CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. The use of Perl's built-in eq comparison may allow an attacker to guess the underlying derived key by analyzing timing discrepancies.
Quest Bot is an open-source Discord bot that, prior to version 1.1.8, allowed users to repeatedly create new ticket channels without restrictions. The latest version still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking if the same user already has an open ticket.
The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information.
A vulnerability in Apache CXF's JwsJsonContainerRequestFilter allows for processing metadata that was not authenticated by the accepted signature. This can bypass the application's assumptions regarding `Content-Type` or protected HTTP-header metadata.
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. The 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters, allowing an attacker to inject arbitrary HTTP headers or split the HTTP response entirely.
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files.
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker.
A flaw was found in QEMU's virtio-blk device due to improper validation of input descriptor sizes before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request.
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope.
The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.
Vulnerability CVE-2026-9271 affects a specific component that may be susceptible to attacks. In particular, it could lead to unauthorized access or data disclosure.
Heptabase developed by Hepta Platforms has an Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.
CVE-2026-48613 describes an SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data. This allows for the execution of arbitrary SQL queries on phpBB forums that were updated from versions prior to phpBB 3.3.8 and have not yet been updated to 3.3.11 or newer.
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to and including 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function.
ClipBucket v5 is an open source video sharing platform that prior to version 5.5.3 - #141 contained improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user could send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request.
ClipBucket v5 is an open source video sharing platform. In versions prior to 5.5.3 - #133, a normal authenticated user could edit another user's video subtitles due to a lack of authorization.
The Idira Identity Browser extension for Chrome, Firefox, and Edge versions prior to 26.8.1 has an origin validation flaw in its internal web-page verification routines. An authenticated user navigating to a specially crafted webpage could allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session.
In Google Chrome prior to version 149.0.7827.115, an out of bounds read in VideoCapture allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page.

