CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. In versions prior to 2.3.0, the regex used in the URL download feature for blocking private IP addresses does not match IPv4-mapped IPv6 addresses, allowing SSRF protection to be bypassed on dual-stack systems.
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names into shell commands executed via subprocess.run() with shell=True. An authenticated user controlling a git repository can create a branch or tag with shell metacharacters to achieve remote code execution on the pulp worker.
A denial of service issue exists in the affected product due to a fault occurring when a crafted CIP message is sent. Devices with less memory are more likely to be affected.
An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint.
A denial-of-service issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover.
A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
A security issue exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows attackers to abuse the exposed Connection ID’s visible on the web interface to perform denial-of-service attacks, resulting in a minor fault.
Memory safety bugs exist in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151, and Thunderbird 151. Some of these bugs showed evidence of memory corruption, which could potentially be exploited to run arbitrary code.
Memory safety bugs were found in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption, which could potentially allow arbitrary code execution. The vulnerabilities were fixed in Firefox 152 and Thunderbird 152.
Incorrect boundary conditions in the Graphics: CanvasWebGL component may lead to unexpected application behavior. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Thunderbird 152 as well.
A memory safety bug was fixed in Firefox 152. This vulnerability also affects Firefox ESR 140.12 and Thunderbird 152 and 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability also affects Firefox ESR 140.12 and Thunderbird 152 and 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was also fixed in Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
A memory safety bug was fixed in Firefox 152. This vulnerability was also fixed in Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
The syracom AG Secure Login (2FA) plugin for Atlassian Jira, Confluence, and Bitbucket version 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid login credentials can bypass the two-factor authentication process by sending crafted HTTP requests with a specific User-Agent header.
A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the 'Server location' parameter on the Basic settings page.
The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. Missing authorization checks and insufficient path validation allow attackers to delete files on the server.
The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to and including 5.5.1. The plugin chains three independent flaws that allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without invoking an Administrator-only API.

