CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A weakness has been identified in Tenda F451 versions 1.0.0.7 and 1.0.0.9. The affected element is the function fromNatlimit in the file /goform/Natlimit, which can lead to stack-based buffer overflow due to manipulation of the argument page.
CVE-2026-8913 describes a command injection vulnerability in the WireGuard client configuration of the Archer MR600 v5, caused by improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.
A security flaw has been discovered in Tenda F451 versions 1.0.0.7 and 1.0.0.9 in the function formWriteFacMac. Manipulating the mac argument in the file /goform/WriteFacMac leads to OS command injection.
A vulnerability was found in Tenda HG7HG9 and HG10 affecting the function formPPPEdit of the file /boaform/formPPPEdit. Manipulation of the argument encodename results in stack-based buffer overflow.
In the Snipe-IT IT asset management system, versions prior to 8.6.0 have a vulnerability that allows a non-admin user with only the `users.edit` permission to lock all admins out by editing the `activated` flag and the `ldap_import` flag. Version 8.6.0 contains a patch.
In OpenMetadata prior to version 1.12.4, a non-admin SSO user could trigger a TEST_CONNECTION workflow for a Database Service and receive in the HTTP 201 response both the cleartext database password and the ingestion bot JWT.
In the Linux kernel, a vulnerability in the drm/amdgpu/userq driver allows access to a stale wptr mapping. The fix uses drm_exec to lock both vm root bo and wptr_obj bo simultaneously, preventing a race condition during queue creation.
In the Linux kernel, the DRM/XE driver added validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode for CPU cached memory. Using coh_none with CPU cached buffers is a security issue because the GPU can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes.
In the Linux kernel's pmdomain driver for Mediatek platforms, a use-after-free vulnerability was found. The scpsys_get_bus_protection_legacy() function released a device node reference before checking for errors, potentially leading to use of freed memory during error handling.
In the ath5k Wi-Fi driver in the Linux kernel, an out-of-bounds (OOB) array access vulnerability was found. The issue occurs in ath5k_tasklet_tx where ts->ts_final_idx can be 3, leading to an access to rates[ts->ts_final_idx + 1] beyond the array size of 4. This overwrites the adjacent ack_signal field, though the impact is negligible.
A vulnerability was found in the Linux kernel's flow_dissector, which mishandles PPPoE frames with Protocol Field Compression (PFC). Sending a crafted PPPoE PFC frame to a network interface can cause a memory access exception on architectures like MIPS, leading to a system crash.
In the Linux kernel, a vulnerability was found in the NVMe over Fabrics (NVMe-oF) target subsystem where nvmet_ctrl_free() calls flush_work on the same nvmet-wq workqueue, potentially causing a deadlock and triggering a lockdep recursive locking warning.
A vulnerability was found in the Linux kernel's ISO 9660 filesystem (isofs) related to Rock Ridge extension validation. The rock_continue() function reads the extent block number from the CE record without checking if it is within the mounted volume bounds, potentially allowing out-of-range reads or reads from an adjacent filesystem.
A use-after-free vulnerability was found in the Linux kernel's SPI topcliff-pch driver. The issue occurs on driver unbind when the SPI queue is not flushed before releasing DMA buffers.
In the Linux kernel HFS+ filesystem, a held lock is freed without release on an error path in hfsplus_fill_super(). The function fails to release tree->tree_lock before jumping to the out_put_root label after a failed hfsplus_cat_build_key() call, triggering a held lock freed warning.
A buffer overflow vulnerability was found in the Linux kernel in the retrieve_status function of the dm-ioctl module. The bug is due to missing overflow check when aligning the outptr pointer to an 8-byte boundary, which can lead to out-of-bounds write. The vulnerability has no security implications because only root can issue device mapper ioctls and commonly used libraries use 8-byte aligned buffers.
In the Linux kernel, an out-of-bounds access vulnerability was found during output registration in the mpfs-ccc driver. The issue arises from insufficient space allocation in the hws array, which does not account for DLL identifiers, leading to memory access beyond allocated bounds.
A use-after-free vulnerability was found in the Linux kernel's of_unittest_changeset() function. The 'parent' variable points to the same device_node as 'nchangeset', and calling of_node_put(nchangeset) may free memory before the last use of 'parent', causing a use-after-free.
A use-after-free vulnerability was found in the Linux kernel's docg3 driver. The docg3_release() function dereferences freed memory of the docg3 structure after calling doc_release_device().
A buffer overflow vulnerability was found in the Linux kernel's vrealloc_node_align() function. It occurs when shrinking an allocation, as the code copies old_size bytes into a smaller new buffer, causing an out-of-bounds write.

