CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Spring Boot does not enable hostname verification in mail auto-configuration. Applications that set the relevant JavaMail property are not affected.
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not 'text/html'. This can lead to a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.
The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'oum_location_notification' parameter in versions up to and including 1.4.31 due to insufficient input sanitization and output escaping.
ImageMagick prior to version 7.1.2-25 contained a vulnerability that allowed for a heap buffer over-write when encoding a crafted multi-frame image with the SF3 encoder.
ImageMagick prior to version 7.1.2-25 has a small memory leak issue when providing invalid options to the wand option parser.
ImageMagick prior to versions 6.9.13-50 and 7.1.2-25 had a vulnerability that led to a null pointer dereference when passing incorrect arguments in the distort operation. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
ImageMagick prior to versions 6.9.13-50 and 7.1.2-25 has a memory allocation issue in CheckPrimitiveExtent, which can lead to a heap-use-after-free error and application crash.
ImageMagick prior to versions 6.9.13-48 and 7.1.2-24 had an issue with incorrect parsing of filenames, which could lead to a policy bypass and reading disallowed files using symlinks.
ImageMagick prior to versions 6.9.13-48 and 7.1.2-24 had a missing check of a return value, which could lead to a heap buffer over-write in the MAT decoder on 32-bit systems. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
ImageMagick prior to versions 6.9.13-49 and 7.1.2-24 had a stack overflow vulnerability due to a missing depth or visited-set check in MVG files. This issue has been patched in the mentioned versions.
ImageMagick prior to versions 6.9.13-49 and 7.1.2-24 contained a flaw that could lead to an infinite loop during the subimage-search operation when using a crafted image. This issue has been patched in versions 6.9.13-49 and 7.1.2-24.
ImageMagick prior to version 7.1.2-24 has a heap buffer over-write vulnerability when using an image with a mask with the Floyd-Steinberg dithering method.
Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability that allows a client with push access to send a small crafted pack, leading to the allocation of a huge amount of memory. The issue affects versions from 0.1.0 to 1.2.5 and is patched in version 1.2.5.
Boxlite is a sandbox service that allows users to create lightweight virtual machines and launch OCI containers. In versions 0.8.2 and prior, Boxlite uses the SIGALRM signal to terminate processes after a timeout, which can be exploited by malicious code to continue running, leading to resource exhaustion.
ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed an attacker to cause a heap buffer over-read in the server process if they could connect to a magick -distribute-cache service.
ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 had a distributed pixel cache that operated without a challenge-response authentication model. Changes have been made in newer versions to enhance security.
ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed an attacker to hijack a file descriptor in the server process when a race condition occurred. This issue has been patched in the mentioned versions.
ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed an attacker to perform a heap buffer over-write in the server process if they had access to the magick -distribute-cache service.
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check, allowing authenticated users to access model data despite restrictions set by developers.

