CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-52955
Critical

In the Linux kernel, the crush_decode() function in libceph is vulnerable to an out-of-bounds memory access. The issue arises when a CRUSH map (CEPH_MSG_OSD_MAP) contains two inconsistent bucket algorithm fields – one used for memory allocation and the other for processing. An attacker can exploit this inconsistency to cause memory corruption.

CVE-2026-52954
High

In the Linux kernel's libceph, the decode_choose_args() function lacks proper error handling when inserting elements into the rbtree. A crafted CEPH_MSG_OSD_MAP message with duplicate choose_args indices triggers an assertion and causes a kernel BUG.

CVE-2026-52946
High

A deadlock vulnerability was found in the Linux kernel's send_sigio() and send_sigurg() functions when signaling process groups with FASYNC enabled. The issue stems from an unsafe lock ordering between process context and softirq, potentially causing system hangs.

CVE-2026-52945
High

A commit enabling threaded NAPI by default in the WireGuard driver was reverted in the Linux kernel because it caused complete decryption stalls for specific peers in Kubernetes environments with Cilium. The issue occurred rarely but led to permanent blocking of E/W traffic between pods and nodes.

CVE-2026-13164
High

Missing authentication for a critical function in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register an account. The POST /api/auth/register/ endpoint applies AllowAny permissions without email verification, CAPTCHA, or administrator approval.

CVE-2026-56121
CriticalEPSS 54%

Feast before version 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.

CVE-2026-56119
Unknown

The CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVE-2026-56118
Unknown

CVE ID CVE-2026-56118 has been rejected or withdrawn by its CVE Numbering Authority.

CVE-2026-56111
Critical

Marlin Firmware through version 2.1.2.7, with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler. This allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices.

CVE-2026-55488
High

motionEye (mEye) is an online interface for a software called 'motion', which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.

CVE-2026-50712
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component.

CVE-2026-50711
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.

CVE-2026-50710
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.

CVE-2026-50709
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.

CVE-2026-50708
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.

CVE-2026-50705
Medium

A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.

CVE-2026-50704
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.

CVE-2026-50703
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.

CVE-2026-50701
Medium

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.

CVE-2026-50700
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.

PreviousPage 209 of 4562Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS