CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-48314
Medium

A Path Traversal vulnerability in ColdFusion versions 2025.9, 2023.20 and earlier allows bypassing path restrictions. An attacker can gain limited read and write access to unauthorized files or directories outside intended restrictions. Exploitation does not require user interaction.

CVE-2026-44948
Medium

A path traversal vulnerability in the ImageScan subsystem of Rancher Fleet affects versions 0.12.0 to 0.12.16, 0.13.0 to 0.13.12, 0.14.0 to 0.14.7, and 0.15.0 to 0.15.3, allowing an attacker to traverse outside the intended directory and cause a denial of service.

CVE-2026-13455
Medium

A vulnerability in PostgreSQL Anonymizer allows unprivileged masked users to repeatedly call the anon.hash() function and collect (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt.

CVE-2026-48192
Medium

A vulnerability in Mendix Studio Pro arises from improper validation and sanitization of project files processed during the build pipeline. An attacker can trick a user into opening and running a specially crafted malicious project, leading to arbitrary code execution in the context of that user.

CVE-2026-44947
Medium

A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.

CVE-2026-27956
Medium

Coolify prior to version 4.0.0-beta.464 has a vulnerability in the `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` endpoint that bypasses team scoping when the optional `uuid` parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams.

CVE-2026-27955
Medium

Coolify prior to version 4.0.0-beta.464 has a vulnerability in the executeInDocker() helper that wraps commands in bash -c without escaping single quotes. The docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing an attacker to break out of the bash -c argument and execute arbitrary commands on the managed server host.

CVE-2026-27883
Medium

Coolify prior to version 4.0.0-beta.464 has a vulnerability in the GET /api/v1/deployments/{uuid} endpoint that allows any authenticated user to access deployment details of any team, bypassing team-based authorization. The issue stems from the $teamId extracted from the authentication token not being used to scope the database query.

CVE-2026-27882
Medium

Coolify prior to version 4.0.0-beta.461 uses a non-constant-time string comparison operator (!==) to validate the GitLab webhook secret token. This allows an attacker to gradually discover the secret token by measuring response time differences (timing attack).

CVE-2026-27881
Medium

Coolify prior to version 4.0.0-beta.464 has a vulnerability in the `GET /api/v1/deployments/{uuid}` endpoint that does not validate whether the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment details from other teams by providing a valid deployment UUID.

CVE-2026-35098
Medium

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate-limiting enables efficient brute-force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six-digit numeric format, this becomes a critical issue, as such passwords can be brute-forced in a relatively short time.

CVE-2026-35097
Medium

The KTM e-BOK system enforces a maximum password length of six numeric digits and does not allow alphabetic, special, or extended characters. This issue was fixed in the patch released in June 2026.

CVE-2026-35096
Medium

KTM e-BOK system is vulnerable to Cross‑Site Request Forgery (CSRF) in email-change and password-change functionalities. An authenticated user can be tricked into performing unauthorized changes without their knowledge.

CVE-2026-35095
Medium

The vulnerability in KTM e-BOK allows an attacker to set the session identifier before authentication. If a cookie with a valid name is set, its value remains unchanged after successful login, enabling session hijacking.

CVE-2026-14178
Medium

In openGauss, when processing to_timestamp calls with NLS parameters, to_timestamp_with_fmt_nls() stores nls_fmt_str in u_sess->parser_cxt.nls_fmt_str. In the seqscan + sort execution path, this string is allocated in the SeqScan expression context; after SeqScan completes, the memory context is reset, but the output phase timestamp_out() still accesses u_sess->parser_cxt.nls_fmt_str via CheckNlsFormat(), causing a heap-use-after-free. An attacker with SQL execution privileges can craft a specific to_timestamp(..., ..., nlsparam) query to trigger this, leading to backend process crash and denial of service.

CVE-2025-53648
Medium

A SQL misconfiguration in the Gravitino UI, versions 1.0.0 and below, allows a malicious user to read or truncate files. The issue is fixed in version 1.0.0.

CVE-2026-8403
Medium

A stored cross-site scripting (XSS) vulnerability was found in Eksagate SYSGUARD 6001 due to improper input neutralization during web page generation. It affects versions from 2.0.2 up to (but not including) 6.1.4.0. The vendor was contacted and confirmed the product is no longer supported.

CVE-2026-58374
Medium

In hostapd before version 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame with a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14), causing an out-of-bounds write and small memory corruption before the 4-way handshake.

CVE-2026-58015
Medium

A flaw was found in GLib's D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism. The cookie_context parameter received from the server is not validated, allowing a malicious D-Bus server to supply path traversal sequences. This enables the client to read arbitrary files and exfiltrate sensitive data by verifying guessed file contents against a generated hash.

CVE-2026-58013
Medium

A flaw was found in GLib where a buffer over-read occurs in g_io_channel_read_line_backend() in giochannel.c when a custom line terminator longer than one byte is set, causing memcmp to read past the GString buffer. This vulnerability can lead to minor information disclosure of 7 bytes or denial of service if the over-read crosses a page boundary.

PreviousPage 27 of 523Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS