CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-46559
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a flaw in JP2 checking that could lead to a heap buffer over-write of a single byte when certain options were specified. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.

CVE-2026-46557
Medium

ImageMagick prior to version 7.1.2-23 has a vulnerability that can lead to a stack overflow in the fx operation due to a missing depth check when passing a crafted argument.

CVE-2026-46521
Medium

ImageMagick prior to versions 6.9.13-48 and 7.1.2-23 contained a vulnerability that allowed for an out of bounds write when using LZMA compression in the MIFF encoder due to a missing check.

CVE-2026-42568
MediumEPSS 75%

In the Yamcs framework, prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in the `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

CVE-2024-21944
Medium

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.

CVE-2026-53742
Medium

Simple Link Directory version 9.0.4 improperly processes shortcode attributes, leading to their reflection in HTML data attributes without proper escaping. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.

CVE-2026-53741
Medium

Simple Link Directory version 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload can break out of the string and run script for every page visitor.

CVE-2026-53740
Medium

The Yoast Duplicate Post plugin up to version 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

CVE-2026-53739
Medium

The Yoast Duplicate Post plugin up to version 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which does not verify nonce or capabilities. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.

CVE-2026-53737
Medium

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

CVE-2026-53736
Medium

Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.

CVE-2026-53634
Medium

Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check.

CVE-2026-48108
Medium

Russh is a Rust SSH client & server library that from version 0.34.0-beta.1 to before version 0.61.0 did not enforce SSH identification-string rules as strictly as OpenSSH. This issue allowed the server to accept malformed identification lines, potentially leading to resource exhaustion during the pre-authentication phase.

CVE-2026-48107
Medium

Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, leading to the use of that count without prior validation of the data.

CVE-2026-46705
Medium

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the user authentication state is kept internally, which may lead to incorrect processing of authentication requests when the user or service changes.

CVE-2026-46523
Medium

In ImageMagick prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free.

CVE-2026-45664
Medium

In ImageMagick prior to versions 6.9.13-47 and 7.1.2-22, a missing check in the MNG coder allows reading more images than the list limit policy permits, resulting in excessive resource consumption.

CVE-2026-45624
Medium

ImageMagick prior to versions 6.9.13-47 and 7.1.2-22 has a vulnerability that allows an out of bounds over-read of 24 bytes when performing polynomial distortion with specific arguments. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.

CVE-2026-45384
Medium

In the bit7z library prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.

CVE-2026-45359
Medium

In ImageMagick prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation.

PreviousPage 138 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS