CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
Capgo before 12.128.2 contains a BOLA (broken object level authorization) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. An attacker can exploit the controlled app_id to authorize requests, allowing them to start or cancel build jobs of other tenants.
Capgo before version 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization.
CVE-2026-13163 describes an open redirect vulnerability in the _safe_redirect function of the click-tracking endpoint in Mailerup versions before 1.0.0. This allows remote unauthenticated attackers to redirect victims to arbitrary external sites, potentially leading to phishing attacks.
CVE-2026-13140 involves stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier.
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to and including 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string.
Picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().
Picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.
Flowise through version 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.
In ccyl13 Pentestify version 1.0.0 and lower, there is a Server-Side Request Forgery (SSRF) vulnerability in the PDF generation endpoint. An attacker can exploit this flaw to send requests to arbitrary internal or external URLs, potentially leading to the exposure of sensitive data.
In the Linux kernel's ksmbd (SMB) filesystem, a missing access control for FSCTL_SET_SPARSE was found. The fsctl_set_sparse() function modifies the sparse attribute of a file without checking if the share is read-only or if the client has proper permissions (FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES).
TortoiseGitBlame is vulnerable to argument injection via malicious Git history filenames, leading to arbitrary file write in TortoiseGit.
CVE-2026-10745 describes an improper output neutralization for logs vulnerability in upKeeper Solutions upKeeper Instant Privilege Access on Windows, allowing log injection, tampering, and forging.
The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs that allow attackers with appropriate permissions to create malicious posts and leak password reset links.
CVE-2026-56052 describes an improper neutralization of special elements used in SQL commands, allowing for Blind SQL Injection in FunnelKit Funnel Builder.
In the Linux kernel netfilter subsystem, a slab-out-of-bounds read vulnerability was found in dump_mac_header(). Missing validation of the MAC header being set (skb_mac_header_was_set()) allows an attacker to send a packet via AF_PACKET with PACKET_QDISC_BYPASS, causing a read of ~64 KiB beyond the buffer and potential data leak into kernel logs.
In the Linux kernel, a vulnerability in the SMC (Shared Memory Communications) subsystem causes a NULL pointer dereference in the smc_msg_event tracepoint. The tracepoint unconditionally dereferences conn->lnk, which is NULL for SMC-D connections, leading to a kernel crash on the first sendmsg() or recvmsg() call on an SMC-D socket when tracing is enabled.
In the Linux kernel, the tun_put_user() function declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For non-tunnel packets, only the first 10 bytes are initialized, leaving bytes 10..23 as stack garbage. An unprivileged user can set the vnet header size to 24 bytes, causing 14 bytes of kernel stack data to be leaked to userspace on every read of a non-tunnel packet.
In the Linux kernel, a vulnerability in the RDS/IB driver causes a NULL pointer dereference in rds_ib_send_cqe_handler() when handling masked atomic completions. The rds_ib_send_unmap_op() function lacks handling for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP and IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning NULL and triggering a kernel panic in softirq context.
A NULL pointer dereference vulnerability was found in the Linux kernel's BPF subsystem within bpf_sk_storage_clone and bpf_sk_storage_diag_put_all functions. A concurrent RCU reader can observe a storage element (selem) still on the list after its smap pointer has been cleared by bpf_selem_unlink_nofail(), leading to a crash.
In the Linux kernel, a stack info leak was found in the tap driver via the SIOCGIFHWADDR ioctl. The tap_ioctl() function copies 16 bytes of an uninitialized sockaddr_storage structure to userspace, while netif_get_mac_address() only writes 6 bytes of the MAC address, leaving 8 bytes uninitialized. These 8 bytes may leak sensitive kernel data, including pointers, defeating KASLR.

