CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-49269
High

Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed attacker app can read stale register values left by a separate sandboxed victim app.

CVE-2026-50699
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document, leading to script execution when users open the affected Auto Repeat form.

CVE-2026-50698
Medium

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.

CVE-2026-12986
High

A critical vulnerability in the Admin GUI of Payara Server allows an attacker to leak the administrator's REST session token to an attacker-controlled host, potentially leading to a full unauthenticated takeover of the Payara admin domain.

CVE-2026-11878
Medium

OpenText Access Manager versions 5.1 through 5.1.2 are vulnerable to Cross-Site Scripting (XSS) due to improper input neutralization during web page generation. This allows an attacker to inject malicious JavaScript into a victim's browser.

CVE-2026-11877
High

An unauthorized user can modify configuration through API calls in OpenText Access Manager. This issue affects versions before 5.1.3.

CVE-2026-57307
Medium

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2026-57306
Medium

A CSRF vulnerability in Jenkins Zowe zDevOps Plugin version 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2026-57305
Medium

The Assembla Plugin in Jenkins versions 1.4 and earlier has a CSRF vulnerability that allows attackers to connect to an attacker-specified URL using an attacker-specified username and password.

CVE-2026-57304
Medium

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password.

CVE-2026-57303
High

The Assembla Plugin for Jenkins version 1.4 and earlier does not configure its XML parser to prevent XXE attacks, allowing attackers to control responses from the Assembla server and extract secrets from the Jenkins controller.

CVE-2026-57302
Medium

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

CVE-2026-57301
High

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.

CVE-2026-57300
Medium

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.

CVE-2026-57299
Medium

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.

CVE-2026-57298
Medium

The Jenkins Contrast Continuous Application Security Plugin version 3.11 and earlier contains a cross-site request forgery (CSRF) vulnerability that allows attackers to force Jenkins to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

CVE-2026-57297
Medium

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

CVE-2026-57296
High

Jenkins External Workspace Manager Plugin version 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system.

CVE-2026-57295
Medium

A CSRF vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

CVE-2026-57294
Medium

A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

PreviousPage 210 of 4562Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS