CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-44975
Medium

Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user could reset onboarding for all users in the system.

CVE-2026-44967
Medium

OpenTelemetry-cpp prior to version 1.27.0 has a vulnerability where the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This can lead to memory exhaustion when the configured collector endpoint is attacker-controlled.

CVE-2026-44208
Medium

Frappe is a web application framework that prior to versions 15.107.0 and 16.17.0 lacked validations in the 'submit_discussion()' endpoint, allowing unauthorized access to resources.

CVE-2026-44207
Medium

Frappe is a web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allowed authenticated users to access other users' email configuration details.

CVE-2026-44206
Medium

Frappe is a web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration was possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.

CVE-2026-8694
Medium

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

CVE-2026-53722
Medium

The Nuxt framework prior to versions 3.21.7 and 4.4.7 did not validate the URL scheme for values bound to the to or href attributes of the <NuxtLink> component. This allows attackers to inject malicious scripts, leading to reflected XSS attacks.

CVE-2026-47739
Medium

Frappe is a web application framework, and prior to versions 15.106.0 and 16.16.0, there was a stored XSS vulnerability in the Note module due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0.

CVE-2026-47244
Medium

Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final, does not limit the number of active streams in HTTP/2, potentially leading to excessive resource consumption. The lack of a default limit on the maximum number of streams can result in the creation of hundreds of thousands of stream objects in a single TCP connection.

CVE-2026-47141
Medium

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins that can be used by sandboxed code to observe host application data.

CVE-2026-45673
Medium

Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final, used a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning.

CVE-2026-45536
Medium

In versions prior to 4.1.135.Final and 4.2.15.Final of the Netty framework, there is a vulnerability related to improper handling of SCM_RIGHTS messages, leading to file descriptor leaks. Due to incorrect message length handling, two file descriptors may be installed in the receiving process but not closed.

CVE-2026-44205
Medium

Frappe is a web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allowed an attacker to execute malicious scripts in the browsers of other users.

CVE-2026-41581
Medium

Frappe is a web application framework. Prior to versions 15.106.0 and 16.16.0, there was a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.

CVE-2026-49993
Medium

Nuxt is an open-source web development framework for Vue.js. In versions @nuxt/rspack-builder and @nuxt/webpack-builder from 3.15.4 to before 3.21.7 and from 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g, which may lead to source code theft during development.

CVE-2026-47200
Medium

In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as in @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, enabling the experimental.componentIslands option caused .server.vue files under pages/ to be automatically registered as server islands. Requests through the /__nuxt_island/:name endpoint rendered the page component directly without instantiating Vue Router, resulting in route middleware not running.

CVE-2026-46342
Medium

In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as in @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders island components without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs. This issue has been patched in versions 3.21.6 and 4.4.6.

CVE-2026-45670
Medium

In versions @nuxt/rspack-builder and @nuxt/webpack-builder from 3.15.4 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during development when the dev server is bound to a non-loopback address.

CVE-2026-45669
Medium

Nuxt is a web development framework that in versions from 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 has an issue with the navigateTo() function. Using external: true generates an HTML redirect with a <meta http-equiv="refresh"> tag, allowing for injection of malicious code.

CVE-2026-1836
Medium

The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.

PreviousPage 132 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS