CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
In the Linux kernel's qrtr module, a vulnerability was found where the socket reference count is decremented before the port is removed from the XArray and before the RCU grace period ends. This causes refcount saturation and potential Use-After-Free (UAF) due to a race with RCU readers.
A deadlock vulnerability was found in the Linux kernel's send_sigio() and send_sigurg() functions when signaling process groups with FASYNC enabled. The issue stems from an unsafe lock ordering between process context and softirq, potentially causing system hangs.
A commit enabling threaded NAPI by default in the WireGuard driver has been reverted in the Linux kernel because it caused complete decryption stalls for specific peers in environments using Cilium and Kubernetes. The issue occurred rarely but led to permanent blocking of East-West traffic between pods, without automatic recovery.
Missing authentication for a critical function in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register an account. The POST /api/auth/register/ endpoint applies AllowAny permissions without email verification, CAPTCHA, or administrator approval.
Feast before version 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.
The CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE ID CVE-2026-56118 has been rejected or withdrawn by its CVE Numbering Authority.
A vulnerability in Marlin Firmware up to version 2.1.2.7 (fixed in commit 1f255d1) with MESH_BED_LEVELING enabled allows an out-of-bounds write in the M421 G-code handler. Attackers can send a crafted G-code command via USB serial, network interface, or malicious gcode file to write a controlled 32-bit float value past the z_values array bounds, corrupting firmware memory.
motionEye (mEye) is an online interface for a software called 'motion', which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.ui.Tree component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications > Events panel.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the MultiSelectDialog component.
A Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Desk desktop icon renderer.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed attacker app can read stale register values left by a separate sandboxed victim app.

