CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A vulnerability in MariaDB server allows a high-privileged user to execute shell commands via the wsrep_sst_receive_address or wsrep_sst_donor global system variables. Affected versions range from 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1.
A vulnerability in MariaDB allows a malicious joiner node to execute arbitrary shell commands on the donor node during the SST (Snapshot State Transfer) process using the rsync method. The issue is caused by insufficient validation of parameters sent by the joiner, which are interpolated into the command line on the donor side.
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Typesense, a typo-tolerant search engine, has an unauthenticated denial-of-service vulnerability in the /multi_search endpoint prior to versions 29.1 and 30.2. A specially crafted request can trigger an unhandled exception, causing the server process to terminate.
A vulnerability in MariaDB allows a malicious joiner node to execute arbitrary shell commands on the donor node during the SST (State Snapshot Transfer) process using the mariabackup method. The issue is caused by insufficient validation of parameters sent by the joiner, which are interpolated into the donor's command line.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, allowing a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests.
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.16 have a vulnerability that allows improper processing of the FileInfo.Name received from federated peers. An attacker controlling a federated server can exploit this vulnerability to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field.
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method directly interpolates user-supplied version strings into filesystem paths without sanitization, enabling access to files outside the intended dataset directory.
Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. They use the built-in rand function, which is predictable and unsuitable for cryptography.
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) have an overly permissive CORS policy, allowing unauthorized domains to make cross-origin requests. This vulnerability is classified as CWE-942 and has an estimated CVSS score of 8.2 (High).
The Aqara IAM/SSO gateway (gw-builder.aqara.com) has a cross-origin request sharing vulnerability due to a permissive cross-domain policy with untrusted domains (CWE-942), with an estimated CVSS score of 8.2 (High).
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads and forwards them to the HiveMQ broker without authentication. This is a missing authentication for critical function (CWE-306) with an estimated CVSS of 8.6 (High). Combined with other vulnerabilities, it can lead to fully unauthenticated remote takeover of affected devices.
A vulnerability in Netty RedisArrayAggregator pre-allocates an ArrayList with a capacity equal to the RESP array element count declared in a header, which can be inflated by a malicious packet. An attacker can send a small header with a falsely large count, leading to excessive memory consumption.
A vulnerability in Netty where wrapping a plain X509TrustManager in X509TrustManagerWrapper bypasses hostname verification. Despite Netty 4.2 defaulting to endpointIdentificationAlgorithm="HTTPS", a client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager) performs no hostname verification at all.
A memory exhaustion vulnerability in Netty before version 4.2.15.Final allows creating an infinite number of blocked streams in the HTTP/3 codec, leading to an OOM error.
A memory leak vulnerability exists in the Netty library when processing the HAProxy PROXY protocol v2. Each connection with a valid header containing nested PP2_TYPE_SSL TLVs at depth two or greater permanently pins the cumulation buffer, even after normal release of the HAProxyMessage object.
A vulnerability in the Netty library causes permanent leakage of pooled direct-memory buffers in the RedisArrayAggregator handler when a Redis pipeline connection closes before RESP array aggregation completes. The leaked buffers prevent memory chunks from being returned to the JVM-wide direct-memory pool, leading to exhaustion. The issue is fixed in versions 4.1.135.Final and 4.2.15.Final.
A vulnerability in the Netty framework allows DNS cache poisoning. An attacker controlling an authoritative name server for a subdomain can inject fake NS and A records into the cache for parent domains like .co.uk.

