CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-54030
High

A vulnerability in LibreChat before version 0.8.5 allows a malicious MCP server to steal access tokens intended for a legitimate server. The MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL.

CVE-2026-54029
Medium

A vulnerability in LibreChat before version 0.8.4-rc1 allows any authenticated user to delete any other user's messages. The delete endpoint lacks a user constraint, enabling an attacker to use their own conversation ID and the victim's message ID to permanently remove messages.

CVE-2026-54027
Medium

Vulnerability in LibreChat before version 0.8.4-rc1 allows an authenticated user to upload files to any agent's tool resources (e.g., context, execute code) without verifying ownership or EDIT permission. The authorization bypass is possible by using the image endpoint instead of the file endpoint.

CVE-2026-54025
Medium

LibreChat prior to version 0.8.4-rc1 has a vulnerability due to missing HTML escaping of double-quote characters in image alt text in Markdown. An attacker can inject malicious HTML code that executes in the victim's browser.

CVE-2026-54024
Medium

A vulnerability in LibreChat before version 0.8.4-rc1 allows an authenticated user to upload arbitrarily large files via the conversation import endpoint, potentially exhausting server disk space and memory. The issue stems from missing file size limits in a separate multer instance for this endpoint and a disabled application-level size check by default.

CVE-2026-45233
High

HTMLy CMS version 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint.

CVE-2026-13351
High

The IPv6 stack in Zephyr can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.

CVE-2026-13350
Low

Permissions were checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.

CVE-2026-9718
Medium

A CWE-617 Reachable Assertion vulnerability allows an authenticated attacker to trigger a denial-of-service (DoS) condition by sending a specially crafted request to a vulnerable network-exposed service. This impacts system availability.

CVE-2026-9717
HighEPSS 64%

An OS Command Injection vulnerability (CWE-78) in a network service allows unauthorized execution of commands with elevated privileges. The flaw is triggered when a privileged authenticated user interacts with the vulnerable service.

CVE-2026-9716
High

A CWE-476 NULL Pointer Dereference vulnerability could cause a denial-of-service condition, making the device's HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.

CVE-2026-9651
Medium

CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.

CVE-2026-9650
High

CVE-2026-9650 is a vulnerability related to insufficiently protected credentials, which may lead to unauthorized access and exposure of sensitive information. An attacker with physical access to the device could use these credentials to compromise it.

CVE-2026-57456
High

In Vim prior to version 9.2.0699, the Python omni-completion function executes reconstructed function and class definitions from the current buffer using exec(). During source reconstruction, each scope's docstring is inserted verbatim between triple quotes without escaping, allowing a malicious buffer to break out of the triple-quoted literal and execute attacker-controlled Python code during omni-completion.

CVE-2026-57455
High

In Vim before version 9.2.0698, the spell_soundfold_sofo() function in src/spell.c has a stack out-of-bounds write vulnerability. The copy loop does not check the bounds of the result buffer, allowing data to be written past the allocated stack memory when processing a word longer than MAXWLEN. This corrupts the call frame and crashes the editor.

CVE-2026-57454
Medium

A vulnerability in Vim versions 9.2.0320 through 9.2.0679 allows an out-of-bounds heap memory read via a crafted undo or swap file. A specially crafted file can store a virtual-text property with offset and length pointing outside the line's property data, causing an out-of-bounds read when Vim restores or displays such a line.

CVE-2026-57453
Medium

In Vim from version 9.1.1784 to 9.2.0678, the bundled zip plugin (autoload/zip.vim) when falling back to PowerShell to browse, read, extract, update or delete entries in a zip archive, builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive.

CVE-2026-57452
Medium

Vim before version 9.2.0671 has a vulnerability when opening files encrypted with VimCrypt~04! or VimCrypt~05! (xchacha20poly1305, requires +sodium feature). If the file body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim.

CVE-2026-57451
Medium

In Vim before version 9.2.0670, a vulnerability was found in the get_text_props() function in src/textprop.c. The function reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow, without checking if the actual data amount is sufficient. A crafted line with a large count but little data causes reading past the end of the line buffer, potentially leading to a crash.

CVE-2026-57438
Medium

Vulnerability in the Nokogiri library (versions prior to 1.19.4) for the Ruby language. During XInclude processing, <xi:include> nodes along with children and namespaces are freed, but if the application previously exposed them to Ruby, Ruby objects point to freed memory, which can lead to invalid reads or writes.

PreviousPage 180 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS