CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2017-20240
Medium

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. The use of Perl's built-in eq comparison may allow an attacker to guess the underlying derived key by analyzing timing discrepancies.

CVE-2026-49347
Medium

Quest Bot is an open-source Discord bot that, prior to version 1.1.8, allowed users to repeatedly create new ticket channels without restrictions. The latest version still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking if the same user already has an open ticket.

CVE-2026-11848
Medium

The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information.

CVE-2026-50634
Medium

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter allows for processing metadata that was not authenticated by the accepted signature. This can bypass the application's assumptions regarding `Content-Type` or protected HTTP-header metadata.

CVE-2026-50630
Medium

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. The 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters, allowing an attacker to inject arbitrary HTTP headers or split the HTTP response entirely.

CVE-2026-50629
Medium

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files.

CVE-2026-50623
Medium

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker.

CVE-2026-48914
Medium

A flaw was found in QEMU's virtio-blk device due to improper validation of input descriptor sizes before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request.

CVE-2026-11847
Medium

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.

CVE-2026-11844
Medium

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope.

CVE-2026-12058
Medium

The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.

CVE-2026-9271
Medium

Vulnerability CVE-2026-9271 affects a specific component that may be susceptible to attacks. In particular, it could lead to unauthorized access or data disclosure.

CVE-2026-12060
Medium

Heptabase developed by Hepta Platforms has an Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.

CVE-2026-48613
Medium

CVE-2026-48613 describes an SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data. This allows for the execution of arbitrary SQL queries on phpBB forums that were updated from versions prior to phpBB 3.3.8 and have not yet been updated to 3.3.11 or newer.

CVE-2026-20746
Medium

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

CVE-2026-9125
Medium

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to and including 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function.

CVE-2026-49482
Medium

ClipBucket v5 is an open source video sharing platform that prior to version 5.5.3 - #141 contained improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user could send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request.

CVE-2026-47238
Medium

ClipBucket v5 is an open source video sharing platform. In versions prior to 5.5.3 - #133, a normal authenticated user could edit another user's video subtitles due to a lack of authorization.

CVE-2026-45173
Medium

The Idira Identity Browser extension for Chrome, Firefox, and Edge versions prior to 26.8.1 has an origin validation flaw in its internal web-page verification routines. An authenticated user navigating to a specially crafted webpage could allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session.

CVE-2026-12033
Medium

In Google Chrome prior to version 149.0.7827.115, an out of bounds read in VideoCapture allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page.

PreviousPage 133 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS