CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-57533
Low

Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes.

CVE-2026-57532
High

Malicious HTML content contained in the layout specification of a PDF could be executed when the PDF editor is opened in the browser. This allows one backend user to inject JavaScript into the browser context of another backend user.

CVE-2026-57437
Medium

Vulnerability in the Nokogiri library for Ruby (versions prior to 1.19.4) causes Nokogiri::XML::XPathContext to not keep its source document alive for garbage collection. If an XPathContext outlives its document and the document is collected, evaluating an XPath expression could read invalid memory and potentially segfault.

CVE-2026-57436
Medium

Vulnerability in the Nokogiri library for Ruby allows setting a DTD node as the document root, leading to a heap use-after-free during garbage collection or finalization, resulting in invalid memory read or potential segfault.

CVE-2026-57435
High

A vulnerability in the Nokogiri library (versions prior to 1.19.4) for the Ruby programming language allows a Ruby wrapper to point to freed memory when replacing the value of an XML attribute. This can lead to an invalid read and a possible segfault.

CVE-2026-57434
High

Vulnerability in the Nokogiri library for Ruby causes a NULL pointer dereference when calling certain methods on allocated-but-uninitialized native wrapper classes inheriting from Nokogiri::XML::Node. The issue is fixed in version 1.19.4.

CVE-2026-57236
High

Vulnerability in the Nokogiri library (versions prior to 1.19.4) for Ruby. Calling Document#encoding= with an invalid encoding (e.g., non-string or containing a null byte) frees the current encoding string without replacing it. Subsequent calls to Document#encoding read freed memory, potentially causing a segfault or leaking freed bytes into a Ruby String. Affects only the CRuby (libxml2) implementation; JRuby is not affected.

CVE-2026-57235
High

Vulnerability in the Nokogiri library for Ruby allows out-of-bounds memory read via the Nokogiri::XML::NodeSet#[] method (and its alias #slice). The issue stems from incorrect bounds checking where the index is truncated to 32 bits before validation, allowing a very large negative index to pass the check and read outside allocated memory. On CRuby this causes process crashes, on JRuby it returns an incorrect node.

CVE-2026-57234
Low

Vulnerability in the Nokogiri library for Ruby involves incorrect enforcement of the NONET parse option in the JRuby implementation. This option, enabled by default for Nokogiri::XML::Schema (per CVE-2020-26247), did not prevent fetching external resources over the network during schema parsing, potentially enabling SSRF or XXE attacks. The issue is fixed in version 1.19.4.

CVE-2026-49319
Medium

The Remote Keyless Entry System (RKES) using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD. is vulnerable to a roll-back attack against its rolling-code authentication. An attacker within RF range who records two consecutive lock or unlock transmissions from a legitimate key fob can later replay the same pair of transmissions repeatedly, resulting in a successful lock or unlock operation of the vehicle.

CVE-2026-46735
High

Dell Display and Peripheral Manager (DDPM Mac) versions prior to 2.3 contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability, allowing a low privileged attacker with local access to potentially execute commands.

CVE-2026-13314
Low

The pretix-digital plugin is vulnerable to malicious HTML content injection into rendered content. An attacker can exploit this flaw to embed arbitrary HTML code, potentially leading to cross-site scripting (XSS) attacks.

CVE-2026-13225
Medium

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.

CVE-2026-13223
Medium

The payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

CVE-2026-13222
Medium

The payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

CVE-2026-57619
Medium

The Elementor Website Builder plugin version 4.1.3 and earlier contains a contributor sensitive data exposure vulnerability. This flaw may allow an attacker to access confidential information stored by the plugin.

CVE-2026-57429
Medium

The Slim SEO plugin versions up to 4.6.2 contain a vulnerability involving broken access control for contributors. A user with the contributor role can gain unauthorized access to SEO management functions.

CVE-2026-56122
High

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences. Attackers can traverse outside the webroot directory, potentially exposing sensitive data.

CVE-2026-56071
High

Versions of Forminator up to 1.53.1 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-56054
High

In JS Help Desk versions <= 3.1.1, there is a vulnerability that allows subscribers to delete arbitrary files.

PreviousPage 182 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS