CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-13207
High

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

CVE-2026-11594
High

IBM WebSphere Application Server 9.0 and 8.5 is affected by a cross-site scripting vulnerability in the administrative console. This allows an attacker to inject malicious scripts into the server management interface.

CVE-2025-36359
High

The vulnerability in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration. This allows an authenticated user to impersonate another user on the system.

CVE-2026-13772
High

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 contains a vulnerability in the Object Query Language engine that resolves attacker-supplied class names via Class.forName() and invokes their constructors without an allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators). An authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values triggers the same gadget post-deserialization in a manner that bypasses JEP-290 serialization filters across grid node boundaries.

CVE-2026-13759
High

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs.

CVE-2026-13449
High

IBM Business Automation Manager Open Editions versions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVE-2026-11806
High

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.6 are affected by an arbitrary file read vulnerability when the restConnector-2.0 feature is enabled.

CVE-2026-11714
High

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.7 are affected by a server-side request forgery (SSRF) vulnerability when the apiDiscovery-1.0 feature is enabled. An attacker can exploit this flaw to send unauthorized requests from the server to internal network resources.

CVE-2026-11546
High

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.7 with the adminCenter-1.0 feature enabled are affected by a server-side request forgery (SSRF) vulnerability.

CVE-2026-10564
High

IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a Server-Side Request Forgery (SSRF) vulnerability. The RSSReaderComponent and SearXNG components make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3.

CVE-2026-10560
High

IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints, allowing an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

CVE-2026-10546
High

IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the URL component due to a TOCTOU race condition exploitable via DNS rebinding.

CVE-2026-10129
High

IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying a public URL that redirects to internal/localhost addresses. The vulnerability exists because the application validates only the initial URL but does not re-validate redirect destinations.

CVE-2026-10513
High

The Webmention plugin for WordPress up to version 5.8.0 is vulnerable to Stored Cross-Site Scripting via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the unauthenticated webmention REST endpoint and rendered directly into HTML 'value' attributes by the edit-comment-form template.

CVE-2026-8864
High

The HP Fan Control App might allow local escalation of privileges. The vulnerability stems from improper access control in HP's fan management software.

CVE-2026-58377
High

A broken access control vulnerability in JeecgBoot through version 3.9.2 allows authenticated low-privilege users to perform full CRUD operations on OpenAPI credentials via OpenApiAuthController and OpenApiPermissionController endpoints lacking Shiro authorization annotations. The list endpoint exposes secret keys in plaintext, enabling credential theft and unauthorized API invocation.

CVE-2026-58376
High

Dolibarr up to version 23.0.3 (fixed in commit 14db36e) contains a SQL injection vulnerability. Authenticated API users can exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters parameter in the setup dictionary and multicurrencies REST API endpoints.

CVE-2026-58375
High

JimuReport up to version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The @JimuNoLoginRequired annotation causes all access controls to be skipped, and the export service streams the report for any supplied ID without verifying the auto-export configuration flag. An unauthenticated attacker can enumerate Snowflake report identifiers and export the full contents of any report, including data from SQL queries and credentials embedded in data sources.

CVE-2026-58372
HighEPSS 51%

SeaweedFS before version 4.34 has a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. An authenticated S3 principal with write access to a single bucket can delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body.

CVE-2026-58370
High

A vulnerability in Woodpecker before version 3.15.0 allows bypassing the ApprovalAllowedUsers list by manipulating the pipeline.Author field. For GitLab integration, the commit author is taken from webhook data which can be attacker-controlled. A user opening a merge request from a fork can set the commit author name to match an entry in ApprovalAllowedUsers, causing the pipeline to run without required approval.

PreviousPage 29 of 3336Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS