CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-6269
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with developer-role permissions could modify hidden merge requests due to incorrect authorization enforcements.

CVE-2026-53912
Medium

Cerebrate before version 1.37 exposed credential data from self-registration requests. User passwords are stored in message data and can be returned in API responses, creating a risk of disclosure.

CVE-2026-53423
Medium

A vulnerability in the membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser does not validate box names, leading to permanent atom allocations.

CVE-2026-1500
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user could have caused denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.

CVE-2026-10733
Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. This issue could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.

CVE-2023-32959
Medium

MetroStore has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels.

CVE-2023-25969
Medium

CVE-2023-25969 describes a missing authorization vulnerability in the ThemeHunk Contact Form & Lead Form Elementor Builder, allowing exploitation of incorrectly configured access control security levels.

CVE-2022-47150
Medium

CSRF vulnerability in weDevs WooCommerce Conversion Tracking allows Cross-Site Request Forgery. This issue affects versions from n/a through 2.0.10.

CVE-2022-45813
Medium

CVE-2022-45813 is a vulnerability in the BeRocket Advanced AJAX Product Filters plugin that has a missing authorization issue, allowing exploitation of incorrectly configured access control security levels.

CVE-2026-53911
Medium

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. This enabled an authenticated attacker to craft edit requests that could modify unrelated records.

CVE-2026-11850
Medium

An integer underflow vulnerability was found in the berval2tl_data() function in MIT krb5, which can lead to out-of-bounds memory reads. The issue occurs when the buffer length (bv_len) is 0 or 1, causing incorrect calculations and reading up to 65534 bytes from a 0-1 byte buffer.

CVE-2025-7064
Medium

CVE-2025-7064 affects the ABB Freelance system and allows authentication bypass due to a primary weakness. It impacts Freelance versions from 2013 to 2024.

CVE-2022-44630
Medium

CSRF vulnerability in YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This affects versions from n/a through 1.16.0.

CVE-2022-42479
Medium

TemplateHouse Soledad has a missing authorization vulnerability that allows access to functionality not properly constrained by access control lists (ACLs). This issue affects Soledad from n/a through 8.2.5.

CVE-2024-32110
Medium

CVE-2024-32110 describes a Cross-Site Request Forgery (CSRF) vulnerability in Magepeople inc.'s WpEvently, allowing for CSRF attacks.

CVE-2023-40200
Medium

CVE-2023-40200 is a vulnerability in the WP Logo Showcase Responsive Slider and Carousel plugin that allows authorization bypass through a user-controlled key. This issue affects versions from n/a to 3.6.

CVE-2026-41001
Medium

Spring Boot uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker can pre-create this predictable directory or place a symlink before the application starts.

CVE-2026-40997
Medium

Several Spring WS integration paths with Spring Security could expose detailed account state information, such as locked or disabled user accounts, through exception messages or callback outcomes. This behavior assists remote attackers in distinguishing valid accounts from invalid ones.

CVE-2026-40996
Medium

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 encrypted key material unless operators explicitly reconfigured the flag.

CVE-2026-40995
Medium

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken for a certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks.

PreviousPage 136 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS