CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2026-48493
Medium

In Snipe-IT versions prior to 8.6.0, a user with users.edit permission can send a PATCH request to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser, e.g., assets.view, assets.create, reports.view, import. The issue is fixed in version 8.6.0.

CVE-2026-47693
Medium

Poweradmin before versions 4.2.4 and 4.3.3 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data, specifically the username field, is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @).

CVE-2026-12164
Medium

A vulnerability in Fortra File Integrity Monitoring (formerly Tripwire Enterprise) prior to version 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, especially when the import also creates or changes roles or role-permission relationships.

CVE-2026-12163
Medium

Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authenticated user with sufficient privileges can store malicious script in node or database configuration fields, which will be executed in another administrator's browser.

CVE-2026-11972
High

A vulnerability in Python's 'tarfile' module occurs when opening an archive in streaming mode (mode='r|'). The module improperly handles EOF, causing archive parsing to take exponentially longer.

CVE-2026-54518
Medium

Vulnerability in jackson-databind related to unwrapped properties in constructors. The UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method does not check @JsonView visibility, allowing bypass of view restrictions and injection of JSON data into a constructor parameter annotated with both @JsonView and @JsonUnwrapped, even when a more restrictive view is active.

CVE-2026-56120
Unknown

CVE-2026-56120 has been rejected as it is a duplicate of CVE-2026-56784.

CVE-2026-54517
Medium

In jackson-databind versions 2.21.0 to 2.21.4 and 3.1.4, the @JsonView filter is not applied to setterless Collection/Map properties, allowing attacker-supplied JSON to be processed even when the active view should exclude it.

CVE-2026-54516
Medium

Vulnerability in jackson-databind allows an attacker to bypass @JsonIgnore annotation on a setter by using @JsonProperty on a getter. As a result, a private field becomes writable during deserialization, enabling direct data injection into the object.

CVE-2026-54515
Medium

In jackson-databind from version 2.8.0 to 2.18.9, 2.21.5, and 3.1.4, a vulnerability exists where per-property @JsonIgnoreProperties exclusions are applied by removing ignored properties from BeanPropertyMap, but subsequent case-insensitivity processing (ACCEPT_CASE_INSENSITIVE_PROPERTIES) rebuilds the map from the original unfiltered source, restoring the removed properties. The ignored property becomes writable again.

CVE-2026-54514
Medium

Vulnerability in jackson-databind from version 2.0.0 to 2.18.8, 2.21.4, and 3.1.4 causes immediate DNS resolution for untrusted input during deserialization of InetSocketAddress. An attacker can force a DNS query to a chosen host before any application-level validation.

CVE-2026-54513
High

A vulnerability in jackson-databind allows bypassing the allowlist via arrays. The allowIfSubTypeIsArray() method permits any array type without validating the component type, enabling deserialization of unsafe objects.

CVE-2026-54512
High

Vulnerability in jackson-databind allows bypassing the PolymorphicTypeValidator (PTV) during polymorphic deserialization. When a type contains generic parameters (e.g., ArrayList<Gadget>), validation only checks the container name, not nested types, enabling loading a denied class as a generic parameter.

CVE-2026-53931
Medium

NocoDB prior to version 2026.05.1 had a vulnerability that allowed the spreadsheet-import endpoint axiosRequestMake to be used as a generic HTTP proxy. This endpoint was accessible unauthenticated, enabling unauthorized access.

CVE-2026-53930
Medium

NocoDB prior to version 2026.05.1 had a vulnerability in the base-migration endpoint that accepted a caller-supplied URL without enforcing protocol or destination. This allowed scheme abuse and probing of internal HTTP destinations.

CVE-2026-53929
Medium

NocoDB prior to version 2026.05.1 allowed authenticated uploaders to deliver .html or .svg attachments that were rendered inline in the browser instead of forcing a download. The issue stemmed from a mismatch in how response headers were handled, leading to automatic rendering of these files.

CVE-2026-53928
Medium

NocoDB prior to version 2026.05.1 had a vulnerability where a stolen refresh token could be used to mint new JWTs even after the user reset their password. The password forgot flow did not delete all refresh tokens, allowing an attacker to exchange the captured token for a new access token.

CVE-2026-53927
Medium

NocoDB prior to version 2026.05.1 had a vulnerability in the spreadsheet-fetch endpoint (axiosRequestMake) that accepted URLs with a permitted extension anywhere in the string. This allowed access to the cloud-metadata endpoint via a crafted URL.

CVE-2026-53926
Medium

NocoDB prior to version 2026.05.1 had a vulnerability in the users service where the revokeAllOAuthTokensByUser function was an empty stub. As a result, OAuth tokens were not revoked when the user changed, reset, or recovered their password.

CVE-2026-50193
High

A vulnerability in jackson-databind from version 2.13.0 to 2.14.0 allows a DoS attack by sending deeply nested JSON (thousands of levels) read as JsonNode and written via toString(). Even small requests (1000 nested arrays is 2kB) can significantly consume system resources.

PreviousPage 272 of 4629Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS