CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57231
High

Podman from version 1.8.1 to 5.8.4 contains a vulnerability where a container image with an environment variable containing only a key without a value can trick Podman into passing that variable from the host into the container. Using an asterisk (*) causes all host variables to be passed, allowing a malicious image to exfiltrate Podman environment variables from the session where the container is launched.

CVE-2026-56663
High

In AutoGPT before version 0.6.52, an authenticated user can bypass SSRF protections and access internal network services. The _is_ip_blocked() function does not normalize IPv4-mapped IPv6 addresses or block special ranges like 100.64.0.0/10 (CGNAT).

CVE-2026-55677
High

Echo, a Go web framework, has a vulnerability due to a mismatch in URL path decoding between the router and the static file handler. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization.

CVE-2026-9640
High

A privilege escalation vulnerability in LXD versions 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 allows bypassing project-restriction policies during snapshot restoration. An authenticated project operator can import a malicious instance backup with restricted configuration keys in a snapshot, which are applied without validation upon restoration.

CVE-2026-5757
High

An unauthenticated remote attacker can read and exfiltrate the heap memory of the Ollama server through the model quantization engine, leading to sensitive data exposure.

CVE-2026-47214
High

In Docling prior to version 2.94.0, unsafe URI and path handling was found in the HTML backend. This vulnerability could allow an attacker to perform unauthorized operations on files or network resources.

CVE-2026-45195
High

A vulnerability in kernel software running inside a Host VM allows sending improper commands to the GPU firmware, potentially causing memory read or write outside the permitted range. Addresses passed to the GPU firmware can be used to gain more privileged memory access than allowed by the system.

CVE-2026-21734
High

A vulnerability in the GPU shader compiler allows an out-of-bounds write by loading a web page with specially crafted GPU shader code. This can cause a segmentation fault in the compiler under certain conditions.

CVE-2026-12411
High

A Broken Access Control vulnerability in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

CVE-2026-0828
High

The kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64, versions 10.5.75.0 and 11.11.4.0, allows an unprivileged user to abuse the IOCTL path and terminate protected system processes.

CVE-2026-57667
High

The Groundhogg plugin for WordPress versions 4.5 and earlier contains an SQL injection vulnerability in the Sales Representative module. An attacker can exploit this flaw to execute unauthorized database queries.

CVE-2026-57663
High

The Recipe Maker For Your Food Blog plugin by Zip Recipes version 8.2.7 and earlier contains a Contributor SQL Injection vulnerability.

CVE-2026-57662
High

SQL Injection vulnerability in the Contributor component of Contest Gallery plugin up to version 30.0.0. Allows an attacker to manipulate database queries through improperly sanitized input.

CVE-2026-57659
High

The Paid Memberships Pro - Add Member From Admin plugin version 0.7.2 and earlier is vulnerable to unauthenticated Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to perform unauthorized actions in the context of an administrator without requiring an authenticated session.

CVE-2026-57655
High

The vulnerability allows an unauthenticated attacker to perform a Cross-Site Request Forgery (CSRF) in the Child Theme Wizard plugin version 1.4 and earlier. The attack can lead to unauthorized changes in the plugin configuration without the administrator's knowledge.

CVE-2026-57653
High

The WP Job Portal plugin version 2.5.2 and earlier contains a SQL injection vulnerability in the Contributor module. This allows an attacker to manipulate database queries.

CVE-2026-57647
High

The Panorama Viewer – 360 Degree Image + Video Viewer plugin version 1.6.1 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by contributors. This allows an attacker with contributor privileges to read sensitive files on the server.

CVE-2026-57645
High

The vulnerability in the Newsletters plugin up to version 4.13 allows unauthorized access to subscriber management functions. The lack of proper access control enables an attacker to manipulate subscriber data without required permissions.

CVE-2026-57644
High

The Restaurant Menu by MotoPress plugin version 2.4.10 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries into the database.

CVE-2026-57643
High

The WP Post Author plugin version 3.9.1 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker to manipulate database queries.

PreviousPage 39 of 3334Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS