CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2025-43339
Medium

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1.

CVE-2025-43278
Medium

This issue was addressed with improved handling of symlinks. An app may be able to access protected user data.

CVE-2025-30459
Medium

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4.

CVE-2025-30431
Medium

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.

CVE-2025-24268
Medium

A parsing issue in the handling of directory paths was addressed with improved path validation. An app may be able to access sensitive user data.

CVE-2025-24165
Medium

A permissions issue was addressed with additional restrictions. An app may be able to cause unexpected system termination.

CVE-2026-47157
Medium

aiograpi is an asynchronous Instagram API for Python. Versions before 0.9.10 accepted server-supplied signup challenge paths, which could lead to building request URLs without prior validation, creating a risk of attacks.

CVE-2026-46698
Medium

The Fediverse Embeds plugin prior to version 1.5.9 had a vulnerability that allowed unauthorized invocation of the AJAX action wp_ajax_nopriv_ftf_get_site_info, enabling attackers to fetch information from external URLs.

CVE-2026-11986
Medium

A flaw was found in the admin-ui-ext component of Keycloak related to bulk role removal. Issues with permission checks allow a delegated administrator with limited permissions to remove highly privileged roles from other users or groups.

CVE-2026-44490
Medium

Axios, a promise-based HTTP client, prior to versions 0.32.0 and 1.16.0, was vulnerable to prototype pollution attacks. As a result, polluted values could be silently captured and used in request headers.

CVE-2026-11945
Medium

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges.

CVE-2026-4096
Medium

IBM DevOps Plan versions 3.0.0 through 3.0.6 is vulnerable to HTTP header injection due to improper validation of input in the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.

CVE-2026-3341
Medium

IBM Langflow Desktop versions 1.0.0 through 1.9.2 are vulnerable to server-side request forgery (SSRF). This allows an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

CVE-2024-45636
Medium

IBM Security QRadar EDR versions 3.12 through 3.12.24 store user credentials in plain text, which can be read by a local privileged user.

CVE-2026-6338
Medium

CVE-2026-6338 is a vulnerability affecting HTTP request smuggling and desynchronization in Kong Gateway Enterprise versions 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. The issue is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

CVE-2026-53723
Medium

Guzzle Services prior to version 1.5.4 has an issue with safely serializing XML element values containing the CDATA terminator `]]>`. An attacker can introduce malicious data, leading to premature closing of the CDATA section and interpretation of the remaining part as XML markup.

CVE-2026-49214
Medium

The guzzlehttp/psr7 library in versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in URI host components. This can lead to the injection of additional headers by an attacker, posing a risk to applications using user-controlled URLs.

CVE-2026-48998
Medium

The guzzlehttp/psr7 library in versions prior to 2.10.2 contains improper Host header validation, which can lead to incorrect URI processing in HTTP requests. An attacker can provide a malicious Host header, resulting in a discrepancy between the original value and the URI host value.

CVE-2026-9204
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.

CVE-2026-6277
Medium

GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with Security Manager-role permissions could manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.

PreviousPage 135 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS