CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability was found in the EtherNet IP Message Handler component of the CIPster library (up to commit e8e9dba09bf56962807d3504b783ccdb6287f3e4), involving an out-of-bounds write in the BufWriter::append function. Remote exploitation is possible and the exploit has been made public.
A vulnerability in the libtiff library allows a remote attacker to execute arbitrary code or cause a denial of service (DoS) by providing a specially crafted TIFF image compressed with the PixarLog codec. The issue occurs when decoding PixarLog images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based buffer overflow.
In Rancher versions 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10, users with the Project Owner role can exploit improper privilege handling to escalate their privileges.
A vulnerability in Snowflake CLI prior to version 3.19 allows arbitrary code execution due to improper neutralization in the Snowpark annotation processor callback template. An attacker can supply crafted project content that is interpolated into generated Python code, causing the CLI to execute attacker-controlled code in the local user context.
A vulnerability in Snowflake CLI prior to version 3.19 allowed unintended SQL execution by supplying crafted repository, project configuration, manifest data, or specification input. An attacker could execute arbitrary SQL in the context of the victim's Snowflake session.
A buffer overflow vulnerability was found in Edimax EW-7478APC version 1.04 in the formUSBFolder function of the /goform/formUSBFolder file. Manipulation of the ShareName/SelectName arguments in a POST request can cause a buffer overflow, enabling remote attack. The exploit has been publicly disclosed and may be used.
A buffer overflow vulnerability has been found in Edimax EW-7478APC version 1.04 in the formUSBAccount function of the /goform/formUSBAccount file. An attacker can remotely manipulate the UserName/Password arguments, causing a buffer overflow. The exploit has been published and may be used.
A buffer overflow vulnerability has been detected in the Edimax EW-7478APC version 1.04 in the formQoS function of the /goform/formQoS file. An attacker can remotely manipulate the selSSID argument, leading to a buffer overflow. The exploit has been publicly disclosed and may be used.
The ARForms plugin version 7.1.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Landing Page Builder plugin version 1.5.3.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious script without requiring authentication.
The Jobify plugin version 4.3.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Link Whisper Free plugin version 0.9.4 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Wallet System for WooCommerce plugin version 2.7.6 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in BEAR versions 1.1.8 and earlier. It allows a remote attacker to inject malicious JavaScript code into the page without requiring authentication.
phpUploader before version 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
The Home Assistant iOS companion app ignores the SSID allowlist for internal networks. When no other URL is found, it falls back to the internal URL, potentially exposing the user's token on an unsecured network.
A vulnerability in Claude Code (versions 2.1.38 through 2.1.163) allows worktree manipulation attacks, including creating worktrees named ".git" and navigating outside the sandbox. An attacker can overwrite files in the user's home directory (e.g., .zshenv), leading to code execution outside seatbelt sandbox restrictions.
The Helix3 plugin for Joomla! exposes an AJAX handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters.
A vulnerability in the getfattr and setfattr utilities before version 2.6.0 allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files, leading to local privilege escalation when these tools are invoked by a privileged process over an attacker-controlled path.
A symlink traversal vulnerability was found in the libacl library before version 2.4.0 in pathname-based functions. A local attacker can replace any pathname component with a symbolic link, leading to privilege escalation by manipulating access control lists.

