CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
A vulnerability in Mattermost versions 11.7.x <= 11.7.0 and 10.11.x <= 10.11.17 is due to missing validation of bot targets when demoting users to guests. This allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.
IBM WebSphere Application Server versions 9.0 and 8.5 and IBM WebSphere Application Server - Liberty versions 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server, allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 allow an attacker to retrieve user passwords and cryptographic keys from memory. The attacker can use the same keys to decrypt passwords, gain access to the application, and access sensitive data in the database.
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 are vulnerable to cross-site scripting (XSS). An unauthenticated attacker can embed arbitrary JavaScript code in the Web UI, altering intended functionality and potentially leading to credential disclosure within a trusted session.
IBM Langflow OSS versions 1.0.0 through 1.8.4 contain a vulnerability due to improper authorization enforcement in the Streamable MCP transport endpoint. This allows unauthenticated attackers to access protected MCP project resources and execute MCP operations.
An SSRF vulnerability in IBM Watson Speech Services Cartridge allows an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. The issue affects the Sterling File Gateway component used in speech runtimes.
Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification.
In Angular (@angular/common) prior to versions 22.0.1, 21.2.17, and 20.3.25, a DoS vulnerability exists. The formatDate function and DatePipe do not limit the length of the format parameter, allowing CPU and memory exhaustion via a maliciously long format string.
A DOM Clobbering vulnerability in Angular allows an attacker to replace the SSR state container (ng-state) by injecting an HTML element with the same ID. During client hydration, Angular reads data from the fake element, potentially leading to code execution or data theft.
A vulnerability in Angular prior to versions 22.0.1, 21.2.17, and 20.3.25 allows an attacker to overwrite HTTP responses in the TransferState cache during Server-Side Rendering (SSR). The weak 32-bit DJB2 hash used for cache key generation enables hash collisions, causing sensitive endpoint responses to be replaced with responses from other requests.
In Angular prior to versions 22.0.1, 21.2.17, and 20.3.25, a vulnerability in the @angular/compiler package allows bypassing DOM property sanitization through two-way property bindings. An attacker who controls the value of a sensitive property can bypass Angular's built-in sanitization, leading to client-side Cross-Site Scripting (XSS).
An information disclosure vulnerability exists in the @angular/service-worker package of Angular prior to versions 22.0.1, 21.2.17, and 20.3.25. When fetching assets, the Service Worker preserves sensitive headers (e.g., Authorization, Proxy-Authorization, session cookies) on cross-origin redirects, violating the Fetch redirect algorithm. A remote attacker can obtain these credentials by triggering a redirect to an untrusted external origin.
Vulnerability in node-tar (before 7.5.16) involves incorrect processing of PAX extended headers. The library erroneously applies the size override from a PAX header to intermediate metadata headers (e.g., GNU long-name), causing stream desynchronization compared to other tar implementations. This allows crafting an archive that is interpreted differently by different tools.
A vulnerability in js-yaml (YAML parser for JavaScript) before versions 4.2.0 and 3.15.0 allows a DoS attack via a crafted YAML document that causes quadratic time complexity during merge-key (<<) processing. Repeatedly using the same alias in a merge sequence leads to CPU exhaustion and blocks the Node.js event loop for seconds with a relatively small payload (tens of KB).
In @angular/core prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability allows bypassing script-execution restrictions during dynamic component creation by mounting components directly onto a <script> or namespaced script element. This enables attackers to execute untrusted code or perform client-side XSS.
A vulnerability in Angular's @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization via namespace workarounds. An attacker can inject a malicious template with custom namespaces, leading to client-side Cross-Site Scripting (XSS).
The Angular Language Service VS Code extension configures the tooltip Markdown renderer with isTrusted: true, allowing active command: URIs. The language server fails to sanitize JSDoc strings, enabling an attacker to inject malicious command links. When a developer hovers over a symbol and clicks the link, the command executes on their host machine.
The Angular Language Service VS Code extension before version 21.2.4 reads the custom TypeScript SDK path from .vscode/settings.json without verifying Workspace Trust. It then passes this path as an argument to the language server process, which dynamically imports the tsserverlibrary.js library from the attacker-specified location. This allows arbitrary code execution when a developer opens a crafted repository.
Incorrect caching of authentication between different users in the qSnapper dbus service before version 1.3.3 allows any local attacker to use dbus functions after a privileged user has authenticated.
In qSnapper before version 1.3.3, incorrect caching of authentication between different polkit methods allowed a local attacker to use functions like 'restore from snapshot' even if only allowed to do 'delete snapshot'.

