CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-57924
Medium

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details.

CVE-2026-57923
Medium

In JetBrains YouTrack before 2026.2.16593, improper authorization in the app configurations endpoint allowed unauthorized modification of project settings.

CVE-2026-57922
Low

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible.

CVE-2026-57921
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint.

CVE-2026-53914
Medium

In JetBrains Kotlin before version 2.4.20, a vulnerability was found that allows code execution via unsafe deserialization in the build cache metadata.

CVE-2026-13426
Medium

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components.

CVE-2026-57920
High

A vulnerability in Peplink InControl 2 up to version 2.14.2 before 2026-06-03 allows bypassing access-control rules for certain /rest/o/{orgId} endpoints by using a semicolon.

CVE-2026-57915
High

A vulnerability in Apache Kerby allows bypassing the Kerberos pre-authentication check by sending a PA-DATA with an unrecognized or unsupported type. An attacker can gain access without proper authentication.

CVE-2026-40711
High

An OS Command Injection vulnerability in Dell Container Storage Modules (csi-powerstore, csi-unity, csi-powerflex, csi-powermax version 2.16.0) allows a high-privileged attacker with remote access to execute arbitrary operating system commands.

CVE-2025-64152
Critical

A path traversal vulnerability has been discovered in Apache IoTDB, allowing access to files outside the restricted directory. The issue affects versions from 1.0.0 to 1.3.5 and from 2.0.0 to 2.0.6.

CVE-2025-55017
Critical

A Path Traversal vulnerability has been discovered in Apache IoTDB, allowing bypass of file path restrictions. The issue affects versions from 2.0.0 before 2.0.6 and from 1.0.0 before 1.3.6.

CVE-2026-57914
Medium

Sending a deeply nested ASN1 structure to an Apache Kerby client or service can trigger a StackOverFlow exception, leading to denial of service (DoS).

CVE-2026-57620
Medium

The Exclusive Addons Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper input neutralization during page generation. The flaw affects all versions up to and including 2.7.9.8.

CVE-2026-57918
High

A vulnerability in libnfs up to version 6.0.2 before commit 935b8db causes an integer underflow in the xid field in the READ_IOVEC function in lib/socket.c. The issue occurs when connecting to a crafted NFS server, where the expected PDU size exceeds the absolute PDU size from the xid/record-marker.

CVE-2026-57913
High

A vulnerability in Johnson & Johnson Audit Tracking Management System (ATMS) before April 21, 2026 allows unauthorized viewing of meeting minutes and transcripts.

CVE-2026-57912
High

The vulnerability in Johnson & Johnson Campus Recruiting before October 31, 2025 allows unauthorized viewing of data provided by recruited students and notes entered about students by interviewers.

CVE-2026-57473
Medium

A vulnerability in the netclient and factory services of Reolink Home Hub (versions prior to v3.3.0.456_26031911) allows brute-force credential cracking. Attackers on the same local network can intercept traffic between the Hub and cameras and compromise camera credentials.

CVE-2026-13325
High

A serious flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket.

CVE-2025-7958
High

A Code Injection vulnerability in Trellix Network Security CM and NX allows a locally authenticated admin user to execute arbitrary code using the web interface and Alert artifact details.

CVE-2026-6658
Medium

A vulnerability in jupyter/nbconvert versions up to 7.17.0 allows Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag.

PreviousPage 151 of 4537Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS