) encrypt data at rest.
In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability exists in the endpoint /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]". A project administrator can hijack the managed Nextcloud or OneDrive folder of another project on the same storage, leading to unauthorized resource access.
OpenProject before versions 17.3.3 and 17.4.1 has a vulnerability due to unrestricted data-* attributes in <macro> elements in the HTML sanitizer. An attacker can inject data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(), executing arbitrary Turbo Stream actions including redirect_to to an attacker-controlled server.
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE).
In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public queries from another project where they lack such permissions.
In RustFS 1.0.0-beta.4, authenticated users with PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: no ../ sanitization in tar entry key normalization, IAM wildcard matching using raw (uncleaned) paths, and filesystem path cleaning resolving ../ across bucket boundaries.
A vulnerability in OpenProject prior to version 17.4.0 allows disclosure of private work package data from a linked work package belonging to an inaccessible project via a GET request to the API endpoint.
A vulnerability in OpenProject before versions 17.3.3 and 17.4.1 allows the journal diff endpoint to disclose hidden historical field values without enforcing object and field visibility.
The official openproject/openproject Docker image ships with a default SECRET_KEY_BASE=OVERWRITE_ME, which combined with cookies_serializer = :marshal allows any logged-in user a deterministic Marshal-deserialization path via the /my/two_factor_devices cookie reader. This vulnerability is fixed in a later version.

