CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-37977
Low

A flaw was found in Keycloak where a remote attacker can exploit a CORS header injection vulnerability in the UMA token endpoint. The `azp` claim from a client-supplied JWT is used to set the `Access-Control-Allow-Origin` header before signature validation, allowing reflection of attacker-controlled values. This only affects clients misconfigured with `webOrigins: ["*"]`.

CVE-2026-3109
Low

Mattermost Plugins versions <=11.4 and 10.11.11.0 fail to validate webhook request timestamps, allowing an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests.

CVE-2026-4874
Low

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder.

CVE-2026-4519
Low

The webbrowser.open() API in Python accepted URLs with leading dashes, which could be interpreted as command-line options by certain web browsers. The new behavior rejects such URLs.

CVE-2025-13462
Low

Moduł tarfile w Pythonie błędnie normalizował bloki AREGTYPE (\x00) do DIRTYPE podczas przetwarzania wieloblokowych członków archiwum, takich jak GNUTYPE_LONGNAME lub GNUTYPE_LONGLINK. Może to prowadzić do błędnej interpretacji spreparowanego archiwum tar w porównaniu z innymi implementacjami.

CVE-2026-24310
Low

W wyniku braku sprawdzenia autoryzacji w serwerze aplikacyjnym SAP NetWeaver dla ABAP, uwierzytelniony atakujący mógłby wykonać określony moduł funkcji ABAP i odczytać wrażliwe informacje z katalogu bazy danych systemu ABAP. Podatność ta ma niski wpływ na poufność aplikacji, nie wpływając na integralność i dostępność.

CVE-2026-21725
Low

A TOCTOU vulnerability allows recently deleted-then-recreated data sources to be re-deleted without proper permissions.

CVE-2025-69873
Low

A ReDoS vulnerability in ajv (Another JSON Schema Validator) before version 8.18.0 allows an attacker to cause a denial of service (DoS) by injecting a malicious regex pattern into the $data option. A single HTTP request with a 31-character payload can block the CPU for approximately 44 seconds.

CVE-2025-9615
Low

A flaw in NetworkManager allows non-root users to access files owned by other users when configuring the network. The daemon runs with root privileges and can read files belonging to users other than the one who added the connection.

CVE-2026-24515
Low

W libexpat przed wersją 2.7.4 funkcja XML_ExternalEntityParserCreate nie kopiuje danych użytkownika dla nieznanych obsługiwaczy kodowania. Może to prowadzić do nieprawidłowego przetwarzania danych XML.

CVE-2026-0992
Low

A flaw was found in the libxml2 library where uncontrolled resource consumption occurs when processing XML catalogs with repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing redundant traversal of catalog chains.

CVE-2026-0989
Low

A flaw was found in the RelaxNG parser of libxml2 related to handling external schema inclusions. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives, which can cause excessive recursion. Specially crafted schemas may lead to stack exhaustion and application crashes.

CVE-2025-13127
Low

Podatność CVE-2025-13127 dotyczy niewłaściwej neutralizacji danych wejściowych podczas generowania stron internetowych w systemie GoldenHorn firmy TAC Information Services. Umożliwia to ataki typu Cross-Site Scripting (XSS).

CVE-2025-66382
Low

W bibliotece libexpat do wersji 2.7.3, specjalnie przygotowany plik o przybliżonym rozmiarze 2 MiB może powodować znaczne opóźnienia w czasie przetwarzania, trwające nawet kilkanaście sekund.

CVE-2025-54821
Low

An Improper Privilege Management vulnerability in Fortinet FortiOS and FortiPAM allows an authenticated administrator to bypass the trusted host policy via crafted CLI command.

CVE-2025-58903
Low

CVE-2025-58903 in Fortinet FortiOS versions 7.6.0 through 7.6.3 and before 7.4.8 has an Unchecked Return Value vulnerability that allows an authenticated user to cause a Null Pointer Dereference, crashing the http daemon via a specially crafted request.

CVE-2025-47890
Low

Fortinet FortiOS and FortiProxy have a URL Redirection to Untrusted Site vulnerability that may allow an unauthenticated attacker to perform an open redirect attack via crafted HTTP requests.

CVE-2025-31514
Low

There is a vulnerability in Fortinet FortiOS and FortiProxy that allows for the insertion of sensitive information into log files. This affects FortiOS versions from 7.6.0 to 7.6.3 and all versions of 7.4, 7.2, 7.0, and 6.4, as well as FortiProxy from 7.6.0 to 7.6.3 and versions 7.4.0 to 7.4.13.

CVE-2025-11731
Low

A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes.

CVE-2025-60019
Low

The OpenSSL backend in glib-networking fails to properly check the return values of memory allocation routines. An out-of-memory condition could potentially result in writing to an invalid memory location.

PreviousPage 20 of 60Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS