CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user could reset onboarding for all users in the system.
OpenTelemetry-cpp prior to version 1.27.0 has a vulnerability where the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This can lead to memory exhaustion when the configured collector endpoint is attacker-controlled.
Frappe is a web application framework that prior to versions 15.107.0 and 16.17.0 lacked validations in the 'submit_discussion()' endpoint, allowing unauthorized access to resources.
Frappe is a web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allowed authenticated users to access other users' email configuration details.
Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration was possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.
Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
The Nuxt framework prior to versions 3.21.7 and 4.4.7 did not validate the URL scheme for values bound to the to or href attributes of the <NuxtLink> component. This allows attackers to inject malicious scripts, leading to reflected XSS attacks.
Frappe is a web application framework, and prior to versions 15.106.0 and 16.16.0, there was a stored XSS vulnerability in the Note module due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.
Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final, does not limit the number of active streams in HTTP/2, potentially leading to excessive resource consumption. The lack of a default limit on the maximum number of streams can result in the creation of hundreds of thousands of stream objects in a single TCP connection.
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins that can be used by sandboxed code to observe host application data.
Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final, used a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning.
In versions prior to 4.1.135.Final and 4.2.15.Final of the Netty framework, there is a vulnerability related to improper handling of SCM_RIGHTS messages, leading to file descriptor leaks. Due to incorrect message length handling, two file descriptors may be installed in the receiving process but not closed.
Frappe is a web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allowed an attacker to execute malicious scripts in the browsers of other users.
Frappe is a web application framework. Prior to versions 15.106.0 and 16.16.0, there was a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
Nuxt is an open-source web development framework for Vue.js. In versions @nuxt/rspack-builder and @nuxt/webpack-builder from 3.15.4 to before 3.21.7 and from 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g, which may lead to source code theft during development.
In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as in @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, enabling the experimental.componentIslands option caused .server.vue files under pages/ to be automatically registered as server islands. Requests through the /__nuxt_island/:name endpoint rendered the page component directly without instantiating Vue Router, resulting in route middleware not running.
In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as in @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders island components without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs. This issue has been patched in versions 3.21.6 and 4.4.6.
In versions @nuxt/rspack-builder and @nuxt/webpack-builder from 3.15.4 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during development when the dev server is bound to a non-loopback address.
Nuxt is a web development framework that in versions from 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 has an issue with the navigateTo() function. Using external: true generates an HTML redirect with a <meta http-equiv="refresh"> tag, allowing for injection of malicious code.
The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.

