CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-57913
High

A vulnerability in Johnson & Johnson Audit Tracking Management System (ATMS) before April 21, 2026 allows unauthorized viewing of meeting minutes and transcripts.

CVE-2026-57912
High

The vulnerability in Johnson & Johnson Campus Recruiting before October 31, 2025 allows unauthorized viewing of data provided by recruited students and notes entered about students by interviewers.

CVE-2026-57473
Medium

A vulnerability in the netclient and factory services of Reolink Home Hub (versions prior to v3.3.0.456_26031911) allows brute-force credential cracking. Attackers on the same local network can intercept traffic between the Hub and cameras and compromise camera credentials.

CVE-2026-13325
High

A serious flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket.

CVE-2025-7958
High

A Code Injection vulnerability in Trellix Network Security CM and NX allows a locally authenticated admin user to execute arbitrary code using the web interface and Alert artifact details.

CVE-2026-6658
Medium

A vulnerability in jupyter/nbconvert versions up to 7.17.0 allows Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag.

CVE-2026-1869
Medium

The User Registration & Membership plugin for WordPress up to version 5.2.0 contains a vulnerability due to missing validation in the confirm_payment() function. This allows unauthenticated attackers to bypass payment processing and activate paid memberships.

CVE-2026-11702
High

The Bytes::Random::Secure::Tiny library for Perl (versions up to 1.011) shares internal PRNG state across forked processes. If an object is initialized before forking, all child processes produce identical random streams.

CVE-2026-11625
High

The vulnerability in the Bytes::Random::Secure library for Perl up to version 0.29 causes the internal state of the PRNG to be shared across forked processes. When an object is initialized before forking or the functional interface is used, child processes produce identical random streams.

CVE-2026-57881
Critical

In GeoVision GV-LPC2011 and GV-LPC2211 devices version V1.12 and earlier, a stack-based buffer overflow vulnerability exists in the vlsvr component. An unauthenticated remote attacker can exploit this vulnerability by sending crafted login data with overly long input, leading to memory corruption, denial of service, or potentially remote code execution.

CVE-2026-57880
Critical

A stack-based buffer overflow vulnerability exists in the ssvr component of GeoVision GV-LPC2011 and GV-LPC2211 devices running version V1.12 and earlier. The issue is caused by insufficient bounds checking when parsing RTSP Digest authentication fields. An unauthenticated remote attacker can exploit this by sending a crafted RTSP request with overly long authentication data, leading to memory corruption, denial of service, or potentially arbitrary code execution.

CVE-2026-57879
Critical

A stack-based buffer overflow vulnerability exists in the ssvr component of GeoVision GV-LPC2011 and GV-LPC2211 devices running version V1.12 and earlier. The issue is caused by insufficient bounds checking when processing RTSP custom authentication data. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted RTSP request, potentially leading to memory corruption, denial of service, or arbitrary code execution.

CVE-2026-57878
Critical

An unauthenticated stack-based buffer overflow vulnerability exists in thttpd in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing web request parameters in a specific request path. A remote attacker may exploit this vulnerability by sending a crafted HTTP request with overly long input, resulting in memory corruption, denial of service, or potentially arbitrary code execution.

CVE-2026-57877
High

An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally controlled input during log message formatting in the login processing path. A remote attacker may exploit this vulnerability by sending crafted login data, potentially causing information disclosure, memory corruption, or a denial of service.

CVE-2026-57876
High

In GeoVision GV-LPC2011 and GV-LPC2211 devices version V1.12 and earlier, an out-of-bounds write vulnerability exists in onvif.cgi. Insufficient bounds checking when processing HTTP request body data allows an unauthenticated remote attacker to cause memory corruption and denial of service (DoS) by sending a crafted request with excessive input.

CVE-2026-57875
HighEPSS 66%

A denial of service (DoS) vulnerability exists in GeoVision GV-LPC2011 and GV-LPC2211 devices running firmware V1.12 and earlier. The flaw is caused by improper validation of required HTTP request metadata before use, leading to a NULL pointer dereference and process crash.

CVE-2026-57874
High

A buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier due to insufficient bounds checking when parsing filename values in multipart upload data. An unauthenticated remote attacker may exploit this by sending a crafted upload request with overly long input, causing memory corruption and denial of service.

CVE-2026-57873
High

In GeoVision GV-LPC2011 and GV-LPC2211 devices version V1.12 and earlier, an unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi. The issue is caused by improper validation of multipart upload headers when processing certificate-related fields. A remote attacker can send a malformed multipart request, causing the CGI process to crash and resulting in a denial of service.

CVE-2026-57872
HighEPSS 57%

An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied file path input before the requested file is accessed by the CGI component. A remote attacker may exploit this vulnerability by sending a crafted request to read arbitrary files accessible to the affected process, resulting in information disclosure.

CVE-2026-49486
High

The Apache Airflow FTP provider's FTPS connection does not encrypt the data channel. Although the control channel is TLS-protected, data is transmitted in cleartext, allowing a network attacker to intercept file contents and credentials.

PreviousPage 170 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS