CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability in Cursor before version 3.0 allows a malicious agent to modify the working_directory parameter, enabling file writes outside the intended workspace. This can lead to remote code execution without user interaction, e.g., by overwriting the cursorsandbox helper.
Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.
In ToolJet prior to version 3.20.178-lts, any authenticated user with builder role (free tier) could overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executed server-side with full Node.js access. The malicious code ran whenever any user on the instance triggered a query using that plugin, leading to remote code execution (RCE) and supply-chain compromise of the entire ToolJet deployment.
The Premmerce Wishlist plugin for WooCommerce versions up to 1.1.11 contains a vulnerability to unauthenticated SQL injection.
There is an unauthenticated SQL injection vulnerability in MDTF versions <= 1.3.7.
SQL Injection vulnerability in YMC Filter allows an attacker to inject malicious SQL code. The flaw affects versions up to and including 3.11.5.
There is a remote code execution (RCE) vulnerability in Widget Options versions <= 4.2.3 that can be exploited by an attacker.
A vulnerability in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) involves accepting extraneous untrusted data along with trusted data. This allows a low-privileged attacker with remote access to execute code on the vulnerable system.
A vulnerability was found in the Linux kernel's TCP stack in the reqsk_queue_hash_req() function. On systems with PREEMPT_RT, preemption between mod_timer() and refcount_set() can cause a timer to fire early, leading to a refcount underflow and use-after-free.
In the Linux kernel, a use-after-free vulnerability was found in the mtk_eth_soc driver. The mtk_free_dev() function calls metadata_dst_free() which frees metadata_dst memory immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer, which can lead to use of freed memory if the driver is torn down while packets still reference the dst.
In the Linux kernel SCTP stack, the cached INIT chunk length in COOKIE_ECHO processing was not validated, potentially leading to out-of-bounds reads and memory corruption.
In the Linux kernel, a vulnerability in the SIT (Simple Internet Transition) IPv6 module uses a stale inner IPv6 header pointer after GSO offloads. The ipip6_tunnel_xmit() function caches the pointer at entry, but iptunnel_handle_offloads() may relocate the skb buffer, causing reads from freed memory.
A vulnerability was found in the Linux kernel's SCTP stack in the __sctp_rcv_asconf_lookup() function. An unauthenticated peer can send a truncated ASCONF chunk that declares an IPv6 address but ends after the parameter header, causing uninitialized memory to be read.
In the Linux kernel, sctp_unpack_cookie() lacked validation of the embedded INIT chunk length and address list length in SCTP cookies. A truncated INIT or oversized address list can cause out-of-bounds reads.
In the Linux kernel, a bug was found in the vti6_tnl_lookup() function causing incorrect tunnel matching for IP6_VTI. During wildcard tunnel fallback search, missing checks allowed hash collisions to match tunnels without actual wildcard addresses.
In the Linux kernel, the mvpp2 driver incorrectly initializes the XDP frame size (frame_sz) to PAGE_SIZE instead of the actual RX buffer size from the BM pool. This allows bpf_xdp_adjust_tail() to grow a packet beyond the allocated buffer, causing memory corruption.
In the Linux kernel, a vulnerability in the mvpp2 driver allows an RX buffer to be returned to the BM pool after being handed to XDP or skb, causing use-after-free. The fix reorders operations to refill the BM pool before handing the buffer to XDP or skb.
In the Linux kernel, the RDMA/SRP driver lacks validation of the sense data length in SRP_RSP responses. A malicious SRP target can set a large resp_data_len, causing an out-of-bounds read beyond the received buffer and a potential page fault.
In the Linux kernel's IB/isert driver, a vulnerability was found due to missing lower bound validation of iSER login PDU length. A remote initiator can send a packet shorter than ISER_HEADERS_LEN (76 bytes), causing an underflow in payload length calculation and resulting in a negative value. This negative length is then used in memcpy(), leading to an out-of-bounds write and system crash.
A use-after-free vulnerability was found in the Linux kernel's IP fragment reassembly mechanism. During network namespace teardown, fqdir_pre_exit() flushes fragment queues without resetting q->fragments_tail and q->last_run_head pointers, which still point to freed skbs. A fragment that obtained the queue before the flush can dereference these pointers upon resumption, causing memory corruption.

