CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-54651
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.1, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

CVE-2026-54531
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.0, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

CVE-2026-54530
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.0, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop when extracting text in layout mode.

CVE-2026-49468
Critical

LiteLLM proxy before version 1.84.0 has a Host-header parsing flaw that, under specific conditions, could allow unauthenticated access to protected management routes. The auth layer derives the effective route from request.url.path, which Starlette reconstructs from the Host header, enabling manipulation and bypass of access controls.

CVE-2026-49461
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.12.2, an attacker could craft a PDF that leads to large memory usage by extracting text from a page containing a form XObject with self-references.

CVE-2026-49460
Low

pypdf is a free and open-source pure-python PDF library. Prior to version 6.12.2, an attacker could exploit this vulnerability to craft a PDF that leads to long runtimes.

CVE-2026-47242
Medium

The Net::IMAP library in Ruby has a vulnerability that allows arbitrary IMAP command injection due to improper validation of arguments in the #id and #enable methods. This issue affects versions prior to 0.6.5 and 0.5.15.

CVE-2026-47241
Low

Net::IMAP in Ruby prior to versions 0.6.5 and 0.5.15 has a vulnerability that allows an attacker to inject additional commands. By exploiting improperly validated arguments, an attacker can force the first command to wait for another command to finish.

CVE-2026-47240
Medium

The Net::IMAP library in Ruby has a vulnerability that allows arbitrary IMAP command injection if the server does not support non-synchronizing literals. Versions prior to 0.6.5 and 0.5.15 are susceptible to an attack that may lead to unauthorized command execution.

CVE-2026-45034
Critical

PhpSpreadsheet prior to version 1.30.5 contained a vulnerability that allowed bypassing stream wrapper security checks, potentially leading to remote code execution (RCE). The issue stemmed from improper URL scheme validation, enabling attackers to exploit wrappers like phar://.

CVE-2026-44727
Medium

A vulnerability in Jupyter Server before version 2.20 allows stored XSS via malicious HTML in notebook display_data output. Missing sandbox directive in Content-Security-Policy for nbconvert endpoints enables script execution under Jupyter origin, leading to session hijacking and remote code execution.

CVE-2026-41479
Medium

The Authlib library before versions 1.6.10 and 1.7.1 contains an unauthenticated open redirect vulnerability in the OAuth 2.0 authorization endpoint. By sending a request with an unsupported response_type and an attacker-controlled redirect_uri, an HTTP 302 response redirecting to an arbitrary URL can be obtained.

CVE-2026-39904
Medium

Gophish through version 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email template attachment. The ApplyTemplate() function processes Office documents as ZIP archives, allowing a zip bomb payload to be exploited.

CVE-2026-48931
Low

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-44274
High

A vulnerability in Dell Wyse Management Suite (WMS) prior to version 2605 is due to improper link resolution before file access. It allows a low-privileged attacker with local access to gain unauthorized access.

CVE-2026-44273
Medium

A vulnerability in Dell Wyse Management Suite (WMS) prior to version 2605 involves the use of default credentials. It allows an attacker with high privileges and local access to disclose sensitive information.

CVE-2026-44272
High

An SQL Injection vulnerability in Dell Wyse Management Suite (WMS) prior to version 2605 allows a low-privileged attacker to remotely execute unauthorized database queries. The flaw is due to improper neutralization of special elements used in SQL commands.

CVE-2026-44271
High

In Dell Wyse Management Suite (WMS) versions prior to 2605, an SQL injection vulnerability has been discovered. This flaw results from improper neutralization of special elements in SQL commands. It allows an attacker with low privileges and remote access to gain unauthorized access to the system.

CVE-2026-10852
Medium

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service (DoS) attack in the WebSphere WebServer Plug-in component. An attacker can send crafted requests to the web server, causing system overload.

CVE-2026-55443
Medium

LangChain prior to version 1.3.9 contains a vulnerability where several components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include file-search middleware, configuration loaders, and path-prefix authorization checks that can allow access to files outside the configured root via glob patterns, symlinks, or path segment boundary bypass.

PreviousPage 225 of 4550Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS