CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
ApostropheCMS version 4.29.0 has a stored XSS vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload, allowing a malicious widget to be published on the site.
Discourse is an open-source discussion platform with a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. Chat events for public category channels are published to MessageBus without proper permission scoping, allowing subscribers without chat enabled to receive chat message payloads in real time.
MISP contains multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. This allows authenticated attackers to manipulate fields that should remain server-controlled, leading to unauthorized modification of MISP objects.
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. The controller did not remove a user-supplied id field before saving the submitted data, which may lead to unauthorized modification of existing sharing groups.
MISP contains an insecure default configuration where the Security.check_sec_fetch_site_header control is disabled. This allows remote unauthenticated attackers to send malicious requests to MISP automation endpoints on behalf of authenticated users.
MISP has an incorrect authorization vulnerability that allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization but did not exclude site administrator role accounts from recipient queries.
AgenticMail prior to version 0.9.27 exposed a Streamable HTTP transport without an authentication layer, allowing remote clients to directly call tools. This issue has been patched in version 0.9.27.
Koel is a free, open-source music streaming solution. In versions prior to 9.3.5, Koel did not properly validate podcast episode URLs, allowing for SSRF attacks against internal services.
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal can cause kitty to execute attacker-supplied Python inside the running kitty process with the user's full privileges.
In versions prior to 0.47.0 of the Kitty terminal, it is possible to inject commands into the subshell through a Kitty error. A special escape code causes Kitty to return an error that is not properly escaped and is correctly echoed back to the terminal, allowing it to be executed by the shell in use.
In Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS, improper authorization in the handler for custom URL scheme may allow an unauthenticated user to conduct an escalation of privilege via network access.
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device.
Naxclow devices use a static relay credential that is not rotated and is re-issued to the device on each boot. This credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner.
Parse Server prior to versions 8.6.77 and 9.9.1-alpha.1 is vulnerable to an attack where an unauthenticated user can send a malicious HTTP request, leading to excessive CPU consumption on the server.
A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account.
In Moby, versions prior to 2.0.0-beta.14 and Docker Engine prior to 29.5.1, a race condition during mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path. This can lead to overwriting host files or denial of service.
The form-data library for creating multipart/form-data streams is vulnerable to CRLF injection in the Content-Disposition header. An attacker can inject CR, LF, or double-quote characters via the `field` argument or `filename` option, allowing addition of extra headers or multipart parts. Affects versions up to 4.0.5.
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution.
Insufficient verification of data authenticity in the remote control feature of Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to escalate privileges via local access.

