CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In the Linux kernel, a use-after-free vulnerability was found in the HMM test (lib: test_hmm). When closing a file via dmirror_fops_release(), the dmirror struct is freed without first migrating device private pages back to system memory, leaving a dangling pointer. A subsequent page fault (e.g., during coredump) can dereference this stale pointer, causing a kernel panic.
In the Linux kernel, a vulnerability was found where allocation tags (codetags) are not initialized for pages allocated before the page_ext structure is set up. This causes warnings and potential errors when such pages are freed, especially in configurations with memory allocation profiling debugging enabled.
In the Linux kernel, a vulnerability was found in the zone_device memory management. After calling ->folio_free(), the device folio must not be accessed as it may be immediately reallocated by a driver with a different order. The fix uses a local stack variable instead of re-reading the folio when calling percpu_ref_put_many().
OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions.
OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, leading to the execution of scripts on the server.
OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions.
A security flaw has been discovered in the imvks786 student management system that allows SQL injection attacks by manipulating the a_usr/a_pwd arguments in the admin/admin_login.php file. The attack can be carried out remotely.
A vulnerability was identified in the imvks786 student management system affecting an unknown function of the file /index.ph of the Login component. Manipulation of the arguments usr/pwd leads to SQL injection.
A memory allocation with excessive size vulnerability in Apache HTTP Server's mod_http allows an attacker to cause a denial of service via malicious HTTP requests. The issue affects versions from 2.4.17 through 2.4.67.
CVE-2026-49755 is a vulnerability related to improper handling of highly compressed data in the Req library, allowing attackers to exhaust memory in a Req client via decompression-bomb responses.
Use After Free vulnerability in the mod_http2 module of Apache HTTP Server occurs when file handles are already exhausted. This affects Apache HTTP Server versions from 2.4.55 to 2.4.67.
Bludit is a content management system that has a vulnerability in user management logic in versions prior to 3.22.0. It allows deactivated accounts to maintain access via persistent authentication tokens.
Bludit is a content management system that has a Broken Access Control flaw in versions prior to 3.22.0. Active sessions remain valid even after the corresponding user account has been physically deleted from the database, allowing unauthorized access to the system.
Flowise, a user interface for building customized large language model flows, had a vulnerability prior to version 3.1.2 that allowed cross-workspace evaluator takeover through mass-assignment. This issue has been patched in version 3.1.2.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover.
Flowise prior to version 3.1.2 had unauthenticated CRUD endpoints for OpenAI Assistants Vector Store that were not protected by authentication middleware. The route /api/v1/openai-assistants-vector-store was not in WHITELIST_URLS and lacked permission checks for operations.

