CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-26237
High

A missing authorization vulnerability has been reported to affect QuMagie, allowing remote attackers to access unauthorized data or perform unauthorized actions.

CVE-2026-24724
High

An incorrect authorization vulnerability has been reported to affect File Station 6. A remote attacker with a user account can exploit this vulnerability to bypass intended access restrictions.

CVE-2026-24719
HighEPSS 58%

A command injection vulnerability has been reported in QNAP QTS and QuTS hero operating systems. A remote attacker with an administrator account can exploit this flaw to execute arbitrary commands.

CVE-2026-24716
High

A NULL pointer dereference vulnerability in QNAP operating systems. A remote attacker with an administrator account can exploit it to cause a denial-of-service (DoS) attack.

CVE-2026-22893
HighEPSS 57%

A command injection vulnerability has been reported to affect several QNAP operating system versions. A remote attacker with an administrator account can exploit this vulnerability to execute arbitrary commands.

CVE-2025-66281
High

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit this vulnerability to launch a denial-of-service (DoS) attack.

CVE-2025-66280
High

An integer overflow vulnerability has been reported affecting several QNAP operating system versions. A remote attacker with administrator account access can exploit this vulnerability to compromise system security.

CVE-2025-66279
HighEPSS 57%

A command injection vulnerability has been reported to affect several QNAP operating system versions. A remote attacker with an administrator account can exploit this vulnerability to execute arbitrary commands.

CVE-2025-66273
HighEPSS 57%

A command injection vulnerability has been reported to affect several QNAP operating system versions. A remote attacker with an administrator account can exploit this vulnerability to execute arbitrary commands.

CVE-2025-62850
High

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. A remote attacker with an administrator account can exploit this vulnerability to launch a denial-of-service (DoS) attack.

CVE-2026-45542
High

In the Espressif Internet of Things (IOT) development framework, versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the session-setup path of the protocomm component. The issue arises from trusting the length of a client-supplied protobuf field for the SRP6a username, leading to heap corruption when an oversized value is provided.

CVE-2026-45541
High

In the esp_http_server component, versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0 have a NULL-pointer dereference in the WebSocket subprotocol-negotiation path. This issue can crash the server while processing the Sec-WebSocket-Protocol request header, occurring before any application-level authentication.

CVE-2026-45329
High

In versions 5.5.4 and 6.0 of the ESF-IDF framework, there is a vulnerability where some caller-supplied pointer arguments are not properly validated. This allows access to TEE-exclusive memory, potentially leading to the disclosure of sensitive data.

CVE-2026-44634
High

The SimpleBLE library prior to version 0.14.0 has multiple stack-based buffer overflow vulnerabilities. These affect the Protocol::simpleble_write function in the dongl backend and the processing of manufacturer-specific and service data in BLE advertisements.

CVE-2026-53674
High

BuddyPress version 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver. When username compatibility mode is enabled, attackers can manipulate a REGEXP database clause by crafting mention names containing regex metacharacters.

CVE-2026-53673
High

BuddyPress version 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads.

CVE-2026-46545
High

Nimiq is a Rust implementation of the Proof-of-Stake protocol that prior to version 1.5.0 had a remote, unauthenticated denial-of-service vulnerability in the MerkleRadixTrie::put_chunk method. An attacker could crash any state-sync node.

CVE-2026-46541
High

In versions prior to 1.4.0 of Nimiq, in the handle_dht_get() function, the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with 'DHT inconsistent state' errors.

CVE-2026-46518
High

OpenEMR prior to version 8.0.0.1 contains a stored XSS vulnerability in the prescription multi-print feature. A patient portal user can execute arbitrary JavaScript in a clinician's browser session, violating the trust boundary between patient and clinician.

CVE-2026-46517
High

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded 'trust_remote_code=True' enables HF supply-chain RCE without user opt-in.

PreviousPage 144 of 3344Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS