CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-53821
High

OpenClaw before version 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections.

CVE-2026-53608
High

ApostropheCMS versions up to 1.4.2 of the `@apostrophecms/seo` package injects Google Analytics and Google Tag Manager IDs without proper sanitization. Users with editor-level access can set these fields to malicious values, leading to stored XSS attacks.

CVE-2026-49396
High

Nezha Monitoring is a tool for monitoring servers and websites. In versions from 1.0.0 to before 2.0.14, a malicious cross-site GET request can trigger stored cron commands on a victim's agents. This issue has been patched in version 2.0.14.

CVE-2026-48119
High

Nezha Monitoring is a tool for monitoring servers and websites. In versions from 0.20.0 to before 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12.

CVE-2026-47120
High

Nezha Monitoring versions from 1.4.0 to before 2.0.8 allow RoleMember to trigger other users' cron tasks without ownership checks. This issue has been patched in version 2.0.8.

CVE-2026-46717
High

Nezha Monitoring is a tool for monitoring servers and websites, which in versions from 1.4.0 to before 2.0.8 allows users with the RoleMember role to make unauthorized HTTP requests. As a result, users can send requests to URLs they control and receive responses, creating a risk of data exposure.

CVE-2026-41158
High

Software running as a non-privileged user may conduct GPU system calls, allowing writes to arbitrary freed physical pages. This can lead to unauthorized access to memory.

CVE-2026-34195
High

Software running as a non-privileged user may conduct intentional GPU sparse memory API calls, leading to out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping.

CVE-2025-7017
High

CVE-2025-7017 is a heap buffer out-of-bounds read vulnerability in the Avira Antivirus engine when scanning a malformed Windows MSI file. This may allow Local Execution of Code or Denial-of-Service of the antivirus engine process.

CVE-2025-7011
High

A heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process.

CVE-2025-7009
High

CVE-2025-7009 describes a heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file, which may allow Local Execution of Code or Denial-of-Service of the antivirus process.

CVE-2025-7008
High

CVE-2025-7008 describes a heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file with .NET metadata, which may allow Local Execution of Code or Denial-of-Service of the antivirus process.

CVE-2025-7004
High

Avast Antivirus has a heap buffer out-of-bounds write vulnerability when scanning a malformed Windows PE file, which may allow Local Execution of Code or Denial-of-Service of the antivirus process.

CVE-2025-7003
High

A heap buffer out-of-bounds read vulnerability exists in the Avira Antivirus engine when scanning a malformed PDF file. This may allow Local Execution of Code or Denial-of-Service of the antivirus engine process.

CVE-2025-7002
High

CVE-2025-7002 describes a heap buffer out-of-bounds read vulnerability in the Avira Antivirus engine that may occur when scanning a malformed PDF file. This may allow local code execution or denial-of-service of the antivirus engine process.

CVE-2026-54057
High

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization.

CVE-2026-54056
High

In versions 0.47.0 and 0.47.1 of the Kitty terminal, the `kitten dnd` feature can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. The issue arises from the lack of de-duplication of filenames on case-sensitive filesystems.

CVE-2026-4870
High

IBM Qiskit SDK versions 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser.

CVE-2026-45013
High

ApostropheCMS is a Node.js content management system that in versions up to 4.29.0 has a vulnerability in the password reset process. This vulnerability allows an attacker to send a crafted reset request that results in a reset link being sent to the attacker's domain.

CVE-2026-45012
High

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow, allowing an attacker to force the server to fetch attacker-controlled URLs.

PreviousPage 147 of 3365Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS