CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-55603
High

The http-proxy-middleware library in versions 3.0.4 to 3.0.7 and 4.1.1 has a vulnerability related to the fixRequestBody() method. When sending data in multipart/form-data format, an attacker can inject new form parts, leading to data desynchronization between the proxy and the backend.

CVE-2026-55599
Medium

The phpseclib library up to versions 1.0.30, 2.0.55, and 3.0.54 by default fetches a URL from the Authority Information Access (AIA) extension of an untrusted X.509 certificate during validation. An attacker can supply a certificate with a controlled host, port, and path, leading to a server-side request forgery (SSRF) vulnerability.

CVE-2026-54651
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.1, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

CVE-2026-54531
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.0, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

CVE-2026-54530
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.0, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop when extracting text in layout mode.

CVE-2026-49468
Critical

LiteLLM proxy before version 1.84.0 has a Host-header parsing flaw that, under specific conditions, allows unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path, which Starlette reconstructs from the Host header, enabling bypass of access controls.

CVE-2026-49461
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.12.2, an attacker could craft a PDF that leads to large memory usage by extracting text from a page containing a form XObject with self-references.

CVE-2026-49460
Low

pypdf is a free and open-source pure-python PDF library. Prior to version 6.12.2, an attacker could exploit this vulnerability to craft a PDF that leads to long runtimes.

CVE-2026-47242
Medium

The Net::IMAP library in Ruby has a vulnerability that allows arbitrary IMAP command injection due to improper validation of arguments in the #id and #enable methods. This issue affects versions prior to 0.6.5 and 0.5.15.

CVE-2026-47241
Low

Net::IMAP in Ruby prior to versions 0.6.5 and 0.5.15 has a vulnerability that allows an attacker to inject additional commands. By exploiting improperly validated arguments, an attacker can force the first command to wait for another command to finish.

CVE-2026-47240
Medium

The Net::IMAP library in Ruby has a vulnerability that allows arbitrary IMAP command injection if the server does not support non-synchronizing literals. Versions prior to 0.6.5 and 0.5.15 are susceptible to an attack that may lead to unauthorized command execution.

CVE-2026-45034
Critical

PhpSpreadsheet prior to version 1.30.5 contained a vulnerability that allowed bypassing stream wrapper security checks, potentially leading to remote code execution (RCE). The issue stemmed from improper URL scheme validation, enabling attackers to exploit wrappers like phar://.

CVE-2026-41479
Medium

The Authlib library before versions 1.6.10 and 1.7.1 contains an unauthenticated open redirect vulnerability in the OAuth 2.0 authorization endpoint. By sending a request with an unsupported response_type and an attacker-controlled redirect_uri, an HTTP 302 response redirecting to an arbitrary URL can be obtained.

CVE-2026-48931
Low

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

CVE-2026-44274
High

A vulnerability in Dell Wyse Management Suite (WMS) prior to version 2605 is due to improper link resolution before file access. It allows a low-privileged attacker with local access to gain unauthorized access.

CVE-2026-44273
Medium

A vulnerability in Dell Wyse Management Suite (WMS) prior to version 2605 involves the use of default credentials. It allows an attacker with high privileges and local access to disclose sensitive information.

CVE-2026-44272
High

An SQL Injection vulnerability in Dell Wyse Management Suite (WMS) prior to version 2605 allows a low-privileged attacker to remotely execute unauthorized database queries. The flaw is due to improper neutralization of special elements used in SQL commands.

CVE-2026-44271
High

In Dell Wyse Management Suite (WMS) versions prior to 2605, an SQL injection vulnerability has been discovered. This flaw results from improper neutralization of special elements in SQL commands. It allows an attacker with low privileges and remote access to gain unauthorized access to the system.

CVE-2026-10852
Medium

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service (DoS) attack in the WebSphere WebServer Plug-in component. An attacker can send crafted requests to the web server, causing system overload.

CVE-2026-55443
Medium

LangChain prior to version 1.3.9 contains a vulnerability where several components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include file-search middleware, configuration loaders, and path-prefix authorization checks that can allow access to files outside the configured root via glob patterns, symlinks, or path segment boundary bypass.

PreviousPage 247 of 4514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS