CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
In Snipe-IT versions prior to 8.6.0, a user with users.edit permission can send a PATCH request to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser, e.g., assets.view, assets.create, reports.view, import. The issue is fixed in version 8.6.0.
Poweradmin before versions 4.2.4 and 4.3.3 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data, specifically the username field, is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @).
A vulnerability in Fortra File Integrity Monitoring (formerly Tripwire Enterprise) prior to version 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, especially when the import also creates or changes roles or role-permission relationships.
Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges can store malicious script in node or database configuration fields, which will be executed in another administrator's browser.
A vulnerability in Python's 'tarfile' module occurs when opening an archive in streaming mode (mode='r|'). The module improperly handles EOF, causing archive parsing to take exponentially longer.
Vulnerability in jackson-databind related to unwrapped properties in constructors. The UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method does not check @JsonView visibility, allowing bypass of view restrictions and injection of JSON data into a constructor parameter annotated with both @JsonView and @JsonUnwrapped, even when a more restrictive view is active.
CVE-2026-56120 has been rejected as it is a duplicate of CVE-2026-56784.
In jackson-databind versions 2.21.0 to 2.21.4 and 3.1.4, the @JsonView filter is not applied to setterless Collection/Map properties, allowing attacker-supplied JSON to be processed even when the active view should exclude it.
Vulnerability in jackson-databind allows an attacker to bypass @JsonIgnore annotation on a setter by using @JsonProperty on a getter. As a result, a private field becomes writable during deserialization, enabling direct data injection into the object.
In jackson-databind from version 2.8.0 to 2.18.9, 2.21.5, and 3.1.4, a vulnerability exists where per-property @JsonIgnoreProperties exclusions are applied by removing ignored properties from BeanPropertyMap, but subsequent case-insensitivity processing (ACCEPT_CASE_INSENSITIVE_PROPERTIES) rebuilds the map from the original unfiltered source, restoring the removed properties. The ignored property becomes writable again.
Vulnerability in jackson-databind from version 2.0.0 to 2.18.8, 2.21.4, and 3.1.4 causes immediate DNS resolution for untrusted input during deserialization of InetSocketAddress. An attacker can force a DNS query to a chosen host before any application-level validation.
A vulnerability in jackson-databind allows bypassing the allowlist via arrays. The allowIfSubTypeIsArray() method permits any array type without validating the component type, enabling deserialization of unsafe objects.
Vulnerability in jackson-databind allows bypassing the PolymorphicTypeValidator (PTV) during polymorphic deserialization. When a type contains generic parameters (e.g., ArrayList<Gadget>), validation only checks the container name, not nested types, enabling loading a denied class as a generic parameter.
NocoDB prior to version 2026.05.1 had a vulnerability that allowed the spreadsheet-import endpoint axiosRequestMake to be used as a generic HTTP proxy. This endpoint was accessible unauthenticated, enabling unauthorized access.
NocoDB prior to version 2026.05.1 had a vulnerability in the base-migration endpoint that accepted a caller-supplied URL without enforcing protocol or destination. This allowed scheme abuse and probing of internal HTTP destinations.
NocoDB prior to version 2026.05.1 allowed authenticated uploaders to deliver .html or .svg attachments that were rendered inline in the browser instead of forcing a download. The issue stemmed from a mismatch in how response headers were handled, leading to automatic rendering of these files.
NocoDB prior to version 2026.05.1 had a vulnerability where a stolen refresh token could be used to mint new JWTs even after the user reset their password. The password forgot flow did not delete all refresh tokens, allowing an attacker to exchange the captured token for a new access token.
NocoDB prior to version 2026.05.1 had a vulnerability in the spreadsheet-fetch endpoint (axiosRequestMake) that accepted URLs with a permitted extension anywhere in the string. This allowed access to the cloud-metadata endpoint via a crafted URL.
NocoDB prior to version 2026.05.1 had a vulnerability in the users service where the revokeAllOAuthTokensByUser function was an empty stub. As a result, OAuth tokens were not revoked when the user changed, reset, or recovered their password.
A vulnerability in jackson-databind from version 2.13.0 to 2.14.0 allows a DoS attack by sending deeply nested JSON (thousands of levels) read as JsonNode and written via toString(). Even small requests (1000 nested arrays is 2kB) can significantly consume system resources.

