CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.
The vulnerability in epa4all-client before version 1.2.2 allows an attacker to perform a MITM attack on the TLS connection between the client and the IDP. The attacker can substitute a forged discovery document, redirecting data to URLs controlled by them.
MaxKB is an open-source AI assistant for enterprises. In versions prior to 2.9.0, the webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication, allowing unauthorized attackers to invoke tasks associated with a valid trigger ID.
LangChain to framework do budowania agentów i aplikacji zasilanych LLM. W wersjach przed 0.3.85 i 1.3.3, LangChain zawiera starsze ścieżki kodu wykonawczego, które deserializują dane wejściowe i wyjściowe, używając zbyt szerokich list dozwolonych obiektów, co może prowadzić do instancjonowania klas z nieufnymi argumentami konstruktora.
The CVE-2025-14361 vulnerability in the Woocommerce Envato Affiliates plugin has a missing authorization issue that allows access to functionality not properly constrained by access control lists (ACLs).
A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0, affecting some unknown processing of the file /admin/modules/class/index.php?view=view. Manipulation of the argument ID leads to SQL injection.
A flaw has been found in itsourcecode Student Transcript Processing System 1.0, affecting unknown code in the file /admin/modules/student/trans.php. Manipulating the argument studentId/cid can lead to SQL injection.
A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0, affecting an unknown part of the file /admin/modules/student/index.php?view=view. Manipulating the argument studentId results in SQL injection.
In Snipe-IT prior to 8.4.1, an authenticated user with only users.edit permission can escalate their privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users.
CVE-2026-8890 describes an authentication bypass vulnerability in the Mobile API of code100x that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header.
IBM Engineering Lifecycle Management versions 7.0.3, 7.1.0, and 7.2.0 may allow an attacker with administrative privileges to execute remote code due to an improperly restricted method.
IBM Engineering Lifecycle Management w wersjach 7.0.3 Interim Fix 001 do 021, 7.1.0 Interim Fix 001 do 009 oraz 7.2.0 i 7.2.0 Interim Fix 001 jest podatny na atak typu XML external entity injection (XXE) podczas przetwarzania danych XML. Uwierzytelniony atakujący może wykorzystać tę podatność do ujawnienia wrażliwych informacji lub zużycia zasobów pamięci.
A vulnerability in OpenVPN Connect from version 3.5.1 to 3.8.1 on macOS allows privilege escalation via background services. Attackers can execute arbitrary commands with elevated privileges through a local IPC channel.
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
IBM HTTP Server versions 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to invalid pointer dereference. A privileged user authenticated to the Administration Server could exploit this vulnerability to expose sensitive information or cause a denial of service.
IBM HTTP Server versions 8.5 and 9.0 contain a buffer overflow vulnerability. A privileged user authenticated to the Administration Server could exploit this vulnerability to execute remote code or cause a denial of service.
Wtyczki serwera WWW dla IBM WebSphere Application Server i WebSphere Liberty w wersjach 8.5 i 9.0 są podatne na atak typu HTTP request smuggling poprzez specjalnie skonstruowane żądanie.
A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

