CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
FOSSBilling versions 0.5.4 to 0.8.0 have an authorization bypass in API role handling, allowing unauthenticated access to privileged `/api/system/*` endpoints. Attackers can invoke admin API methods without valid credentials.
An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
DRIMO CMS is vulnerable to reflected XSS via the q parameter in the searching functionality. An attacker can prepare a URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials.
OpenRemote before version 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs.
Hono before version 4.12.12 does not validate cookie names in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters. This can lead to malformed Set-Cookie header values.
Grav before version 2.0.0-beta.2 contains an XML external entity injection (XXE) vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files.
A command injection vulnerability in ImageMagick before versions 7.1.2-15 and 6.9.13-40 exists in the SVG decoder. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a use-after-free vulnerability in the meta coder. When memory allocation fails, a single byte is written to a stale pointer, potentially leading to denial of service.
ImageMagick before versions 7.1.2-15 and 6.9.13-40 has a memory leak in coders/txt.c when processing TXT files with texture attributes. The texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions. This allows attackers to enumerate private channels and leak version/config state.
Picklescan before 1.0.4 fails to block at least seven Python standard library modules, allowing for remote code execution. Attackers can craft malicious pickle files importing these unblocked modules, bypassing picklescan's safety validation.
Nuxt versions 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect.
Flowise before 3.1.0 contains a server-side request forgery (SSRF) vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses and access cloud metadata.
Flowise versions before 3.1.2 contain multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions.
Crawl4AI before version 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard. The dashboard renders crawl URLs and error messages via innerHTML without escaping, allowing an attacker to submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
Crawl4AI before version 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints, allowing unauthenticated attackers to write files outside the intended directory.
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API.
Capgo before version 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.
Capgo before version 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that can be called using only the public Supabase key without authentication. The endpoint is CORS-permissive and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks.

