CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-41047
Medium

In qSnapper before version 1.3.3, lack of authentication in the "snapshot diff" functions allowed a local attacker to read otherwise read-protected information.

CVE-2026-41046
High

A path traversal vulnerability in qSnapper before version 1.3.3 allows a local attacker to use malicious snapper config files via the "configName" parameter. This can lead to denial of service or potential privilege escalation to root.

CVE-2026-41045
High

A time-to-check-time-of-use vulnerability in the polkit authentication of qSnapper before version 1.3.3 allowed a local attacker to bypass qSnapper's authentication mechanism and operate with root privileges.

CVE-2026-12725
Medium

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

CVE-2026-12628
Critical

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 contain a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism, allowing a remote attacker to bypass authentication and gain unauthorized access to protected services.

CVE-2026-12549
Medium

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.

CVE-2026-12479
Medium

A path traversal vulnerability exists in version 3.14.0 of the Keras library, related to the `DiskIOStore.make` method. The issue arises from improper handling of user-provided layer names, allowing unauthorized file system operations.

CVE-2026-11943
Medium

Akaunting version 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their profile name.

CVE-2026-11942
Medium

Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can store HTML/JavaScript in the record name.

CVE-2026-11372
Medium

IBM TRIRIGA Application Platform versions 5.0.2 through 5.0.3 are vulnerable to cross-site scripting (XSS). An authenticated user can embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.

CVE-2026-10845
High

IBM WebSphere Application Server versions 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.

CVE-2024-51454
Medium

IBM Engineering Workflow Management versions 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 are vulnerable to HTTP header injection due to improper validation of input in the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.

CVE-2023-33854
Medium

A vulnerability in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 allows an authenticated user to bypass client-side validation and manipulate input data using man-in-the-middle techniques.

CVE-2026-9162
Medium

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation. This allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects.

CVE-2026-9029
High

A vulnerability in the Geomap panel in Grafana allows a user with Editor permissions to inject a malicious script into the attribution field of an XYZ tile layer via a template variable. The script executes in the browser of any user viewing the affected dashboard (stored cross-site scripting).

CVE-2026-8074
Low

Mattermost versions 11.7.x up to 11.7.0 and 10.11.x up to 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint. This allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint.

CVE-2026-7167
Medium

The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass creation of fraudulent accounts.

CVE-2026-7166
Critical

The vulnerability involves the exposure of sensitive data, such as email addresses and phone numbers, without adequate protection. Sensitive information is also accessible in the local database, including data on minors and municipal users.

CVE-2026-7165
Critical

The vulnerability exists in the '/addJugador' endpoint, where the 'keyJugador' and 'keyJugadorObjectiu' parameters allow modification of other users' information without authorization validation. Additionally, the 'punts' and 'numObjectiusEliminats' fields permit arbitrary data to be added, potentially leading to fraud related to rewards.

CVE-2026-6673
Medium

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration.

PreviousPage 230 of 4549Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS