CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-46732
Medium

Dell Display and Peripheral Manager (DDPM) for macOS versions prior to 2.3 contain a Race Condition vulnerability due to concurrent execution using a shared resource without proper synchronization. A low-privileged attacker with local access could potentially exploit this vulnerability to achieve Elevation of Privileges.

CVE-2026-42390
Medium

An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.

CVE-2026-42389
Medium

This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.

CVE-2026-42388
Medium

Incomplete validation of the SOA record present in a catalog zone might lead to a crash.

CVE-2026-42387
Medium

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insufficient input validation.

CVE-2026-41120
Critical

A vulnerability in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) involves accepting extraneous untrusted data along with trusted data. This allows a low-privileged attacker with remote access to execute code on the vulnerable system.

CVE-2026-40012
Medium

The vulnerability affects the ECS (EDNS Client Subnet) mechanism in DNS servers. Zero-scoped ECS responses are stored in the packet cache even though they should not be cached. The issue occurs only in configurations with ECS enabled.

CVE-2026-2815
High

Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys.

CVE-2026-27366
High

The MainWP Child plugin versions up to 6.1.1 contain a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized operations on the site without requiring authentication.

CVE-2026-12755
Low

A vulnerability in Devolutions Server versions 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host. By crafting a DomainName parameter in the PAM AD discovery endpoints, the attacker can capture PAM provider credentials as an NTLMv2 challenge-response.

CVE-2026-42004
Low

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.

CVE-2026-40211
Medium

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

CVE-2026-40210
Medium

An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.

CVE-2026-40209
Medium

An attacker can send IXFR queries, causing outgoing TCP connections to the backend to be stuck until a timeout occurs instead of being released immediately. This could lead to a denial of service (DoS) if there is a limit on concurrent connections or if file descriptors are exhausted.

CVE-2026-40208
Low

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.

CVE-2026-40011
Low

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.

CVE-2026-33612
High

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.

CVE-2026-42005
Medium

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

CVE-2026-56130
Low

The age of the 'Remember me' cookie is not verified on the server, potentially allowing an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed.

CVE-2026-56091
High

A vulnerability in Apache Shiro with the shiro-guice module in a web servlet context may lead to authentication bypass through a specially crafted HTTP request. This affects all Apache Shiro versions up to 2.x and 3.0.0-alpha-1 when using the shiro-guice module.

PreviousPage 185 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS