CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-46280
High

In the Linux kernel, a use-after-free vulnerability was found in the HMM test (lib: test_hmm). When closing a file via dmirror_fops_release(), the dmirror struct is freed without first migrating device private pages back to system memory, leaving a dangling pointer. A subsequent page fault (e.g., during coredump) can dereference this stale pointer, causing a kernel panic.

CVE-2026-46279
High

In the Linux kernel, a vulnerability was found where allocation tags (codetags) are not initialized for pages allocated before the page_ext structure is set up. This causes warnings and potential errors when such pages are freed, especially in configurations with memory allocation profiling debugging enabled.

CVE-2026-46277
High

In the Linux kernel, a vulnerability was found in the zone_device memory management. After calling ->folio_free(), the device folio must not be accessed as it may be immediately reallocated by a driver with a different order. The fix uses a local stack variable instead of re-reading the folio when calling percpu_ref_put_many().

CVE-2026-25856
High

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions.

CVE-2026-25855
HighEPSS 57%

OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, leading to the execution of scripts on the server.

CVE-2026-25559
HighEPSS 50%

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions.

CVE-2026-11531
High

A security flaw has been discovered in the imvks786 student management system that allows SQL injection attacks by manipulating the a_usr/a_pwd arguments in the admin/admin_login.php file. The attack can be carried out remotely.

CVE-2026-11530
High

A vulnerability was identified in the imvks786 student management system affecting an unknown function of the file /index.ph of the Login component. Manipulation of the arguments usr/pwd leads to SQL injection.

CVE-2026-49975
HighEPSS 96%

A memory allocation with excessive size vulnerability in Apache HTTP Server's mod_http allows an attacker to cause a denial of service via malicious HTTP requests. The issue affects versions from 2.4.17 through 2.4.67.

CVE-2026-49755
High

CVE-2026-49755 is a vulnerability related to improper handling of highly compressed data in the Req library, allowing attackers to exhaust memory in a Req client via decompression-bomb responses.

CVE-2026-48913
High

Use After Free vulnerability in the mod_http2 module of Apache HTTP Server occurs when file handles are already exhausted. This affects Apache HTTP Server versions from 2.4.55 to 2.4.67.

CVE-2026-46657
High

Bludit is a content management system that has a vulnerability in user management logic in versions prior to 3.22.0. It allows deactivated accounts to maintain access via persistent authentication tokens.

CVE-2026-46656
High

Bludit is a content management system that has a Broken Access Control flaw in versions prior to 3.22.0. Active sessions remain valid even after the corresponding user account has been physically deleted from the database, allowing unauthorized access to the system.

CVE-2026-46480
High

Flowise, a user interface for building customized large language model flows, had a vulnerability prior to version 3.1.2 that allowed cross-workspace evaluator takeover through mass-assignment. This issue has been patched in version 3.1.2.

CVE-2026-46479
High

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover.

CVE-2026-46478
High

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover.

CVE-2026-46477
High

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover.

CVE-2026-46476
High

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover.

CVE-2026-46475
High

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover.

CVE-2026-46444
High

Flowise prior to version 3.1.2 had unauthenticated CRUD endpoints for OpenAI Assistants Vector Store that were not protected by authentication middleware. The route /api/v1/openai-assistants-vector-store was not in WHITELIST_URLS and lacked permission checks for operations.

PreviousPage 180 of 3362Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS