CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
A vulnerability in the hackney library allows for unbounded accumulation of HTTP/3 responses in memory, potentially leading to resource exhaustion.
The vulnerability related to improper neutralization of CRLF sequences in the hackney library allows HTTP request splitting. Hackney does not percent-encode carriage return ( ) or line feed ( ) characters in the URL query component before constructing the HTTP/1.1 request target.
CVE-2026-47073 in the benoitc hackney library has a resource allocation issue without limits, allowing Flooding attacks. The WebSocket client imposes no upper bound on memory consumption in three code paths, leading to memory exhaustion.
The CRLF Injection vulnerability in the hackney library allows for HTTP Request/Response Splitting. An attacker can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to various threats such as credential spoofing or malicious request forwarding.
Uncontrolled Resource Consumption vulnerability in the benoitc hackney library allows for Flooding attacks. The issue arises because after establishing a SOCKS5 connection, the timeout for the TLS connection is set to infinity by default, potentially leading to the blocking of the connecting process.
A vulnerability in the hackney library allows for flooding the BEAM atom table through unbounded resource allocation. An attacker can supply malicious URLs, leading to a crash of the entire BEAM virtual machine.
CVE-2026-47066 vulnerability in the hackney library causes an infinite loop due to an unreachable exit condition, leading to excessive resource allocation. The Alt-Svc response header parser does not guarantee progress, resulting in the process being pinned at 100% CPU.
Joomla Responsive Portfolio version 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests.
The Joomla Component eXtroForms version 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data.
Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques.
Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling.
Socusoft 3GP Photo Slideshow version 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling.
SocuSoft iPod Photo Slideshow version 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception handler.
Softneta MedDream PACS Server Premium version 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and access sensitive files including system configuration and password files.
SocuSoft DVD Photo Slideshow Professional version 8.07 contains a stack-based buffer overflow vulnerability in the registration name field, allowing local attackers to execute arbitrary code by exploiting structured exception handling.
MedDream PACS Server Premium version 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database.
The mooSocial Store plugin version 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality.
Nord VPN version 6.14.31 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting an excessively long string in the password field. Attackers can paste a buffer of repeated characters into the password input field to trigger an application crash when attempting to authenticate.
CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Attackers can craft a payload exceeding 520 bytes that overwrites the return address and executes shellcode when a shortcut is created and launched.
PCViewer vt1000 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by submitting relative path sequences in GET requests. Attackers can use path traversal sequences ../../../../../../../../../../../../etc/passwd to access sensitive system files outside the intended directory.

