CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-12026
Medium

An out-of-bounds read vulnerability in the Video component of Google Chrome on ChromeOS prior to version 149.0.7827.115 allows a remote attacker who has compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-12025
Medium

Insufficient validation of untrusted input in Network in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who compromised the renderer process to leak cross-origin data via a crafted HTML page.

CVE-2026-12024
Medium

Insufficient policy enforcement in DevTools in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

CVE-2026-12015
Medium

Use after free in Autofill in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-53818
Medium

OpenClaw before version 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies. Attackers can invoke owner-only behavior through the affected loopback path.

CVE-2026-53815
Medium

OpenClaw before version 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them, potentially exposing sensitive information.

CVE-2026-53808
Medium

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow. This allows attackers to exploit agent tool calls to set apply: true despite approvalPolicy: pending configuration.

CVE-2026-53781
Medium

The vulnerability in Summarize before version 0.17.0 allows remote attackers to exhaust disk resources by serving media responses that bypass the enforced size limits. This can occur through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests.

CVE-2026-49949
Medium

CodexBar before version 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials. Attackers can redirect credentialed provider requests to unintended hosts or ports, capturing data such as browser cookies, bearer tokens, or API keys.

CVE-2026-45802
Medium

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out.

CVE-2026-53702
Medium

A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). This flaw occurs when parsing a buffering period SEI message, where an incorrect loop bound is used, potentially leading to writes beyond the allocated stack memory bounds.

CVE-2026-53701
Medium

An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition(), the loop iterates without checking that the slice index stays within bounds, leading to writes past three fixed-size arrays.

CVE-2026-47250
Medium

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments.

CVE-2026-47177
Medium

Quest Bot is an opensource modern Discord Bot that prior to version 1.0.4 allowed users to configure bot settings, including the ticket transcript channel. Users could set this channel to one they could read, leading to the exposure of private ticket messages.

CVE-2026-47176
Medium

Quest Bot is an open-source modern Discord Bot that, prior to version 1.0.4, allowed users to configure logging settings, resulting in the logging of deleted and edited message contents from every channel, including private ones that the configuring user could not access.

CVE-2026-47173
Medium

Quest Bot is a modern Discord bot that, prior to version 1.0.3, allowed normal users to create tickets with reasons containing @everyone, @here, user mentions, or role mentions. When the ticket was created, the bot posted the attacker-controlled reason into the new ticket channel without suppressing mentions.

CVE-2026-47167
Medium

In the Vim text editor prior to version 9.2.0496, a code injection vulnerability exists in the s:stepmatch() function of the cucumber filetype plugin. Step-definition patterns read from .rb files can be exploited to execute arbitrary Ruby commands, posing a risk of executing malicious code.

CVE-2025-46313
Medium

A logging issue was addressed with improved data redaction. An app may be able to access sensitive user data.

CVE-2025-46308
Medium

An authorization issue was addressed with improved state management. An app may be able to leak sensitive user information.

CVE-2025-46293
Medium

The issue concerns improper handling of symlinks, which may allow an app to access protected user data. It is fixed in macOS Sequoia 15.4.

PreviousPage 134 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS