CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1.
This issue was addressed with improved handling of symlinks. An app may be able to access protected user data.
A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4.
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
A parsing issue in the handling of directory paths was addressed with improved path validation. An app may be able to access sensitive user data.
A permissions issue was addressed with additional restrictions. An app may be able to cause unexpected system termination.
aiograpi is an asynchronous Instagram API for Python. Versions before 0.9.10 accepted server-supplied signup challenge paths, which could lead to building request URLs without prior validation, creating a risk of attacks.
The Fediverse Embeds plugin prior to version 1.5.9 had a vulnerability that allowed unauthorized invocation of the AJAX action wp_ajax_nopriv_ftf_get_site_info, enabling attackers to fetch information from external URLs.
A flaw was found in the admin-ui-ext component of Keycloak related to bulk role removal. Issues with permission checks allow a delegated administrator with limited permissions to remove highly privileged roles from other users or groups.
Axios, a promise-based HTTP client, prior to versions 0.32.0 and 1.16.0, was vulnerable to prototype pollution attacks. As a result, polluted values could be silently captured and used in request headers.
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges.
IBM DevOps Plan versions 3.0.0 through 3.0.6 is vulnerable to HTTP header injection due to improper validation of input in the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.
IBM Langflow Desktop versions 1.0.0 through 1.9.2 are vulnerable to server-side request forgery (SSRF). This allows an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
IBM Security QRadar EDR versions 3.12 through 3.12.24 store user credentials in plain text, which can be read by a local privileged user.
CVE-2026-6338 is a vulnerability affecting HTTP request smuggling and desynchronization in Kong Gateway Enterprise versions 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. The issue is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
Guzzle Services prior to version 1.5.4 has an issue with safely serializing XML element values containing the CDATA terminator `]]>`. An attacker can introduce malicious data, leading to premature closing of the CDATA section and interpretation of the remaining part as XML markup.
The guzzlehttp/psr7 library in versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in URI host components. This can lead to the injection of additional headers by an attacker, posing a risk to applications using user-controlled URLs.
The guzzlehttp/psr7 library in versions prior to 2.10.2 contains improper Host header validation, which can lead to incorrect URI processing in HTTP requests. An attacker can provide a malicious Host header, resulting in a discrepancy between the original value and the URI host value.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.
GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with Security Manager-role permissions could manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.

