CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-8676
High

An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.

CVE-2026-45575
High

The vulnerability in epa4all-client before version 1.2.2 allows an attacker to perform a MITM attack on the TLS connection between the client and the IDP. The attacker can substitute a forged discovery document, redirecting data to URLs controlled by them.

CVE-2026-44847
High

MaxKB is an open-source AI assistant for enterprises. In versions prior to 2.9.0, the webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication, allowing unauthorized attackers to invoke tasks associated with a valid trigger ID.

CVE-2026-44843
High

LangChain to framework do budowania agentów i aplikacji zasilanych LLM. W wersjach przed 0.3.85 i 1.3.3, LangChain zawiera starsze ścieżki kodu wykonawczego, które deserializują dane wejściowe i wyjściowe, używając zbyt szerokich list dozwolonych obiektów, co może prowadzić do instancjonowania klas z nieufnymi argumentami konstruktora.

CVE-2025-14361
High

The CVE-2025-14361 vulnerability in the Woocommerce Envato Affiliates plugin has a missing authorization issue that allows access to functionality not properly constrained by access control lists (ACLs).

CVE-2026-9575
High

A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0, affecting some unknown processing of the file /admin/modules/class/index.php?view=view. Manipulation of the argument ID leads to SQL injection.

CVE-2026-9574
High

A flaw has been found in itsourcecode Student Transcript Processing System 1.0, affecting unknown code in the file /admin/modules/student/trans.php. Manipulating the argument studentId/cid can lead to SQL injection.

CVE-2026-9573
High

A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0, affecting an unknown part of the file /admin/modules/student/index.php?view=view. Manipulating the argument studentId results in SQL injection.

CVE-2026-44832
High

In Snipe-IT prior to 8.4.1, an authenticated user with only users.edit permission can escalate their privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users.

CVE-2026-8890
High

CVE-2026-8890 describes an authentication bypass vulnerability in the Mobile API of code100x that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header.

CVE-2026-4051
High

IBM Engineering Lifecycle Management versions 7.0.3, 7.1.0, and 7.2.0 may allow an attacker with administrative privileges to execute remote code due to an improperly restricted method.

CVE-2026-3603
High

IBM Engineering Lifecycle Management w wersjach 7.0.3 Interim Fix 001 do 021, 7.1.0 Interim Fix 001 do 009 oraz 7.2.0 i 7.2.0 Interim Fix 001 jest podatny na atak typu XML external entity injection (XXE) podczas przetwarzania danych XML. Uwierzytelniony atakujący może wykorzystać tę podatność do ujawnienia wrażliwych informacji lub zużycia zasobów pamięci.

CVE-2026-9560
High

A vulnerability in OpenVPN Connect from version 3.5.1 to 3.8.1 on macOS allows privilege escalation via background services. Attackers can execute arbitrary commands with elevated privileges through a local IPC channel.

CVE-2026-8856
High

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.

CVE-2026-8855
High

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).

CVE-2026-8854
High

IBM HTTP Server versions 8.5 and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.

CVE-2026-8835
High

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to invalid pointer dereference. A privileged user authenticated to the Administration Server could exploit this vulnerability to expose sensitive information or cause a denial of service.

CVE-2026-8834
High

IBM HTTP Server versions 8.5 and 9.0 contain a buffer overflow vulnerability. A privileged user authenticated to the Administration Server could exploit this vulnerability to execute remote code or cause a denial of service.

CVE-2026-8620
High

Wtyczki serwera WWW dla IBM WebSphere Application Server i WebSphere Liberty w wersjach 8.5 i 9.0 są podatne na atak typu HTTP request smuggling poprzez specjalnie skonstruowane żądanie.

CVE-2026-7454
High

A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

PreviousPage 246 of 3326Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS