CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-42012
High

A flaw was found in GnuTLS where a remote attacker can present a specially crafted certificate containing URI or SRV Subject Alternative Names (SANs). This causes the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

CVE-2025-46284
High

A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26.

CVE-2025-43306
High

A logic issue was fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, and macOS Tahoe 26 that could allow a malicious app to gain root privileges.

CVE-2026-9580
High

A vulnerability was identified in JeecgBoot up to version 3.9.1 in the function LoginController.selectDepart of the file /sys/selectDepart, leading to improper access controls. Remote exploitation of this vulnerability is possible.

CVE-2026-8676
High

An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.

CVE-2026-45575
High

The vulnerability in epa4all-client before version 1.2.2 allows an attacker to perform a MITM attack on the TLS connection between the client and the IDP. The attacker can substitute a forged discovery document, redirecting data to URLs controlled by them.

CVE-2026-44847
High

MaxKB is an open-source AI assistant for enterprises. In versions prior to 2.9.0, the webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication, allowing unauthorized attackers to invoke tasks associated with a valid trigger ID.

CVE-2026-44843
High

LangChain to framework do budowania agentów i aplikacji zasilanych LLM. W wersjach przed 0.3.85 i 1.3.3, LangChain zawiera starsze ścieżki kodu wykonawczego, które deserializują dane wejściowe i wyjściowe, używając zbyt szerokich list dozwolonych obiektów, co może prowadzić do instancjonowania klas z nieufnymi argumentami konstruktora.

CVE-2025-14361
High

The CVE-2025-14361 vulnerability in the Woocommerce Envato Affiliates plugin has a missing authorization issue that allows access to functionality not properly constrained by access control lists (ACLs).

CVE-2026-9575
High

A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0, affecting some unknown processing of the file /admin/modules/class/index.php?view=view. Manipulation of the argument ID leads to SQL injection.

CVE-2026-9574
High

A flaw has been found in itsourcecode Student Transcript Processing System 1.0, affecting unknown code in the file /admin/modules/student/trans.php. Manipulating the argument studentId/cid can lead to SQL injection.

CVE-2026-9573
High

A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0, affecting an unknown part of the file /admin/modules/student/index.php?view=view. Manipulating the argument studentId results in SQL injection.

CVE-2026-44832
High

In Snipe-IT prior to 8.4.1, an authenticated user with only users.edit permission can escalate their privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users.

CVE-2026-8890
High

CVE-2026-8890 describes an authentication bypass vulnerability in the Mobile API of code100x that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header.

CVE-2026-4051
High

IBM Engineering Lifecycle Management versions 7.0.3, 7.1.0, and 7.2.0 may allow an attacker with administrative privileges to execute remote code due to an improperly restricted method.

CVE-2026-3603
High

IBM Engineering Lifecycle Management w wersjach 7.0.3 Interim Fix 001 do 021, 7.1.0 Interim Fix 001 do 009 oraz 7.2.0 i 7.2.0 Interim Fix 001 jest podatny na atak typu XML external entity injection (XXE) podczas przetwarzania danych XML. Uwierzytelniony atakujący może wykorzystać tę podatność do ujawnienia wrażliwych informacji lub zużycia zasobów pamięci.

CVE-2026-9560
High

A vulnerability in OpenVPN Connect from version 3.5.1 to 3.8.1 on macOS allows privilege escalation via background services. Attackers can execute arbitrary commands with elevated privileges through a local IPC channel.

CVE-2026-8856
High

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.

CVE-2026-8855
High

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).

CVE-2026-8854
High

IBM HTTP Server versions 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.

PreviousPage 245 of 3321Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS