CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability in Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 causes the SAML service provider implementation to silently skip SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting.
An unauthenticated attacker can obtain a valid OAuth access token for any Rocket.Chat user by sending a single HTTP POST with MongoDB query operators to the /oauth/token endpoint. The OAuth2 server does not validate that grant parameters are strings, allowing substitution of values like {"$ne": null} and receiving an access token for the first matched user.
In Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, the CAS login handler forwards the client-supplied `credentialToken` value directly into a MongoDB `findOne({_id: ...})` query without any runtime type check. An unauthenticated attacker can substitute a NoSQL query operator (e.g., `{"$gt": ""}`) for the expected ticket string, matching the first unexpired document in the `credential_tokens` collection and completely bypassing the CAS ticket check.
FOSSBilling versions 0.7.2 and prior have a vulnerability in the guest API that allows the creation of new administrator accounts even when one already exists. A flaw in the admin existence check enables an attacker to bypass protections.
Ghost is a Node.js content management system. In versions up to 6.37.0, when Ghost is behind a shared caching layer, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response.
Rclone versions 1.46.0 through 1.74.2 have a vulnerability in server mode (rcd --rc-serve) that allows unauthenticated GET and HEAD requests to execute arbitrary system commands. An attacker can craft special URLs to initialize backends with options that run local commands.
Use after free in WebGL in Google Chrome on Android prior to version 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
A use-after-free vulnerability in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
A vulnerability in concurrent-ruby up to version 1.3.6 allows any thread to release a write lock without authorization, potentially breaking mutual exclusion. Additionally, release_read_lock can decrement the shared counter below zero, causing ResourceLimitError on read lock acquisition.
In the Linux kernel, an off-by-one vulnerability was found in the bcmgenet driver's bcmgenet_put_txcb function. The write_ptr points to the next free tx_cb, but the function returned it before rewinding the pointer, causing incorrect cleanup of transmission buffers.
In the Linux kernel, a race condition was found in the bcmgenet driver's timeout handler. The handler aggressively stopped all transmit queues when only one queue timed out, causing race conditions with other active queues.
In the Linux kernel's hisilicon/sec2 crypto driver, a use-after-free vulnerability was found. Under heavy system load, hardware may complete packet processing and free the request memory (req) before the transmission function finishes, causing an error. The fix replaces the req pointer with the qp_ctx structure, which persists throughout the packet sending process.
In the Linux kernel, the GFS2 filesystem lacked proper log locking in the gfs2_logd() function. Log flushing functions were called without holding the required sdp->sd_log_flush_lock, potentially causing conflicts with concurrent transactions. A new __gfs2_log_flush() function and proper locking were added.
In the Linux kernel, a use-after-free vulnerability was found in the ksmbd module related to the Qualcomm Crypto Engine (QCE). The ksmbd_crypt_message() function does not properly handle the -EINPROGRESS return code from the hardware crypto engine, leading to premature memory freeing and a system crash.
In the Linux kernel, the memory driver for Tegra124-EMC had a reversed logic check for whether DLL is enabled in the EMRS register. The fix corrects the condition to properly check if bit A0 is low (indicating DLL enabled).
In the Linux kernel's OCFS2/DLM filesystem, a vulnerability was found due to missing validation of the qr_numregions field in dlm_match_regions(). A crafted DLM_QUERY_REGION network message can set this value above the allowed maximum (32), causing out-of-bounds reads of the qr_regions buffer. Additionally, an off-by-one error in the comparison loop was fixed.
A use-after-free vulnerability was found in the Linux kernel's ksmbd module in the smb2_open function during durable file descriptor reconnection. Premature release of the fp reference leads to accessing freed memory when accessing file properties like fp->create_time.
A vulnerability was found in the Linux kernel's icmpv6_rcv() function for IPv6. Caching source and destination addresses before calling pskb_pull() can lead to a use-after-free (UAF) because pskb_pull() may change the skb->head pointer.
In the Linux kernel netfilter/conntrack subsystem, a stack-out-of-bounds write vulnerability was found in the mangle_content_len() function. The fix replaces sprintf() with scnprintf() and increases the buffer size.
In the Linux kernel, a vulnerability in the netfilter nfnetlink_osf module causes an out-of-bounds read during TCP option matching. The issue occurs because the shared ctx->optp pointer is not restored after an early return in nf_osf_match_one(), leading to garbage data reads and incorrect logging when NF_OSF_LOGLEVEL_ALL is enabled.

