CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-53950
High

The ActivityPub client in the Ghost application was vulnerable to JavaScript injection on posts shared by a maliciously customized ActivityPub server prior to version 3.1.0. This vulnerability has been fixed in version 3.1.0.

CVE-2026-53949
Medium

In the Ghost content management system, from version 5.46.1 to 6.21.2, the validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields via a brute force attack. If SQLite was used, password hashes were fully accessible, while in the case of MySQL, the case of the password hashes was lost, potentially rendering further brute force attacks ineffective.

CVE-2026-53948
Medium

Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served with an attacker-chosen content type from S3/GCS storage backends.

CVE-2026-53947
Medium

A vulnerability in the Ghost content management system (versions 5.18.0 through 6.21.1) allows an unauthenticated attacker to determine whether a given email address belongs to a registered member. The issue stems from discrepancies in responses from the members signin endpoints.

CVE-2026-53946
Medium

Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, when re-rendering posts, Ghost could send HTTP requests to unauthorized image hosts, posing a security risk.

CVE-2026-53945
Medium

Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks.

CVE-2026-53944
Medium

Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, it is possible to bypass the IP filter when making an external request, allowing it to target an internal service using an IPv6 literal that maps to a private IPv4 address.

CVE-2026-53943
Critical

Ghost is a Node.js content management system. In versions up to 6.37.0, when Ghost is behind a shared caching layer, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response.

CVE-2026-49980
Critical

Rclone versions 1.46.0 through 1.74.2 have a vulnerability in server mode (rcd --rc-serve) that allows unauthenticated GET and HEAD requests to execute arbitrary system commands. An attacker can craft special URLs to initialize backends with options that run local commands.

CVE-2026-49247
High

Vulnerability in Jellyfin from version 10.9.0 to 10.11.9 allows authenticated non-admin users to write arbitrary files on the server by manipulating the Client field in the Authorization header. An attacker can use ../ sequences in this field to overwrite files in any location accessible to the Jellyfin service user, with a forced .log extension.

CVE-2026-49246
Low

Jellyfin prior to version 10.11.10 has a vulnerability that allows a specially crafted MKV file with forged filename tags to exploit missing path sanitization during playback. As a result, a malicious MKV file can redirect attachment extraction to any absolute path on disk.

CVE-2026-49220
Medium

Jellyfin, an open-source media server, prior to version 10.11.9, had a potential XSS vulnerability that allowed a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user. The attack could occur through the Client header during AuthenticateByName.

CVE-2026-48793
High

A vulnerability in Jellyfin before version 10.11.10 allows FFmpeg argument injection via a specially crafted subtitle filename. An unauthenticated attacker can exploit the lack of path normalization in SubtitleEncoder, leading to arbitrary file write on the server and information disclosure.

CVE-2026-13038
High

Use after free in Autofill in Google Chrome on Windows prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

CVE-2026-13037
High

Use after free in WebView in Google Chrome on Android prior to version 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CVE-2026-13036
High

Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CVE-2026-13035
High

Use after free in Bluetooth in Google Chrome on Mac prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral.

CVE-2026-13034
Medium

Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2026-13033
High

In Google Chrome prior to version 149.0.7827.197, there was an out of bounds read and write vulnerability in Blink>InterestGroups, allowing a remote attacker to execute arbitrary code via a crafted HTML page.

CVE-2026-13032
Critical

Use after free in WebGL in Google Chrome on Android prior to version 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

PreviousPage 201 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS