CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability in the command interface of NVIDIA ConnectX and BlueField allows a local user with virtual function (VF) access to cause an out-of-bounds write via crafted input. Successful exploitation may lead to arbitrary code execution on the device.
A vulnerability in the command interface of NVIDIA ConnectX and BlueField allows a local user with virtual function (VF) access to cause a write out of bounds via crafted input. Successful exploitation may lead to arbitrary code execution on the device.
A vulnerability in HTML::Gumbo for Perl before version 0.19 discloses heap memory via type confusion. The walk_tree function does not support the <template> element, treating it as a text node, causing strlen() to over-read the heap block.
A vulnerability in FatFs R0.16 and earlier affects long filename (LFN) handling. The function copies filenames (up to 255 characters) into short fixed buffers without bounds checking, causing buffer overflow.
FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums.
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This can lead to data disclosure.
A vulnerability in FatFs R0.16 and earlier allows bypassing dirty-cache consistency checks via unsigned-subtraction wrap in f_read() and f_write() during interleaved read/write operations on fragmented filesystems.
A vulnerability in FatFs prior to R0.16, using GPT scanning with 'FF_LBA64 = 1', causes an infinite loop during filesystem mounting. The issue stems from an unbounded loop count derived from the GPTH_PtNum field in the GPT header, leading to extremely long or infinite mount times.
FatFs R0.16 and earlier contains a divide-by-zero bug in exFAT sync logic. Crafted metadata can cause n_fatent - 2 to be zero during write/sync operations, leading to a system crash.
In FatFS R0.16 and earlier, there is an integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers.
A stored cross-site scripting (XSS) vulnerability has been found in DivvyDrive by DivvyDrive Information Technologies Inc. The flaw is caused by improper input neutralization during web page generation, allowing injection of malicious scripts.
A stored cross-site scripting (XSS) vulnerability has been found in DivvyDrive by DivvyDrive Information Technologies Inc., due to improper input neutralization during web page generation. The issue affects versions from 4.8.2.23 up to 4.8.3.0.
A flaw was found in Foreman where authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments.
A cross-tenant information disclosure vulnerability was found in Foreman. An authenticated user with host-edit permissions can bypass authorization checks and leak sensitive infrastructure metadata from unauthorized organizations and locations.
A flaw was found in Foreman where a broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authorization checks.
A vulnerability in the @acastellon/auth authentication system for microservices allows an unauthenticated attacker to bypass token validation via crafted auth-user and Host HTTP headers. The issue affects validateToken() in versions prior to 2.3.0.
Cross-site scripting (XSS) vulnerability in MediaWiki due to improper input neutralization during page generation. The issue is located in resource files related to user blocking.
A Cross-Site Scripting (XSS) vulnerability in the Wikimedia Foundation CheckUser extension due to improper input neutralization during page generation. The issue is located in Vue module files related to temporary accounts.
An XSS vulnerability in MediaWiki exists in the ApiSandboxLayout.Js file, allowing an attacker to inject malicious script into a page. The issue affects versions from 1.46.0-rc.0 before 1.46.0.
A vulnerability in Poly Voice IP devices (CCX, Trio, Edge E) may render them inoperable when connecting to a malicious SIP server and receiving malformed data. HP is releasing updates to mitigate this risk.

