CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
OS command injection vulnerability in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib. An attacker controlling dependency version strings in package.json can execute arbitrary commands on the CDK toolchain host via injected shell metacharacters.
An insertion of sensitive information into sent data vulnerability in HubSpot allows retrieval of embedded sensitive data. This issue affects HubSpot from n/a through 11.3.51.
A CSRF vulnerability in VikBooking Hotel Booking Engine & PMS allows an attacker to perform operations leading to Path Traversal. This issue affects all versions up to and including 1.8.12.
A vulnerability in the HTTP/2 HPACK decoder in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.
CWE-117 vulnerability in Kibana allows injection of unsanitized data into logs. An attacker can supply specially crafted input that is written to log files without proper neutralization. When logs are viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.
In containerd prior to versions 1.7.32, 2.0.9, 2.2.4, and 2.3.1, containers with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This allows bypassing the Kubernetes runAsNonRoot restriction if a crafted image maps this large numeric string to root in /etc/passwd, causing the container to run as root (UID 0).
JAIOTlink C492A-W6 Wi-Fi IP cameras with firmware 4.8.30.57701411 contain a remote code execution vulnerability. An authenticated attacker can write a malicious script to persistent JFFS2 storage and trigger execution via an HTTP endpoint, achieving persistent control over the device.
JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain an OS command injection vulnerability. An authenticated attacker can achieve remote code execution by supplying a malicious Wireless parameter to the HTTP PUT NetSDK/Factory SetMAC endpoint.
Ray prior to version 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader. An attacker can achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers.
An uncontrolled resource consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.
A vulnerability in the DMG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) or other impacts due to memory corruption on an affected device. The issue stems from improper boundary checks during DMG scanning, leading to an integer overflow on 32-bit platforms only.
A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition or other impacts due to memory corruption. The issue stems from improper boundary checks during ALZ file scanning, leading to an out-of-bounds buffer write.
A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition or other impacts due to memory corruption. The issue stems from improper boundary checks in PESpin files during scanning, potentially leading to an out-of-bounds buffer write.
A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This is due to improper handling of temporary resources during file scanning.
A vulnerability in the 7z file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other impacts from memory corruption. The issue is due to improper boundary checks for content in 7z files during scanning, which may result in an out-of-bounds buffer write.
A vulnerability in the FSG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition or other impacts due to memory corruption. The issue stems from improper boundary checks during FSG file scanning, leading to an out-of-bounds buffer write.
A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other impacts, due to memory corruption. The issue stems from improper boundary checks in PE files, leading to an out-of-bounds buffer write.
A vulnerability in Cisco Catalyst Center allows an unauthenticated, remote attacker to read arbitrary files from a restricted container. The issue is due to insufficient validation of user-supplied input.
NVIDIA Triton Inference Server for Linux has a vulnerability involving improper handling of highly compressed data. An attacker could exploit this flaw, potentially leading to a denial of service (DoS).

