CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The ActivityPub client in the Ghost application was vulnerable to JavaScript injection on posts shared by a maliciously customized ActivityPub server prior to version 3.1.0. This vulnerability has been fixed in version 3.1.0.
In the Ghost content management system, from version 5.46.1 to 6.21.2, the validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields via a brute force attack. If SQLite was used, password hashes were fully accessible, while in the case of MySQL, the case of the password hashes was lost, potentially rendering further brute force attacks ineffective.
Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served with an attacker-chosen content type from S3/GCS storage backends.
A vulnerability in the Ghost content management system (versions 5.18.0 through 6.21.1) allows an unauthenticated attacker to determine whether a given email address belongs to a registered member. The issue stems from discrepancies in responses from the members signin endpoints.
Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, when re-rendering posts, Ghost could send HTTP requests to unauthorized image hosts, posing a security risk.
Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks.
Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, it is possible to bypass the IP filter when making an external request, allowing it to target an internal service using an IPv6 literal that maps to a private IPv4 address.
Ghost is a Node.js content management system. In versions up to 6.37.0, when Ghost is behind a shared caching layer, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response.
Rclone versions 1.46.0 through 1.74.2 have a vulnerability in server mode (rcd --rc-serve) that allows unauthenticated GET and HEAD requests to execute arbitrary system commands. An attacker can craft special URLs to initialize backends with options that run local commands.
Vulnerability in Jellyfin from version 10.9.0 to 10.11.9 allows authenticated non-admin users to write arbitrary files on the server by manipulating the Client field in the Authorization header. An attacker can use ../ sequences in this field to overwrite files in any location accessible to the Jellyfin service user, with a forced .log extension.
Jellyfin prior to version 10.11.10 has a vulnerability that allows a specially crafted MKV file with forged filename tags to exploit missing path sanitization during playback. As a result, a malicious MKV file can redirect attachment extraction to any absolute path on disk.
Jellyfin, an open-source media server, prior to version 10.11.9, had a potential XSS vulnerability that allowed a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user. The attack could occur through the Client header during AuthenticateByName.
A vulnerability in Jellyfin before version 10.11.10 allows FFmpeg argument injection via a specially crafted subtitle filename. An unauthenticated attacker can exploit the lack of path normalization in SubtitleEncoder, leading to arbitrary file write on the server and information disclosure.
Use after free in Autofill in Google Chrome on Windows prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
Use after free in WebView in Google Chrome on Android prior to version 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Use after free in Bluetooth in Google Chrome on Mac prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral.
Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
In Google Chrome prior to version 149.0.7827.197, there was an out of bounds read and write vulnerability in Blink>InterestGroups, allowing a remote attacker to execute arbitrary code via a crafted HTML page.
Use after free in WebGL in Google Chrome on Android prior to version 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

