CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A vulnerability has been found in arc53 DocsGPT up to version 0.18.0 in the encrypt_credentials function within application/security/encryption.py. It involves insufficient verification of data authenticity, potentially allowing remote attacks. Although the exploit is difficult, it has been published and may be used.
A vulnerability was found in skypilot up to version 0.12.0, affecting the username.encode function in sky/users/server.py of the User ID Handler component. Manipulation leads to use of weak hash, enabling a remote attack with high complexity.
In Zephyr's BSD-sockets getaddrinfo() implementation, a use-after-return vulnerability occurs when a semaphore wait times out and the code retries the DNS query without canceling the previous one, leaving a stale stack pointer active. A subsequent DNS response or delayed timeout can overwrite stack memory, leading to crashes or memory corruption.
The Microchip SERCOM-G1 UART driver for PIC32CM-JH SoCs has an out-of-bounds write vulnerability in the asynchronous (DMA) receive path. When uart_rx_enable() is called with a 1-byte receive buffer and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR triggers a single-beat DMA transfer while a byte is already pending in the DATA register, causing a one-byte write past the buffer end (CWE-787).
In Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client, a NULL pointer dereference vulnerability exists. The unicast_client_ep_qos_state() function writes attacker-controlled QoS fields via the stream->qos pointer, which can be NULL when the stream is codec-configured but not added to a unicast group. A remote ASCS server can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is in Codec Configured state, causing a write through NULL and a crash (denial of service).
A vulnerability in Nmap through version 7.99 causes the ipv6_get_data_primitive function to improperly handle IPv6 extension header boundaries, leading to out-of-bounds reads. An attacker can trigger a crash by sending a crafted IPv6 response with a truncated extension header during raw IPv6 scans.
A vulnerability in Flowise before version 3.1.3 allows bypassing the denylist of environment variables for Custom MCP nodes. On Windows, where environment variable names are case-insensitive, using 'node_options' instead of 'NODE_OPTIONS' enables injection of --require options and arbitrary code execution.
A vulnerability in RustDesk allows privilege escalation within a file transfer session. The gating of incoming control messages is based on per-capability flags rather than the session's authorized connection type, and a file transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.
A vulnerability in nghttp2 nghttpx up to version 1.69.0 causes an HTTP/1.1 Upgrade request with a Content-Length header and body to be forwarded onto reusable keep-alive backend connections. A backend interpreting this ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
In MyBB 1.8.40, a limited administrator with user management permissions can assign any usergroup, including the Administrators group (gid 4). The verify_usergroup() function in the user module always returns true, allowing privilege escalation to full administrator permissions.
A vulnerability in Gitea act_runner with Docker backend (up to act 0.262.0) allows bypassing privileged mode restrictions. By passing container options like --pid=host, --cap-add, and --security-opt, a user can access host namespaces and escalate privileges to root.
A vulnerability in 7-Zip for Windows up to version 26.02 allows bypassing the Mark-of-the-Web when extracting a crafted RAR5 archive. The guard mechanism checks for the exact name 'Zone.Identifier' but fails to handle STM records named ':Zone.Identifier:$DATA', which NTFS canonicalizes to the same stream, overwriting the Internet zone marker with ZoneId=0. A second STM record '::$DATA' overwrites the default data stream of the extracted file, enabling an attacker to bypass SmartScreen/MotW warnings and spoof file content.
In libssh2 up to version 1.11.1, when growing the publickey list with SSH2_REALLOC, new entries are not zero-initialized before parsing populates them. A parse failure reaching the cleanup path causes libssh2_publickey_list_free to operate on an uninitialized entry, potentially freeing an attacker-influenceable attrs pointer.
A vulnerability in libssh2 up to version 1.11.1 allows an attacker-controlled SSH server to read a 32-bit attribute count from a publickey-subsystem response. This count is used for memory allocation without bounds checking, causing multiplication overflow on 32-bit platforms and an undersized buffer. A malicious server can then write past the allocation, leading to a heap buffer overflow in the connecting libssh2 client.
The RASC video decoder in FFmpeg (decode_dlta function in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
The Frontend File Manager Plugin for WordPress up to version 23.6 is vulnerable to authenticated arbitrary file deletion. The issue is a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, allowing an attacker to delete arbitrary files on the server.
In Zephyr's IP socket recvmsg() implementation (sockets_inet.c), the insert_pktinfo() function improperly validates the control buffer size by omitting the cmsg header size, allowing an out-of-bounds write. This affects versions from v3.6.0 through v4.4.0.
A vulnerability in the FreeBSD kernel in the CONS_HISTORY ioctl handler allows an unprivileged local user to perform an out-of-bounds write. A large history size causes an integer overflow in buffer size calculation, resulting in a heap allocation smaller than expected and subsequent write beyond the allocation.
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.
A use-after-free vulnerability was found in the Linux kernel audio drivers. When an audio device is closed, the audio buffer may be freed while the memory mapping remains valid, allowing access to freed kernel memory.

